
4 SYSTEM CHECKS


3. SYSTEM CHECK PROCEDURES

This section details the procedures for performing manual UNIX system security checks. Reviewers should use
the UNIX scripts whenever possible. Manual checks are provided in case the scripts are unavailable to examine
an item, return false negatives, return false positives, or will not execute on the system.

The check procedures in this document now contain Global Information Grid-Bandwidth Expansion (GIG-BE)
information identifying the MAC level, the IA Control identifiers, and the Department of Defense (DOD)
description of the IA Control. Many checks have more than one pertinent IA Control; these are listed to the far
right of the PDI number within the identification block.

Each identification block also contains one of six codes indicating the automation status of the PDI. These
may change from time to time; for example, a check that is initially manual for an IAVA may be automated at a
later time. Checks remain MAN+, MAN++, or PART either because information is needed before they can be
automated, because attempts to automate them have produced false positives or negatives, or because current
methods already perform the check adequately. The codes are:

AUTO   Indicates completely automated scripts.

PART   Indicates partially automated scripts.

PART+  Indicates partially automated scripts that we could fully automate.

MAN    Indicates scripts requiring manual review.

MAN+   Indicates manual review scripts that we could partially automate.

MAN++  Indicates manual review scripts that we could fully automate.



TABLE OF CONTENTS

3 SYSTEM CHECK PROCEDURES
3.1 UNIX Overview and Site Information
3.1.1 System Equipment
3.1.1.1 GEN000020 Single User Mode Password
3.1.1.2 GEN000040 Single User Mode Password Incompatibility Documentation
http://s3.amazonaws.com/0706/819143.html

07/14/2007 08:21:33 AM


3.1.1.3 GEN000060 Single User Mode Password Incompatibility Location
3.1.1.4 GEN000080 System Equipment Location
3.1.2 Operating System
3.1.2.1 GEN000100 Supported Release
3.1.2.2 GEN000120 Vendor Recommended and Security Patches
3.1.3 File Integrity
3.1.3.1 GEN000140 Create and Maintain System Baseline
3.1.3.2 GEN000160 System Baseline Backup on Write-protected Media
3.1.3.3 GEN000220 System Baseline for System Libraries and Binaries Checking
3.1.3.4 GEN000240 Network Time-Server
3.2 DISCRETIONARY ACCESS CONTROL AND GENERAL SECURITY
3.2.1 User Account Controls
3.2.1.1 GEN000260 Shared Account Documentation
3.2.1.2 GEN000280 Shared Account Direct Logon
3.2.2 Interactive Users
3.2.2.1 GEN000300 Unique Account Name
3.2.2.2 GEN000320 Unique UID
3.2.2.3 GEN000340 Reserved System Account UIDs
3.2.2.4 GEN000360 Reserved System Account GIDs
3.2.2.5 GEN000380 Groups Referenced in /etc/passwd
3.2.3 Logon Warning Banner
3.2.3.1 GEN000400 Logon Warning Banner Display
3.2.3.2 GEN000420 Logon Warning Banner Content
3.2.4 Account Access
3.2.4.1 GEN000440 Logging Login Attempts
3.2.4.2 GEN000460 Three Failed Login Attempts
3.2.4.3 GEN000480 Login Delay
3.2.5 Inactivity Timeout/Locking
3.2.5.1 GEN000500 Inactivity
3.2.5.2 GEN000520 Continuous Display
3.2.6 Password Guidelines
3.2.6.1 GEN000540 Password Change 24 Hours
3.2.6.2 GEN000560 Password Protect Enabled Accounts
3.2.6.3 GEN000580 Password Length


3.2.6.4 GEN000600 Password Character Mix
3.2.6.5 GEN000620 Password Character Mix
3.2.6.6 GEN000640 Password Character Mix
3.2.6.7 GEN000660 Password Contents
3.2.6.8 GEN000680 Password Contents
3.2.6.9 GEN000700 Password Change Every 60 Days
3.2.6.10 GEN000740 Password Change Every Year
3.2.6.11 GEN000760 Inactive Accounts are not locked
3.2.6.12 GEN000780 Easily Guessed Passwords
3.2.6.13 GEN000800 Password Reuse
3.2.6.14 GEN000820 Global Password Configuration Files
3.2.6.15 GEN000840 Root Account Access
3.2.6.16 GEN000860 Password Change for Administrative Passwords Upon SA Reassignment
3.2.7 Root Account
3.2.7.1 GEN000880 Roots UID
3.2.7.2 GEN000900 Roots Home Directory
3.2.7.3 GEN000920 Roots Home Directory Permissions
3.2.7.4 GEN000940 Roots Search Path
3.2.7.5 GEN000960 Roots Search Path
3.2.7.6 GEN000980 Root Console Access
3.2.7.7 GEN001000 Remote Consoles
3.2.7.8 GEN001020 Direct Root Login
3.2.7.9 GEN001060 Log Root Access Attempts
3.2.7.10 GEN001080 Root Shell
3.2.8 Encrypted Root Access
3.2.8.1 GEN001100 Encrypting Root Access
3.2.8.2 GEN001120 Encrypting Root Access
3.2.9 File and Directory Controls
3.2.9.1 GEN001140 Uneven File Permissions
3.2.9.2 GEN001160 Unowned Files
3.2.9.3 GEN001180 Network Services Daemon Permissions
3.2.9.4 GEN001200 System Command Permissions
3.2.9.5 GEN001220 System Files, Programs, and Directories Ownership
3.2.9.6 GEN001240 System Files, Programs, and Directories Group Ownership


3.2.9.7 GEN001260 System Log File Permissions
3.2.9.8 GEN001280 Manual Page File Permissions
3.2.9.9 GEN001300 Library File Permissions
3.2.9.10 GEN001320 NIS/NIS+/yp File Ownership
3.2.9.11 GEN001340 NIS/NIS+/yp File Group Ownership
3.2.9.12 GEN001360 NIS/NIS+/yp File Permissions
3.2.9.13 GEN001380 /etc/passwd File Permissions
3.2.9.14 GEN001400 /etc/passwd and/or /etc/shadow File Ownership
3.2.9.15 GEN001420 /etc/shadow File Permissions
3.2.10 Home Directories
3.2.10.1 GEN001440 Assign Home Directories
3.2.10.2 GEN001460 Assigned Home Directories Exist
3.2.10.3 GEN001480 Home Directories Permissions
3.2.10.4 GEN001500 Home Directories Ownership
3.2.10.5 GEN001520 Home Directories Group Ownership
3.2.11 User Files
3.2.11.1 GEN001540 Home Directories File Ownership
3.2.11.2 GEN001560 Home Directories File Permissions
3.2.12 Run Control Scripts
3.2.12.1 GEN001580 Run Control Scripts Permissions
3.2.12.2 GEN001600 Run Control Scripts PATH Variable
3.2.12.3 GEN001620 Run Control Scripts SGID/SUID
3.2.12.4 GEN001640 Run Control Scripts World Writable Programs or Scripts
3.2.12.5 GEN001660 Run Control Scripts Ownership
3.2.12.6 GEN001680 Run Control Scripts Group Ownership
3.2.12.7 GEN001700 Run Control Scripts Execute Programs
3.2.13 Global Initialization Files
3.2.13.1 GEN001720 Global Initialization Files Permissions
3.2.13.2 GEN001740 Global Initialization Files Ownership
3.2.13.3 GEN001760 Global Initialization Files Group Ownership
3.2.13.4 GEN001780 Global Initialization Files do not Contain mesg -n
3.2.13.5 GEN001800 Default/Skeleton Dot Files Permissions
3.2.13.6 GEN001820 Default/Skeleton Dot Files Ownership
3.2.13.7 GEN001840 Global Initialization Files PATH Variable


3.2.14 Local Initialization Files
3.2.14.1 GEN001860 Local Initialization Files Ownership
3.2.14.2 GEN001880 Local Initialization Files Permissions
3.2.14.3 GEN001900 Local Initialization Files PATH Variable
3.2.14.4 GEN001920 Local Initialization Files SGID/SUID
3.2.14.5 GEN001940 Local Initialization Files World Writable Programs or Scripts
3.2.14.6 GEN001960 Local Initialization Files mesg -y
3.2.15 Trusted System/System Access Control Files
3.2.15.1 GEN001980 Plus (+) in Access Control Files
3.2.15.2 GEN002000 The .netrc File Exists
3.2.15.3 GEN002020 Access Control Files Host Pairs
3.2.15.4 GEN002040 Access Control Files Documentation
3.2.15.5 GEN002060 Access Control Files Accessibility
3.2.15.6 GEN002100 The .rhosts Supported in PAM
3.2.16 Shells
3.2.16.1 GEN002120 The /etc/shells File Does Not Exist
3.2.16.2 GEN002140 The /etc/shells Contents
3.2.16.3 GEN002160 Shells SUID
3.2.16.4 GEN002180 Shells SGID
3.2.16.5 GEN002200 Shells Ownership
3.2.16.6 GEN002220 Shells Permissions
3.2.17 Device Files
3.2.17.1 GEN002260 System Baseline for Device Files Checking
3.2.17.2 GEN002280 Device Files Directories Permissions
3.2.17.3 GEN002300 Device Files Ownership
3.2.17.4 GEN002320 Audio Device Permissions
3.2.17.5 GEN002340 Audio Device Ownership
3.2.17.6 GEN002360 Audio Device Group Ownership
3.2.18 Set User ID (suid)
3.2.18.1 GEN002380 SUID Files Baseline
3.2.18.2 GEN002400 System Baseline for SUID Files Checking
3.2.18.3 GEN002420 File Systems Mounted With nosuid
3.2.19 Set Group ID (sgid)
3.2.19.1 GEN002440 SGID Files Baseline


3.2.19.2 GEN002460 System Baseline for SGID Files Checking
3.2.20 Sticky Bit
3.2.20.1 GEN002480 World Writable Files and Directories
3.2.20.2 GEN002500 Sticky Bit on Public Directories
3.2.20.3 GEN002520 Public Directories Ownership
3.2.20.4 GEN002540 Public Directories Group Ownership
3.2.21 Umask
3.2.21.1 GEN002560 Default umask
3.2.21.2 GEN002580 Permissive umask Documentation
3.2.22 Development Systems
3.2.22.1 GEN002600 Development Systems Security Requirements
3.2.23 Default Accounts
3.2.23.1 GEN002640 Disabled Default System Accounts
3.2.24 Audit Requirements
3.2.24.1 GEN002660 Configure and Implement Auditing
3.2.24.2 GEN002680 Audit Logs Accessibility
3.2.24.3 GEN002700 Audit Logs Permissions
3.2.24.4 GEN002720 Audit Failed File and Program Access Attempts
3.2.24.5 GEN002740 Audit File and Program Deletion
3.2.24.6 GEN002760 Audit Administrative, Privileged, and Security Actions
3.2.24.7 GEN002800 Audit Login, Logout, and Session Initiation
3.2.24.8 GEN002820 Audit Discretionary Access Control Permission Modifications
3.2.24.9 GEN002860 Audit Logs Rotation
3.2.24.10 GEN002900 Audit Data Retention
3.2.24.11 GEN002920 Audit Data Backup
3.2.25 Audit Review Guidance
3.2.25.1 GEN002940 Audit Logs Review
3.2.26 Cron Restrictions
3.2.26.1 GEN002960 Cron Utility Accessibility
3.2.26.2 GEN002980 The cron.allow Permissions
3.2.26.3 GEN003000 Cron Executes World Writable Programs
3.2.26.4 GEN003020 Cron Executes Programs in World Writable Directories
3.2.26.5 GEN003040 Crontabs Ownership
3.2.26.6 GEN003060 Default System Accounts and Cron


3.2.26.7 GEN003080 Crontab files Permissions
3.2.26.8 GEN003100 Cron and Crontab Directories Permissions
3.2.26.9 GEN003120 Cron and Crontab Directories Ownership
3.2.26.10 GEN003140 Cron and Crontab Directories Group Ownership
3.2.26.11 GEN003160 Cron Logging
3.2.26.12 GEN003180 Cronlog Permissions
3.2.26.13 GEN003200 cron.deny Permissions
3.2.26.14 GEN003220 Cron Programs umask
3.2.26.15 GEN003240 cron.allow Ownership
3.2.26.16 GEN003260 cron.deny Ownership
3.2.27 At Restrictions
3.2.27.1 GEN003280 At Utility Accessibility
3.2.27.2 GEN003300 The at.deny File
3.2.27.3 GEN003320 Default System Accounts and At
3.2.27.4 GEN003340 at.allow and at.deny Permissions
3.2.27.5 GEN003360 At Executes World Writable Programs
3.2.27.6 GEN003380 At Executes Programs in World Writable Directories
3.2.27.7 GEN003400 The at Directory Permissions
3.2.27.8 GEN003420 The at Directory Ownership
3.2.27.9 GEN003440 At Programs umask
3.2.27.10 GEN003460 at.allow Ownership
3.2.27.11 GEN003480 at.deny Ownership
3.2.28 Restrict/Disable Core Dumps
3.2.28.1 GEN003500 Restrict or Disable Core Dumps
3.2.28.2 GEN003520 Core Dump Directory Ownership and Permissions
3.2.29 Disable Executable Stack
3.2.29.1 GEN003540 Disable Executable Stack
3.2.30 Restrict NFS Port Listening
3.2.31 Use More Random TCP Sequence Numbers
3.2.31.1 GEN003580 TCP Sequence Numbers
3.2.32 Network Security Settings
3.2.32.1 GEN003600 Network Security Settings
3.2.33 File Systems
3.2.33.1 GEN003620 Separate Filesystem Partitions


3.2.33.2 GEN003640 Root Filesystem Logging
3.2.34 Syslog AUTH/AUTHPRIV Facility
3.2.34.1 GEN003660 Authentication Data Logging
3.3 Network Services
3.3.1 Network Services
3.3.1.1 GEN003680 Required Network Services For Operation
3.3.1.2 GEN003700 Disable inetd/xinetd
3.3.1.3 GEN003720 inetd.conf Ownership
3.3.1.4 GEN003740 inetd.conf Permissions
3.3.1.5 GEN003760 The Services File Ownership
3.3.1.6 GEN003780 The Services File Permissions
3.3.1.7 GEN003800 inetd Logging
3.3.2 Rlogin and rsh
3.3.2.1 GEN003820 Remote Login or Shell Is Enabled
3.3.3 Rexec
3.3.3.1 GEN003840 The rexec Service Is Enabled
3.3.4 Finger
3.3.4.1 GEN003860 The finger Service Is Enabled
3.3.4.2 GEN003865 Network Analysis Tools Enabled
3.3.5 Remote Host Printing
3.3.5.1 GEN003880 Print Server and Client Configuration Documentation
3.3.5.2 GEN003900 hosts.lpd Contents
3.3.5.3 GEN003920 hosts.lpd Ownership
3.3.5.4 GEN003940 hosts.lpd Permissions
3.3.6 Traceroute
3.3.6.1 GEN003960 The traceroute Command Ownership
3.3.6.2 GEN003980 The traceroute Command Group Ownership
3.3.6.3 GEN004000 The traceroute Command Permissions
3.3.7 Client Browser Requirements
3.3.7.1 GEN004020 Browser Capable of 128-bit Encryption
3.3.7.2 GEN004040 Browser Software Update Feature
3.3.7.3 GEN004060 Browser Unencrypted Secure Content Caching
3.3.7.4 GEN004100 Browser Allows Active Scripting
3.3.7.5 GEN004120 Browser Data Redirection Warning


3.3.7.6 GEN004160 Browser Certificate Warning
3.3.7.7 GEN004180 Browser Home Page
3.3.7.8 GEN004200 Browser SSL Configuration
3.3.7.9 GEN004220 The root Accounts Browser
3.3.7.10 GEN004240 Browser Version
3.3.7.11 GEN004260 Browser Cookie Warning
3.3.7.12 GEN004280 Browser Form Data Warning
3.3.7.13 GEN004300 Browser Secure and Non-secure Content Warning
3.3.7.14 GEN004320 Browser Leaving Encrypted Site Warning
3.3.8 Sendmail or Equivalent
3.3.8.1 GEN004360 aliases Ownership
3.3.8.2 GEN004380 aliases Permissions
3.3.8.3 GEN004400 File Executed Through Aliases Accessibility
3.3.8.4 GEN004420 File Executed Through Aliases Permissions
3.3.8.5 GEN004440 Sendmail Logging
3.3.8.6 GEN004460 Critical Level Sendmail Messages Logging
3.3.8.7 GEN004480 Critical Sendmail Log File Ownership
3.3.8.8 GEN004500 Critical Sendmail Log File Permissions
3.3.8.9 GEN004540 Sendmail Help Command
3.3.8.10 GEN004560 Sendmail Greeting to Mask Version
3.3.8.11 GEN004580 .forward Files
3.3.8.12 GEN004600 Sendmail Version
3.3.8.13 GEN004620 Sendmail DEBUG Command
3.3.8.14 GEN004640 Sendmail DECODE Command
3.3.8.15 GEN004660 Sendmail EXPN Command
3.3.8.16 GEN004680 Sendmail VRFY Command
3.3.8.17 GEN004700 Sendmail WIZ Command
3.3.9 File Transfer Protocol (FTP) and Telnet
3.3.9.1 GEN004720 FTP or Telnet Within Enclave Behind Router
3.3.9.2 GEN004760 FTP or Telnet Outside to Inside Enclave
3.3.9.3 GEN004780 FTP or Telnet Userids and Passwords
3.3.9.4 GEN004800 Unencrypted FTP or Telnet
3.3.9.5 GEN004820 Anonymous FTP
3.3.9.6 GEN004840 Anonymous FTP Segregation into DMZ


3.3.10 FTP Configuration
3.3.10.1 GEN004880 The ftpusers File
3.3.10.2 GEN004900 The ftpusers File Contents
3.3.10.3 GEN004920 The ftpusers File Ownership
3.3.10.4 GEN004940 The ftpusers File Permissions
3.3.10.5 GEN004980 FTP Daemon Logging
3.3.10.6 GEN005000 Anonymous FTP Account Shell
3.3.10.7 GEN005020 Anonymous FTP Configuration
3.3.10.8 GEN005040 FTP Users umask
3.3.11 File Service Protocol (FSP)
3.3.11.1 GEN005060 FSP Is Enabled
3.3.12 Trivial File Transfer Protocol (TFTP)
3.3.12.1 GEN005080 TFTP Secure Mode
3.3.12.2 GEN005100 TFTP SUID/SGID Bit
3.3.12.3 GEN005120 TFTP Configuration
3.3.12.4 GEN005140 TFTP Documentation
3.3.13 X Window System
3.3.13.1 GEN005160 .Xauthority Files
3.3.13.2 GEN005180 .Xauthority File Permissions
3.3.13.3 GEN005200 X Displays Exporting
3.3.13.4 GEN005220 X Client Authorization via X*.hosts
3.3.13.5 GEN005240 X Client Authorization
3.3.13.6 GEN005260 X Window System Not Required and Not Disabled
3.3.14 UNIX to UNIX Copy Program (UUCP)
3.3.14.1 GEN005280 Disable UUCP
3.3.15 Simple Network Management Protocol (SNMP)
3.3.15.1 GEN005300 Changed SNMP Community Strings
3.3.15.2 GEN005320 snmpd.conf Permissions
3.3.15.3 GEN005340 MIB File Permissions
3.3.15.4 GEN005360 snmpd.conf and .mib Ownership
3.3.15.5 GEN005380 Dedicated Hardware for SNMP
3.3.16 System Logging Daemon
3.3.16.1 GEN005400 /etc/syslog.conf Accessibility
3.3.16.2 GEN005420 /etc/syslog.conf Group Ownership


3.3.16.3 GEN005440 Local Loghosts
3.3.16.4 GEN005460 Remote Loghost Documentation
3.3.16.5 GEN005480 Syslog Accepts Remote Messages
3.3.17 Secure Shell (SSH) and Equivalents
3.3.17.1 GEN005500 SSH Version 1 Compatibility
3.3.17.2 GEN005540 Encrypted Communications IP Filtering and Banners
3.3.18 UNIX Routing Vulnerabilities
3.3.18.1 GEN005560 Default Gateway
3.3.18.2 GEN005580 Dedicated Hardware for Routing
3.3.18.3 GEN005600 Disable IP Forwarding
3.3.19 Lotus Domino Web Application
3.3.19.1 GEN005620 Lotus Domino Version
3.3.20 Squid Web Proxy Authentication Header
3.3.20.1 GEN005640 Squid Web Proxy Authentication Header Vulnerability
3.3.21 Squid Web Proxy MSNT Auth Helper
3.3.21.1 GEN005660 Squid Web Proxy MSNT Auth Helper Vulnerability
3.3.22 Squid Web Proxy Version
3.3.22.1 GEN005680 Squid Web Proxy Version
3.3.23 iPlanet Web Server
3.3.23.1 GEN005700 iPlanet Web Server NS-query-pat Vulnerability
3.3.24 Network Filesystem (NFS)
3.3.24.1 GEN005720 NFS Port Monitoring
3.3.24.2 GEN005740 Export Configuration File Ownership
3.3.24.3 GEN005760 Export Configuration File Permissions
3.3.24.4 GEN005780 Writable Exported File Systems Documentation
3.3.24.5 GEN005800 Exported System Files and Directories Ownership
3.3.24.6 GEN005820 Deny NFS Client Access Without Userid
3.3.24.7 GEN005840 Restrict NFS Filesystem Access to Local Hosts
3.3.24.8 GEN005860 NFS User Authentication
3.3.24.9 GEN005880 Root Access Option Documentation
3.3.24.10 GEN005900 NFS Clients Enable nosuid and nosgid
3.3.25 Instant Messaging (IM)
3.3.25.1 GEN006000 Public Instant Messaging Client is Installed
3.3.26 Peer-to-Peer File-Sharing Utilities and Clients


3.3.26.1 GEN006040 Peer-to-Peer Application Authorization with DAA
3.3.27 Samba
3.3.27.1 GEN006060 Samba is Enabled
3.3.27.2 GEN006080 Samba Web Administration with SSH Port Forwarding
3.3.27.3 GEN006100 smb.conf Ownership
3.3.27.4 GEN006120 smb.conf Group Ownership
3.3.27.5 GEN006140 smb.conf Permissions
3.3.27.6 GEN006160 smbpasswd Ownership
3.3.27.7 GEN006180 smbpasswd Group Ownership
3.3.27.8 GEN006200 smbpasswd Permissions
3.3.27.9 GEN006220 smb.conf Configuration
3.3.28 Internet Network News (INN)
3.3.28.1 GEN006240 INN Documentation
3.3.28.2 GEN006260 /etc/news/hosts.nntp Permissions
3.3.28.3 GEN006280 /etc/news/hosts.nntp.nolimit Permissions
3.3.28.4 GEN006300 /etc/news/nnrp.access Permissions
3.3.28.5 GEN006320 /etc/news/passwd.nntp Permissions
3.3.28.6 GEN006340 /etc/news Files Ownership
3.3.28.7 GEN006360 /etc/news Files Group Ownership
3.4 Network Based Authentication
3.4.1 Network Information Service (NIS)
3.4.1.1 GEN006380 NIS/NIS+ Implemented Under UDP
3.4.1.2 GEN006400 NIS Documentation
3.4.1.3 GEN006420 NIS Maps Domain Names
3.4.2 Network Information Service Plus (NIS+)
3.4.2.1 GEN006440 NIS Used as Opposed to NIS+
3.4.2.2 GEN006460 NIS+ Server at Security Level 2
3.5 UNIX Security Tools
3.5.1 UNIX Security Tools
3.5.1.1 GEN006480 Host-Based Intrusion Detection Tool
3.5.1.2 GEN006540 System Vulnerability Assessment Tool
3.5.1.3 GEN006560 Security Tool Notifications
3.5.2 Access Control Programs and TCP_WRAPPERS
3.5.2.1 GEN006580 Access Control Program


3.5.2.2 GEN006600 Access Control Program Logging
3.5.2.3 GEN006620 Access Control Program Control System Access
3.5.2.4 GEN006640 Virus Protection Software
3.6 SUN SOLARIS
3.6.1 Removable Media
3.6.1.1 SOL00020 /etc/rmmount.conf Configuration
3.6.2 The audit_user File
3.6.2.1 SOL00040 audit_user User Auditing Levels
3.6.2.2 SOL00060 audit_user Ownership
3.6.2.3 SOL00080 audit_user Group Ownership
3.6.2.4 SOL00100 audit_user Permissions
3.6.3 Automated Security Enhancement Tool (ASET)
3.6.3.1 SOL00120 Aset Master Files Location
3.6.4 The uid_aliases File
3.6.4.1 SOL00140 /usr/aset/masters/uid_aliases Content
3.6.5 The asetenv File
3.6.5.1 SOL00160 ASET Used on a Firewall
3.6.5.2 SOL00180 ASET Environment Variables
3.6.6 Running ASET
3.6.6.1 SOL00200 NIS+ and YPCHECK
3.6.6.2 SOL00220 /usr/aset/userlist Content
3.6.6.3 SOL00240 /usr/aset/userlist Ownership
3.6.6.4 SOL00260 /usr/aset/userlist Permissions
3.6.7 Electrically Erasable Programmable Read-only Memory (EEPROM)
3.6.7.1 SOL00300 EEPROM security-mode Parameter
3.6.8 Sun Answerbook2
3.6.8.1 SOL00360 Sun Answerbook2 Script Access
3.6.8.2 SOL00380 Sun Answerbook2 dwhttpd Format String
3.6.9 NFS Server Logging
3.6.9.1 SOL00400 NFS Server Logging
3.6.10 Extended File Attributes
3.6.10.1 SOL00420 Hidden Extended File Attributes
3.6.11 Root Default Group
3.6.11.1 SOL00440 Group Account with gid of 0


3.7 HEWLETT PACKARD UNIX (HP-UX)
3.7.1 Trusted Mode
3.7.1.1 HPUX0020 Operating in Trusted Mode
3.7.2 Trusted System Auditing
3.7.2.1 HPUX0040 AUDMON_ARGS Flag Configuration
3.7.3 The /etc/securetty File
3.7.3.1 HPUX0060 /etc/securetty Ownership
3.7.3.2 HPUX0080 /etc/securetty Group Owner
3.7.3.3 HPUX0100 /etc/securetty Permissions
3.8 IBM ADVANCED INTERACTIVE EXECUTIVE (AIX)
3.8.1 Security Structure
3.8.1.1 AIX00020 TCB Software
3.8.2 Network Security
3.8.2.1 AIX00040 securetcpip Command
3.8.3 System Commands
3.8.3.1 AIX00060 System Baseline for Files with TCB Bit Set
3.8.4 Authentication
3.8.4.1 AIX00080 SYSTEM Attribute
3.9 SILICON GRAPHICS (SGI) IRIX
3.10 Xfsmd
3.10.1.1 IRIX0020 The xfsmd Service is Enabled
3.11 LINUX
3.11.1 System BIOS Configuration
3.11.1.1 LNX00040 Disable Boot From Removable Media
3.11.2 Restricting the Boot Process
3.11.2.1 LNX00060 Password Configuration Table Configuration
3.11.3 Boot Loaders
3.11.3.1 LNX00080 Boot Diskette
3.11.3.2 LNX00100 Default Boot Loader
3.11.3.3 LNX00120 /boot Partition
3.11.4 Password Protecting the GRUB Console Boot Loader
3.11.4.1 LNX00140 GRUB Boot Loader Encrypted Password
3.11.4.2 LNX00160 grub.conf Permissions
3.11.5 Password Protecting the LILO Boot Loader


3.11.5.1 LNX00180 LILO Global Password
3.11.5.2 LNX00200 LILO Boot Loader Encrypted Password
3.11.5.3 LNX00220 /etc/lilo.conf Permissions
3.11.6 Filesystems
3.11.6.1 LNX00240 Journaling
3.11.7 Red Hat Kickstart and SuSE AutoYaST
3.11.7.1 LNX00260 Kickstart or AutoYaST
3.11.8 Dual Boot
3.11.8.1 LNX00280 Capable of Dual Boot
3.11.9 Ugidd RPC Daemon
3.11.9.1 LNX00300 The rpc.ugidd Daemon is Enabled
3.11.10 Default Accounts
3.11.10.1 LNX00320 Special Privileged Accounts
3.11.10.2 LNX00340 Unnecessary Accounts
3.11.11 X Windows
3.11.11.1 LNX00360 X Server Options Enabled
3.11.11.2 LNX00380 X Server Options Not Enabled
3.11.12 Console Access
3.11.12.1 LNX00400 Access File Ownership
3.11.12.2 LNX00420 Access File Group Ownership
3.11.12.3 LNX00440 Access File Permissions
3.11.13 Kernel Configuration File
3.11.13.1 LNX00480 /etc/sysctl.conf Ownership
3.11.13.2 LNX00500 /etc/sysctl.conf Group Ownership
3.11.13.3 LNX00520 /etc/sysctl.conf Permissions
3.11.14 NFS Server
3.11.14.1 LNX00540 The insecure Option
3.11.14.2 LNX00560 The insecure_locks Option
3.11.15 The /etc/inittab File
3.11.15.1 LNX00580 Ctrl-Alt-Delete Sequence
3.11.16 Administrative Controls
3.11.16.1 LNX00600 PAM Configuration
3.11.17 The /etc/securetty File
3.11.17.1 LNX00620 /etc/securetty Group Ownership


3.11.17.2 LNX00640 /etc/securetty Ownership
3.11.17.3 LNX00660 /etc/securetty Permissions
3.11.18 RealPlayer
3.11.18.1 LNX00680 RealPlayer Version
3.12 Information Assurance Vulnerability Management (IAVM)
3.12.1 IAVA0005 2001-A-0011 Format String Vulnerability in CDE ToolTalk
3.12.2 IAVA0010 1999-0002 TCP Wrappers Trojan Vulnerability
3.12.3 IAVA0015 98-06 Qpopper Vulnerability
3.12.4 IAVA0020 1998-A-0011 General Internet Message Access Protocol
3.12.5 IAVA0025 98-07 Buffer Overflow in Mail and News Clients
3.12.6 IAVA0030 2000-A-0003 Gauntlet Firewall Buffer Overflow
3.12.7 IAVA0035 2001-T-0004 MySQLd Vulnerability
3.12.8 IAVA0040 2001-A-0007 iPlanet
3.12.9 IAVA0045 2001-T-0008 BSD Telnet Daemon
3.12.10 IAVA0050 2004-B-0015 Sun JRE Bypass Vulnerability
3.12.11 IAVA0055 2001-B-0002 HP OpenView and Tivoli NetView
3.12.12 IAVA0060 2004-T-0038 Sun Remote Denial of Service
3.12.13 IAVA0065 2001-A-0013 SSH V1
3.12.14 IAVA0075 2001-A-0009 Gauntlet SMAP/SMAPD Buffer Overflow
3.12.15 IAVA0080 2001-T-0017 OpenSSH
3.12.16 IAVA0085 2005-A-0014 Oracle E-Business Suite Vulnerabilities
3.12.17 IAVA0090 2002-A-0001 CDE Buffer Overflow
3.12.18 IAVA0095 2001-T-0015 LPD Vulnerabilities
3.12.19 IAVA0100 2005-T-0014 Multiple Vulnerabilities in Mozilla Firefox
3.12.20 IAVA0105 2001-A-0014 Login Daemon
3.12.21 IAVA0110 2005-B-0012 PAWS DoS Vulnerability
3.12.22 IAVA0115 2002-A-SNMP-0002, 2002-A-SNMP-003 SNMP
3.12.23 IAVA0120 2005-A-0005 Multiple Vulnerabilities in BIND
3.12.24 IAVA0125 2001-T-0018 SSH Short Password Vulnerability
3.12.25 IAVA0135 2001-B-0004 WU-FTPD
3.12.26 IAVA0140 2005-T-0008 Multiple Vulnerabilities in Ethereal Software
3.12.27 IAVA0145 2002-T-0004 KTH Kerberos IV and V
3.12.28 IAVA0150 2005-T-0010 Multiple Vulnerabilities in Sybase Software
3.12.29 IAVA0155 2002-T-0008 Cachefsd Daemon


3.12.30 IAVA0160 2005-T-0017 IBM WebSphere Application Server
3.12.31 IAVA0165 2002-T-0009 Rpc.walld Service
3.12.32 IAVA0170 2005-T-0024 Sun JRE Privilege Escalation Vulnerability
3.12.33 IAVA0175 2002-T-0011 OpenSSH Challenge Response
3.12.34 IAVA0180 2005-T-0025 Vulnerabilities in Adobe Reader
3.12.35 IAVA0185 2005-T-0027 MIT Kerberos Multiple Vulnerabilities
3.12.36 IAVA0190 2005-T-0033 Adobe Reader Buffer Overflow
3.12.37 IAVA0195 2002-T-0012 CDE Vulnerability
3.12.38 IAVA0210 2005-T-0038 Java System Server JAR Disclosure
3.12.39 IAVA0215 2002-A-0004 OpenSSL Vulnerability
3.12.40 IAVA0225 2002-B-0003 PHP Vulnerabilities
3.12.41 IAVA0235 2002-T-0015 XDR-Libraries
3.12.42 IAVA0245 2002-T-0016 KAdmind
3.12.43 IAVA0250 2005-A-0019 Oracle Applications Vulnerabilities
3.12.44 IAVA0255 2002-T-0017 X Font Server
3.12.45 IAVA0260 2005-A-0034 Oracle Applications Vulnerabilities
3.12.46 IAVA0270 2000-B-0008 BIND 8.2.2-P6 DoS Vulnerabilities
3.12.47 IAVA0275 2001-A-0001 Buffer Overflows in ISC BIND
3.12.48 IAVA0280 2002-A-0006 Multiple Vulnerabilities in ISC BIND 4 and 8
3.12.49 IAVA0285 2003-B-0001 DNS Vulnerabilities Various Libraries
3.12.50 IAVA0295 2003-T-0001 Multiple SSH Vulnerabilities
3.12.51 IAVA0305 2003-T-0002 Solaris UUCP
3.12.52 IAVA0310 2005-T-0043 SMC HTTP TRACE Vulnerability
3.12.53 IAVA0315 2003-T-0004 Oracle 9i Vulnerabilities
3.12.54 IAVA0320 2003-T-0007 Sun XDR Library Buffer Overflow
3.12.55 IAVA0330 2003-B-0003 Sendmail - Memory Corruption Vulnerability
3.12.56 IAVA0335 2003-T-0015 PDF Writers
3.12.57 IAVA0345 2003-T-0018 Real Networks Helix Server
3.12.58 IAVA0350 2003-T-0020 OpenSSH Prior to 3.7.1
3.12.59 IAVA0355 2003-A-0013 SADMIND
3.12.60 IAVA0360 2003-A-0015 OpenSSL
3.12.61 IAVA0365 2003-T-0022 - JAVA RUNTIME and Virtual Machine
3.12.62 IAVA0370 2003-T-0024 - RSYNC DAEMON
3.12.63 IAVA0375 2004-A-0002 - Check Point Firewall-1


3.12.64 IAVA0380 2004-B-0002 - H.323 Protocol
3.12.65 IAVA0385 2004-A-0004 - ISS Real Secure
3.12.66 IAVA0390 2004-T-0003 Apache SSL Certificate Forging
3.12.67 IAVA0395 2004-T-0008 TCPDUMP Buffer Overflows
3.12.68 IAVA0400 2004-B-0005 FreeBSD/Juniper Denial of Service
3.12.69 IAVA0405 2004-T-0006 Solaris Password Utility
3.12.70 IAVA0410 2004-B-0006 OpenSSL Denial of Service
3.12.71 IAVA0415 2004-B-0007 Linux JetAdmin Vulnerability
3.12.72 IAVA0420 2004-T-0014 CDE Remote Login
3.12.73 IAVA0425 2003-B-0005 Sendmail Prescan Variant Vulnerability
3.12.74 IAVA0430 2004-T-0016 Solaris Management Console Vulnerability
3.12.75 IAVA0435 2004-T-0017 MIT Kerberos Multiple Vulnerabilities
3.12.76 IAVA0440 2004-T-0018 Multiple Vulnerabilities in ISC DHCP 3
3.12.77 IAVA0445 2004-T-0032 Vulnerabilities in Apache Web Server
3.12.78 IAVA0455 2000-B-0005 Input Validation Problem in rpc.statd
3.12.79 IAVA0460 2001-A-0002 IRIX Telnet
3.12.80 IAVA0465 1999-B-0002 SGI Array Services
3.12.81 IAVA0470 1998-A-0010 SGI Buffer Overflow Vulnerability
3.12.82 IAVA0475 1999-A-0006 Statd and Automountd
3.12.83 IAVA0485 2001-T-0002 IRDP
3.12.84 IAVA0490 2001-A-0003 SNMP to DMI Mapper Daemon
3.12.85 IAVA0495 2001-T-007 Solaris Line Printer Daemon
3.12.86 IAVA0500 2000-B-0003 KDC Vulnerability
3.12.87 IAVA0510 1999-A-0003 FTP RNFR Command Vulnerability
3.12.88 IAVA0515 1999-B-0003, 2000-B-0004, 2001-B-0004 WU-FTPd
3.12.89 IAVA0520 2006-A-0013 Sendmail Remote Execution Vulnerability
3.12.90 IAVA0530 2006-A-0007 Oracle E-Business Suite Vulnerabilities
3.12.91 IAVA0545 2005-B-0019 Vulnerabilities in IKE Packet Processing
3.12.92 IAVA0550 2006-A-0011 Vulnerabilities in Oracle E-Business Suite
3.12.93 IAVA0555 2006-A-0020 Vulnerabilities in Oracle E-Business Suite
3.12.94 IAVA0570 2006-A-0032 Multiple Vulnerabilities in Oracle E-Business Suite
3.12.95 IAVA0590 2006-T-0020 Mozilla Firefox/Thunderbird Vulnerabilities
3.12.96 IAVA0595 2006-T-0016 Sun Java Application Server Vulnerabilities
3.12.97 IAVA0600 1998-0011 General Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) Vulnerabilities


3.12.98 IAVA0605 1999-0001 Mountd Remote Buffer Overflow Vulnerability
3.12.99 IAVA0610 1999-0003 Remote FTP Vulnerability
3.12.100 IAVA0615 2000-T-0015 BMC Best/1 Version 6.3 Performance Management System Vulnerability
3.12.101 IAVA0620 2000-B-0001 BIND NXT Buffer Overflow
3.12.102 IAVA0625 2000-B-0002 Netscape Navigator Improperly Validates SSL Sessions
3.12.103 IAVA0630 2000-A-0001 Cross-Site Scripting Vulnerability
3.12.104 IAVA0635 2001-B-0003 U Encoding Intrusion Detection System Bypass Vulnerability
3.12.105 IAVA0640 2002-T-0005 Multiple Vulnerabilities in Oracle Database Server
3.12.106 IAVA0645 2002-T-0006 Multiple Vulnerabilities in Oracle9i Application Server
3.12.107 IAVA0650 2002-T-0010 Denial of Service Vulnerability in ISC-BIND 9
3.12.108 IAVA0655 2002-T-SNMP-003 Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
3.12.109 IAVA0660 2002-A-SNMP-004 Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices
3.12.110 IAVA0665 2002-A-SNMP-005 Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices
3.12.111 IAVA0670 2002-A-SNMP-006 Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
3.12.112 IAVA0675 2003-A-0006 Multiple Vulnerabilities in Multiple Versions of Oracle Database Server
3.12.113 IAVA0680 2004-T-0002 Oracle 9i Application/Database Server Denial Of Service Vulnerability
3.12.114 IAVA0685 2004-T-0005 Oracle9i Lite Mobile Server Multiple Vulnerabilities
3.12.115 IAVA0690 2004-T-0011 Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
3.12.116 IAVA0695 2004-T-0022 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability
3.12.117 IAVA0700 2004-T-0026 Mozilla Network Security Services Library Remote Heap Overflow Vulnerability
3.12.118 IAVA0705 2004-T-0027 Multiple Vulnerabilities in MIT Kerberos V
3.12.119 IAVA0710 2004-B-0009 Oracle E-Business Suite Multiple SQL Injection
3.12.120 IAVA0715 2005-T-0031 Multiple Vulnerabilities in Computer Associates Message Queuing
3.12.121 IAVA0720 2005-B-0007 Symantec UPX Parsing Engine Remote Heap
3.12.122 IAVA0725 2005-B-0008 Trend Micro VSAPI ARJ Handling Heap Overflow
3.12.123 IAVA0730 2005-A-0043 Symantec AntiVirus Library RAR Decompression
3.12.124 IAVA0735 2006-T-0002 Multiple Vulnerabilities within BEA WebLogic Software

http://s3.amazonaws.com/0706/819143.html

07/14/2007 08:21:33 AM

4 SYSTEM CHECKS

Page 20

3.12.125

IAVA0740 2006-T-0005 Multiple Vulnerabilities in Mozilla Products

3.12.126

IAVA0745 2006-T-0007 Veritas NetBackup Multiple Remote Buffer Overflow

3.12.127

IAVA0755 2006-T-0009 Multiple Vulnerabilities in Symantec AntiVirus Engine

3.12.128

IAVA0760 2006-T-0013 RealVNC Remote Authentication Bypass

3.12.129

IAVA0765 2006-T-0023 Multiple Vulnerabilities in Wireshark

3.12.130

IAVA0770 2006-T-0035 Sun Java System/iPlanet Messaging Server

3.12.131
BIND

IAVA0775 2006-B-0016 Multiple Remote Denial of Service Vulnerabilities within ISC

3.12.132

IAVA0780 2006-B-0017 Multiple Vulnerabilities in Adobe Flash Player

3.12.133
IAVA0785 2006-A-0008 Computer Associates (CA) iTechnology iGateway Service
Vulnerability
3.12.134
IAVA0805 2006-A-0050 Multiple Vulnerabilities in Oracle E-Business Suite and
Applications
3.12.135
IAVA0810 2007-T-0001 MIT Kerberos 5 RPC Library Remote Code Execution
Vulnerability
3.12.136
IAVA0815 2007-T-0002 MIT Kerberos 5 Administration Daemon Remote Code Execution
Vulnerability
3.12.137
IAVA0820 2007-T-0003 Sun Java RunTime Environment GIF Images Buffer Overflow
Vulnerability
3.12.138

IAVA0825 2007-A-0001 Snort Backtracking Denial of Service Vulnerability

3.12.139

IAVA0830 2007-A-0002 Snort GRE Packet Decoding Integer Underflow Vulnerability

3.12.140

IAVA0835 2007-A-0006 Multiple Vulnerabilities in Adobe Acrobat

3.12.141

IAVA0840 2007-A-0007 Multiple Vulnerabilities in Oracle Database Server

3.12.142

IAVA0845 2007-A-0008 Multiple Vulnerabilities in Oracle Application Server

3.12.143

IAVA0850 2007-A-0009 Multiple Vulnerabilities in Oracle Collaboration Suite

3.12.144

IAVA0855 2007-A-0010 Multiple Vulnerabilities in Oracle E-Business Suite

3.12.145

IAVA0860 2007-A-0011 Multiple Vulnerabilities in Oracle Enterprise Manager

This page is intentionally left blank.


1. UNIX Overview and Site Information
1. System Equipment
1. GEN000020 Single User Mode Password

Solaris 2.5 - 9
# cd /etc/rcS.d
# grep sulogin *
The sulogin utility should be called from within the svm start up script.
Additionally,
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured

Solaris 10
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured
By default Solaris 10 requires a password and the /etc/default/sulogin does not exist.

HP-UX
# more /tcb/files/auth/system/default
Confirm the d_boot_authenticate is:
:d_boot_authenticate:
The entry :d_boot_authenticate@: is a finding.

AIX
AIX has a chassis key that is used to prevent booting to single-user mode without a password.
Confirm it is in the correct position and the key has been removed.

IRIX
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured

Linux
# more /etc/inittab
Confirm the following line is configured:
~~:S:wait:/sbin/sulogin
If the UNIX host is configurable and is bootable in single-user mode without a password, then this is a finding.

PDI: GEN000020
V0000756
Category: II
Status Code: AUTO
Previously: G001
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2, IAIA-1, IAIA-2
PDI Description: The UNIX host is configurable and is bootable in single-user mode without a password.
Reference: UNIX STIG: 2.5.1.1

2. GEN000040 Single User Mode Password Incompatibility Documentation

Solaris, HP-UX, AIX, IRIX, and Linux support a single-user mode password.

If the UNIX host is not configured to require a password when booted to single-user mode and this is not justified
and documented with the IAO, then this is a finding.
This check is only applicable if GEN000020 is a finding.
PDI: GEN000040
V0000757
Category: II
Status Code: PART
Previously: G002
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, DCID-1
PDI Description: The UNIX host is not configured to require a password when booted to single-user mode and is not justified and documented with the IAO.
Reference: UNIX STIG: 2.5.1.1

3. GEN000060 Single User Mode Password Incompatibility Location

Solaris, HP-UX, AIX, IRIX, and Linux support a single-user mode password.

Solaris 2.5 - 9
# cd /etc/rcS.d
# grep sulogin *
The sulogin utility should be called from within the svm start up script.
Additionally,
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured

Solaris 10
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured

HP-UX
# more /tcb/files/auth/system/default
Confirm the d_boot_authenticate is:
:d_boot_authenticate:
The entry :d_boot_authenticate@: is a finding.

AIX
AIX has a chassis key that is used to prevent booting to single-user mode without a password.
Confirm it is in the correct position and the key has been removed.

IRIX
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured

Linux
# more /etc/inittab
Confirm the following line is configured:
~~:S:wait:/sbin/sulogin
If the UNIX host cannot be configured to require a password when booted to single-user mode and is not located
in a controlled access area accessible only by SAs, then this is a finding. An access-controlled area is defined as
requiring two different checks of an individual's identity and authority before gaining access to the system.
Note: This check is only applicable if GEN000020 is a finding.
PDI: GEN000060
V0000758
Category: II
Status Code: PART
Previously: G003
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: PECF-1, PECF-2
PDI Description: The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area accessible only by SAs.
Reference: UNIX STIG: 2.5.1.1
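The file-based parts of the GEN000020 and GEN000060 procedures (the /etc/default/sulogin PASSREQ test for Solaris and IRIX, and the /etc/inittab sulogin entry for Linux), as an added shell example that is not part of the checklist. File paths are parameters so the functions run against the constructed sample files below rather than the live system.

```shell
#!/bin/sh
# Added example, not from the checklist. Implements the file-based parts of
# GEN000020/GEN000060: /etc/default/sulogin must not set PASSREQ=NO, and a
# sysvinit /etc/inittab must run /sbin/sulogin for runlevel S.

# check_sulogin_passreq FILE: 0 = compliant, 1 = finding.
# A missing file is compliant, because the default is to require a password.
check_sulogin_passreq() {
    [ -f "$1" ] || return 0
    if grep -q '^[[:space:]]*PASSREQ=NO' "$1"; then
        echo "FINDING: $1 sets PASSREQ=NO"
        return 1
    fi
    return 0
}

# check_inittab_sulogin FILE: 0 = compliant, 1 = finding.
# Looks for the exact entry the checklist names: ~~:S:wait:/sbin/sulogin
check_inittab_sulogin() {
    if grep -q '^~~:S:wait:/sbin/sulogin' "$1"; then
        return 0
    fi
    echo "FINDING: $1 does not run /sbin/sulogin for runlevel S"
    return 1
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d)
printf 'PASSREQ=NO\n' > "$tmp/sulogin.bad"
printf '# commented out, so the default (password required) applies\n#PASSREQ=NO\n' > "$tmp/sulogin.ok"
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$tmp/inittab.ok"
printf 'id:3:initdefault:\n' > "$tmp/inittab.bad"

for f in "$tmp/sulogin.ok" "$tmp/sulogin.bad"; do
    if check_sulogin_passreq "$f"; then echo "compliant: $f"; fi
done
for f in "$tmp/inittab.ok" "$tmp/inittab.bad"; do
    if check_inittab_sulogin "$f"; then echo "compliant: $f"; fi
done
```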

4. GEN000080 System Equipment Location

An access-controlled area is defined as requiring two different checks of an individual's identity and authority
before gaining access to the system. One of the checks should require two-factor authentication.
If the UNIX system equipment is not located in a controlled access area, then this is a finding.
PDI: GEN000080
V0001063
Category: II
Status Code: MAN
Previously: G234
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: PECF-1, PECF-2
PDI Description: The UNIX system equipment is not located in a controlled access area.
Reference: UNIX STIG: 2.5.1.1

2. Operating System
1. GEN000100 Supported Release

Check the release of the OS:

Solaris
# uname -a
Supported releases are 2.7 and newer.

HP-UX
# uname -a
Supported releases are 10.20 and newer.

AIX
# uname -a
Supported releases are 4.3 and newer, and 5.1 and newer.

IRIX
# uname -R
Supported releases are 6.5 and newer.

Linux
# uname -r
Supported releases are RedHat Enterprise 3 and newer and SUSE Enterprise 9 and later.
If the operating system is not a supported release, then this is a finding.
PDI: GEN000100
V0011940
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The operating system is not a supported release.
Reference: UNIX STIG: 2.5.2.1

2. GEN000120 Vendor Recommended and Security Patches

Check installed patches:

Solaris
# patchadd -p | grep patch
or
# showrev -p | grep patch

HP-UX
# swlist -l fileset | grep patch

AIX
# /usr/sbin/instfix -c -i | cut -d":" -f1

IRIX
# versions | grep patch

Linux
# rpm -qa | grep patch
Compare the system output with the most current vendor recommended and security patches.

If vendor recommended and security patches are not installed or are out-of-date, then this is a finding. Program
managed specific systems should follow their configuration management cycle which may be longer than a
normal vendor cycle.
PDI: GEN000120
V0000783
Category: II
Status Code: PART
Previously: G033
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1, VIVM-1
PDI Description: Vendor recommended and security patches are not installed or are out-of-date.
Reference: UNIX STIG: 2.5.2.1


3. File Integrity
1. GEN000140 Create and Maintain System Baseline

Confirm with the SA that a system baseline (all device files, all sgid and suid files, and system libraries and
binaries), to include cryptographic hashes of files in the baseline, has been created and is maintained.
If a system baseline (all device files, all sgid and suid files, and system libraries and binaries), to include
cryptographic hashes of files in the baseline, has not been created and is not maintained, then this is a finding.

PDI: GEN000140
V0011941
Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description: A system baseline including cryptographic hashes is not created and maintained.
Reference: UNIX STIG: 2.5.3.1

2. GEN000160 System Baseline Backup on Write-protected Media

Confirm with the SA that the system baseline backup is stored on write-protected media.
If the system baseline backup(s) are not stored on write-protected media, then this is a finding. This check only
applies to backups that are not maintained by automated remote backup systems such as Veritas Netbackup.
PDI: GEN000160
V0011942
Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description: The system baseline backup(s) are not on write-protected media.
Reference: UNIX STIG: 2.5.3.1

3. GEN000220 System Baseline for System Libraries and Binaries Checking

Confirm with the SA that filesystems are checked at least weekly for unauthorized system libraries or binaries or
unauthorized modification to authorized system libraries or binaries.
If filesystems are not checked at least weekly for unauthorized system libraries or binaries or unauthorized
modification to authorized system libraries or binaries, then this is a finding.
PDI: GEN000220
V0011945
Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description: Filesystems are not checked at least weekly for unauthorized system libraries or binaries or unauthorized modification to authorized system libraries or binaries.
Reference: UNIX STIG: 2.5.3.1
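The setuid/setgid portion of the GEN000140 baseline and the weekly re-check GEN000220 asks for, as an added shell example that is not part of the checklist. It assumes GNU find and sha256sum and paths without whitespace, and works on a constructed directory tree rather than the live filesystem.

```shell
#!/bin/sh
# Added example, not from the checklist. Builds the setuid/setgid part of a
# GEN000140 baseline (one sha256 hash per file) and re-checks it as GEN000220
# requires. Assumes GNU find and sha256sum; paths must not contain whitespace.

# baseline_create ROOT OUT: write "hash  path" for every setuid/setgid regular file.
baseline_create() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort |
        while read -r f; do sha256sum "$f"; done > "$2"
}

# baseline_compare ROOT BASELINE: print ADDED/REMOVED/MODIFIED lines.
# Returns 0 when the privileged-file set is unchanged, 1 otherwise (a finding).
baseline_compare() {
    cur=$(mktemp)
    baseline_create "$1" "$cur"
    # First pass (NR==FNR) loads the baseline as path -> hash; the second pass
    # walks the current listing and reports differences in either direction.
    diff_out=$(awk 'NR==FNR { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))       print "ADDED    " $2
          else if (old[$2] != $1) print "MODIFIED " $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }' "$2" "$cur")
    rm -f "$cur"
    [ -z "$diff_out" ] && return 0
    printf '%s\n' "$diff_out"
    return 1
}

# Constructed sample tree: two privileged files and one ordinary file.
root=$(mktemp -d)
mkdir -p "$root/usr/bin" "$root/sbin"
printf 'su v1\n'    > "$root/usr/bin/su";   chmod 4755 "$root/usr/bin/su"
printf 'wall v1\n'  > "$root/usr/bin/wall"; chmod 2755 "$root/usr/bin/wall"
printf 'ordinary\n' > "$root/usr/bin/cat";  chmod 0755 "$root/usr/bin/cat"
base="$root/baseline.sha256"
baseline_create "$root" "$base"

# Simulate the drift GEN000220 is meant to catch: a changed su and a new setuid file.
printf 'su v2 (changed)\n' > "$root/usr/bin/su"
printf 'rogue\n' > "$root/sbin/rogue"; chmod 4755 "$root/sbin/rogue"

if baseline_compare "$root" "$base"; then
    echo "no change to privileged files"
else
    echo "FINDING: privileged file set differs from baseline"
fi
```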

4. GEN000240 Network Time-Server

Check if NTP is running:

All platforms
# ps -e | egrep 'xntpd|ntpd'
Check if ntpdate is scheduled to run:

Solaris
# grep ntpdate /var/spool/cron/crontabs/*

HP-UX
# grep ntpdate /var/spool/cron/crontabs/*

AIX
# grep ntpdate /var/spool/cron/crontabs/*

IRIX
# grep ntpdate /var/spool/cron/crontabs/*

Linux
# grep ntpdate /var/spool/cron/*
# grep ntpdate /etc/cron.d/*
# grep ntpdate /etc/cron.daily/*
# grep ntpdate /etc/cron.hourly/*
# grep ntpdate /etc/cron.monthly/*
# grep ntpdate /etc/cron.weekly/*
If NTP is running or ntpdate is found:
# more /etc/ntp/ntp.conf
Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S.
DOD source.
If a non-local/non-authoritative (U.S. DOD source) time-server is used, then this is a finding.


PDI: GEN000240
V0004301
Category: I
Status Code: AUTO
Previously: G695
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCHW-1
PDI Description: A non-local/non-authoritative (U.S. DOD source) time-server is used.
Reference: UNIX STIG: 2.5.3.1

2. DISCRETIONARY ACCESS CONTROL AND GENERAL SECURITY


1. User Account Controls
1. GEN000260 Shared Account Documentation

Solaris
Check for multiple accesses to an account from different workstations/IP addresses.
# last

HP-UX
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
# lastb -R

AIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last

IRIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last

Linux
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
Discuss with the SA whether shared accounts exist. A shared account is any account, other than root, that more
than one person knows the password to. If shared accounts do exist, confirm with the IAO that the shared accounts
are documented. If a shared account is not justified and documented with the IAO, then this is a
finding.

PDI: GEN000260
V0000759
Category: II
Status Code: AUTO
Previously: G006
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1
PDI Description: A shared account is not justified and documented with the IAO.
Reference: UNIX STIG: 3.1

2. GEN000280 Shared Account Direct Logon

Solaris
Check for multiple accesses to an account from different workstations/IP addresses.
# last

HP-UX
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
# lastb -R

AIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last

IRIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last

Linux
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
Confirm with the SA that, if shared accounts exist, users log on to an individual account and switch user to the shared
account.
If a shared account is logged onto directly, then this is a finding.
Note: This check is only applicable if GEN000260 is a finding.
PDI: GEN000280
V0000760
Category: II
Status Code: PART
Previously: G007
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, IAAC-1
PDI Description: A shared account is logged onto directly.
Reference: UNIX STIG: 3.1
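The `last` review that GEN000260 and GEN000280 describe, as an added shell example that is not part of the checklist: it reads saved `last` output and flags accounts used from more than one remote host (the checklist's indicator of a shared account), and accounts on an IAO-documented shared list that appear in `last` at all (a direct logon). It assumes the common "user tty host date" layout; console lines without a host are skipped.

```shell
#!/bin/sh
# Added example, not from the checklist. Reads saved `last` output (the
# GEN000260/GEN000280 evidence) and flags accounts logged into from more than
# one remote host, and documented shared accounts that were logged into
# directly. Assumes the layout "user tty host date...", so console lines
# (no host, weekday in field 3) are skipped.

# multi_host_accounts LASTFILE: accounts seen from two or more distinct hosts.
multi_host_accounts() {
    awk 'NF < 4 || $1 == "reboot" || $1 == "wtmp" { next }   # noise lines
         $3 ~ /^[A-Z][a-z][a-z]$/ { next }                   # console line: no host field
         !(($1, $3) in seen) { seen[$1, $3] = 1; hosts[$1]++ }
         END { for (u in hosts) if (hosts[u] > 1) print u }' "$1" | sort
}

# direct_logins LASTFILE SHAREDLIST: accounts on the shared list that appear in
# `last`, i.e. were logged into directly instead of reached via su (GEN000280).
direct_logins() {
    awk 'NR==FNR { shared[$1] = 1; next }
         ($1 in shared) && !done[$1] { done[$1] = 1; print $1 }' "$2" "$1" | sort
}

# Constructed sample of `last` output (not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/last.txt" <<'EOF'
bob      pts/0        10.1.1.5         Tue Jul 10 08:00   still logged in
opsadm   pts/1        10.1.1.5         Tue Jul 10 08:05 - 08:30  (00:25)
opsadm   pts/2        10.1.2.9         Tue Jul 10 09:00 - 09:10  (00:10)
opsadm   pts/3        10.1.3.7         Wed Jul 11 07:00 - 07:20  (00:20)
alice    pts/0        10.1.1.6         Wed Jul 11 07:30 - 07:45  (00:15)
alice    tty1                          Wed Jul 11 07:50 - 07:55  (00:05)
bob      pts/1        10.1.1.5         Wed Jul 11 08:00 - 08:10  (00:10)
reboot   system boot  2.6.9-55.EL      Mon Jul  9 06:00          (2+02:00)

wtmp begins Mon Jul  9 06:00:00 2007
EOF
# accounts the IAO has documented as shared (constructed)
printf 'opsadm\nbackup\n' > "$tmp/shared.txt"

echo "accounts used from multiple hosts:"; multi_host_accounts "$tmp/last.txt"
echo "shared accounts logged into directly:"; direct_logins "$tmp/last.txt" "$tmp/shared.txt"
```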

2. Interactive Users
1. GEN000300 Unique Account Name

Solaris
# logins -d

HP-UX
# pwck -s

AIX
# usrck -n ALL

IRIX
# cut -d: -f1 /etc/passwd | sort | uniq -d
If duplicates are found, perform the following to display the full listing.
# grep '^<account_name>:' /etc/passwd

Linux
# pwck -r
If accounts have the same account name, then this is a finding.

PDI: GEN000300
V0000761
Category: III
Status Code: AUTO
Previously: G008
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, IAAC-1
PDI Description: Accounts have the same user or account name.
Reference: UNIX STIG: 3.1.1

2. GEN000320 Unique UID

Solaris
# logins -d

HP-UX
# pwck -s

AIX
# usrck -n ALL

IRIX
# cut -d: -f3 /etc/passwd | sort | uniq -d
If duplicates are found, perform the following to display the complete listing.
# grep '^[^:]*:[^:]*:<account_uid>:' /etc/passwd

Linux
# pwck -r
If accounts have the same uid, then this is a finding.
PDI: GEN000320
V0000762
Category: II
Status Code: AUTO
Previously: G009
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, IAAC-1
PDI Description: Accounts have been assigned the same uid.
Reference: UNIX STIG: 3.1.1

3. GEN000340 Reserved System Account UIDs

# more /etc/passwd
Confirm all accounts with a uid of 99 and below (499 and below for Linux) are used by a system account.
If a uid reserved for system accounts, 0-99 (0-499 for Linux), is used by a non-system account without
documentation, then this is a finding. A regular account within this range must be justified and documented
with the IAO.

PDI: GEN000340
V0011946
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: A uid reserved for system accounts, 0-99 (0-499 for Linux), is used by a non-system account.
Reference: UNIX STIG: 3.1.1

4. GEN000360 Reserved System Account GIDs

# more /etc/passwd
Confirm all accounts with a gid of 99 and below (499 and below for Linux) are used by a system account.
If a gid reserved for system accounts, 0-99 (0-499 for Linux), is used by a non-system account without
documentation, then this is a finding. A regular account within this range must be justified and documented with
the IAO.

PDI: GEN000360
V0000780
Category: II
Status Code: AUTO
Previously: G029
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: A gid reserved for system accounts is used by a non-system account.
gid 14 (sysadmin - Solaris) may be used if documented with the IAO.
gid 20 (users - HPUX) may be used if documented with the IAO.
Reference: UNIX STIG: 3.1.1

5. GEN000380 Groups Referenced in /etc/passwd

Solaris
# logins -d

HP-UX
# pwck -s

AIX
# grpck

IRIX
# more /etc/passwd
Compare with:
# more /etc/group
Confirm each gid referenced in the /etc/passwd file is listed in the /etc/group file.

Linux
# pwck -r
If a group referenced in the /etc/passwd file is not in the /etc/group file, then this is a finding.
PDI: GEN000380
V0000781
Category: IV
Status Code: AUTO
Previously: G030
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2, IAAC-1
PDI Description: A group referenced in the /etc/passwd file is not in the /etc/group file.
Reference: UNIX STIG: 3.1.1
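The IRIX-style passwd/group audit behind GEN000300, GEN000320, GEN000340, GEN000360 and GEN000380, as one added shell example that is not part of the checklist. File paths and the reserved range (99 or 499) are parameters, and "system account" is approximated as an account with a nologin/false shell, which is this example's assumption rather than the checklist's definition.

```shell
#!/bin/sh
# Added example, not from the checklist. Audits a passwd/group pair for the
# conditions in GEN000300 through GEN000380. Paths and the reserved range are
# parameters, so the constructed samples below are used instead of /etc.

# dup_names PASSWD: account names used more than once (GEN000300).
dup_names() { cut -d: -f1 "$1" | sort | uniq -d; }

# dup_uids PASSWD: UIDs shared by more than one account (GEN000320).
dup_uids() { cut -d: -f3 "$1" | sort -n | uniq -d; }

# reserved_uid_nonsystem PASSWD MAX: accounts with UID 0..MAX that look like
# regular accounts (GEN000340). Assumption: a nologin/false shell marks a
# system account, and root is always a system account.
reserved_uid_nonsystem() {
    awk -F: -v max="$2" '
        $3 + 0 <= max + 0 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $3 }' "$1"
}

# reserved_gid_nonsystem PASSWD MAX: the same test on the primary GID (GEN000360).
reserved_gid_nonsystem() {
    awk -F: -v max="$2" '
        $4 + 0 <= max + 0 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $4 }' "$1"
}

# missing_groups PASSWD GROUP: primary GIDs with no group-file entry (GEN000380).
missing_groups() {
    # the group file is read first (NR==FNR), then each passwd entry is checked
    awk -F: 'NR==FNR { known[$3] = 1; next } !($4 in known) { print $1 ":" $4 }' "$2" "$1"
}

# Constructed sample files seeded with one instance of each condition.
tmp=$(mktemp -d)
pw="$tmp/passwd"; gr="$tmp/group"
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
bob:x:1002:100:Duplicate name:/home/bob2:/bin/bash
alice:x:1001:1001:Duplicate uid:/home/alice:/bin/bash
ops:x:450:450:Regular account in reserved range:/home/ops:/bin/bash
carol:x:1003:7777:Primary group missing:/home/carol:/bin/bash
EOF
cat > "$gr" <<'EOF'
root:x:0:
daemon:x:1:
users:x:100:
bob:x:1001:
ops:x:450:
EOF

echo "duplicate names:";  dup_names "$pw"
echo "duplicate uids:";   dup_uids "$pw"
echo "reserved uids (0-499) on regular accounts:"; reserved_uid_nonsystem "$pw" 499
echo "reserved gids (0-499) on regular accounts:"; reserved_gid_nonsystem "$pw" 499
echo "primary groups missing from the group file:"; missing_groups "$pw" "$gr"
```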

3. Logon Warning Banner

1. GEN000400 Logon Warning Banner Display

Login banners will be configured for all services that allow login access to the system. For TCP WRAPPERS, check
for hosts.allow and hosts.deny files and then look for banner files associated with them. For
ssh, locate the ssh configuration file, sshd_config or ssh2d_config. This file is usually located in
/etc/sshd, /etc/ssh2, /etc/ssh, or /usr/local/etc. Confirm that the Banner variable
contains the full path to the file containing the Logon Warning banner. Other files specific to each vendor are
listed below.

Solaris
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/dt/config/*/Xresources (if GUI is implemented)
# more /etc/default/telnetd (if telnet is implemented without TCP_Wrappers)
# more /etc/default/ftpd (if ftp is implemented without TCP_Wrappers)
# more /etc/ftpd/banner.msg (Solaris 9 and above, if ftp is implemented without TCP_Wrappers)

HP-UX
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/dt/config/*/Xresources (if GUI is implemented)
# more /etc/ftpaccess (if ftp is implemented without TCP_Wrappers; should contain banner=/etc/issue)

AIX
Check for logon warning banner display.
# more /etc/motd
# more /etc/dt/config/*/Xresources (if GUI is implemented)
# more /etc/ftpmotd
# more /etc/ftpaccess.ctl
# more /dev/console
# more /etc/security/login.cfg

IRIX
Check for logon warning banner display.
# last

Linux
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/issue.net
# more /etc/X11/xdm/Xresources (if GUI is implemented)
# more /etc/X11/xdm/kdmrc (if GUI is implemented)
# more /etc/X11/gdm/gdm (if GUI is implemented)
# more /etc/vsftpd.conf (if ftp is implemented without TCP_Wrappers)

If the Department of Defense (DOD) logon banner is not displayed prior to a logon attempt, then this is a finding.

PDI: GEN000400
V0000763
Category: II
Status Code: MAN++
Previously: G010
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECWM-1
PDI Description: The Department of Defense (DOD) logon banner is not displayed prior to a logon attempt.
Reference: UNIX STIG: 3.1.2

2. GEN000420 Logon Warning Banner Content

Use the Example Banner in Appendix G, Sample Logon Warning Banner, for further information. An exact
match is not required as long as these five elements are included.
A compressed version (subset) may be used as long as the below listed points are included:

The system is a DOD system.
The system is subject to monitoring.
Monitoring is authorized in accordance with applicable laws and regulations and conducted for purposes of
systems management and protection, protection against improper or unauthorized use or access, and
verification of applicable security features or procedures.
Use of the system constitutes consent to monitoring.
This system is for authorized US government use only.

If the Department of Defense (DOD) login banner does not contain the required notice and consent information,
then this is a finding.
PDI: GEN000420
V0000764
Category: II
Status Code: MAN++
Previously: G011
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECWM-1
PDI Description: The Department of Defense (DOD) login banner does not contain the required notice and consent information.
Reference: UNIX STIG: 3.1.2
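The ssh part of GEN000400 (the Banner variable names a file) together with the GEN000420 content check, as an added shell example that is not part of the checklist. The five keyword patterns are a reviewer's heuristic for the five listed points, an assumption of this example rather than the official banner wording, and all files are constructed.

```shell
#!/bin/sh
# Added example, not from the checklist. GEN000400: sshd_config must set
# Banner to a file. GEN000420: that file must carry the five required points.
# The keyword patterns below are an assumption, not the official wording.

# sshd_banner_path SSHD_CONFIG: the Banner file, or nothing if unset or "none".
sshd_banner_path() {
    awk 'tolower($1) == "banner" && tolower($2) != "none" { print $2; exit }' "$1"
}

# banner_missing_points BANNERFILE: print one line per required point that is
# absent; exit status is 0 only when all five are present.
banner_missing_points() {
    missing=0
    for pat in 'DOD|Department of Defense' \
               'subject to monitoring' \
               'in accordance with applicable laws' \
               'consent to monitoring' \
               'authorized US government use only'; do
        if ! grep -Eqi "$pat" "$1"; then
            echo "missing: $pat"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed files (not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/banner.ok" <<'EOF'
This is a DOD computer system and is for authorized US government use only.
The system is subject to monitoring.
Monitoring is authorized in accordance with applicable laws and regulations and
conducted for purposes of systems management and protection.
Use of the system constitutes consent to monitoring.
EOF
printf 'Welcome to host1. Unauthorized access is prohibited.\n' > "$tmp/banner.bad"
printf 'Port 22\nProtocol 2\nBanner %s\n' "$tmp/banner.ok" > "$tmp/sshd_config"
printf 'Port 22\n#Banner none\n' > "$tmp/sshd_config.nobanner"

for cfg in "$tmp/sshd_config" "$tmp/sshd_config.nobanner"; do
    b=$(sshd_banner_path "$cfg")
    if [ -z "$b" ]; then
        echo "FINDING: $cfg does not set Banner"
    elif banner_missing_points "$b"; then
        echo "$cfg: banner $b has all required points"
    else
        echo "FINDING: $cfg: banner $b is incomplete"
    fi
done
```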

4. Account Access
1. GEN000440 Logging Login Attempts

Solaris
Check if successful logons are being logged.
# last | more
Check if unsuccessful logons are being logged.
# ls -l /var/adm/loginlog

HP-UX
Check if successful logons are being logged.
# last -R | more
Check if unsuccessful logons are being logged.
# lastb -R | more

AIX
Check if successful logons are being logged.
# last | more
Check if unsuccessful logons are being logged.
# last -f /etc/security/failedlogin | more

IRIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last | more

Linux
Check if successful logons are being logged.
# last -R | more
Check if unsuccessful logons are being logged.
# lastb -R | more
If successful and unsuccessful logins and logouts are not logged, then this is a finding.
PDI: GEN000440
V0000765
Category: II
Status Code: AUTO
Previously: G012
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-1, ECAR-2, ECAR-3
PDI Description: Successful and unsuccessful logins and logouts are not logged.
Reference: UNIX STIG: 3.1.3

2. GEN000460 Three Failed Login Attempts

Solaris 5.1 through Solaris 9
Confirm RETRIES is set to 3 or less in /etc/default/login. This does not lock the account, but will discourage
brute force password guessing attacks.
# grep RETRIES /etc/default/login

Solaris 10
Confirm LOCK_AFTER_RETRIES is set to YES.
# grep LOCK_AFTER_RETRIES /etc/security/policy.conf

HP-UX
Confirm the u_maxtries is set to 3 or less, but not 0.
# grep :u_maxtries# /tcb/files/auth/system/default

AIX
Confirm the loginretries field is set to 3 or less, but not 0 for each user.
# /usr/sbin/lsuser -a loginretries ALL

IRIX
Confirm LOCKOUT is set to 3 or less, but not 0.
# grep LOCKOUT /etc/default/login

Linux
# more /etc/pam.d/system-auth
Confirm the following line is configured:
account required /lib/security/pam_tally.so deny=3 no_magic_root reset

If the above settings are not correct, then this is a finding.


PDI: GEN000460
V0000766
Category: II
Status Code: AUTO
Previously: G013
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLO-1, ECLO-2
PDI Description: After three consecutive unsuccessful login attempts, the account is not disabled.
Reference: UNIX STIG: 3.1.3

3. GEN000480 Login Delay

Solaris
Confirm SLEEPTIME is set to 4 or more, or that this variable is not configured, as 4 is the system default.
# grep SLEEPTIME /etc/default/login
Note: This check is currently not applicable for Solaris 5.10.

HP-UX
Confirm the t_logdelay is set to 4 or more.
# grep :t_logdelay# /tcb/files/auth/system/default

AIX
Confirm the logindelay field is set to 4 or more.
# grep logindelay /etc/security/login.cfg

IRIX
Confirm SLEEPTIME is set to 4 or more.
# grep SLEEPTIME /etc/default/login

Linux
Confirm FAIL_DELAY is set to 4 or more.
# grep FAIL_DELAY /etc/login.defs

PDI: GEN000480
V0000768
Category: II
Status Code: AUTO
Previously: G015
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLO-1, EC LO-2
PDI Description: The login delay between login prompts after a failed login is set to at least four seconds.
Reference: UNIX STIG: 3.1.3

5. Inactivity Timeout/Locking

1. GEN000500 Inactivity

This requirement can be satisfied with policy or a SOP to configure terminals and workstations with a screen lock
or password protected screen saver after 15 idle minutes. The windows software may also be configured to
support it.
For systems configured to use XLock, the command xlock will lock the display session. For systems configured
to use XScreensaver, the command xscreensaver-command lock will lock the display session. Ask the
SA to verify, at the command line, one of the screen-locking commands actually locks the display.
Solaris, under OpenWindows, uses a command called xlock for manually locking displays. HP 10.X uses a
command called lock that works on ASCII (not Windows) displays. Both Solaris and HP 10.X windows
systems offer a lock icon that will lock the display just by clicking on it.
If there is no terminal lockout or session disconnect after 15 inactive minutes requiring the account password to
resume or a new session, then this is a finding.

PDI: GEN000500
V0004083
Category: II
Status Code: MAN
Previously: G605
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: PESL-1
PDI Description: There is no terminal lockout or session disconnect after 15 inactive minutes requiring the account password to resume or a new session.
Reference: UNIX STIG: 3.1.4

2. GEN000520 Continuous Display

If there is an application running on the system that is continuously in use (such as a network monitoring
application), ask the SA what the name of the application is.
# ps -ef | more
If the logon session for an application requiring a continuous display does not ensure all of the following:
The logon session is not a root session.
The inactivity exemption is justified and documented with the IAO.
The display station (e.g., keyboard, CRT) is located in a controlled access area.
then this is a finding.

PDI: GEN000520
V0000769
Category: II
Status Code: MAN
Previously: G016
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The logon session for an application requiring a continuous display does not ensure:
The logon session is not a root session.
The inactivity exemption is justified and documented with the IAO.
The display station (e.g., keyboard, CRT) is located in a controlled access area.
Reference: UNIX STIG: 3.1.4

6. Password Guidelines
1. GEN000540 Password Change 24 Hours

Solaris
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow

HP-UX
Confirm the mintm is set to 1 or more for each user.
# getprpw -r -m mintm <USER>

AIX
Confirm the minage field is set to 1 or more for each user.
# /usr/sbin/lsuser -a minage ALL

IRIX
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow

Linux
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow
If passwords can be changed more than once every 24 hours, then this is a finding.
PDI: GEN000540
V0001032
Category: II
Status Code: AUTO
Previously: G004
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAAC-1
PDI Description: Passwords can be changed more than once every 24 hours.
Reference: UNIX STIG: 3.2.1

2. GEN000560 Password Protect Enabled Accounts

Examine the /etc/shadow (or equivalent) looking for accounts with blank passwords using the following
commands:

SOLARIS
# pwck

HP-UX
# pwck -s or authck -p

AIX
# pwdck -n ALL

IRIX
# awk -F: '{ if ( $2 == "" ) print $0; }' < /etc/shadow

Linux
# grep nullok /etc/pam.d/system-auth
If an entry for nullok is found, then this is a finding on Linux.
PDI: GEN000560
V0000770
Category: I
Status Code: AUTO
Previously: G018
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, DCCS-1, DCCS-2
PDI Description: An enabled account on the system is not password protected.
Reference: UNIX STIG: 3.2.1
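The shadow-file review behind GEN000540 (min days, field 4) and GEN000560 (blank password field, plus the Linux nullok test), as one added shell example that is not part of the checklist. It treats entries whose password field starts with * or ! as locked rather than enabled, which is this example's assumption, and reads constructed sample files.

```shell
#!/bin/sh
# Added example, not from the checklist. Reads a shadow-format file and
# reports the GEN000540 and GEN000560 conditions: enabled accounts with an
# empty password field, and accounts whose "min days" (field 4) allows a
# password change within 24 hours. Also checks a PAM file for an active
# nullok option, the Linux test in GEN000560. All inputs are constructed.

# blank_passwords SHADOW: accounts whose password field is empty.
blank_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# min_days_too_low SHADOW: accounts that can change their password at once.
# Locked entries (* or ! prefix) are not enabled accounts and are skipped
# (assumption). Field 4 empty or below 1 is the finding.
min_days_too_low() {
    awk -F: '$2 !~ /^[*!]/ && ($4 == "" || $4 + 0 < 1) {
                 print $1 ":" ($4 == "" ? "unset" : $4) }' "$1"
}

# pam_allows_nullok PAMFILE: 0 when an uncommented line carries nullok.
pam_allows_nullok() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'nullok'
}

tmp=$(mktemp -d)
cat > "$tmp/shadow" <<'EOF'
root:$1$c0nstructed$hash:13700:1:99999:7:::
bob:$1$c0nstructed$hash:13700:0:60:7:::
guest::13700:1:60:7:::
svc:*:13700:0:99999:7:::
alice:$1$c0nstructed$hash:13700::60:7:::
carol:!!:13700:::::
EOF
cat > "$tmp/system-auth" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
#auth       sufficient    /lib/security/pam_unix.so nullok
password    sufficient    /lib/security/pam_unix.so md5 shadow use_authtok
EOF

echo "accounts with blank passwords:"; blank_passwords "$tmp/shadow"
echo "accounts able to change passwords within 24 hours:"; min_days_too_low "$tmp/shadow"
if pam_allows_nullok "$tmp/system-auth"; then
    echo "FINDING: nullok is enabled in $tmp/system-auth"
fi
```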

3. GEN000580 Password Length

Solaris
Confirm PASSLENGTH is set to 9 or more.
# grep PASSLENGTH /etc/default/passwd

HP-UX
Confirm MIN_PASSWORD_LENGTH is set to 9 or more.
# grep MIN_PASSWORD_LENGTH /etc/default/security

AIX
Confirm the minlen field is set to 9 or more for each user.
# /usr/sbin/lsuser -a minlen ALL

IRIX
Confirm PASSLENGTH is set to 9 or more for each user.
# grep PASSLENGTH /etc/default/passwd

Linux
Confirm pass_min_len is set to 9 or more for each user.
# grep minlen /etc/pam.d/passwd
If a password does not contain a minimum of 9 characters, then this is a finding.
PDI: GEN000580 (V0011947)
Category: II
Status Code: AUTO
Previously: G019
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A password does not contain a minimum of 9 characters.
Reference: UNIX STIG: 3.2.1

4. GEN000600 Password Character Mix

Verify that at least 2 lowercase letters and at least 2 uppercase letters are required.

Solaris 9 and prior
This check is not applicable.

Solaris 10
Confirm MINLOWER is set to at least 2 and MINUPPER is set to at least 2.
# egrep 'MINLOWER|MINUPPER' /etc/default/passwd

HP-UX
# grep PASSWORD_MIN_LOWER_CASE_CHARS /etc/default/security
# grep PASSWORD_MIN_UPPER_CASE_CHARS /etc/default/security

AIX
# grep minalpha /etc/security/user
(AIX enforces a minimum count of alphabetic characters with minalpha; it does not distinguish upper from lower case.)

Linux
# egrep 'lcredit|ucredit' /etc/pam.d/system-auth
lcredit and ucredit should be set to -2. A negative pam_cracklib credit value is a minimum count; a positive value is
only a length credit and enforces nothing.
If the settings do not enforce at least two lower case letters and two upper case letters, then this is a finding.
PDI: GEN000600 (V0011948)
Category: II
Status Code: PART
Previously: G019
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A password does not contain at least two upper and two lower alphabetic characters.
Reference: UNIX STIG: 3.2.1


5. GEN000620 Password Character Mix

Solaris 9 and prior
This check is not applicable.

Solaris 10
Confirm MINDIGIT is greater than or equal to 2.
# grep MINDIGIT /etc/default/passwd

HP-UX
# grep PASSWORD_MIN_DIGIT_CHARS /etc/default/security

AIX
# grep minother /etc/security/user
(minother counts non-alphabetic characters, so digits and special characters are pooled in one minimum.)

Linux
# grep dcredit /etc/pam.d/system-auth
dcredit should be set to -2.
If the minimum digits setting is not greater than or equal to 2, then this is a finding.

PDI: GEN000620 (V0011972)
Category: II
Status Code: PART
Previously: G019
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A password does not contain at least two numeric characters.
Reference: UNIX STIG: 3.2.1

6. GEN000640 Password Character Mix


Solaris 9 and prior
Not applicable

Solaris 10
Confirm MINSPECIAL is 2 or greater.
# grep MINSPECIAL /etc/default/passwd

HP-UX
# grep PASSWORD_MIN_SPECIAL_CHARS /etc/default/security

Linux
# grep ocredit /etc/pam.d/passwd
or
# grep ocredit /etc/pam.d/system-auth
ocredit should be set to -2.

AIX
Not applicable
If the special characters setting is not greater than or equal to 2, then this is a finding.
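The three pam_cracklib credit checks (GEN000600, GEN000620 and this one) share a pitfall on Linux: a positive credit value enforces nothing, and an absent option silently defaults to 1. The following added shell example, which is not part of this checklist, parses constructed pam_cracklib lines and reports which of lcredit, ucredit, dcredit and ocredit fall short of -2. The sample lines and function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the UNIX checklist): evaluate the pam_cracklib
# credit options that GEN000600/GEN000620/GEN000640 look for on Linux.
#
# pam_cracklib semantics: a NEGATIVE value -N on lcredit/ucredit/dcredit/ocredit
# is a requirement (at least N characters of that class); a positive value is
# only a length credit and enforces nothing; an absent option defaults to 1.
# So "ucredit=1" or a missing ocredit is just as much a finding as "ucredit=-1".

# Constructed sample lines (not from a real host).
SAMPLE_PAM_WEAK='password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-1 ucredit=1 dcredit=-2'
SAMPLE_PAM_GOOD='password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2'

# Read PAM configuration on stdin; print "<option>=<effective value> <verdict>"
# for each credit option on every active (uncommented) pam_cracklib line.
cracklib_credit_findings() {
    awk '
        /^[[:space:]]*#/ { next }
        /pam_cracklib\.so/ {
            split("lcredit ucredit dcredit ocredit", want, " ")
            for (i = 1; i <= 4; i++) val[want[i]] = 1          # module default
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2 && (kv[1] in val))
                    val[kv[1]] = kv[2] + 0
            for (i = 1; i <= 4; i++) {
                k = want[i]
                print k "=" val[k], (val[k] <= -2 ? "ok" : "FINDING")
            }
        }'
}

# Number of findings, usable as a pass/fail gate.
cracklib_credit_finding_count() {
    cracklib_credit_findings | awk '/FINDING/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_PAM_WEAK" | cracklib_credit_findings
# lcredit=-1 FINDING / ucredit=1 FINDING / dcredit=-2 ok / ocredit=1 FINDING
# On a live system:  cracklib_credit_findings < /etc/pam.d/system-auth
```

A plain grep for ocredit, as in the check above, returns nothing when the option is absent, which is the case that this function reports as a finding.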

PDI: GEN000640 (V0011973)
Category: II
Status Code: PART
Previously: G019
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A password does not contain at least two special characters.
Reference: UNIX STIG: 3.2.1

7. GEN000660 Password Contents

This is a manual check of site policy in most cases. Refer to Appendix E, Password Protection Schemes, for
password configuration guidelines.

PDI: GEN000660 (V0011974)
Category: II
Status Code: MAN
Previously: G019
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A password contains information such as names, telephone numbers, account names, dictionary words, etc.
Reference: UNIX STIG: 3.2.1

8. GEN000680 Password Contents


This check applies only to Solaris 10 and AIX. Most other operating systems have not implemented the
password complexity controls needed to comply with this check.

Solaris 10
Confirm MAXREPEATS is set to less than 3.
# grep MAXREPEATS /etc/default/passwd

AIX
Confirm maxrepeats is set to less than 3.
# grep -i maxrepeats /etc/security/user

If MAXREPEATS (Solaris) or maxrepeats (AIX) is not set to a value less than 3, then this is a finding.

PDI: GEN000680 (V0011975)
Category: II
Status Code: PART
Previously: G019
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A password contains consecutive repeating characters.
Reference: UNIX STIG: 3.2.1

9. GEN000700 Password Change Every 60 Days

Solaris
Confirm the max days field (the 5th field) is set to 60 or less, but not 0, for each user.
# more /etc/shadow

HP-UX
Confirm exptm is set to 60 or less, but not 0, for each user (exptm is expressed in days).
# getprpw -r -m exptm <USER>

AIX
Confirm the maxage field is set to 8 or less, but not 0, for each user (maxage is expressed in weeks; 8 weeks is the
largest value within 60 days).
# /usr/sbin/lsuser -a maxage ALL

IRIX
Confirm the max days field (the 5th field) is set to 60 or less, but not 0, for each user.
# more /etc/shadow

Linux
Confirm the max days field (the 5th field) is set to 60 or less, but not 0, for each user.
# more /etc/shadow
If passwords are not changed at least every 60 days (a max days value of 0, an empty field, or a value greater than 60),
then this is a finding.
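Added example, not part of this checklist: the shell script below reads /etc/shadow-format lines and applies the GEN000540 criterion (field 4, min days at least 1) and the GEN000700 criterion (field 5, max days between 1 and 60) together, so both can be reviewed in one pass of the file. The sample shadow lines are constructed, and skipping locked accounts (password field "*" or beginning with "!") is a choice of the example rather than of the checklist.

```shell
#!/bin/sh
# Added example (not part of the UNIX checklist): password-aging review of
# /etc/shadow-format data, covering GEN000540 (min days, field 4, at least 1)
# and GEN000700 (max days, field 5, 1..60) in one pass.

# Constructed sample /etc/shadow content (hashes shortened); not from a real host.
SAMPLE_SHADOW='root:$1$aa$AA:13678:1:60:7:::
alice:$1$bb$BB:13678:0:60:7:::
bob:$1$cc$CC:13678:1:90:7:::
carol:$1$dd$DD:13678:1:0:7:::
dave:$1$ee$EE:13678:::::
svc:*:13678::::::
eve:!!:13678:1:60:7:::'

# Print "<user> <reason>" for each aging violation.  Accounts whose password
# field is "*" or starts with "!" are locked and cannot change their password,
# so they are skipped here (a design choice of this example, not of the checklist).
# An empty field is reported as "unset": no minimum and no expiry are enforced.
shadow_aging_findings() {
    awk -F: '
        $2 == "*" || $2 ~ /^!/ { next }
        {
            mins = ($4 == "") ? "unset" : $4;  min = $4 + 0
            maxs = ($5 == "") ? "unset" : $5;  max = $5 + 0
            if (min < 1)             print $1, "min-days=" mins " (must be >= 1)"
            if (max < 1 || max > 60) print $1, "max-days=" maxs " (must be 1..60)"
        }'
}

# Number of violations, usable as a pass/fail gate.
shadow_aging_finding_count() {
    shadow_aging_findings | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging_findings
# alice min-days=0 ... / bob max-days=90 ... / carol max-days=0 ... / dave (both fields unset)
# On a live system (as root):  shadow_aging_findings < /etc/shadow
```

On HP-UX trusted systems and AIX the same values live in the TCB database and /etc/security/user respectively, so this script applies only to the platforms that keep aging fields in /etc/shadow.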
PDI: GEN000700 (V0011976)
Category: II
Status Code: AUTO
Previously: G020
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: Passwords are not changed at least every 60 days.
Reference: UNIX STIG: 3.2.1

10. GEN000740 Password Change Every Year

Ask the SA if there are any automated processing accounts on the system. If there are, ask the SA whether the
passwords for those automated accounts are changed at least once a year. If not, then this is a finding.
PDI: GEN000740 (V0011977)
Category: II
Status Code: MAN
Previously: AD33
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: A non-interactive/automated processing account password is not changed at least once a year.
Reference: UNIX STIG: 3.2.1

11. GEN000760 Inactive Accounts are not locked

An inactive account is one with no recent entry in the last log. Check the date of each account's most recent
login (for example with the last command) to verify it is within the last 35 days. For any account inactive longer
than 35 days, confirm it is disabled, either via an entry in the password field of /etc/passwd or /etc/shadow (or
the TCB equivalent) or by an invalid login shell in /etc/passwd. If an inactive account is disabled by neither
means, then this is a finding.

PDI: GEN000760 (V0000918)
Category: II
Status Code: AUTO
Previously: G071
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAAC-1, DCSS-1, DCSS-2
PDI Description: An account is not locked after 35 days of inactivity.
Reference: UNIX STIG: 3.2.1

12. GEN000780 Easily Guessed Passwords

Check this PDI by running a password strength application, such as Crack or John the Ripper, against the system's
password hashes. If no such tool is available, then the check should be marked Not Reviewed with an appropriate
explanation in the Remarks field.

PDI: GEN000780 (V0002390)
Category: I
Status Code: AUTO
Previously: G511
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1
PDI Description: Easily guessed passwords are used.
Reference: UNIX STIG: 3.2.1

13. GEN000800 Password Reuse

Solaris 10
Confirm HISTORY is set to 5 or more.
# grep HISTORY /etc/default/passwd

HP-UX
# grep HISTORY /etc/default/security

Linux
# ls /etc/security/opasswd
# grep password /etc/pam.d/system-auth | grep pam_unix.so | grep remember

If /etc/security/opasswd does not exist, then this is a finding. If the remember option on the pam_unix.so password
line in /etc/pam.d/system-auth is not set to 5 or more, then this is a finding.

If passwords are reused within the last five changes, then this is a finding.
PDI: GEN000800 (V0004084)
Category: II
Status Code: AUTO
Previously: G606
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1
PDI Description: Passwords are reused within the last five changes.
Reference: UNIX STIG: 3.2.1

14. GEN000820 Global Password Configuration Files

Solaris
Confirm MINWEEKS is set to 1 or more.
# grep MINWEEKS /etc/default/passwd
Confirm MAXWEEKS is set to 8 or less, but not 0.
# grep MAXWEEKS /etc/default/passwd

HP-UX
Confirm the default mintm is set to 1 or more.
# getprdef -r -m mintm
Confirm the default exptm is set to 60 or less, but not 0.
# getprdef -r -m exptm

AIX
Confirm the default minage is set to 1 or more and the default maxage is set to 8 or less, but not 0 (both values are in weeks).
# grep minage /etc/security/user
# grep maxage /etc/security/user

IRIX
Confirm MINWEEKS is set to 1 or more.
# grep MINWEEKS /etc/default/passwd
Confirm MAXWEEKS is set to 8 or less, but not 0.
# grep MAXWEEKS /etc/default/passwd

Linux
Confirm PASS_MIN_DAYS is set to 1 or more.
# grep PASS_MIN_DAYS /etc/login.defs
Confirm PASS_MAX_DAYS is set to 60 or less, but not 0.
# grep PASS_MAX_DAYS /etc/login.defs
Note: /etc/login.defs values are applied when an account is created; existing accounts keep the per-user values in
/etc/shadow that GEN000540 and GEN000700 check.
If global password configuration files are not configured per guidelines, then this is a finding.
PDI: GEN000820 (V0011978)
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, DCSS-1, DCSS-2
PDI Description: Global password configuration files are not configured per guidelines.
Reference: UNIX STIG: 3.2.1

15. GEN000840 Root Account Access

Ask the SA for the names of the people sharing the root password and verify that they are security or SA personnel.
Ask the SA whether the root users are documented with the IAO. If they are not, then this is a finding.
PDI: GEN000840 (V0004303)
Category: II
Status Code: MAN
Previously: G691
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: Access to the root account is not limited to security and administrative users who require such access and not documented with the IAO.
Reference: UNIX STIG: 3.2.1

16. GEN000860 Password Change for Administrative Passwords Upon SA Reassignment

Ask the SA or the IAO for the password procedures stating that root passwords are changed upon administrator
reassignment. If there is no such documentation, then this is a finding.

PDI: GEN000860 (V0000971)
Category: III
Status Code: MAN
Previously: AD16
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1, IAAC-1
PDI Description: Administrative passwords are not changed when an individual with access to the root password is reassigned.
Reference: UNIX STIG: 3.2.1

7. Root Account
1. GEN000880 Root's UID

Perform the following to check for a duplicate root uid:

# grep :0: /etc/passwd | awk -F: '{print $1":"$3":"}' | grep ':0:'

If any accounts are shown in addition to root, then this is a finding.

PDI: GEN000880 (V0000773)
Category: II
Status Code: AUTO
Previously: G021
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: An account other than root has a uid of 0.
Reference: UNIX STIG: 3.3

2. GEN000900 Root's Home Directory

Perform the following to check compliance:

# grep '^root:' /etc/passwd | awk -F: '{print $6}'

If the root user home directory is /, then this is a finding.


PDI: GEN000900 (V0000774)
Category: IV
Status Code: AUTO
Previously: G022
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The root account home directory has not been changed from /.
Reference: UNIX STIG: 3.3


3. GEN000920 Root's Home Directory Permissions

Perform the following as root:

# grep '^root:' /etc/passwd | awk -F: '{print $6}'
# ls -ld <root home directory>

If the permissions of the root home directory are more permissive than 700, then this is a finding. If the home
directory is /, this check will be marked Not Applicable.
PDI: GEN000920 (V0000775)
Category: II
Status Code: AUTO
Previously: G023
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The root account home directory (other than /) is more permissive than 700.
Reference: UNIX STIG: 3.3

4. GEN000940 Root's Search Path

As the root user perform the following to check the search path:
# echo $PATH

If the PATH variable contains a '.' or '::', or starts or ends with ':', then this is a finding. An empty element
(produced by '::' or by a leading or trailing ':') is searched as the current directory, exactly as '.' is.
PDI: GEN000940 (V0000776)
Category: II
Status Code: AUTO
Previously: G024
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The root account's search path contains a '.' or '::', or starts or ends with a ':'.
Reference: UNIX STIG: 3.3

5. GEN000960 Root's Search Path

As the root user perform the following to check the search path:
# echo $PATH
# ls -ld <each directory in path variable>

If any of the directories in the PATH variable are world writable, then this is a finding.
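Added example, not part of this checklist: shell functions implementing GEN000940 and GEN000960 against a PATH string. path_findings goes slightly beyond the text by also flagging relative entries such as bin or ./tools, which the shell likewise resolves against the current directory; world_writable_path_dirs tests the other-write bit with find -perm -002. Function names and the demonstration values are the example's own.

```shell
#!/bin/sh
# Added example (not part of the UNIX checklist): root search-path review for
# GEN000940 (".", "::", leading/trailing ":") and GEN000960 (world-writable
# directories).  Relative entries such as "bin" are flagged as well, since they
# are searched relative to the current directory just like ".".

# GEN000940: print one line per unsafe element of the PATH string in $1.
# A leading ":", a trailing ":" or "::" all yield an empty element, which the
# shell searches as the current directory, exactly like ".".
path_findings() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) {
            if ($i == "")            print "empty element (current directory) at position " i
            else if ($i == ".")      print "\".\" at position " i
            else if ($i !~ /^\//)    print "relative entry \"" $i "\" at position " i
        }
    }'
}

# GEN000960: print each existing directory in the PATH string in $1 that is
# world writable.  "find -prune" stops find from descending into the directory;
# "-perm -002" tests the other-write bit and is portable across find versions.
world_writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] && [ -d "$d" ] || continue
        [ -n "$(find "$d" -prune -perm -002 -print 2>/dev/null)" ] && printf '%s\n' "$d"
    done
}

# Demonstration on a constructed value; on a live system run: path_findings "$PATH"
path_findings '/usr/sbin:/usr/bin::/sbin:.'
# empty element (current directory) at position 3
# "." at position 5
world_writable_path_dirs "$PATH"
```

Run both functions from root's own login shell, since the PATH that matters is the one root actually inherits, not the reviewer's.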
PDI: GEN000960 (V0000777)
Category: II
Status Code: AUTO
Previously: G025
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The root account has world writable directories in its search path.
Reference: UNIX STIG: 3.3

6. GEN000980 Root Console Access

Solaris
Confirm CONSOLE is set to /dev/console and that the line is not commented out (a leading # would still match the grep below).
# grep CONSOLE=/dev/console /etc/default/login

HP-UX
Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null.
# more /etc/securetty

AIX
Confirm rlogin is set to false for root.
# /usr/sbin/lsuser -a rlogin root

IRIX
Confirm CONSOLE is set to /dev/console or the console device, and that the line is not commented out.
# grep CONSOLE /etc/default/login

Linux
Confirm /etc/securetty exists and is empty or contains only the word console or a single tty
device.
# more /etc/securetty
If root can log in directly from anywhere other than the system console, then this is a finding.

PDI: GEN000980 (V0000778)
Category: II
Status Code: AUTO
Previously: G026
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2
PDI Description: The root account can be directly logged into from somewhere other than the system console.
Reference: UNIX STIG: 3.3

7. GEN001000 Remote Consoles

Solaris 2.5, 2.6, and 7
Confirm CONSOLE is set to /dev/console.
# grep CONSOLE=/dev/console /etc/default/login
Solaris 8, 9, and 10
Confirm there is no output from the following command.
# consadm -p

HP-UX
Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null.
# more /etc/securetty

AIX
Ensure /etc/security/login.cfg does not define an alternate console.
# more /etc/security/login.cfg

IRIX
Confirm CONSOLE is set to /dev/console or the console device.
# grep CONSOLE /etc/default/login

Linux
Confirm /etc/securetty exists and is empty or contains only the word console or a single tty
device.
# more /etc/securetty
If any remote console is defined, then this is a finding.

PDI: GEN001000 (V0004298)
Category: II
Status Code: AUTO
Previously: G698
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCHW-1
PDI Description: There are remote consoles defined.
Reference: UNIX STIG: 3.3

8. GEN001020 Direct Root Login

Perform the following to check if root is logging in directly:

# last root | grep -v reboot
If any entries exist for root other than from the console, then this is a finding.
PDI: GEN001020 (V0011979)
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, IAAC-1
PDI Description: The root account is logged onto directly.
Reference: UNIX STIG: 3.3

9. GEN001060 Log Root Access Attempts

Check the following log files to determine if access to the root account is being logged. To generate a test entry,
attempt to su to root and enter an incorrect password, then confirm the failed attempt appears in the log.

Solaris
# more /var/adm/sulog

HP-UX
# more /var/adm/sulog

AIX
# more /var/adm/sulog

IRIX
# more /var/adm/sulog

Linux
# more /var/log/messages
or
# more /var/log/secure (authpriv facility on Red Hat-based systems)
or
# more /var/adm/sulog (configurable from /etc/default/su)
If successful and unsuccessful attempts to access the root account are not logged, then this is a finding.
PDI: GEN001060 (V0011980)
Category: II
Status Code: AUTO
Previously: G027
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-1, ECAR-2, ECAR-3
PDI Description: Successful and unsuccessful access to the root account are not logged.
Reference: UNIX STIG: 3.3


10. GEN001080 Root Shell

Perform the following to determine if /usr is a separately mounted filesystem.

# grep /usr /etc/vfstab
or
# grep /usr /etc/fstab
If /usr is partitioned, check the location of root's default shell.
# grep "^root:" /etc/passwd | grep ":/usr"
If the root shell resides on a separately mounted /usr filesystem (and would therefore be unavailable in single-user
mode or if /usr fails to mount), then this is a finding.
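Added example, not part of this checklist: a shell script that applies GEN000880 (extra UID 0 accounts), GEN000900 (root home directory is /) and this check (root shell under a separately mounted /usr) to constructed /etc/passwd and /etc/vfstab data. Function names and sample data are the example's own; on a live system feed it the real files as shown in the comments.

```shell
#!/bin/sh
# Added example (not part of the UNIX checklist): root-account checks over
# /etc/passwd and vfstab/fstab data, covering GEN000880 (extra UID 0 accounts),
# GEN000900 (root home is /) and GEN001080 (root shell under a separate /usr).

# Constructed sample data (not from a real host).
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/usr/bin/ksh
toor:x:0:0:second root:/root:/bin/sh
bin:x:2:2::/usr/bin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash'

# Solaris vfstab layout: device, raw device, mount point, type, pass, boot, options
SAMPLE_VFSTAB='#device  device-to-fsck  mount  FS  pass  boot  options
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /usr ufs 1 no -'

# GEN000880: accounts with UID 0 whose name is not root (passwd data on stdin).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# GEN000900: root's home directory, field 6 (passwd data on stdin).
root_home() {
    awk -F: '$1 == "root" { print $6; exit }'
}

# True if <mountpoint> has its own entry in the fstab/vfstab data on stdin.
# The mount point is field 2 in Linux/BSD fstab and field 3 in Solaris vfstab.
is_separate_mount() {
    awk -v mp="$1" '!/^#/ && ($2 == mp || $3 == mp) { found = 1 } END { exit !found }'
}

# GEN001080: true (finding) if root's shell lives under /usr AND /usr is a
# separate filesystem.  $1 = passwd data, $2 = fstab/vfstab data.
root_shell_on_separate_usr() {
    rs=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $7; exit }')
    case "$rs" in
        /usr/*) printf '%s\n' "$2" | is_separate_mount /usr ;;
        *)      return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts     # toor
printf '%s\n' "$SAMPLE_PASSWD" | root_home               # /
root_shell_on_separate_usr "$SAMPLE_PASSWD" "$SAMPLE_VFSTAB" && echo "root shell on separate /usr: FINDING"
# On a live system:  extra_uid0_accounts < /etc/passwd;  root_home < /etc/passwd
#                    root_shell_on_separate_usr "$(cat /etc/passwd)" "$(cat /etc/vfstab)"
```

Matching the numeric UID field rather than grepping for ":0:" avoids the false positives a literal grep produces on lines where a GID of 0 or a field boundary happens to contain that string.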

PDI: GEN001080 (V0001062)
Category: III
Status Code: AUTO
Previously: G229
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: The root shell is located in /usr and /usr is partitioned.
Reference: UNIX STIG: 3.3

8. Encrypted Root Access

1. GEN001100 Encrypting Root Access

Perform the following to determine if root has logged in over an unencrypted network connection. The first
command determines if root has logged in over a network. The second checks whether sshd is running.

Solaris
# last | grep ^root | egrep -v 'reboot|console' | more
# ps -ef | grep sshd

HP-UX
# last -R | grep ^root | egrep -v 'reboot|console' | more
# ps -ef | grep sshd

AIX
# last | grep ^root | egrep -v 'reboot|console' | more
# ps -ef | grep sshd

IRIX
# last | grep ^root | egrep -v 'reboot|console' | more
# ps -ef | grep sshd

Linux
# last | grep ^root | egrep -v 'reboot|console' | more
# ps -ef | grep sshd
If the output from the last command shows root has logged in over the network and sshd is not running,
then this is a finding.
Note: a running sshd does not by itself show that the recorded sessions used it; if telnetd or rlogind are also
enabled, root sessions may still have arrived in cleartext.
PDI: GEN001100 (V0001046)
Category: I
Status Code: AUTO
Previously: G499
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1, IAIA-1, IAIA-2
PDI Description: The root password is passed over a network in clear text form.
Reference: UNIX STIG: 3.3.1

2. GEN001120 Encrypting Root Access

Perform the following to determine if ssh disables root logins:

# find / -name sshd_config -print
# grep -v '^#' <sshd_config path> | grep -i permitrootlogin

If the PermitRootLogin entry is found uncommented and set to yes, then this is a finding. Note that sshd uses the
first uncommented value of a keyword that it reads, and that OpenSSH releases of this era default PermitRootLogin
to yes when the directive is absent, so no output from the second command means root login is permitted.
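Added example, not part of this checklist: a shell function that reports the effective PermitRootLogin value of an sshd_config, handling the absent-directive case and sshd's first-value-wins rule that a plain grep does not. The sample configurations are constructed; Match blocks (OpenSSH 4.4 and later) are not evaluated by the example.

```shell
#!/bin/sh
# Added example (not part of the UNIX checklist): determine the effective
# PermitRootLogin value of an sshd_config read on stdin, the way sshd does:
# comments are ignored, keywords are case-insensitive, and the FIRST value of a
# keyword wins.  When the directive is absent, the OpenSSH default of this era
# (yes) applies, so "no output from grep" is a finding, not a pass.
# Match blocks (OpenSSH 4.4 and later) are not evaluated here.

# Constructed sample configurations (not from a real host).
SAMPLE_SSHD_BAD='# sshd_config
Port 22
#PermitRootLogin no
Protocol 2'

SAMPLE_SSHD_OK='Protocol 2
permitrootlogin no
PermitRootLogin yes'

# Print the effective value ("yes", "no", "without-password", ...).
effective_permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes (default: directive absent)" }'
}

# Exit 0 (finding) when root login is permitted outright, per GEN001120.
permit_root_login_is_finding() {
    case "$(effective_permit_root_login)" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_SSHD_BAD" | effective_permit_root_login   # yes (default: directive absent)
printf '%s\n' "$SAMPLE_SSHD_OK"  | effective_permit_root_login   # no
# On a live system:  effective_permit_root_login < /etc/ssh/sshd_config
```

A value of without-password is not a finding under the letter of this check, but it still allows root to log in with a key; a reviewer should record it.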
PDI: GEN001120 (V0001047)
Category: II
Status Code: AUTO
Previously: G500
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1, IAAC-1
PDI Description: An encrypted remote access program, such as ssh, does not disable the capability to log directly on as root.
Reference: UNIX STIG: 3.3.1

9. File and Directory Controls

1. GEN001140 Uneven File Permissions

Perform:
# ls -lL <system directory>

to check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin.
Uneven file permissions exist when the file owner has fewer privileges than the group or world users and the
file is owned by a privileged user or group (such as root or bin). If any of the files in the above listed
directories have uneven file permissions, then this is a finding.
PDI: GEN001140 (V0000784)
Category: II
Status Code: AUTO
Previously: G034
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: There are files or directories with uneven access permissions.
Reference: UNIX STIG: 3.4

2. GEN001160 Unowned Files

Perform:
# find / -nouser -print > nousers
and
# find / -nogroup -print > nogroup

If any files are listed in either the nousers or nogroup files created by the above commands,
then this is a finding.
Note: files on NFS mounts may appear unowned only because the remote uid or gid is not defined locally; verify
those against the server before recording a finding.
PDI: GEN001160 (V0000785)
Category: II
Status Code: AUTO
Previously: G035
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: There are unowned files.
Reference: UNIX STIG: 3.4

3. GEN001180 Network Services Daemon Permissions

Perform the following to check the permissions:

Solaris
# ls -la /usr/bin or /usr/sbin

HP-UX
# ls -la /usr/lbin

AIX
# ls -la /usr/sbin

IRIX
# ls -la /usr/etc

Linux
# ls -la /usr/sbin
If any of the files used to start network daemons in the above directories have permissions more permissive than
755, then this is a finding.
Note: Network daemons that do not reside in these directories (such as httpd or sshd) must also be checked for
the correct permissions.
PDI: GEN001180 (V0000786)
Category: II
Status Code: AUTO
Previously: G036
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: Network services daemon file is more permissive than 755.
Reference: UNIX STIG: 3.4

4. GEN001200 System Command Permissions

Perform:
# ls -lL <system directory>

to check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. If the
file permissions are more permissive than 755, and the files are system commands, then this is a finding.
Note: Elevate to Category Code I if world writable.
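Added example, not part of this checklist: a shell function that classifies ls -l output for this check and for GEN001140 (uneven permissions) in one pass over a constructed listing. Treating sys as privileged alongside root and bin, and reading "more permissive than 755" as any group- or world-write bit (setuid, setgid and sticky bits are not flagged), are assumptions of the example; the function and variable names are its own.

```shell
#!/bin/sh
# Added example (not part of the UNIX checklist): classify "ls -l" output for
# GEN001140 (uneven permissions on files owned by a privileged user or group)
# and GEN001200 (system commands more permissive than 755, Category I if world
# writable).  "More permissive than 755" is read here as any group- or
# world-write bit; setuid/setgid/sticky bits are not flagged by this example.

# Constructed sample listing (not from a real host).
SAMPLE_LS='-rwxr-xr-x 1 root  bin   18320 Jan  1  2007 /usr/bin/ls
-r--rwxr-x 1 root  sys     512 Jan  1  2007 /etc/odd.conf
-rwxrwxr-x 1 root  bin    4096 Jan  1  2007 /usr/bin/groupw
-rwxrwxrwx 1 bin   bin    4096 Jan  1  2007 /usr/bin/worldw
-rw-r--r-x 1 alice users   200 Jan  1  2007 /usr/bin/alice-tool
-rwsr-xr-x 1 root  bin    9000 Jan  1  2007 /usr/bin/passwd'

# Privileged owners/groups for the uneven-permission rule (root and bin per the
# text; sys added as an assumption of this example).
PRIV_NAMES='root bin sys'

# Read "ls -l" lines on stdin; print "<path> <issue>" per problem found.
# Paths containing spaces are not handled (the last field is taken as the path).
mode_findings() {
    awk -v priv="$PRIV_NAMES" '
        # does the 3-char class string grant the permission at position pos?
        # "S", "T" and "L" mean setuid/sticky/locking WITHOUT execute.
        function has(cls, pos,    c) { c = substr(cls, pos, 1); return c != "-" && c !~ /^[STL]$/ }
        # does the weaker class grant anything the owner does not?
        function uneven(own, other,    p) {
            for (p = 1; p <= 3; p++) if (has(other, p) && !has(own, p)) return 1
            return 0
        }
        BEGIN { n = split(priv, plist, " ") }
        $1 ~ /^[-dl]/ && NF >= 9 {
            own = substr($1, 2, 3); grp = substr($1, 5, 3); oth = substr($1, 8, 3)
            path = $NF; isPriv = 0
            for (i = 1; i <= n; i++) if ($3 == plist[i] || $4 == plist[i]) isPriv = 1
            if (isPriv && (uneven(own, grp) || uneven(own, oth))) print path, "uneven"
            if (has(oth, 2))      print path, "world-writable (>755, Category I)"
            else if (has(grp, 2)) print path, "group-writable (>755)"
        }'
}

# Number of problems, usable as a pass/fail gate.
mode_finding_count() {
    mode_findings | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LS" | mode_findings
# /etc/odd.conf uneven
# /etc/odd.conf group-writable (>755)
# /usr/bin/groupw group-writable (>755)
# /usr/bin/worldw world-writable (>755, Category I)
# On a live system:  ls -lL /usr/bin | mode_findings
```

The "total N" header that ls prints for a directory is skipped by the mode-string match, so the function can be fed ls -lL output for each of the directories named above without further filtering.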
PDI: GEN001200 (V0000794)
Category: II
Status Code: AUTO
Previously: G044
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: System command is more permissive than 755.
Reference: UNIX STIG: 3.4


5. GEN001220 System Files, Programs, and Directories Ownership

Perform:
# ls -lL <system directory>

to check the owner of files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. If the files are
not owned by a system account or an application account, then this is a finding.

PDI: GEN001220 (V0000795)
Category: II
Status Code: AUTO
Previously: G045
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: System files, programs, and directories are not owned by a system account.
Reference: UNIX STIG: 3.4

6. GEN001240 System Files, Programs, and Directories Group Ownership

Perform:
# ls -lL <system directory>

to check the group owner of files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. If the files
are not group owned by a system group or an application group, then this is a finding.

PDI: GEN001240 (V0000796)
Category: II
Status Code: AUTO
Previously: G046
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: System files, programs, and directories are not owned by a system group.
Reference: UNIX STIG: 3.4


7. GEN001260 System Log File Permissions

Most syslog messages are logged to the /var/log, /var/log/syslog, or /var/adm directories; confirm the actual
destinations in /etc/syslog.conf, since a site may log elsewhere. Check the permissions by performing the following:
# ls -lL <syslog directory>

If any of the log file permissions are more permissive than 640, then this is a finding.
PDI: GEN001260 (V0000787)
Category: II
Status Code: AUTO
Previously: G037
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1, ECCD-1, ECCD-2
PDI Description: System log file is more permissive than 640.
Reference: UNIX STIG: 3.4

8. GEN001280 Manual Page File Permissions

Check the man page permissions by performing the following:

# ls -lL /usr/share/man
# ls -lL /usr/share/info
# ls -lL /usr/share/infopage

If any files in the above directories have permissions more permissive than 644, then this is a finding.
PDI: GEN001280 (V0000792)
Category: III
Status Code: AUTO
Previously: G042
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
PDI Description: Manual page file is more permissive than 644.
Reference: UNIX STIG: 3.4


9. GEN001300 Library File Permissions

Check the library permissions by performing the following:

# ls -lL /usr/lib/*

If any of the file permissions are more permissive than 755, then this is a finding.
PDI: GEN001300 (V0000793)
Category: II
Status Code: AUTO
Previously: G043
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1, ECCD-1, ECCD-2
PDI Description: Library file is more permissive than 755.
Reference: UNIX STIG: 3.4

10. GEN001320 NIS/NIS+/yp File Ownership

Perform the following to check NIS file ownership:

Solaris
# ls -la /usr/lib/netsvc/yp

HP-UX
# ls -la /var/yp/<nis domainname>

AIX
# ls -la /usr/lib/netsvc/yp or /usr/lib/nis

IRIX
# ls -la /usr/var/yp/<nis domainname>

Linux
# ls -la /var/yp/<nis domainname>
If any of the files is not owned by root, sys, or bin, then this is a finding.
PDI: GEN001320 (V0000789)
Category: II
Status Code: AUTO
Previously: G039
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: NIS/NIS+/yp files are not owned by root, sys or bin.
Reference: UNIX STIG: 3.4

11. GEN001340 NIS/NIS+/yp File Group Ownership

Perform the following to check NIS file group ownership:

Solaris
# ls -la /usr/lib/netsvc/yp

HP-UX
# ls -la /var/yp/<nis domainname>

AIX
# ls -la /usr/lib/netsvc/yp or /usr/lib/nis

IRIX
# ls -la /usr/var/yp/<nis domainname>

Linux
# ls -la /var/yp/<nis domainname>
If any of the files is not group owned by root, sys, bin, or other, then this is a finding.

PDI: GEN001340 (V0000790)
Category: II
Status Code: AUTO
Previously: G040
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: NIS/NIS+/yp files are not group owned by root, sys, bin, or other.
Reference: UNIX STIG: 3.4

12. GEN001360 NIS/NIS+/yp File Permissions

Perform the following to check NIS file permissions:

Solaris
# ls -la /usr/lib/netsvc/yp

HP-UX
# ls -la /var/yp/<nis domainname>

AIX
# ls -la /usr/lib/netsvc/yp or /usr/lib/nis

IRIX
# ls -la /usr/var/yp/<nis domainname>

Linux
# ls -la /var/yp/<nis domainname>
If any of the file permissions are more permissive than 755, then this is a finding.

PDI: GEN001360 (V0000791)
Category: II
Status Code: AUTO
Previously: G041
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
PDI Description: NIS/NIS+/yp command file is more permissive than 755.
Reference: UNIX STIG: 3.4

13. GEN001380 /etc/passwd File Permissions

Check /etc/passwd permissions:

# ls -lL /etc/passwd
If /etc/passwd is more permissive than 644, then this is a finding.
PDI: GEN001380 (V0000798)
Category: II
Status Code: AUTO
Previously: G048
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The /etc/passwd file is more permissive than 644.
Reference: UNIX STIG: 3.4

14. GEN001400 /etc/passwd and/or /etc/shadow File Ownership

Check /etc/passwd ownership:

# ls -lL /etc/passwd
Check /etc/shadow and equivalent file(s) ownership:

HP-UX
The TCB structure of HP-UX (trusted mode) and other flavors of UNIX is radically different from the /etc/shadow
structure found in Solaris. The file permissions, owners and groups should be as follows, and are a finding if
they deviate from this configuration.

Path                      Mode   Owner  Group
/tcb                      d555   root   sys
/tcb/files                d771   root   sys
/tcb/files/auth           d771   root   sys
/tcb/files/auth/[a-z]/*   664    root   root

AIX
# ls -lL /etc/security/passwd

All Other Platforms
# ls -lL /etc/shadow
If the /etc/passwd or /etc/shadow (or equivalent) file is not owned by root, then this is a finding. If the HP-UX
/tcb directory and file ownerships are not configured as detailed above, then this is a finding.
PDI: GEN001400 (V0000797)
Category: II
Status Code: AUTO
Previously: G047
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The /etc/passwd and /etc/shadow (or equivalent) file is not owned by root.
Reference: UNIX STIG: 3.4

15. GEN001420 /etc/shadow File Permissions

Check /etc/shadow and equivalent file(s) permissions:

HP-UX
The TCB structure of HP-UX (trusted mode) and other flavors of UNIX is radically different from the /etc/shadow
structure found in Solaris. The file permissions, owners and groups should be as follows, and are a finding if
they deviate from this configuration.

Path                      Mode   Owner  Group
/tcb                      d555   root   sys
/tcb/files                d771   root   sys
/tcb/files/auth           d771   root   sys
/tcb/files/auth/[a-z]/*   664    root   root

AIX
# ls -lL /etc/security/passwd

All Other Platforms
# ls -lL /etc/shadow
If the /etc/shadow (or equivalent) file is more permissive than 400, then this is a finding. If the HP-UX /tcb
directory and file permissions are not configured as detailed above, then this is a finding.
PDI: GEN001420 (V0000800)
Category: II
Status Code: AUTO
Previously: G050
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The /etc/shadow (or equivalent) file is more permissive than 400.
Reference: UNIX STIG: 3.4

10. Home Directories

1. GEN001440 Assign Home Directories

Perform:

Solaris
# pwck

HP-UX
# pwck -s

AIX
# usrck -n ALL

IRIX
# pwck

Linux
# pwck
If any interactive users are not assigned a home directory, then this is a finding.
PDI: GEN001440 (V0000899)
Category: IV
Status Code: AUTO
Previously: G051
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Users are not assigned a home directory in the /etc/passwd file.
Reference: UNIX STIG: 3.5

2. GEN001460 Assigned Home Directories Exist

Perform:

Solaris
# pwck

HP-UX
# pwck -s

AIX
# usrck -n ALL

IRIX
# pwck

Linux
# pwck
If an interactive user's assigned home directory does not exist, then this is a finding.
PDI: GEN001460 (V0000900)
Category: IV
Status Code: AUTO
Previously: G052
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: A home directory defined in the /etc/passwd file does not exist.
Reference: UNIX STIG: 3.5

3. GEN001480 Home Directories Permissions

Issue this command for each user in the /etc/passwd file to display user home directory permissions:
# ls -lLd /<usershomedirectory>

If a user's home directory is more permissive than 750, then this is a finding. Home directories with
permissions greater than 750 must be justified and documented with the IAO.

PDI: GEN001480 V0000901
Category: II
Status Code: AUTO
Previously: G053
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: User home directories are more permissive than 750.
Reference: UNIX STIG: 3.5

4. GEN001500 Home Directories Ownership

Issue this command for each user in the /etc/passwd file to display user home directory ownership:
# ls -lLd /<usershomedirectory>

If a user's home directory is not owned by the assigned user, then this is a finding. Home directories not
owned by the assigned user must be justified and documented with the IAO.

PDI: GEN001500 V0000902
Category: II
Status Code: AUTO
Previously: G054
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Users do not own their home directory.
Reference: UNIX STIG: 3.5

5. GEN001520 Home Directories Group Ownership

Issue this command for each user in the /etc/passwd file to display user home directory group ownership:
# ls -lLd /<usershomedirectory>
# grep <user> /etc/group

If user home directories are not group owned by the assigned user's primary group, then this is a finding. Home
directories with a group owner other than the assigned owner's primary group must be justified and documented with the IAO.

PDI: GEN001520 V0000903
Category: II
Status Code: AUTO
Previously: G055
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Home directories are not group owned by the home directory owner's
primary group. Exceptions may exist for application directories, which
will be documented with the IAO.
Reference: UNIX STIG: 3.5
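The home directory checks above all reduce to "is this mode more permissive than 750", judged from the first column of ls -lLd output. The following is an added example, not part of the checklist or its scripts: a POSIX sh helper that converts that symbolic mode column to octal (including the suid, sgid and sticky bits, which a plain numeric comparison against 750 would miss) and applies the test to constructed sample output for hypothetical users.

```shell
#!/bin/sh
# Added example (not from the checklist): evaluate "ls -lLd" output against a
# permission limit such as the 750 used for home directories.

# Convert a symbolic mode string ("drwxr-x---") to four octal digits ("0750").
# Special bits: s/S in the owner triplet -> 4, in the group triplet -> 2,
# t/T in the other triplet -> 1.  A trailing "+" or "." (ACL marker) is ignored.
sym_to_octal() {
    perm=$(printf '%s' "$1" | cut -c2-10)   # drop the file-type character
    special=0
    digits=""
    pos=1
    for bit in 4 2 1; do                     # owner, group, other triplets
        r=$(printf '%s' "$perm" | cut -c"$pos")
        w=$(printf '%s' "$perm" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$perm" | cut -c"$((pos + 2))")
        d=0
        [ "$r" = r ] && d=$((d + 4))
        [ "$w" = w ] && d=$((d + 2))
        case $x in x|s|t) d=$((d + 1)) ;; esac
        case $x in s|S|t|T) special=$((special + bit)) ;; esac
        digits="$digits$d"
        pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Convert an octal string ("4750", "0750", "750") to a decimal integer.
octal_to_dec() {
    n=0
    rest=$1
    while [ -n "$rest" ]; do
        n=$(( n * 8 + $(printf '%s' "$rest" | cut -c1) ))
        rest=$(printf '%s' "$rest" | cut -c2-)
    done
    printf '%d\n' "$n"
}

# True (exit 0) when MODE grants any bit that LIMIT does not; this is the
# checklist's "more permissive than" test.  4750 is more permissive than 750
# even though it would pass a plain "4750 > 750 is false" comparison.
more_permissive_than() {
    m=$(octal_to_dec "$1")
    l=$(octal_to_dec "$2")
    [ $(( m & ~l )) -ne 0 ]
}

# True when the mode in the first column of an "ls -l" line exceeds LIMIT.
ls_line_exceeds() {
    sym=$(printf '%s\n' "$1" | awk '{print $1}')
    more_permissive_than "$(sym_to_octal "$sym")" "$2"
}

# Constructed sample of "ls -lLd" output for four hypothetical home directories.
SAMPLE_LS='drwxr-x---  5 alice staff 4096 Mar  3 10:02 /home/alice
drwxr-xr-x  5 bob   staff 4096 Mar  3 10:02 /home/bob
drwsr-x---  5 carol staff 4096 Mar  3 10:02 /home/carol
drwx------  5 dave  staff 4096 Mar  3 10:02 /home/dave'

# Print "FINDING <dir>" for every sample directory more permissive than 750.
report_home_findings() {
    printf '%s\n' "$SAMPLE_LS" | while read -r line; do
        if ls_line_exceeds "$line" 750; then
            printf 'FINDING %s\n' "${line##* }"
        fi
    done
}

report_home_findings
```

The same helper applies unchanged to the 755, 644, 740 and 700 limits used by later checks in this section.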

11. User Files


1. GEN001540 Home Directories File Ownership

If non-startup files are found in a user's home directory that are not owned by the user, ask the SA or IAO if
these files are documented.
If user home directories contain files or directories not owned by the home directory owner without
documentation, then this is a finding.

PDI: GEN001540 V0000914
Category: III
Status Code: AUTO
Previously: G067
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: User home directories contain files/directories not owned by the home
directory owner.
Reference: UNIX STIG: 3.6

2. GEN001560 Home Directories File Permissions

If non-startup files are found in a user's home directory that have permissions less restrictive than 750, ask the
SA or IAO if these files are documented.
If user home directories contain files or directories more permissive than 750 without documentation, then this is
a finding.

PDI: GEN001560 V0000915
Category: III
Status Code: AUTO
Previously: G068
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: User home directories contain files/directories more permissive than
750.
Reference: UNIX STIG: 3.6

12. Run Control Scripts


1. GEN001580 Run Control Scripts Permissions

Check run control scripts permissions:

Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
# cd /etc/rc.config.d
# ls -l

AIX
# cd /etc
# ls -lL rc*

IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

Linux (may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

If run control scripts are more permissive than 755, then this is a finding.

PDI: GEN001580 V0000906
Category: II
Status Code: AUTO
Previously: G058
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Run control scripts are more permissive than 755.
Reference: UNIX STIG: 3.7

2. GEN001600 Run Control Scripts PATH Variable

Perform:

Solaris
# cd /etc/init.d
# grep PATH *

HP-UX
# cd /sbin/init.d
# grep PATH *

AIX
# cd /etc
# grep PATH rc*

IRIX
# cd /etc/init.d
# grep PATH *

Linux (may vary)
# cd /etc
# grep PATH *
# cd /etc/init.d
# grep PATH */*

If the PATH variable contains a . or a ::, or starts or ends with a :, then this is a finding.

PDI: GEN001600 V0000907
Category: II
Status Code: AUTO
Previously: G059
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: Run control scripts PATH variable contains a . or a ::, or starts or
ends with a :.
Reference: UNIX STIG: 3.7
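The grep above only locates PATH lines; the reviewer still has to judge each value. The following is an added example, not code from the checklist or its scripts, that performs that judgement for this check and for the identical PATH conditions in the global and local initialization file checks later in this section: it extracts PATH assignments from a file and flags a "." element, a "::" pair, or a leading or trailing ":" (all of which make the shell search the current directory). The sample files and their paths are constructed.

```shell
#!/bin/sh
# Added example (not from the checklist): find PATH assignments in run control
# and initialization files and flag the unsafe forms the check describes.

# True (exit 0) when a PATH value contains "." as an element, or an empty
# element (leading ":", trailing ":" or "::"), which the shell searches as the
# current directory.
path_value_unsafe() {
    v=$1
    case $v in
        :*|*:|*::*) return 0 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting on ":"
    set -- $v
    set +f
    IFS=$old_ifs
    for elem in "$@"; do
        [ "$elem" = . ] && return 0
    done
    return 1
}

# Print the value of every "PATH=..." or "export PATH=..." assignment in FILE,
# with surrounding quotes removed.  Values built from $PATH or other variables
# are printed as written, so the reviewer still sees them.
path_assignments() {
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}PATH=\([^;[:space:]]*\).*/\2/p' "$1" \
        | tr -d "\"'"
}

# Print "FINDING <file>: PATH=<value>" for each unsafe assignment in FILE;
# exit 0 if at least one finding was printed, 1 otherwise.
check_init_file() {
    rc=1
    for val in $(path_assignments "$1"); do
        if path_value_unsafe "$val"; then
            printf 'FINDING %s: PATH=%s\n' "$1" "$val"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample files; the names and contents are hypothetical.
make_samples() {
    dir=${TMPDIR:-/tmp}/pathcheck.$$
    mkdir -p "$dir"
    cat > "$dir/profile" <<'EOF'
# safe: no "." and no empty element
PATH=/usr/bin:/usr/sbin:/bin
export PATH
EOF
    cat > "$dir/rc.local" <<'EOF'
# unsafe: trailing ":" and a "." element
export PATH="/usr/bin:/bin:"
PATH=/usr/local/bin:.:$PATH
EOF
    printf '%s\n' "$dir"
}

dir=$(make_samples)
for f in "$dir/profile" "$dir/rc.local"; do
    check_init_file "$f" || printf 'ok      %s\n' "$f"
done
```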

3. GEN001620 Run Control Scripts SGID/SUID

Check run control scripts for sgid and suid:

Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
# cd /etc/rc.config.d
# ls -l

AIX
# cd /etc
# ls -lL rc*

IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

Linux (may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

If run control scripts have the sgid or suid bit set, then this is a finding.

PDI: GEN001620 V0000909
Category: II
Status Code: AUTO
Previously: G061
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Run control scripts have the sgid or the suid bit set.
Reference: UNIX STIG: 3.7

4. GEN001640 Run Control Scripts World Writable Programs or Scripts

Use the more command to look in the system startup files for files or scripts being executed. Check
the permissions on those files or scripts to determine if they are world writable. Alternatively, the command

# find / -perm -0002 -type f > wwlist

will give a list of world writable files that can be checked against the executed files or scripts. If world writable
files are found to be executed from system startup scripts, then this is a finding.

PDI: GEN001640 V0000910
Category: I
Status Code: AUTO
Previously: G062
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Run control scripts execute world writable programs or scripts.
Reference: UNIX STIG: 3.7

5. GEN001660 Run Control Scripts Ownership

Check run control scripts ownership:

Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
# cd /etc/rc.config.d
# ls -l

AIX
# cd /etc
# ls -lL rc*

IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

Linux (may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

If run control scripts are not owned by root or bin, then this is a finding.

PDI: GEN001660 V0004089
Category: II
Status Code: AUTO
Previously: G611
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: Run control scripts are not owned by root or bin.
Reference: UNIX STIG: 3.7

6. GEN001680 Run Control Scripts Group Ownership

Check run control scripts group ownership:

Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l

AIX
# cd /etc
# ls -lL rc*

IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

Linux (may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l rc*

If run control scripts are not group owned by root, sys, bin, other or the system default, then this is a finding.

PDI: GEN001680 V0004090
Category: II
Status Code: AUTO
Previously: G612
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: Run control scripts are not group owned by root, sys, bin, other, or the
system default.
Reference: UNIX STIG: 3.7

7. GEN001700 Run Control Scripts Execute Programs

Perform:

Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l

AIX
# cd /etc
# ls -lL rc*

IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l

Linux (may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l rc*

Use the more command to search for programs executed by system start-up files. Then use the ls -l
command to examine the permissions of the program. In most cases, they will be owned by root, sys, or bin. In a
very small minority of cases, they may be owned by identifiable applications. In no case will applications be
owned by users.

PDI: GEN001700 V0004091
Category: II
Status Code: MAN++
Previously: G613
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Run control scripts execute programs owned by neither a system
account nor an application account.
Reference: UNIX STIG: 3.7

13. Global Initialization Files


1. GEN001720 Global Initialization Files Permissions

Check global initialization files permissions:

# ls -l /etc/.login
# ls -l /etc/profile
# ls -l /etc/bashrc
# ls -l /etc/environment
# ls -l /etc/security/environ

If global initialization files are more permissive than 644, then this is a finding.

PDI: GEN001720 V0011981
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Global initialization files are more permissive than 644.
Reference: UNIX STIG: 3.8.1

2. GEN001740 Global Initialization Files Ownership

Check global initialization files ownership:

# ls -l /etc/.login
# ls -l /etc/profile
# ls -l /etc/bashrc
# ls -l /etc/environment
# ls -l /etc/security/environ

If global initialization files are not owned by root, then this is a finding.

PDI: GEN001740 V0011982
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Global initialization files are not owned by root.
Reference: UNIX STIG: 3.8.1

3. GEN001760 Global Initialization Files Group Ownership

Check global initialization files group ownership:

# ls -l /etc/.login
# ls -l /etc/profile
# ls -l /etc/bashrc
# ls -l /etc/environment
# ls -l /etc/security/environ

If global initialization files are not group owned by root, sys, bin, other, or the system default, then this is a
finding.

PDI: GEN001760 V0011983
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Global initialization files are not group owned by root, sys, bin, other,
or the system default.
Reference: UNIX STIG: 3.8.1

4. GEN001780 Global Initialization Files do not Contain mesg -n

# grep "mesg -y" /etc/.login
# grep "mesg -y" /etc/profile
# grep "mesg -y" /etc/bashrc
# grep "mesg -y" /etc/environment
# grep "mesg -y" /etc/security/environ

If global initialization files do contain mesg -y, then this is a finding.

PDI: GEN001780 V0000825
Category: III
Status Code: AUTO
Previously: G112
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: Global initialization files do not contain the command mesg -n.
Reference: UNIX STIG: 3.8.1

5. GEN001800 Default/Skeleton Dot Files Permissions

Check skeleton files permissions:

AIX
# ls -l /etc/security/.profile

All Other Platforms
# ls -alL /etc/skel

If skeleton dot files are more permissive than 644, then this is a finding.

PDI: GEN001800 V0000788
Category: II
Status Code: AUTO
Previously: G038
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Default skeleton . files are more permissive than 644.
Reference: UNIX STIG: 3.8.1

6. GEN001820 Default/Skeleton Dot Files Ownership

Check skeleton files ownership:

AIX
# ls -l /etc/security/.profile

All Other Platforms
# ls -alL /etc/skel

If skeleton dot files are not owned by root or bin, then this is a finding.

PDI: GEN001820 V0011984
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Default skeleton . files are not owned by root or bin.
Reference: UNIX STIG: 3.8.1

7. GEN001840 Global Initialization Files PATH Variable

# more /etc/.login | grep PATH
# more /etc/profile | grep PATH
# more /etc/bashrc | grep PATH
# more /etc/environment | grep PATH
# more /etc/security/environ | grep PATH

If the global initialization files PATH variable contains a . or a ::, or starts or ends with a :, then this is a
finding.

PDI: GEN001840 V0011985
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: Global initialization files PATH variable contains a . or a ::, or
starts or ends with a :.
Reference: UNIX STIG: 3.8.1

14. Local Initialization Files

1. GEN001860 Local Initialization Files Ownership

# ls -al /<usershomedirectory>/.login
# ls -al /<usershomedirectory>/.cshrc
# ls -al /<usershomedirectory>/.logout
# ls -al /<usershomedirectory>/.profile
# ls -al /<usershomedirectory>/.bash_profile
# ls -al /<usershomedirectory>/.bashrc
# ls -al /<usershomedirectory>/.bash_logout
# ls -al /<usershomedirectory>/.env
# ls -al /<usershomedirectory>/.dtprofile
# ls -al /<usershomedirectory>/.dispatch
# ls -al /<usershomedirectory>/.emacs
# ls -al /<usershomedirectory>/.exrc

If local initialization files are not owned by the home directory user, then this is a finding. Local initialization files
not owned by the user must be justified and documented by the IAO.

PDI: GEN001860 V0000904
Category: II
Status Code: AUTO
Previously: G056
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Local initialization files are not owned by the user or root.
Reference: UNIX STIG: 3.8.2

2. GEN001880 Local Initialization Files Permissions

# ls -al /<usershomedirectory>/.login
# ls -al /<usershomedirectory>/.cshrc
# ls -al /<usershomedirectory>/.logout
# ls -al /<usershomedirectory>/.profile
# ls -al /<usershomedirectory>/.bash_profile
# ls -al /<usershomedirectory>/.bashrc
# ls -al /<usershomedirectory>/.bash_logout
# ls -al /<usershomedirectory>/.env
# ls -al /<usershomedirectory>/.dtprofile    (permissions should be 755)
# ls -al /<usershomedirectory>/.dispatch
# ls -al /<usershomedirectory>/.emacs
# ls -al /<usershomedirectory>/.exrc

If local initialization files are more permissive than 740 or the .dtprofile file is more permissive than 755, then
this is a finding.

PDI: GEN001880 V0000905
Category: II
Status Code: AUTO
Previously: G057
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Local initialization files are more permissive than 740.
  .dt (a directory, this should have permissions of 755)
  .dtprofile (a file, this should have permissions of 755)
Reference: UNIX STIG: 3.8.2

3. GEN001900 Local Initialization Files PATH Variable

# more /<usershomedirectory>/.* | grep PATH

If the local initialization files PATH variable contains a . or a ::, or starts or ends with a :, then this is a
finding.

PDI: GEN001900 V0011986
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCSS-2
PDI Description: Local initialization files PATH variable contains a . or a ::, or starts
or ends with a :.
Reference: UNIX STIG: 3.8.2

4. GEN001920 Local Initialization Files SGID/SUID

# ls -la /<usershomedirectory>/.*

If any of the above files have the suid or sgid bit set, then this is a finding.

PDI: GEN001920 V0000908
Category: II
Status Code: AUTO
Previously: G060
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Local initialization files have the suid or the sgid bit set.
Reference: UNIX STIG: 3.8.2

5. GEN001940 Local Initialization Files World Writable Programs or Scripts

# more /<usershomedirectory>/.*

Look for programs or scripts executed within the local initialization files, and issue an ls -al on any programs
or scripts found to check if the called program or script is world writable.
If local initialization files execute world writable programs or scripts, then this is a finding.

PDI: GEN001940 V0004087
Category: II
Status Code: AUTO
Previously: G609
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Local initialization files execute world writable programs or scripts.
Reference: UNIX STIG: 3.8.2

6. GEN001960 Local Initialization Files mesg -y

# grep -e "mesg -y" -e "mesg y" /<usershomedirectory>/.*

If local initialization files contain the mesg -y or mesg y command, then this is a finding.

PDI: GEN001960 V0004088
Category: III
Status Code: AUTO
Previously: G610
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Local initialization files contain the mesg -y or mesg y command.
Reference: UNIX STIG: 3.8.2

15. Trusted System/System Access Control Files

1. GEN001980 Plus (+) in Access Control Files

# find / -name .rhosts
# more /<directorylocation>/.rhosts
# find / -name .shosts
# more /<directorylocation>/.shosts
# find / -name hosts.equiv
# more /<directorylocation>/hosts.equiv
# find / -name shosts.equiv
# more /<directorylocation>/shosts.equiv

If the .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files contain a plus
(+) that is not used to define entries for NIS+ netgroups, then this is a finding.

PDI: GEN001980 V0011987
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/
shadow, and/or /etc/group files contain a plus (+) and does not define
entries for NIS+ netgroups.
Reference: UNIX STIG: 3.9
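The distinction the check above draws is between a bare "+" (or "+name"), which trusts every host or imports every NIS account, and "+@netgroup", which only references a netgroup. The following is an added example, not part of the checklist or its scripts, that applies that rule to the files the check names: whitespace-separated host [user] fields for the hosts-type files, and the first colon-separated field for /etc/passwd and /etc/group. The sample files, hosts, users and netgroup names are constructed.

```shell
#!/bin/sh
# Added example (not from the checklist): report "+" entries in access control
# and account files that are not NIS/NIS+ netgroup references ("+@netgroup").

# Print "<file>: <line>" for each offending line.  KIND is "hosts" for
# .rhosts, .shosts, hosts.equiv and shosts.equiv (whitespace-separated
# host [user] fields) or "nss" for /etc/passwd and /etc/group (the "+" can
# only appear in the first colon-separated field).  Exit 0 if anything was
# printed, 1 otherwise.
plus_findings() {
    file=$1
    kind=$2
    rc=1
    set -f                                  # fields may contain "*"
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if [ "$kind" = nss ]; then
            fields=${line%%:*}
        else
            fields=$line
        fi
        for f in $fields; do
            case $f in
                +@?*) ;;                    # netgroup reference: allowed
                +*)  printf '%s: %s\n' "$file" "$line"
                     rc=0
                     break ;;
            esac
        done
    done < "$file"
    set +f
    return $rc
}

# Constructed sample files with hypothetical hosts, users and netgroups.
make_samples() {
    dir=${TMPDIR:-/tmp}/pluscheck.$$
    mkdir -p "$dir"
    cat > "$dir/hosts.equiv" <<'EOF'
# trusted build host, an admin netgroup, and a bare "+" (finding)
build01.example.com
+@admins
+
EOF
    cat > "$dir/.rhosts" <<'EOF'
+ +
jump.example.com alice
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
+@nisusers::::::
+::::::
EOF
    printf '%s\n' "$dir"
}

dir=$(make_samples)
plus_findings "$dir/hosts.equiv" hosts
plus_findings "$dir/.rhosts" hosts
plus_findings "$dir/passwd" nss
```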

2. GEN002000 The .netrc File Exists

# find / -name .netrc

If the .netrc file exists, then this is a finding. The .netrc must be justified and documented with the IAO.

PDI: GEN002000 V0000913
Category: II
Status Code: AUTO
Previously: G066
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2
PDI Description: A .netrc file exists.
Reference: UNIX STIG: 3.9

3. GEN002020 Access Control Files Host Pairs

# find / -name .rhosts
# more /<directorylocation>/.rhosts
# find / -name .shosts
# more /<directorylocation>/.shosts
# find / -name hosts.equiv
# more /<directorylocation>/hosts.equiv
# find / -name shosts.equiv
# more /<directorylocation>/shosts.equiv

If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files contain other than hostname-user pairs and are not
justified and documented with the IAO, then this is a finding.

PDI: GEN002020 V0004427
Category: II
Status Code: PART
Previously: G614
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2
PDI Description: The .rhosts, .shosts, hosts.equiv, or shosts.equiv files contain other
than host-user pairs and are not justified and documented with the
IAO.
Reference: UNIX STIG: 3.9

4. GEN002040 Access Control Files Documentation

# find / -name .rhosts
# find / -name .shosts
# find / -name hosts.equiv
# find / -name shosts.equiv

If .rhosts, .shosts, hosts.equiv, or shosts.equiv are found and not justified and documented with the IAO, then
this is a finding.

PDI: GEN002040 V0011988
Category: I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2
PDI Description: The .rhosts, .shosts, hosts.equiv, or shosts.equiv are used and not
justified and documented with the IAO.
Reference: UNIX STIG: 3.9

5. GEN002060 Access Control Files Accessibility

# find / -name .rhosts
# ls -al /<directorylocation>/.rhosts
# find / -name .shosts
# ls -al /<directorylocation>/.shosts
# find / -name hosts.equiv
# ls -l /<directorylocation>/hosts.equiv
# find / -name shosts.equiv
# ls -l /<directorylocation>/shosts.equiv
# find / -name .netrc
# ls -l /<directorylocation>/.netrc

If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files have permissions greater than 700, then this is a
finding.

PDI: GEN002060 V0004428
Category: II
Status Code: AUTO
Previously: G615
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The .rhosts, .shosts, hosts.equiv, shosts.equiv, or .netrc files are
accessible by users other than root or the owner.
Reference: UNIX STIG: 3.9

6. GEN002100 The .rhosts Supported in PAM

Linux
# cd /etc/pam.d
# grep rhosts_auth *

All Other Platforms
# grep rhosts_auth /etc/pam.conf

If rhosts_auth is found and is not documented as required, then this is a finding. This must be justified and
documented with the IAO.

PDI: GEN002100 V0011989
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The .rhosts file is supported in PAM.
Reference: UNIX STIG: 3.9

16. Shells
1. GEN002120 The /etc/shells File Does Not Exist

AIX
# ls -l /etc/security/login.cfg

All Other Platforms
# ls -l /etc/shells

If the /etc/shells (or equivalent) file does not exist, then this is a finding.

PDI: GEN002120 V0000916
Category: II
Status Code: AUTO
Previously: G069
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The /etc/shells (or equivalent) file does not exist.
Reference: UNIX STIG: 3.10

2. GEN002140 The /etc/shells Contents

AIX
# more /etc/passwd
# more /etc/security/login.cfg

All Other Platforms
# more /etc/passwd
# more /etc/shells

Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells (or equivalent)
file.
The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin (and equivalents), sdshell, and application binaries will
be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file.
If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above mentioned shells, then this
is a finding.

PDI: GEN002140 V0000917
Category: II
Status Code: AUTO
Previously: G070
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: A shell referenced in /etc/passwd is not listed in the shells file.
Reference: UNIX STIG: 3.10
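Comparing the two files by eye is error-prone on a system with many accounts. The following is an added example, not part of the checklist or its scripts, that performs the comparison for the non-AIX case: every distinct shell in the passwd file that is neither one of the exempt non-login shells listed above nor present in the shells file is printed for the reviewer. Treating /usr/sbin/nologin as an "equivalent" of /sbin/nologin and matching sdshell by name wherever it is installed are assumptions; the sample passwd and shells files are constructed.

```shell
#!/bin/sh
# Added example (not from the checklist): report login shells referenced in
# /etc/passwd that are not listed in /etc/shells, excluding the non-login
# shells the check allows.

# Shells the checklist accepts in /etc/passwd without an /etc/shells entry.
# /usr/sbin/nologin is treated as an "equivalent" of /sbin/nologin (assumption).
EXEMPT_SHELLS="/usr/bin/false /bin/false /dev/null /sbin/nologin /usr/sbin/nologin"

is_exempt() {
    for s in $EXEMPT_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    case $1 in */sdshell) return 0 ;; esac   # sdshell, wherever it is installed
    return 1
}

# Print each distinct shell from PASSWD that is neither exempt nor listed in
# SHELLS.  Application binaries are printed too: the checklist allows them,
# but only the reviewer can tell an application shell from a stray entry.
unlisted_shells() {
    passwd=$1
    shells=$2
    cut -d: -f7 "$passwd" | sort -u | while read -r sh; do
        [ -z "$sh" ] && sh=/bin/sh          # empty field means /bin/sh to login(1)
        is_exempt "$sh" && continue
        grep -qxF -- "$sh" "$shells" || printf '%s\n' "$sh"
    done
}

# Constructed sample passwd and shells files (hypothetical users and paths).
make_samples() {
    dir=${TMPDIR:-/tmp}/shellcheck.$$
    mkdir -p "$dir"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/usr/local/bin/zsh
svc:x:1003:1003::/var/svc:/bin/false
appuser:x:1004:1004::/opt/app:/opt/app/bin/appshell
legacy:x:1005:1005::/home/legacy:
EOF
    cat > "$dir/shells" <<'EOF'
/bin/sh
/bin/bash
/bin/ksh
EOF
    printf '%s\n' "$dir"
}

dir=$(make_samples)
unlisted_shells "$dir/passwd" "$dir/shells"
```

In the sample, /usr/local/bin/zsh is a finding unless it is added to the shells file, while /opt/app/bin/appshell is the kind of application binary the check exempts once it is identified as such.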

3. GEN002160 Shells SUID

AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>

All Other Platforms
# find / -name "*sh"
For each shell found:
# ls -l <shell>

If shell files have the suid bit set, then this is a finding.
Note: The remsh command is sometimes linked to the rsh command and will have the suid bit set; in this
case it is not a finding. Determine if that is the case by using ls -li to determine if they share the same inode
number. The remsh command is the remote shell command and should not be considered a shell. Solaris
uses the /usr/bin/rsh and the /usr/ucb/rsh commands for remote shells, and they should also be
ignored here. A restricted shell also exists for bash (rbash).

PDI: GEN002160 V0000919
Category: I
Status Code: AUTO
Previously: G072
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Shell files have the suid bit set.
Reference: UNIX STIG: 3.10

4. GEN002180 Shells SGID

AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>

All Other Platforms
# find / -name "*sh"
For each shell found:
# ls -l <shell>

If shell files have the sgid bit set, then this is a finding.

PDI: GEN002180 V0000920
Category: II
Status Code: AUTO
Previously: G073
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Shell files have the sgid bit set.
Reference: UNIX STIG: 3.10

5. GEN002200 Shells Ownership

AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>

All Other Platforms
# find / -name "*sh"
For each shell found:
# ls -l <shell>

If shell files are not owned by root or bin, then this is a finding.

PDI: GEN002200 V0000921
Category: II
Status Code: AUTO
Previously: G074
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Shell files are not owned by root or bin.
Reference: UNIX STIG: 3.10

6. GEN002220 Shells Permissions

AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>

All Other Platforms
# find / -name "*sh"
For each shell found:
# ls -l <shell>

If shell files are more permissive than 755, then this is a finding.

PDI: GEN002220 V0000922
Category: II
Status Code: AUTO
Previously: G075
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Shell files are more permissive than 755.
Reference: UNIX STIG: 3.10

17. Device Files

1. GEN002260 System Baseline for Device Files Checking

# find / -type b
# find / -type c
# find / -type n

If the system is not checked weekly against the system baseline for extraneous device files, then this is a finding.
Ask the SA to show the previous week's baseline of files.

PDI: GEN002260 V0000923
Category: III
Status Code: MAN
Previously: G076
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: VIVM-1
PDI Description: The system is not checked weekly against the system baseline for
extraneous device files.
Reference: UNIX STIG: 3.11

2. GEN002280 Device Files Directories Permissions

# ls -al /dev
# ls -al /devices (Solaris)

Check the permissions on the directories and subdirectories that contain device files.
If device file directories are writable by users other than a system account or as configured by the vendor, then
this is a finding.

PDI: GEN002280 V0000924
Category: II
Status Code: MAN
Previously: G077
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Device file directories are writable by users other than a system
account or as configured by the vendor.
Reference: UNIX STIG: 3.11

3. GEN002300 Device Files Ownership

Attempt to determine if any backup devices exist for the system. Some systems will have a file containing the
default device files (such as /etc/default/tar on Solaris). Others can be checked via a system
administration GUI (such as SAM on HP-UX). If backup device files exist, ask the SA or IAO if the file(s) are
documented with the IAO.

PDI: GEN002300 V0000925
Category: II
Status Code: PART
Previously: G078
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1, ECCD-1, ECCD-2
PDI Description: Device files used for backup are writable by users other than root or a
pseudo backup user.
Reference: UNIX STIG: 3.11

4. GEN002320 Audio Device Permissions

Solaris
# ls -lL /dev/audio

HP-UX
# /usr/sbin/ioscan -f
# ls -lL <audio device file>

AIX
# /usr/sbin/lsdev -C | grep -i audio
# ls -lL /dev/*aud0

IRIX
# ls -lL /dev/audio

Linux
# ls -lL /dev/audio*

If the permissions are greater than 644, then this is a finding.

PDI: GEN002320 V0001048
Category: II
Status Code: AUTO
Previously: G501
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: An audio device is more permissive than 644.
Reference: UNIX STIG: 3.11

5. GEN002340 Audio Device Ownership

Solaris
# ls -lL /dev/audio

HP-UX
# /usr/sbin/ioscan -f
# ls -lL <audio device file>

AIX
# /usr/sbin/lsdev -C | grep -i audio
# ls -lL /dev/*aud0

IRIX
# ls -lL /dev/audio

Linux
# ls -lL /dev/audio*

If the audio device is not owned by root, then this is a finding.

PDI: GEN002340 V0001049
Category: II
Status Code: AUTO
Previously: G502
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: An audio device is not owned by root.
Reference: UNIX STIG: 3.11

6. GEN002360 Audio Device Group Ownership

Solaris
# ls -lL /dev/audio

HP-UX
# /usr/sbin/ioscan -f
# ls -lL <audio device file>

AIX
# /usr/sbin/lsdev -C | grep -i audio
# ls -lL /dev/*aud0

IRIX
# ls -lL /dev/audio

Linux
# ls -lL /dev/audio*

If the audio device group ownership is not root, sys, bin, or audio, then this is a finding.

PDI: GEN002360 V0001061
Category: II
Status Code: AUTO
Previously: G504
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: An audio device is not group owned by root, sys, or bin.
Reference: UNIX STIG: 3.11

18. Set User ID (suid)

1. GEN002380 SUID Files Baseline

# find / -perm -4000 | more

If the ownership, permissions, and location of files with the suid bit set are not baselined with the IAO, then this
is a finding.

PDI: GEN002380 (V0000801)
Category: II
Status Code: PART
Previously: G082
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The ownership, permissions, and location of files with the suid bit set are not documented with the IAO.
Reference: UNIX STIG: 3.12.1

2. GEN002400 System Baseline for SUID Files Checking


# find / -perm -4000 | more

If the system is not checked weekly against the system baseline for unauthorized suid files as well as
unauthorized modification to authorized suid files, then this is a finding.

PDI: GEN002400 (V0000803)
Category: II
Status Code: PART
Previously: G084
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: VIVM-1
PDI Description: The system is not checked weekly against the system baseline for unauthorized suid files as well as unauthorized modification to authorized suid files.
Reference: UNIX STIG: 3.12.1

3. GEN002420 File Systems Mounted With nosuid

# mount | grep -v nosuid

Confirm all NFS mounts, floppy and CD drives, and user file systems (e.g., /export/home or /usr/home)
are configured with the nosuid option.
If user file systems, removable media, or remote file systems that do not require suid/sgid files are not mounted
with the nosuid option invoked, then this is a finding.

PDI: GEN002420 (V0000805)
Category: II
Status Code: PART
Previously: G086
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: User file systems, removable media, or remote file systems are not mounted with the nosuid option invoked.
Reference: UNIX STIG: 3.12.1
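The GEN002420 check above leaves the reviewer to read the mount list by eye; the following added script (not part of the checklist) automates it on Linux-style `mount` output, flagging remote, removable and user file systems that lack nosuid. The candidate file system types and mount point prefixes are assumptions taken from the check text, and the mount table below is constructed.

```shell
#!/bin/sh
# Added example (not part of the checklist): flag mounts that the GEN002420
# check expects to carry nosuid but that lack it. Input is text in the Linux
# `mount` output format: "<device> on <mountpoint> type <fstype> (<options>)".
# The candidate set (remote file systems, removable media, user file systems
# under /home, /export/home, /usr/home, /mnt, /media) is an assumption taken
# from the check text; extend the two regexes for a site's own layout.

nosuid_findings() {
    awk '
        $5 ~ /^(nfs|nfs4|cifs|smbfs|vfat|iso9660|udf)$/ ||
        $3 ~ /^\/(export\/home|home|usr\/home|mnt|media)(\/|$)/ {
            opts = $6
            gsub(/[()]/, "", opts)
            if (opts !~ /(^|,)nosuid(,|$)/)
                print $3 " (" $5 ") lacks nosuid"
        }' "$1"
}

# Constructed sample of `mount` output for an offline run; writes it to a
# temporary file and prints the path.
sample_mount_output() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 on / type ext4 (rw,relatime)
/dev/sda2 on /home type ext4 (rw,nosuid,nodev,relatime)
fileserver:/export on /mnt/nfs type nfs (rw,vers=3,hard)
/dev/sr0 on /media/cdrom type iso9660 (ro,nosuid,nodev)
/dev/sdb1 on /export/home type xfs (rw,relatime)
EOF
    printf '%s\n' "$f"
}

# Returns 0 when every candidate mount has nosuid, 1 (a finding) otherwise.
check_nosuid() {
    n=$(nosuid_findings "$1" | wc -l)
    [ "$n" -eq 0 ]
}

sample=$(sample_mount_output)
nosuid_findings "$sample"
check_nosuid "$sample" || echo "GEN002420: finding"
rm -f "$sample"
```

On a live host, feed it `mount > /tmp/mounts; nosuid_findings /tmp/mounts` instead of the sample file.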

19. Set Group ID (sgid)


1. GEN002440 SGID Files Baseline

# find / -perm -2000 | more

If the ownership, permissions, and location of files with the suid bit set are not baselined with the IAO, then this
is a finding.

PDI: GEN002440 (V0000802)
Category: II
Status Code: PART
Previously: G083
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The ownership, permissions, and location of files with the suid bit set are not documented with the IAO.
Reference: UNIX STIG: 3.12.1

2. GEN002460 System Baseline for SGID Files Checking

# find / -perm -2000 | more

If the system is not checked weekly against the system baseline for unauthorized sgid files as well as
unauthorized modification to authorized sgid files, then this is a finding.

PDI: GEN002460 (V0000804)
Category: II
Status Code: PART
Previously: G085
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: VIVM-1
PDI Description: The system is not checked weekly against the system baseline for unauthorized sgid files as well as unauthorized modification to authorized sgid files.
Reference: UNIX STIG: 3.12.2
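GEN002380/GEN002400 and GEN002440/GEN002460 require a baseline of suid and sgid files and a weekly comparison against it, but only give the find command. The added script below (not part of the checklist) records mode, owner, group and path for each such file and diffs a later scan against the saved baseline; the sample tree and the drift it suffers are constructed.

```shell
#!/bin/sh
# Added example (not part of the checklist): build a baseline of setuid and
# setgid files and compare a later scan against it, which is what the
# GEN002380/GEN002400 (suid) and GEN002440/GEN002460 (sgid) checks expect the
# site to do weekly. Each entry records mode, numeric owner and group, and
# path, so a permission or ownership change shows up as well as a new file.

# List suid/sgid files under $1 as "mode uid gid path", sorted for comm(1).
snapshot_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ln {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# Save a baseline for $1 into the file $2.
save_baseline() {
    snapshot_suid_sgid "$1" > "$2"
}

# Compare the current state of $1 with baseline $2. Prints "+ entry" for
# entries that are new or changed and "- entry" for entries that vanished or
# changed (a changed file appears once with each sign). Returns 0 when the
# scan matches the baseline, 1 when there are differences (a finding).
compare_baseline() {
    cur=$(mktemp)
    snapshot_suid_sgid "$1" > "$cur"
    diffs=$( { comm -13 "$2" "$cur" | sed 's/^/+ /'; comm -23 "$2" "$cur" | sed 's/^/- /'; } )
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed sample tree: one suid binary is baselined; prints the root.
sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/bin"
    : > "$root/bin/passwd"
    chmod 4755 "$root/bin/passwd"
    printf '%s\n' "$root"
}

# Simulate the drift that the weekly comparison should catch.
drift_sample_tree() {
    chmod 4775 "$1/bin/passwd"        # suid binary became group-writable
    : > "$1/bin/rogue"
    chmod 2755 "$1/bin/rogue"         # new, unbaselined sgid file
}

root=$(sample_tree)
base=$(mktemp)
save_baseline "$root" "$base"
drift_sample_tree "$root"
compare_baseline "$root" "$base" || echo "GEN002400/GEN002460: finding"
rm -rf "$root" "$base"
```

For the real check, run `save_baseline / /var/adm/suid.baseline` once with the IAO and `compare_baseline / /var/adm/suid.baseline` weekly.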

20. Sticky Bit


1. GEN002480 World Writable Files and Directories


# find / -type f -perm -002 |more


If there are world writable files, then this is a finding.
# find / -type d -perm -002 |more
If there are world writable directories that are not public directories (e.g., /tmp), then this is a finding.
PDI: GEN002480 (V0001010)
Category: II
Status Code: PART
Previously: G079
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: There are world writable files or world writable directories that are not public directories.
Reference: UNIX STIG: 3.12.3

2. GEN002500 Sticky Bit on Public Directories

# find / -type d -perm -002 ! -perm -1000 | more

If the sticky bit is not set on public directories, then this is a finding.

PDI: GEN002500 (V0000806)
Category: III
Status Code: PART
Previously: G087
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2, ECLP-1
PDI Description: The sticky bit is not set on public directories.
Reference: UNIX STIG: 3.12.3

3. GEN002520 Public Directories Ownership

# find / -type d \( -perm -002 -a -perm -1000 \) | more


If public directories are not owned by root or an application user, then this is a finding.
PDI: GEN002520 (V0000807)
Category: II
Status Code: PART
Previously: G088
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Public directories are not owned by root or an application user.
Reference: UNIX STIG: 3.12.3

4. GEN002540 Public Directories Group Ownership

# find / -type d \( -perm -002 -a -perm -1000 \) | more

If public directories are not group owned by root, sys, bin, or an application group, then this is a finding.

PDI: GEN002540 (V0011990)
Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Public directories are not group owned by root, sys, bin, or an application group.
Reference: UNIX STIG: 3.12.3

21. Umask

1. GEN002560 Default umask

AIX
# /usr/sbin/lsuser -a umask ALL | more

All other platforms


Global Initialization Files

# grep umask /etc/*
Confirm the global initialization files set the umask to 077.

Local Initialization Files

# grep umask /<usershomedirectory>/.*
Confirm the local initialization files do not set a umask less restrictive than the default of 077.
Note: If the default umask is 000 or allows for the creation of world writable files, this becomes a Severity Code I
finding.
If the system and user default umask is not 077, then this is a finding.

PDI: GEN002560 (V0000808)
Category: II
Status Code: PART
Previously: G089
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The system and user default umask is not 077.
Reference: UNIX STIG: 3.13

2. GEN002580 Permissive umask Documentation

AIX
# /usr/sbin/lsuser -a umask ALL | more

Local Initialization Files

# grep umask /<usershomedirectory>/.*


If an application has a umask less restrictive than 077, ask the SA or IAO if it is an application requirement and
ask to see the documentation. Note, however, that it is well known that Oracle requires a umask of 022. In that
case, or a similar one, this would not be a finding if it is documented with the IAO.

PDI: GEN002580 (V0000809)
Category: III
Status Code: MAN
Previously: G090
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: Applications requiring an umask more permissive than 077 are not justified and documented with the IAO.
Reference: UNIX STIG: 3.13
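GEN002560 and GEN002580 have the reviewer grep for umask lines and judge each value, including the Severity Code I escalation for masks that allow world-writable files. The added script below (not part of the checklist) does that grading with bit arithmetic so that, for instance, 007 and 022 are both reported as Category II while 000 is reported as Category I; the initialization files it scans are constructed.

```shell
#!/bin/sh
# Added example (not part of the checklist): scan initialization files for
# umask settings less restrictive than 077, as the GEN002560 and GEN002580
# checks require, and grade each one. A mask that leaves any of the 077 bits
# clear permits group or world access (Category II in the check); one that
# leaves the world-write bit clear allows world-writable files (Severity
# Code I per the note in GEN002560). Documented exceptions such as an
# application umask of 022 still have to be checked against the IAO's
# paperwork by hand.

# Octal string to decimal, without relying on shell-specific base syntax.
oct2dec() {
    n=0
    s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}
        s=${s#?}
        n=$(( n * 8 + d ))
    done
    printf '%s\n' "$n"
}

# Print "file:umask:severity" for every umask line in the given files that is
# more permissive than 077. Lines that are commented out are ignored.
umask_findings() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\).*/\1/p' "$f" |
        while read -r val; do
            m=$(oct2dec "$val")
            leak=$(( 63 & ~m ))          # 077 bits the mask fails to clear
            [ "$leak" -eq 0 ] && continue
            if [ $(( leak & 2 )) -ne 0 ]; then
                sev="CAT I (world-writable files possible)"
            else
                sev="CAT II"
            fi
            printf '%s:%s:%s\n' "$f" "$val" "$sev"
        done
    done
}

# Returns 0 when no file sets a umask more permissive than 077, else 1.
check_umask() {
    n=$(umask_findings "$@" | wc -l)
    [ "$n" -eq 0 ]
}

# Constructed sample initialization files; prints the directory holding them.
sample_init_files() {
    d=$(mktemp -d)
    printf '# umask 000 was the vendor default\numask 077\n' > "$d/profile"
    printf 'PATH=/usr/bin\n  umask 022   # needed by the database\n' > "$d/oracle.rc"
    printf 'umask 000\n' > "$d/dot.bashrc"
    printf 'umask 007\n' > "$d/dot.cshrc"
    printf '%s\n' "$d"
}

d=$(sample_init_files)
umask_findings "$d"/*
check_umask "$d"/* || echo "GEN002560: finding"
rm -rf "$d"
```

On a host, pass the real files: `umask_findings /etc/profile /etc/.login /home/*/.profile /home/*/.cshrc`.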

22. Development Systems

1. GEN002600 Development Systems Security Requirements

Ask the SA if the system being evaluated is a development system. If the system is utilized for development, ask
the SA if the same security standards are applied to both the development and production systems. If the same
security standards are not applied to both development and production systems, then this is a finding.
PDI: GEN002600 (V0011991)
Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The development system is not subject to the same security requirements as production systems.
Reference: UNIX STIG: 3.14

23. Default Accounts


1. GEN002640 Disabled Default System Accounts

To determine if default system accounts such as those for sys, bin, uucp, nuucp, daemon, smtp, etc., have been
disabled perform the following:


Solaris
# grep '\*LK\*' /etc/shadow

HP-UX
# grep u_lock /tcb/files/auth/b/bin
Repeat for other system accounts.

AIX
# grep account_locked /etc/security/user

IRIX
# grep '\*LK\*' /etc/passwd

Linux
# awk -F: '$2 == "*" {print $0}' /etc/shadow

If there are any default system accounts that are not locked or have false for a shell, then this is a finding.

PDI: GEN002640 (V0000810)
Category: II
Status Code: MAN
Previously: G092
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, IAAC-1
PDI Description: Default accounts have not been disabled.
Reference: UNIX STIG: 3.15
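The Linux command in GEN002640 only matches one lock marker and ignores the shell, so a reviewer still has to join passwd and shadow by hand. The added script below (not part of the checklist) does that join and reports each default account that is neither locked nor given a non-login shell; the account list is the one the check names, the lock markers recognised are an assumption covering the Solaris, Linux and shadow-suite conventions, and the passwd/shadow pair is constructed with fake hashes.

```shell
#!/bin/sh
# Added example (not part of the checklist): generalizes the GEN002640 Linux
# check. Instead of grepping for one lock marker it joins passwd and shadow
# and reports each default system account that is neither locked (password
# field "*", "!", "!!", "*LK*..." or any "!"-prefixed hash) nor given a
# non-login shell (/bin/false or a nologin shell). The account list is the
# one named in the check; pass a different list as the third argument.

DEFAULT_ACCOUNTS="sys bin uucp nuucp daemon smtp adm lp nobody"

# Usage: unlocked_default_accounts <passwd file> <shadow file> [account list]
# Prints one account name per line; returns 1 if any were printed (finding).
unlocked_default_accounts() {
    found=$(awk -F: -v shadow="$2" -v list="${3:-$DEFAULT_ACCOUNTS}" '
        BEGIN {
            n = split(list, a, " ")
            for (i = 1; i <= n; i++) want[a[i]] = 1
            while ((getline line < shadow) > 0) {
                split(line, f, ":")
                pw[f[1]] = f[2]
            }
        }
        ($1 in want) {
            hash = pw[$1]
            locked = (hash == "*" || hash ~ /^!/ || hash ~ /^\*LK\*/)
            noshell = ($7 ~ /(\/bin\/false|nologin)$/)
            if (!locked && !noshell) print $1
        }' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed passwd/shadow pair (fake hashes); prints the directory.
sample_account_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
smtp:x:25:25:smtp:/var/spool/mqueue:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$FAKESALT$FAKEHASH:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
daemon:*LK*:17000:0:99999:7:::
uucp:$6$FAKESALT$FAKEHASH:17000:0:99999:7:::
smtp:!!:17000:0:99999:7:::
lp:$6$FAKESALT$FAKEHASH:17000:0:99999:7:::
alice:$6$FAKESALT$FAKEHASH:17000:0:99999:7:::
EOF
    printf '%s\n' "$d"
}

d=$(sample_account_files)
unlocked_default_accounts "$d/passwd" "$d/shadow" || echo "GEN002640: finding"
rm -rf "$d"
```

In the sample only uucp is reported: bin has a false shell, daemon and smtp are locked, lp has a nologin shell.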

24. Audit Requirements


1. GEN002660 Configure and Implement Auditing

Perform the following to determine if auditing is enabled:

Solaris
# ps -ef | grep auditd

HP-UX
# audsys

AIX
# /usr/sbin/audit query | head -1

IRIX
# chkconfig audit

Linux
# ps -ef | grep auditd

If the auditd process is not found, then this is a finding.

PDI: GEN002660 (V0000811)
Category: II
Status Code: AUTO
Previously: G093
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAN-1, ECAT-1, ECAT-2
PDI Description: Auditing is not implemented.
Reference: UNIX STIG: 3.16

2. GEN002680 Audit Logs Accessibility


Perform the following to determine the location of audit logs and then check the ownership:

Solaris
# more /etc/security/audit_control
# ls -lLd <audit log dir>

HP-UX
# ls -la /.secure/etc/*

AIX
# grep :bin: /etc/security/audit/config
Directories to search will be listed under the bin stanza.
# ls -la <audit directories>

IRIX
# ls -la /var/adm/sat

Linux
# ls -la /var/log/audit.d
# ls -la /var/log/audit/audit.log

If any of the audit log files are readable by unprivileged ids, then this is a finding.

PDI: GEN002680 (V0000812)
Category: II
Status Code: AUTO
Previously: G094
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description: System audit logs are readable by unauthorized users.
Reference: UNIX STIG: 3.16


3. GEN002700 Audit Logs Permissions

Perform the following to determine the location of audit logs and then check the permissions:

Solaris
# more /etc/security/audit_control
# ls -la <audit log dir>

HP-UX
# ls -la /.secure/etc

AIX
# grep :bin: /etc/security/audit/config
Directories to search will be listed under the bin stanza.
# ls -la <audit directories>

IRIX
# ls -la /var/adm/sat

Linux
# ls -la /var/log/audit.d
# ls -la /var/log/audit/audit.log

If any of the audit log file permissions are greater than 640, then this is a finding.

PDI: GEN002700 (V0000813)
Category: II
Status Code: AUTO
Previously: G095
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description: System audit logs are more permissive than 640.
Reference: UNIX STIG: 3.16
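Many checks in this section, from the audio device at 644 (GEN002320 through GEN002360) to the audit logs at 640 (GEN002680 and GEN002700) and the cron files further on, reduce to "does this path have any permission bit beyond the limit, and is it owned by an allowed user or group". The added functions below (not part of the checklist) answer that portably by parsing `ls -ld` rather than a GNU-only stat; the audit log and device stand-ins they run against are constructed files.

```shell
#!/bin/sh
# Added example (not part of the checklist): a portable "more permissive
# than" test for the mode and ownership checks in this section, such as audio
# devices at 644 (GEN002320/2340/2360), audit logs at 640 (GEN002680/2700)
# and the cron files and directories later on. It parses `ls -ld` rather than
# a GNU-only stat(1) so the same function runs on the Solaris, HP-UX, AIX,
# IRIX and Linux hosts the checklist covers. A file is "more permissive" than
# the limit when it has any permission bit the limit lacks; equal or tighter
# modes pass, and setuid/setgid/sticky bits count as extra bits.

# Octal string to decimal.
oct2dec() {
    n=0; s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}; s=${s#?}
        n=$(( n * 8 + d ))
    done
    printf '%s\n' "$n"
}

# Decimal mode of a path (symlinks followed), derived from the ls mode column.
mode_of() {
    sym=$(ls -ldL "$1" | cut -c2-10)
    m=0; i=1
    while [ "$i" -le 9 ]; do
        case $(printf '%s' "$sym" | cut -c"$i") in
            r|w|x|s|t) m=$(( m * 2 + 1 )) ;;   # bit set (s/t also imply x)
            *)         m=$(( m * 2 )) ;;       # "-", or S/T without x
        esac
        i=$(( i + 1 ))
    done
    case $(printf '%s' "$sym" | cut -c3) in s|S) m=$(( m + 2048 )) ;; esac  # setuid
    case $(printf '%s' "$sym" | cut -c6) in s|S) m=$(( m + 1024 )) ;; esac  # setgid
    case $(printf '%s' "$sym" | cut -c9) in t|T) m=$(( m + 512 )) ;; esac   # sticky
    printf '%s\n' "$m"
}

# more_permissive_than <path> <octal limit>: true (0) when the path has bits
# the limit does not, which is the finding condition in the checks.
more_permissive_than() {
    extra=$(( $(mode_of "$1") & ~$(oct2dec "$2") ))
    [ "$extra" -ne 0 ]
}

# owned_by <path> <user>...: true when the owner is one of the listed users.
owned_by() {
    p=$1; shift
    o=$(ls -ldL "$p" | awk '{ print $3 }')
    for u in "$@"; do [ "$o" = "$u" ] && return 0; done
    return 1
}

# group_owned_by <path> <group>...: true when the group is one of those listed.
group_owned_by() {
    p=$1; shift
    g=$(ls -ldL "$p" | awk '{ print $4 }')
    for x in "$@"; do [ "$g" = "$x" ] && return 0; done
    return 1
}

# Demo on constructed files standing in for an audit log and a device node.
d=$(mktemp -d)
: > "$d/audit.log"; chmod 644 "$d/audit.log"
: > "$d/audio";     chmod 644 "$d/audio"
more_permissive_than "$d/audit.log" 640 && echo "GEN002700: finding (644 exceeds 640)"
more_permissive_than "$d/audio" 644 || echo "GEN002320: not a finding"
owned_by "$d/audio" root || echo "GEN002340: finding (owner is not root)"
group_owned_by "$d/audio" root sys bin audio || echo "GEN002360: finding"
rm -rf "$d"
```
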


4. GEN002720 Audit Failed File and Program Access Attempts

Solaris
# more /etc/security/audit_control
Confirm flags fr or -fr is configured.

HP-UX
# grep -i audevent_args1 /etc/rc.config.d/auditing | grep open

AIX
# more /etc/security/audit/events
Confirm the following events are configured:
FILE_Open

IRIX
# sat_select | egrep 'sat_access_denied|sat_access_failed'

Linux
For LAUS:
# grep @open-ops /etc/audit/filter.conf

For auditd:
# grep -- '-a exit,always -S open -F success!=0' /etc/audit.rules

PDI: GEN002720 (V0000814)
Category: II
Status Code: AUTO
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description: The audit system is not configured to audit failed attempts to access files and programs.
Reference: UNIX STIG: 3.16

5. GEN002740 Audit File and Program Deletion

Solaris
# grep flags /etc/security/audit_control
Confirm flags fd or +fd and -fd is configured.

HP-UX
# grep -i audevent_args1 /etc/rc.config.d/auditing | grep delete

AIX
# more /etc/security/audit/events
Confirm the following events are configured:
FILE_Unlink, FS_Rmdir

IRIX
# sat_select | grep sat_file_crt_del

Linux
For LAUS:


# grep @rmdir-ops /etc/audit/filter.conf
# grep @unlink-ops /etc/audit/filter.conf

For auditd:
# grep -- '-a exit,always -S unlink -S rmdir' /etc/audit.rules

PDI: GEN002740 (V0000815)
Category: II
Status Code: AUTO
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description: The audit system is not configured to audit files and programs deleted by the user.
Reference: UNIX STIG: 3.16

6. GEN002760 Audit Administrative, Privileged, and Security Actions

Solaris 2.5 through 9
# grep flags /etc/security/audit_control
Confirm flags ad or +ad and -ad is configured.

Solaris 10 and some prior versions of 8 and 9
# grep flags /etc/security/audit_control
Confirm am or +am and -am is configured.

HP-UX
# grep -i audevent_args1 /etc/rc.config.d/auditing | grep admin
# grep -i audevent_args1 /etc/rc.config.d/auditing | grep removable


AIX
# more /etc/security/audit/events
Confirm the following events are configured:
ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create,
FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount,
PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIds,
RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and
USER_SetEnv

IRIX
# sat_select | egrep 'sat_ae_mount|sat_sysacct|sat_checkpriv'

Linux
For LAUS:
# grep @priv-ops /etc/audit/filter.conf
# grep @mount-ops /etc/audit/filter.conf
# grep @system-ops /etc/audit/filter.conf

For auditd the following should be present in /etc/audit.rules:
-w /var/log/audit/
-w /etc/auditd.conf
-w /etc/audit.rules
-a exit,always -S stime -S acct -S reboot -S swapon
-a exit,always -S settimeofday -S setrlimit -S setdomainname
-a exit,always -S sched_setparam -S sched_setscheduler

PDI: GEN002760 (V0000816)
Category: II
Status Code: AUTO
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description: The audit system is not configured to audit all administrative, privileged, and security actions.
Reference: UNIX STIG: 3.16


7. GEN002800 Audit Login, Logout, and Session Initiation

Solaris
# egrep 'flags|naflags' /etc/security/audit_control
Confirm flags lo or +lo and -lo is configured.
Confirm naflags lo or +lo and -lo is configured.

HP-UX
# grep -i audevent_args1 /etc/rc.config.d/auditing | grep login

AIX
# more /etc/security/audit/events
Confirm the following events are configured:
USER_Login, USER_Logout, INIT_Start, INIT_End and USER_SU

IRIX
# sat_select | grep sat_ae_identity

Linux
For LAUS:
# grep process-login /etc/audit/filter.conf | grep always

For auditd:
This is not a finding. Auditd enables this by default in the source code.

PDI: GEN002800 (V0000818)
Category: II
Status Code: AUTO
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description: The audit system is not configured to audit login, logout, and session initiation.
Reference: UNIX STIG: 3.16

8. GEN002820 Audit Discretionary Access Control Permission Modifications

Solaris
# grep flags /etc/security/audit_control
Confirm flags fm or +fm and -fm is configured.

HP-UX
# grep -i audevent_args1 /etc/rc.config.d/auditing | grep moddac

AIX
# more /etc/security/audit/events
Confirm the following events are configured:
FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode and FILE_Owner

IRIX
# sat_select | grep sat_fd_attr_write
# sat_select | grep sat_file_attr_write


Linux
For LAUS:
# grep @mode-ops /etc/audit/filter.conf
# grep @owner-ops /etc/audit/filter.conf

For auditd the following system calls should be present in /etc/audit.rules:
-a exit,always -S chmod -S fchmod -S chown -S chown32 -S fchown
-a exit,always -S fchown32 -S lchown -S lchown32

PDI: GEN002820 (V0000819)
Category: II
Status Code: AUTO
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description: The audit system is not configured to audit all discretionary access control permission modifications.
Reference: UNIX STIG: 3.16
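The auditd lines in GEN002720 through GEN002820 are checked by grepping for exact rule text, which misses a site that splits the same syscalls across rules differently. The added script below (not part of the checklist) instead tests each required syscall and watch path individually against the uncommented rules; the syscall lists are those the checks give, and the rules file it reads is constructed with deliberate gaps.

```shell
#!/bin/sh
# Added example (not part of the checklist): verify that an auditd rules file
# covers the system calls and watches the GEN002720 through GEN002820 checks
# list, instead of grepping for one exact line. A syscall counts as covered
# when an uncommented "-a exit,always" (or the newer "-a always,exit") rule
# names it with -S; a path counts as watched when a "-w <path>" rule exists.
# The file path is a parameter; the rules file used below is constructed.

# Print each syscall in $2.. that no exit rule in $1 names; returns 1 if any.
audit_missing_syscalls() {
    rules=$1; shift
    missing=""
    for sc in "$@"; do
        if ! grep -v '^[[:space:]]*#' "$rules" |
             grep -E -e '-a[[:space:]]+(exit,[[:space:]]*always|always,[[:space:]]*exit)' |
             grep -qE -e "-S[[:space:]]+$sc([[:space:]]|\$)"; then
            missing="$missing $sc"
        fi
    done
    [ -z "$missing" ] && return 0
    for sc in $missing; do printf '%s\n' "$sc"; done
    return 1
}

# Print each path in $2.. that has no "-w <path>" rule in $1; returns 1 if any.
audit_missing_watches() {
    rules=$1; shift
    missing=""
    for p in "$@"; do
        grep -v '^[[:space:]]*#' "$rules" | grep -qE -e "-w[[:space:]]+$p([[:space:]]|\$)" ||
            missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    for p in $missing; do printf '%s\n' "$p"; done
    return 1
}

# The syscall and watch lists from the checks, grouped per requirement.
DAC_SYSCALLS="chmod fchmod chown chown32 fchown fchown32 lchown lchown32"
DELETE_SYSCALLS="unlink rmdir"
ADMIN_SYSCALLS="stime acct reboot swapon settimeofday setrlimit setdomainname sched_setparam sched_setscheduler"
ADMIN_WATCHES="/var/log/audit/ /etc/auditd.conf /etc/audit.rules"

# Constructed rules file with deliberate gaps (fchown32, sched_setscheduler
# and the watch on /etc/auditd.conf are missing); prints its path.
sample_audit_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# sample /etc/audit.rules (constructed)
-w /var/log/audit/
-w /etc/audit.rules
-a exit,always -S open -F success!=0
-a exit,always -S unlink -S rmdir
-a exit,always -S chmod -S fchmod -S chown -S chown32 -S fchown
-a exit,always -S lchown -S lchown32
-a exit,always -S stime -S acct -S reboot -S swapon
-a exit,always -S settimeofday -S setrlimit -S setdomainname
-a exit, always -S sched_setparam
EOF
    printf '%s\n' "$f"
}

f=$(sample_audit_rules)
audit_missing_syscalls "$f" open               || echo "GEN002720: finding"
audit_missing_syscalls "$f" $DELETE_SYSCALLS   || echo "GEN002740: finding"
audit_missing_syscalls "$f" $ADMIN_SYSCALLS    || echo "GEN002760: finding (syscalls)"
audit_missing_watches  "$f" $ADMIN_WATCHES     || echo "GEN002760: finding (watches)"
audit_missing_syscalls "$f" $DAC_SYSCALLS      || echo "GEN002820: finding"
rm -f "$f"
```
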

9. GEN002860 Audit Logs Rotation

Perform the following to search the crontab for entries to rotate the audit logs.
# crontab -l

If a program can be located, this is not a finding. Otherwise, query the SA. If there is one that is demonstrable
(and runs automatically), this is not a finding. If the SA runs it manually, it is still a finding, because if the SA is
not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding.
This can be ascertained by looking at the audit log directory and, if more than one file is there, or if the file does
not have today's date, this is a finding.

PDI: GEN002860 (V0004357)
Category: II
Status Code: AUTO
Previously: G674
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP


IA Controls: ECTP-1
PDI Description: Audit logs are not rotated daily.
Reference: UNIX STIG: 3.16

10. GEN002900 Audit Data Retention

Ask the SA or the IAO if audit data is retained for at least one year or five years for SAMI audit data. If it is not,
then this is a finding.
PDI: GEN002900 (V0011992)
Category: III
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECRR-1
PDI Description: Audit data is not retained at least one year or SAMI audit data for five years.
Reference: UNIX STIG: 3.16

11. GEN002920 Audit Data Backup

Ask the SA if audit logs and records are backed up onto a different system or offline media on at least a weekly
basis. If it is not, then this is a finding. This check only pertains to audit logs. If a full operating system backup
is completed weekly which contains all of the audit logs, then this is not a finding.
PDI: GEN002920 (V0012048)
Category: III
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTB-1
PDI Description: Audit data is not backed up onto a different system or backup media on at least a weekly basis.
Reference: UNIX STIG: 3.16

25. Audit Review Guidance


1. GEN002940 Audit Logs Review

Ask the IAO if audit files are reviewed daily for requirements stated in the Unix STIG. If the audit files are not
reviewed daily, then this is a finding.
PDI: GEN002940 (V0011993)
Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAT-1, ECAT-2
PDI Description: Audit trails and/or system logs are not reviewed on a daily basis for:
  Excessive logon attempt failures by single or multiple users
  Logons at unusual/non-duty hours
  Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing
  Unusual or unauthorized activity by System Administrators
  Command-line activity by a user that should not have that capability
  System failures or errors
  Unusual or suspicious patterns of activity
Reference: UNIX STIG: 3.16.1

26. Cron Restrictions

1. GEN002960 Cron Utility Accessibility

Verify the cron.allow and cron.deny files exist:

Solaris
# ls -lL /etc/cron.d/cron.allow
# ls -lL /etc/cron.d/cron.deny


HP-UX
# ls -lL /var/adm/cron/cron.allow
# ls -lL /var/adm/cron/cron.deny

AIX
# ls -lL /var/adm/cron/cron.allow
# ls -lL /var/adm/cron/cron.deny

IRIX
# ls -lL /etc/cron.d/cron.allow
# ls -lL /etc/cron.d/cron.deny

Linux
Red Hat
# ls -lL /etc/cron.allow
# ls -lL /etc/cron.deny
Or
SuSE
# ls -lL /var/spool/cron/allow
# ls -lL /var/spool/cron/deny
If the cron.allow or cron.deny files do not exist, then this is a finding.

PDI: GEN002960 (V0000974)
Category: II
Status Code: AUTO
Previously: G200
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: Access to the cron utility is not controlled via the cron.allow and/or cron.deny file(s).
Reference: UNIX STIG: 3.17.3


2. GEN002980 The cron.allow Permissions

Solaris
# ls -lL /etc/cron.d/cron.allow

HP-UX
# ls -lL /var/adm/cron/cron.allow

AIX
# ls -lL /var/adm/cron/cron.allow

IRIX
# ls -lL /etc/cron.d/cron.allow

Linux
Red Hat
# ls -lL /etc/cron.allow
Or
SuSE
# ls -lL /var/spool/cron/allow
If the cron.allow file is more permissive than 600, then this is a finding.

PDI: GEN002980 (V0000975)
Category: II
Status Code: AUTO
Previously: G201
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The cron.allow file is more permissive than 600.
Reference: UNIX STIG: 3.17.3


3. GEN003000 Cron Executes World Writable Programs

The following lists the directories to search for cron jobs:


Solaris
# ls /var/spool/cron/crontabs/

HP-UX
# ls /var/spool/cron/crontabs/

AIX
# ls /var/spool/cron/crontabs/

IRIX
# ls /var/spool/cron/crontabs/

Linux
# ls /var/spool/cron/
# ls /etc/cron.d/
# ls /etc/crontab
# ls /etc/cron.daily/
# ls /etc/cron.hourly/
# ls /etc/cron.monthly/
# ls /etc/cron.weekly/
If cron jobs exist under any of the above directories, use the following command to search for programs executed
by at:
# more <cron job file>


Perform a long listing of each program file found in the cron file to determine if the file is world writable.
# ls -la <cron program file>

If cron executes world writable files, then this is a finding.


PDI: GEN003000 (V0000976)
Category: II
Status Code: AUTO
Previously: G203
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: Cron executes group or world writable programs.
Reference: UNIX STIG: 3.17.3

4. GEN003020 Cron Executes Programs in World Writable Directories

The following lists the directories to search for cron jobs:

Solaris
# ls /var/spool/cron/crontabs/

HP-UX
# ls /var/spool/cron/crontabs/

AIX
# ls /var/spool/cron/crontabs/

IRIX
# ls /var/spool/cron/crontabs/


Linux
# ls /var/spool/cron/
# ls /etc/cron.d/
# ls /etc/crontab
# ls /etc/cron.daily/
# ls /etc/cron.hourly/
# ls /etc/cron.monthly/
# ls /etc/cron.weekly/
If cron jobs exist under any of the above directories, use the following command to search for programs executed
by at:
# more <cron job file>

Perform a long listing of each program file's parent directory found in the cron file to determine if the directory
is world writable.
# ls -la <cron program file directory>

If cron executes programs in world writable directories, then this is a finding.

PDI: GEN003020 (V0000977)
Category: II
Status Code: AUTO
Previously: G204
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: Cron executes programs in or subordinate to world writable directories.
Reference: UNIX STIG: 3.17.3
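GEN003000 and GEN003020 have the reviewer open each crontab, pick out the programs it runs and long-list each one and its parent directory. The added script below (not part of the checklist) does that extraction and both world-writable tests for a user-format crontab; the crontab and the programs it references are constructed in a temporary tree, and the /etc/crontab format with its extra user field is deliberately not handled.

```shell
#!/bin/sh
# Added example (not part of the checklist): extract the programs a crontab
# runs and report those that are world-writable (GEN003000) or live in a
# world-writable directory (GEN003020). It parses user crontabs (five time
# fields, or an @reboot/@daily style shortcut, then the command); the
# /etc/crontab format with its extra user field is not handled here.

# Print the first word of each job's command in crontab file $1, skipping
# comments, blank lines and VAR=value assignments.
cron_programs() {
    awk '
        /^[[:space:]]*#/ { next }                  # comment
        NF == 0 { next }                           # blank line
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # environment assignment
        $1 ~ /^@/ && NF >= 2 { print $2; next }    # @daily /path ...
        NF >= 6 { print $6 }                       # m h dom mon dow /path ...
    ' "$1"
}

# True when $1 (file or directory) has the other-write bit; -prune keeps
# find(1) from descending into a directory, so only $1 itself is tested.
is_world_writable() {
    find "$1" -prune -perm -0002 2>/dev/null | grep -q .
}

# Print "FILE <path>" or "DIR <path>" for each finding; returns 1 if any.
cron_world_writable_findings() {
    out=$(mktemp)
    for prog in $(cron_programs "$1"); do
        case $prog in /*) ;; *) continue ;; esac   # only absolute paths can be checked
        [ -e "$prog" ] || continue
        is_world_writable "$prog" && echo "FILE $prog" >> "$out"
        dir=$(dirname "$prog")
        is_world_writable "$dir" && echo "DIR $dir" >> "$out"
    done
    if [ -s "$out" ]; then
        cat "$out"
        rm -f "$out"
        return 1
    fi
    rm -f "$out"
    return 0
}

# Constructed crontab plus the files it references; prints the sandbox root.
sample_cron_tree() {
    root=$(mktemp -d)
    mkdir "$root/bin" "$root/pub"
    chmod 755 "$root/bin"
    chmod 1777 "$root/pub"                                       # world-writable directory
    : > "$root/bin/backup.sh"; chmod 777 "$root/bin/backup.sh"   # world-writable program
    : > "$root/bin/rotate.sh"; chmod 755 "$root/bin/rotate.sh"   # fine
    : > "$root/pub/job.sh";    chmod 755 "$root/pub/job.sh"      # fine itself, bad directory
    cat > "$root/crontab" <<EOF
# nightly jobs (constructed sample)
MAILTO=root
0 2 * * * $root/bin/backup.sh --full
30 2 * * * $root/bin/rotate.sh
*/5 * * * * $root/pub/job.sh -q
@reboot $root/bin/rotate.sh
EOF
    printf '%s\n' "$root"
}

root=$(sample_cron_tree)
cron_world_writable_findings "$root/crontab" || echo "GEN003000/GEN003020: finding"
rm -rf "$root"
```

On a host, run it over each file under the crontab directories the check lists, e.g. `for c in /var/spool/cron/crontabs/*; do cron_world_writable_findings "$c"; done`.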

5. GEN003040 Crontabs Ownership

Perform the following to view the crontab ownership:


Solaris
# ls -lL /var/spool/cron/crontabs/

HP-UX
# ls -lL /var/spool/cron/crontabs/

AIX
# ls -lL /var/spool/cron/crontabs/

IRIX
# ls -lL /var/spool/cron/crontabs/

Linux
# ls -lL /var/spool/cron/
# ls -lL /etc/cron.d/
# ls -lL /etc/crontab
# ls -lL /etc/cron.daily/
# ls -lL /etc/cron.hourly/
# ls -lL /etc/cron.monthly/
# ls -lL /etc/cron.weekly/
If the file is not owned by root or the creating user account, then this is a finding.

PDI: GEN003040 (V0011994)
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: Crontabs are not owned by root or the crontab creator.
Reference: UNIX STIG: 3.17.3


6. GEN003060 Default System Accounts and Cron

Check for default system accounts in the following:

Solaris
# more /etc/cron.d/cron.allow

HP-UX
# more /var/adm/cron/cron.allow

AIX
# more /var/adm/cron/cron.allow

IRIX
# more /etc/cron.d/cron.allow

Linux
Red Hat
# more /etc/cron.allow
Or
SuSE
# more /var/spool/cron/allow
Default accounts (such as bin, sys, adm, and others) will not be listed in the cron.allow file or this will be a
finding.
PDI: GEN003060 (V0011995)
Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1


PDI Description: Default system accounts (with the possible exception of root) are listed in the cron.allow file or excluded from the cron.deny file if cron.allow does not exist.
Reference: UNIX STIG: 3.17.3

7. GEN003080 Crontab files Permissions

Solaris
# ls -lL /var/spool/cron/crontabs/

HP-UX
# ls -lL /var/spool/cron/crontabs/

AIX
# ls -lL /var/spool/cron/crontabs/

IRIX
# ls -lL /var/spool/cron/crontabs/

Linux
# ls -lL /var/spool/cron/       (Permissions of 600)
# ls -lL /etc/cron.d/           (Permissions of 600)
# ls -lL /etc/crontab           (Permissions of 600)
# ls -lL /etc/cron.daily/       (Permissions of 700)
# ls -lL /etc/cron.hourly/      (Permissions of 700)
# ls -lL /etc/cron.monthly/     (Permissions of 700)
# ls -lL /etc/cron.weekly/      (Permissions of 700)

If crontab files are more permissive than 600 (700 for some Linux files), then this is a finding.

PDI: GEN003080 (V0000978)
Category: II
Status Code: AUTO
Previously: G205
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: Crontab files are more permissive than 600 (700 for some Linux files).
Reference: UNIX STIG: 3.17.3

8. GEN003100 Cron and Crontab Directories Permissions

Solaris
# ls -ld /var/spool/cron/crontabs

HP-UX
# ls -ld /var/spool/cron/crontabs

AIX
# ls -ld /var/spool/cron/crontabs

IRIX
# ls -ld /var/spool/cron/crontabs

Linux
# ls -ld /var/spool/cron
# ls -ld /etc/cron.d
# ls -ld /etc/cron.daily
# ls -ld /etc/cron.hourly
# ls -ld /etc/cron.monthly
# ls -ld /etc/cron.weekly
If the cron or crontab directories are more permissive than 755, then this is a finding.

PDI: GEN003100 (V0000979)
Category: II
Status Code: AUTO
Previously: G206
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The cron or crontab directories are more permissive than 755.
Reference: UNIX STIG: 3.17.3

9. GEN003120 Cron and Crontab Directories Ownership

Solaris
# ls -ld /var/spool/cron/crontabs

HP-UX
# ls -ld /var/spool/cron/crontabs

AIX
# ls -ld /var/spool/cron/crontabs

IRIX
# ls -ld /var/spool/cron/crontabs

Linux
# ls -ld /var/spool/cron
# ls -ld /etc/cron.d
# ls -ld /etc/cron.daily
# ls -ld /etc/cron.hourly
# ls -ld /etc/cron.monthly
# ls -ld /etc/cron.weekly


If the cron or crontab directories are not owned by root or bin, then this is a finding.
PDI: GEN003120 (V0000980)
Category: II
Status Code: AUTO
Previously: G207
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The cron or crontab directories are not owned by root or bin.
Reference: UNIX STIG: 3.17.3

10. GEN003140 Cron and Crontab Directories Group Ownership

Solaris
# ls -ld /var/spool/cron/crontabs

HP-UX
# ls -ld /var/spool/cron/crontabs

AIX
# ls -ld /var/spool/cron/crontabs

IRIX
# ls -ld /var/spool/cron/crontabs

Linux
# ls -ld /var/spool/cron
# ls -ld /etc/cron.d
# ls -ld /etc/cron.daily
# ls -ld /etc/cron.hourly
# ls -ld /etc/cron.monthly
# ls -ld /etc/cron.weekly


If the cron or crontab directories are not group owned by root, sys, or bin, then this is a finding.
PDI: GEN003140 (V0000981)
Category: II
Status Code: AUTO
Previously: G208
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The cron or crontab directories are not group owned by root, sys, or bin.
Reference: UNIX STIG: 3.17.3

11. GEN003160 Cron Logging

Perform the following to check for cron logging:

Solaris
# ls -lL /var/cron/log
# more /etc/default/cron
Confirm the following line is present:
CRONLOG=YES
If this line does not exist, this is a finding.

HP-UX
# ls -lL /var/adm/cron/log
Cron is logged by default.

AIX
# ls -lL /var/adm/cron/log
Cron is logged by default.

IRIX
# ls -lL /var/cron/log


Linux
Cron logging is controlled by syslog on Linux:
# grep cron /etc/syslog.conf

Red Hat
# ls -lL /var/log/cron
SuSE
# ls -lL /var/log/messages
If an entry for cron is not found, then this is a finding.

PDI: GEN003160 (V0000982)
Category: II
Status Code: AUTO
Previously: G209
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAT-1, ECAT-2, DCCS-1, DCCS-2
PDI Description: Cron logging is not implemented.
Reference: UNIX STIG: 3.17.3

12. GEN003180 Cronlog Permissions

Solaris
# ls -lL /var/cron/log

HP-UX
# ls -lL /var/adm/cron/log

AIX
# ls -lL /var/adm/cron/log


IRIX
# ls -lL /var/cron/log

Linux
Red Hat
# ls -lL /var/log/cron
SuSE
# ls -lL /var/log/messages
If the cronlog file is more permissive than 600, then this is a finding.

PDI: GEN003180 (V0000983)
Category: II
Status Code: AUTO
Previously: G210
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The cronlog file is more permissive than 600.
Reference: UNIX STIG: 3.17.3

13. GEN003200 cron.deny Permissions

Solaris
# ls -lL /etc/cron.d/cron.deny

HP-UX
# ls -lL /var/adm/cron/cron.deny

AIX
# ls -lL /var/adm/cron/cron.deny


IRIX
# ls lL /etc/cron.d/cron.deny

Linux
Red Hat
# ls lL /etc/cron.deny
Or
SuSE
# ls lL /var/spool/cron/deny

If the cron.deny file is more permissive than 600 , then this is a finding.
PDI:

GEN003200
V0004358

Category II
:

Status Code: AUTO

Previously:

G620

MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP


IA Controls:

ECLP-1, ECCD-1, ECCD-2

PDI Description:

The cron.deny file is more permissive than 600.

Reference:

UNIX STIG: 3.17.3

14. GEN003220 Cron Programs umask

Perform the following to check for cron jobs:

Solaris
# ls -lL /var/spool/cron/crontabs

HP-UX
# ls -lL /var/spool/cron/crontabs

AIX
# ls -lL /var/spool/cron/crontabs

IRIX
# ls -lL /var/spool/cron/crontabs

Linux
# ls -lL /var/spool/cron
# ls -lL /etc/cron.d
# ls -lL /etc/cron.daily
# ls -lL /etc/cron.hourly
# ls -lL /etc/cron.monthly
# ls -lL /etc/cron.weekly
Determine if there are any cron jobs by viewing a long listing of the directory. If there are cron jobs, perform the
following from within the crontab directory to check for any programs that may have a umask more permissive than 077:
# grep umask ./*

If there are any, this is a finding unless the IAO has justifying documentation. If there are no cron jobs present,
this vulnerability is Not Applicable.

PDI: GEN003220  V0004360  Category: III  Status Code: PART  Previously: G621
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1, DCSD-1
PDI Description: Cron programs set the umask more permissive than 077 and these are not justified and documented with the IAO.
Reference: UNIX STIG: 3.17.3


15. GEN003240 cron.allow Ownership

Solaris
# ls -lL /etc/cron.d/cron.allow

HP-UX
# ls -lL /var/adm/cron/cron.allow

AIX
# ls -lL /var/adm/cron/cron.allow

IRIX
# ls -lL /etc/cron.d/cron.allow

Linux
Red Hat
# ls -lL /etc/cron.allow
Or
SuSE
# ls -lL /var/spool/cron/allow

If the cron.allow file is not owned and group owned by root, sys, or bin, then this is a finding.

PDI: GEN003240  V0004361  Category: II  Status Code: AUTO  Previously: G622
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The cron.allow file is not owned and group owned by root, sys, or bin.
Reference: UNIX STIG: 3.17.3

16. GEN003260 cron.deny Ownership

Solaris
# ls -lL /etc/cron.d/cron.deny

HP-UX
# ls -lL /var/adm/cron/cron.deny

AIX
# ls -lL /var/adm/cron/cron.deny

IRIX
# ls -lL /etc/cron.d/cron.deny

Linux
Red Hat
# ls -lL /etc/cron.deny
Or
SuSE
# ls -lL /var/spool/cron/deny
If the cron.deny file is not owned and group owned by root, sys, or bin, then this is a finding.

PDI: GEN003260  V0004430  Category: II  Status Code: AUTO  Previously: G623
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The cron.deny file is not owned and group owned by root, sys, or bin.
Reference: UNIX STIG: 3.17.3

27. At Restrictions

1. GEN003280 At Utility Accessibility

Verify the at.allow and/or at.deny files exist.

Solaris
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny

HP-UX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny

AIX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny

IRIX
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny

Linux
# ls -lL /etc/at.allow
# ls -lL /etc/at.deny
Ensure at least one of the above files exists.

PDI: GEN003280  V0000984  Category: II  Status Code: AUTO  Previously: G211
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: Access to the at utility is not controlled via the at.allow and/or at.deny file(s).
Reference: UNIX STIG: 3.18.3

2. GEN003300 The at.deny File

Solaris
# more /etc/cron.d/at.deny

HP-UX
# more /var/adm/cron/at.deny

AIX
# more /var/adm/cron/at.deny

IRIX
# more /etc/cron.d/at.deny

Linux
# more /etc/at.deny

If the at.deny file exists and is empty, then this is a finding.

PDI: GEN003300  V0000985  Category: II  Status Code: AUTO  Previously: G212
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: The at.deny file exists and is empty.
Reference: UNIX STIG: 3.18.3

3. GEN003320 Default System Accounts and At

Solaris
# more /etc/cron.d/at.allow

HP-UX
# more /var/adm/cron/at.allow

AIX
# more /var/adm/cron/at.allow

IRIX
# more /etc/cron.d/at.allow

Linux
# more /etc/at.allow
Default accounts (such as bin, sys, adm, and others) will not be listed in the at.allow file or this will be a
finding.

PDI: GEN003320  V0000986  Category: II  Status Code: AUTO  Previously: G213
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECPA-1
PDI Description: Default system accounts (with the exception of root) are listed in the at.allow file or excluded from the at.deny file if at.allow does not exist.
Reference: UNIX STIG: 3.18.3

4. GEN003340 at.allow and at.deny Permissions

Solaris
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny

HP-UX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny

AIX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny

IRIX
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny

Linux
# ls -lL /etc/at.allow
# ls -lL /etc/at.deny
If the at.allow or at.deny file(s) is more permissive than 600, then this is a finding.

PDI: GEN003340  V0000987  Category: II  Status Code: AUTO  Previously: G214
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The at.allow or at.deny file(s) is more permissive than 600.
Reference: UNIX STIG: 3.18.3

5. GEN003360 At Executes World Writable Programs

If at jobs exist under either /var/spool/cron/atjobs or /var/spool/atjobs, use the following command to search for
programs executed by at:
# more <at job file>

Perform a long listing of each program file in the at job file to determine if the file is world writable.
# ls -la <at program file>

If at executes programs that are world writable, then this is a finding.

PDI: GEN003360  V0000988  Category: II  Status Code: AUTO  Previously: G215
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: At executes group or world writable programs.
Reference: UNIX STIG: 3.18.3


6. GEN003380 At Executes Programs in World Writable Directories

If at jobs exist under either /var/spool/cron/atjobs or /var/spool/atjobs, use the following command to search for
programs executed by at:
# more <at job file>

Perform a long listing of each program file's parent directory found in the at job file to determine if the directory
is world writable.
# ls -la <at program file directory>

If at executes programs in world writable directories, then this is a finding.

PDI: GEN003380  V0000989  Category: II  Status Code: AUTO  Previously: G216
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: At executes programs in or subordinate to world writable directories.
Reference: UNIX STIG: 3.18.3
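The two at checks above (GEN003360 and GEN003380) are shown below as one script. This is an added example, not part of the checklist or of any vendor tool: it extracts the program paths from an at job file, then tests each program and its parent directory for the world-write bit the way the long listings above would be read by eye. The sample job and the program files it names are constructed in a temporary directory; the preamble lines it skips (variable assignments, export, umask, cd) are an assumption about how at(1) lays out its job files.

```shell
# Added example, not part of the STIG checklist: given an at job file, list the
# programs it runs and flag any program that is world writable (GEN003360) or
# that lives in a world writable directory (GEN003380). The sample job and the
# program files it names are constructed in a temporary directory.

# Program paths from an at job file. The parsing is a heuristic for the layout
# at(1) writes: comments, variable assignments, "export", "umask" and "cd"
# lines are the job's preamble; the first word of every other line is taken
# as the program.
at_job_programs() {
    grep -v '^[[:space:]]*#' "$1" |
    grep -v '^[A-Za-z_][A-Za-z0-9_]*=' |
    grep -Ev '^(export|umask|cd)([[:space:]]|$)' |
    awk 'NF > 0 { print $1 }'
}

# World writable means the "other" write bit is set: column 9 of ls -ld.
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Prints "FILE <path>" for each world writable program and "DIR <dir>" for each
# program whose parent directory is world writable; relative and missing paths
# are skipped. Always returns 0 so the caller can capture the report.
check_at_job() {
    for prog in $(at_job_programs "$1"); do
        case "$prog" in /*) ;; *) continue ;; esac
        [ -e "$prog" ] || continue
        if is_world_writable "$prog"; then
            echo "FILE $prog"
        fi
        dir=$(dirname "$prog")
        if is_world_writable "$dir"; then
            echo "DIR $dir"
        fi
    done
    return 0
}

# Build a constructed at job under a temporary directory and print that
# directory: one safe program, one world writable program, one program in a
# world writable directory.
build_sample_at_job() {
    d=$(mktemp -d)
    mkdir "$d/safe" "$d/open"
    chmod 755 "$d/safe"
    chmod 777 "$d/open"
    for p in safe/good safe/loose open/prog; do
        printf '#!/bin/sh\nexit 0\n' > "$d/$p"
        chmod 755 "$d/$p"
    done
    chmod 777 "$d/safe/loose"
    cat > "$d/job" <<EOF
#!/bin/sh
# atrun uid=0 gid=0
umask 22
PATH=/usr/bin:/bin; export PATH
cd /tmp || exit 1
$d/safe/good
$d/safe/loose --nightly
$d/open/prog
EOF
    echo "$d"
}

sample=$(build_sample_at_job)
check_at_job "$sample/job"
```

On a live system the reviewer would run check_at_job against each file under the atjobs directory named in the check; a FILE line is the GEN003360 finding, a DIR line the GEN003380 finding.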

7. GEN003400 The at Directory Permissions

Check the permissions of the at directory by performing the following:
# ls -ld /var/spool/cron/atjobs
Or
# ls -ld /var/spool/atjobs

If the directory permissions are greater than 755, then this is a finding.

PDI: GEN003400  V0004364  Category: II  Status Code: AUTO  Previously: G625
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The at (or equivalent) directory is more permissive than 755.
Reference: UNIX STIG: 3.18.3

8. GEN003420 The at Directory Ownership

Check the ownership of the at directory by performing the following:
# ls -ld /var/spool/cron/atjobs
Or
# ls -ld /var/spool/atjobs

If the directory is not owned by root, sys, bin, or daemon, then this is a finding.

PDI: GEN003420  V0004365  Category: II  Status Code: AUTO  Previously: G626
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The at directory is not owned by root, sys, bin, or daemon.
Reference: UNIX STIG: 3.18.3

9. GEN003440 At Programs umask

Perform the following to check for at jobs:
# cd /var/spool/cron/atjobs
Or
# cd /var/spool/atjobs

Determine if there are any at jobs by viewing a long listing of the directory. If there are at jobs, perform the
following to check for any programs that may have a umask more permissive than 077:
# grep umask ./*

If there are any, this is a finding unless the IAO has justifying documentation. If there are no at jobs present,
this vulnerability is Not Applicable.

PDI: GEN003440  V0004366  Category: II  Status Code: PART  Previously: G627
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1, DCSD-1
PDI Description: At programs set the umask more permissive than 077 and these are not justified and documented with the IAO.
Reference: UNIX STIG: 3.18.3
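The grep in this check and in GEN003220 only lists umask lines; deciding whether each value is "more permissive than 077" is left to the reviewer. The script below is an added example, not part of the checklist, that makes that decision: a umask masks every group and other bit only when its last two octal digits are both 7. The crontab files it scans are constructed in a temporary directory; on a live host the same function is pointed at the crontab or atjobs directory.

```shell
# Added example, not part of the STIG checklist: scan crontab and at job files
# for umask settings more permissive than 077 (GEN003220 and GEN003440). The
# job files are constructed in a temporary directory; real reviews point
# find_loose_umasks at the crontab or atjobs directory.

# A umask clears all group and other bits only when its last two octal digits
# are both 7: "077", "0077" and "777" pass, while "022", "027" or "07" leave
# some group or other bit open. Returns 0 for compliant, 1 for too permissive,
# 2 for a value this parser cannot judge (symbolic form, empty).
umask_ok() {
    v=$1
    case "$v" in ""|*[!0-7]*) return 2 ;; esac
    while [ ${#v} -lt 2 ]; do v="0$v"; done
    last2=${v#"${v%??}"}          # last two characters, POSIX parameter expansion
    [ "$last2" = "77" ]
}

# For each regular file in a directory, print "<file>:<line>: umask <value>"
# for every uncommented umask whose value is not compliant (or cannot be judged,
# so a reviewer looks at it). "umask 022; /path/cmd" inside a crontab line is
# caught as well as a standalone "umask 022" line in an at job.
find_loose_umasks() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -n 'umask[[:space:]]' "$f" | grep -v '^[0-9]*:[[:space:]]*#' |
        while IFS=: read -r n rest; do
            val=$(printf '%s\n' "$rest" | sed -n 's/.*umask[[:space:]]*\([^;[:space:]]*\).*/\1/p')
            if umask_ok "$val"; then :; else
                printf '%s:%s: umask %s\n' "$f" "$n" "$val"
            fi
        done
    done
    return 0
}

# Constructed crontab files standing in for /var/spool/cron/crontabs/*.
build_sample_crontabs() {
    d=$(mktemp -d)
    printf '%s\n' '# root crontab' 'umask 077' '0 1 * * * /usr/sbin/logrotate' > "$d/root"
    printf '%s\n' '0 3 * * * umask 022; /usr/local/bin/backup' > "$d/backup"
    printf '%s\n' 'umask 027' '30 4 * * 0 /usr/local/bin/reports' > "$d/reports"
    printf '%s\n' '# umask 000 in a comment is ignored' '*/5 * * * * /usr/local/bin/app' > "$d/app"
    echo "$d"
}

sample=$(build_sample_crontabs)
find_loose_umasks "$sample"
```

Symbolic umasks (u=rwx,g=,o=) are reported rather than judged, which matches the checklist's instruction that anything listed needs IAO justification unless the reviewer can see it is 077 or tighter.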

10. GEN003460 at.allow Ownership

Solaris
# ls -lL /etc/cron.d/at.allow

HP-UX
# ls -lL /var/adm/cron/at.allow

AIX
# ls -lL /var/adm/cron/at.allow

IRIX
# ls -lL /etc/cron.d/at.allow

Linux
# ls -lL /etc/at.allow
If the at.allow file is not owned and group owned by root, sys, or bin, then this is a finding.

PDI: GEN003460  V0004367  Category: II  Status Code: PART  Previously: G629
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The at.allow file is not owned and group owned by root, sys, or bin.
Reference: UNIX STIG: 3.18.3

11. GEN003480 at.deny Ownership

Solaris
# ls -lL /etc/cron.d/at.deny

HP-UX
# ls -lL /var/adm/cron/at.deny

AIX
# ls -lL /var/adm/cron/at.deny

IRIX
# ls -lL /etc/cron.d/at.deny

Linux
# ls -lL /etc/at.deny
If the at.deny file is not owned and group owned by root, sys, or bin, then this is a finding.

PDI: GEN003480  V0004368  Category: II  Status Code: PART  Previously: G630
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The at.deny file is not owned and group owned by root, sys, or bin.
Reference: UNIX STIG: 3.18.3
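Every ownership and permission check in the cron and at sections above (GEN003180/3200/3240/3260 for the cronlog, cron.deny and cron.allow files; GEN003340/3400/3420/3460/3480 for at.allow, at.deny and the at directory) reads the same three fields of an ls -lL line: the mode string, the owner and the group. The script below is an added example, not part of the checklist, that turns the mode string into octal and applies the two tests the checklist states: "more permissive than" a maximum (any bit set that the maximum lacks) and owner/group within an allowed set. The ls lines in the demonstration are constructed, not captured from a system; check_file runs the same logic on a real path.

```shell
# Added example, not part of the STIG checklist: evaluate "ls -lL" output for
# the cron and at control file checks (GEN003180/3200/3240/3260 and
# GEN003340/3400/3420/3460/3480): the mode must not be more permissive than a
# maximum and the owner and group must be in an allowed set. The ls lines in
# the demo are constructed, not captured from a system.

# Octal digit for one rwx triple such as "rw-" or "r-s". s/S/t/T count as the
# execute bit; the setuid/setgid/sticky bits themselves are not scored.
triple_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# "-rw-r-----" -> 640
mode_from_ls() {
    u=$(triple_to_digit "$(printf '%s' "$1" | cut -c2-4)")
    g=$(triple_to_digit "$(printf '%s' "$1" | cut -c5-7)")
    o=$(triple_to_digit "$(printf '%s' "$1" | cut -c8-10)")
    echo "$u$g$o"
}

# True when MODE has a bit set that MAX does not: 644 vs 600 is more permissive,
# 600 vs 640 is not. Compared digit by digit, so 700 vs 600 is flagged too
# (execute is a bit that 600 lacks).
more_permissive_than() {
    i=1
    while [ $i -le 3 ]; do
        md=$(printf '%s' "$1" | cut -c$i)
        xd=$(printf '%s' "$2" | cut -c$i)
        if [ $(( $md | $xd )) -ne "$xd" ]; then return 0; fi
        i=$((i + 1))
    done
    return 1
}

# check_ls_line "<ls -lL line>" MAX "owner1 owner2 ..."
# Prints nothing for a compliant file; one FINDING line per problem otherwise.
check_ls_line() {
    line=$1; max=$2; allowed=$3
    set -- $line                      # perms links owner group size ... path
    perms=$1; owner=$3; group=$4
    mode=$(mode_from_ls "$perms")
    path=$(printf '%s\n' "$line" | awk '{ print $NF }')
    rc=0
    if more_permissive_than "$mode" "$max"; then
        echo "FINDING: $path mode $mode is more permissive than $max"; rc=1
    fi
    case " $allowed " in *" $owner "*) ;; *)
        echo "FINDING: $path owner $owner is not one of: $allowed"; rc=1 ;;
    esac
    case " $allowed " in *" $group "*) ;; *)
        echo "FINDING: $path group $group is not one of: $allowed"; rc=1 ;;
    esac
    return $rc
}

# Live form: run ls -lL on a real path; absent files are reported and skipped.
check_file() {
    [ -e "$1" ] || { echo "SKIP: $1 not present"; return 0; }
    check_ls_line "$(ls -lL "$1")" "$2" "$3"
}

# Demonstration on constructed lines (the cron.deny line is a finding).
demo() {
    check_ls_line "-rw------- 1 root sys 0 Jan 1 00:00 /etc/cron.d/cron.allow" 600 "root sys bin" || true
    check_ls_line "-rw-r--r-- 1 root sys 0 Jan 1 00:00 /etc/cron.d/cron.deny" 600 "root sys bin" || true
    check_ls_line "drwxr-xr-x 2 root daemon 0 Jan 1 00:00 /var/spool/cron/atjobs" 755 "root sys bin daemon" || true
}
demo
```

The maximum mode and the allowed owner list are passed per call because the checklist varies them: 600 with root/sys/bin for the cron and at control files, 755 with root/sys/bin/daemon for the at directory.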

28. Restrict/Disable Core Dumps

1. GEN003500 Restrict or Disable Core Dumps

Check for the disabling of core dumps with the following commands:
Solaris
# coreadm | grep enabled
If any lines are returned, then this is a finding.
HP-UX
# grep ulimit /etc/profile
If the -c argument with a value of 0 is not present, then this is a finding.
AIX
# grep ulimit /etc/security/limits
If the -c argument with a value of 0 is not present, then this is a finding.

Linux
# ulimit -c
If the above command does not return 0, then this is a finding.

IRIX
# systune rlimit_core_max
0
If the above command does not return 0, then this is a finding.

PDI: GEN003500  V0011996  Category: III  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Core dumps are not disabled or restricted.
Reference: UNIX STIG: 3.20.1

2. GEN003520 Core Dump Directory Ownership and Permissions

Perform the following to check the permissions of the core dump directory:
Solaris
# ls -ld /var/crash
HP-UX
# ls -ld /var/adm/crash
AIX
# ls -ld /var/adm/ras
IRIX
# ls -ld /var/adm/crash
Linux
# ls -ld /var/crash

If the file permissions are greater than 700, then this is a finding. If GEN003500 is Not a Finding, then this
check is Not Applicable.

PDI: GEN003520  V0011997  Category: III  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description: The core dump data directory is not owned and group owned by root and/or is more permissive than 700.
Reference: UNIX STIG: 3.20.1

29. Disable Executable Stack

1. GEN003540 Disable Executable Stack

To check that the executable stack has been disabled, perform the following:
Solaris and IRIX
# grep noexec_user_stack /etc/system
If noexec_user_stack is not set to 1, then this is a finding.

HP-UX
Executable stacks are disabled by default. Check to ensure this is still set by:
# kmtune -q executable_stack
If the executable_stack tunable is set to 1, then this is a finding.

Linux
Linux kernels must support the NX feature. Red Hat Enterprise 4 and SuSE 9.1 and later do support this
feature. This will be a finding on systems prior to the above releases. This is a manual review.
AIX
Stack execution is disabled by default. Mark this check Not a Finding.

PDI: GEN003540  V0011999  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description: The executable stack is not disabled.
Reference: UNIX STIG: 3.20.2

30. Restrict NFS Port Listening

31. Use More Random TCP Sequence Numbers

1. GEN003580 TCP Sequence Numbers

Check the following to determine if TCP sequence numbers are not easily guessed:
Solaris
# grep TCP_STRONG_ISS=2 /etc/default/inetinit
If this variable is not set, then this is a finding.

HP-UX
# ndd /dev/tcp tcp_isn_passphrase
If the tcp_isn_passphrase tunable is not set, then this is a finding.

Linux
All kernels after 1996 are not vulnerable to this. This check should be marked as Not Applicable for Linux.
AIX
# instfix -ivk iy55950
# instfix -ivk iy55949
# instfix -ivk iy62006
If the above patches are not applied, then this is a finding.

IRIX
# systune tcpiss_md5
1
If any of the above settings are not configured, then this is a finding.

PDI: GEN003580  V0012001  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: More random TCP sequence numbers are not used.
Reference: UNIX STIG: 3.20.4

32. Network Security Settings

1. GEN003600 Network Security Settings

Perform the following to ensure the network security settings are enabled for each operating system. The
command is listed with the expected response below it.
Solaris
# ndd /dev/ip ip_forward_src_routed
0
# ndd /dev/tcp tcp_rev_src_routes
0
# ndd /dev/tcp tcp_conn_req_max_q0
2048 or greater
# ndd /dev/tcp tcp_conn_req_max_q
1024
# ndd /dev/ip ip_respond_to_timestamp
0
# ndd /dev/ip ip_respond_to_echo_broadcast
0
# ndd /dev/ip ip_respond_to_timestamp_broadcast
0

HP-UX
# ndd /dev/ip ip_forward_src_routed
0
# ndd /dev/ip ip_respond_to_timestamp
0
# ndd /dev/ip ip_respond_to_echo_broadcast
0
# ndd /dev/ip ip_respond_to_timestamp_broadcast
0

AIX
# /usr/sbin/no -o ipsrcroutesend
0
# /usr/sbin/no -o directed_broadcast
0
# /usr/sbin/no -o bcastping
0
# /usr/sbin/no -o ipsrcrouteforward
0

Linux
# sysctl -a | grep net.ipv4.ip_forward
0
# sysctl -a | grep net.ipv4.tcp_max_syn_backlog
1280
# sysctl -a | grep net.ipv4.conf.all.accept_source_route
0
# sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts
1

IRIX
# systune ipforward
2
# systune allow_brdaddr_scraddr
0

If any of the above settings are not applied, then this is a finding.

PDI: GEN003600  V0012002  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Network parameters are not securely set.
Reference: UNIX STIG: 3.20.5
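The Linux part of this check is four sysctl lookups with an expected value beside each. The script below is an added example, not part of the checklist, that evaluates a captured "sysctl -a" listing against a small rule table and prints one finding per missing or deviating parameter, which is how an automated version of the check reports. The captured output is constructed; treating the SYN backlog as a minimum rather than an exact match is this example's assumption (a larger backlog is the stricter setting), and on a live host the input is simply sysctl -a redirected to a file.

```shell
# Added example, not part of the STIG checklist: compare captured "sysctl -a"
# output against the Linux values GEN003600 expects. The captured output below
# is constructed; treating the SYN backlog as a minimum rather than an exact
# value is this example's assumption.

# Rule table: parameter, comparison (eq or ge), expected value.
SYSCTL_RULES='
net.ipv4.ip_forward eq 0
net.ipv4.tcp_max_syn_backlog ge 1280
net.ipv4.conf.all.accept_source_route eq 0
net.ipv4.icmp_echo_ignore_broadcasts eq 1
'

# Value of one parameter in "key = value" output; prints nothing if absent.
sysctl_value() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }' "$1"
}

# Evaluate every rule against a captured output file. Prints one FINDING line
# per missing or non-compliant parameter; returns 1 if there were any.
check_sysctl_output() {
    findings=$(printf '%s\n' "$SYSCTL_RULES" | while read -r key op want; do
        [ -n "$key" ] || continue
        have=$(sysctl_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "FINDING: $key is not present"
        elif [ "$op" = eq ] && [ "$have" -ne "$want" ]; then
            echo "FINDING: $key = $have, expected $want"
        elif [ "$op" = ge ] && [ "$have" -lt "$want" ]; then
            echo "FINDING: $key = $have, expected at least $want"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sysctl -a excerpts: one compliant host, one with deviations.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
EOF
    cat > "$2" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.icmp_echo_ignore_broadcasts = 0
EOF
}

good=$(mktemp); bad=$(mktemp)
write_sample_sysctl "$good" "$bad"
check_sysctl_output "$good" && echo "$good: compliant"
check_sysctl_output "$bad" || echo "$bad: review the findings above"
```

Capturing the listing once and evaluating it offline also gives the reviewer an artifact to attach to the finding, which a series of interactive greps does not.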

33. File Systems

1. GEN003620 Separate Filesystem Partitions

Perform the following to determine if the /var, /home, and /export/home file systems are on separate disk
partitions:
# more /etc/fstab
Or
# more /etc/vfstab

Examine the first column for the disk device and ensure the device label for /var, /home, or /export/home is not
the same as the root filesystem. If it is the same, ask the SA if this is justified and documented with the
IAO. If it is not, then this is a finding.

PDI: GEN003620  V0012003  Category: III  Status Code: PART  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Separate filesystem partitions are not used for /home, /export/home, and /var and this is not justified and documented with the IAO.
Reference: UNIX STIG: 3.21
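Reading the device column by eye works for a short fstab; the script below is an added example, not part of the checklist, that does the same comparison for the three paths the check names and also reports a path with no entry at all, since such a path necessarily lives inside the root filesystem. The fstab and vfstab contents are constructed. Linux /etc/fstab keeps the mount point in column 2 and Solaris /etc/vfstab in column 3, so the column number is a parameter.

```shell
# Added example, not part of the STIG checklist: read an fstab and report whether
# /var, /home and /export/home sit on the same device as the root filesystem
# (GEN003620). The fstab contents are constructed. Linux /etc/fstab carries the
# mount point in column 2; Solaris /etc/vfstab carries it in column 3.

# Device for a mount point; prints nothing when the file has no entry for it.
fstab_device() {
    awk -v mp="$2" -v c="${3:-2}" \
        '!/^[[:space:]]*#/ && NF >= c && $c == mp { print $1; exit }' "$1"
}

# One line per checked path: SEPARATE (its own device), SHARED (same device as /)
# or ABSENT (no entry, so the path lives inside the root filesystem). Returns 1
# when anything is SHARED or ABSENT; which of those the site must justify is
# for the reviewer (Solaris uses /export/home, Linux typically /home).
check_separate_partitions() {
    fstab=$1; col=${2:-2}; rc=0
    rootdev=$(fstab_device "$fstab" / "$col")
    for mp in /var /home /export/home; do
        dev=$(fstab_device "$fstab" "$mp" "$col")
        if [ -z "$dev" ]; then
            echo "ABSENT $mp"; rc=1
        elif [ "$dev" = "$rootdev" ]; then
            echo "SHARED $mp $dev"; rc=1
        else
            echo "SEPARATE $mp $dev"
        fi
    done
    return $rc
}

# Constructed Linux fstab and Solaris vfstab.
write_sample_fstabs() {
    cat > "$1" <<'EOF'
# constructed /etc/fstab
/dev/sda1   /        ext3  defaults  1 1
/dev/sda2   /var     ext3  defaults  1 2
/dev/sda3   /home    ext3  defaults  1 2
/dev/sda4   swap     swap  defaults  0 0
EOF
    cat > "$2" <<'EOF'
#device            device             mount          FS    fsck  mount    mount
#to mount          to fsck            point          type  pass  at boot  options
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /              ufs   1     no       logging
/dev/dsk/c0t0d0s3  /dev/rdsk/c0t0d0s3 /var           ufs   1     no       logging
/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7 /export/home   ufs   2     yes      logging
EOF
}

f=$(mktemp); v=$(mktemp)
write_sample_fstabs "$f" "$v"
check_separate_partitions "$f" 2 || echo "$f: not every path has its own partition"
check_separate_partitions "$v" 3 || echo "$v: not every path has its own partition"
```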

2. GEN003640 Root Filesystem Logging

Logging should be enabled for those types of file systems that do not turn on logging by default. JFS, VXFS,
HFS and EXT3 all turn logging on by default and will not be a finding. For those that do not turn logging on by
default, perform the following:
# mount | grep logging

Ensure the root file system shows logging or this will be a finding.

PDI: GEN003640  V0004304  Category: II  Status Code: AUTO  Previously: G690
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Logging is not implemented for the root filesystem.
Reference: UNIX STIG: 3.21


34. Syslog AUTH/AUTHPRIV Facility

1. GEN003660 Authentication Data Logging

Check /etc/syslog.conf and verify the auth facility is logging both the notice and info level messages by:
# grep auth.notice /etc/syslog.conf
# grep auth.info /etc/syslog.conf

If either of the above two entries is not found, then this is a finding.

PDI: GEN003660  V0012004  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Authentication and informational data is not logged.
Reference: UNIX STIG: 3.21
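Both this check and the Linux part of GEN003160 (cron logging) grep /etc/syslog.conf for a literal string, which misses configurations that log the facility through a wildcard selector such as "*.info" and accepts a commented-out line. The script below is an added example, not part of the checklist, that parses the selector field instead and answers "is this facility logged at this priority?" for cron and for auth; it generalizes the two greps to the selector rules syslog actually applies. The configuration files are constructed, and reading the cron check as "cron.info reaches some action" is this example's interpretation.

```shell
# Added example, not part of the STIG checklist: decide from a syslog.conf
# whether a facility is logged at a given priority. It answers the cron logging
# question in GEN003160 (Linux) and the auth.notice / auth.info question in
# GEN003660 with the same parser. The configuration files are constructed.

# Numeric level for a syslog priority name; 99 for anything unrecognised.
prio_level() {
    case "$1" in
        debug) echo 0 ;; info) echo 1 ;; notice) echo 2 ;; warning|warn) echo 3 ;;
        err|error) echo 4 ;; crit) echo 5 ;; alert) echo 6 ;; emerg|panic) echo 7 ;;
        *) echo 99 ;;
    esac
}

# syslog_logs CONF FACILITY PRIORITY: returns 0 if some line sends FACILITY at
# PRIORITY to an action. Selector semantics handled: "fac.prio" matches prio
# and everything more severe, "fac.=prio" matches exactly, "*" wildcards a
# facility or a priority, and "fac.none" later on the same line removes that
# facility again (the "*.info;mail.none" idiom). Negations ("!err") are not.
syslog_logs() {
    conf=$1; fac=$2; want=$(prio_level "$3")
    [ "$want" -lt 99 ] || return 2
    grep -v '^[[:space:]]*#' "$conf" | awk 'NF >= 2 { print $1 }' |
    while IFS= read -r selectors; do
        set -f                        # selectors contain "*": no pathname expansion
        eff=""                        # effective priority spec for $fac on this line
        for sel in $(printf '%s' "$selectors" | tr ';' ' '); do
            facs=${sel%.*}; pr=${sel##*.}
            for f in $(printf '%s' "$facs" | tr ',' ' '); do
                if [ "$f" = "$fac" ] || [ "$f" = '*' ]; then eff=$pr; fi
            done
        done
        [ -n "$eff" ] && [ "$eff" != none ] || continue
        case "$eff" in
            '*') echo yes; break ;;
            =*)  [ "$(prio_level "${eff#=}")" -eq "$want" ] && { echo yes; break; } ;;
            *)   [ "$(prio_level "$eff")" -le "$want" ] && { echo yes; break; } ;;
        esac
    done | grep -q yes
}

# The checklist's questions, answered against one file; returns 1 on any finding.
report_syslog() {
    rc=0
    syslog_logs "$1" cron info   || { echo "FINDING: cron messages are not logged"; rc=1; }
    syslog_logs "$1" auth notice || { echo "FINDING: auth.notice is not logged"; rc=1; }
    syslog_logs "$1" auth info   || { echo "FINDING: auth.info is not logged"; rc=1; }
    return $rc
}

# Constructed syslog.conf in the Red Hat style.
write_sample_syslog_conf() {
    cat > "$1" <<'EOF'
# constructed /etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
cron.*                                      /var/log/cron
auth.notice                                 /var/log/auth.log
EOF
}

conf=$(mktemp)
write_sample_syslog_conf "$conf"
report_syslog "$conf" && echo "cron and auth logging present in $conf"
```

In the sample, "*.info" already delivers auth at info and notice to /var/log/messages, so the explicit auth.notice line is redundant rather than required; the literal grep in the check would nevertheless report a finding for auth.info on this file.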

3. Network Services
1. Network Services

1. GEN003680 Required Network Services For Operation

Perform the following to display network services that are configured:
# grep -v ^# /etc/inetd.conf
Or
# svcs -a (Solaris 10)
Or for Linux systems
# grep disable /etc/xinetd.d/* | grep no
Ask the SA if the network services are documented with the IAO.

PDI: GEN003680  V0000972  Category: III  Status Code: PART  Previously: A028
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1, DCPP-1
PDI Description: Network services not required for operations are not disabled and/or network services required for operations are not documented with the IAO.
Reference: UNIX STIG: 4

2. GEN003700 Disable inetd/xinetd

First determine if inetd/xinetd is running:
# ps -ef | grep inetd
# ps -ef | grep xinetd
Or
# svcs -a
If inetd is not running, then this check is not a finding. Otherwise continue:
# grep -v ^# /etc/inetd.conf
# grep -v ^# /etc/xinetd.conf
Or for Linux systems
# grep disable /etc/xinetd.d/* | grep no
If any services are found from the above three commands, then this is considered not a finding.

PDI: GEN003700  V0012005  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description: All inetd/xinetd services are disabled and inetd (xinetd for Linux) is not disabled.
Reference: UNIX STIG: 4

3. GEN003720 inetd.conf Ownership

Check the ownership of the inetd.conf file by:
# ls -lL /etc/inetd.conf
Or, for Linux systems
# ls -lL /etc/xinetd.conf
# ls -lL /etc/xinetd.d

This is a finding if any of the above files or directories are not owned by root or bin.

PDI: GEN003720  V0000821  Category: II  Status Code: AUTO  Previously: G107
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The inetd.conf file (xinetd.conf file and the xinetd.d directory for Linux) is not owned by root or bin.
Reference: UNIX STIG: 4


4. GEN003740 inetd.conf Permissions

Check the permissions of the inetd.conf file by:
# ls -lL /etc/inetd.conf
Or, for Linux systems
# ls -lL /etc/xinetd.conf
# ls -lL /etc/xinetd.d

This is a finding if permissions for the inetd.conf files are greater than 440. In addition, on Linux systems,
the /etc/xinetd.d directory permissions should not be greater than 755.

PDI: GEN003740  V0000822  Category: II  Status Code: AUTO  Previously: G108
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The inetd.conf (xinetd.conf for Linux) file is more permissive than 440. The Linux xinetd.d directory is more permissive than 755.
Reference: UNIX STIG: 4

5. GEN003760 The Services File Ownership

# ls -lL /etc/services
If the services file is not owned by root or bin, then this is a finding.

PDI: GEN003760  V0000823  Category: II  Status Code: PART  Previously: G109
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The services file is not owned by root or bin.
Reference: UNIX STIG: 4

6. GEN003780 The Services File Permissions

# ls -lL /etc/services
If the services file is more permissive than 644, then this is a finding.

PDI: GEN003780  V0000824  Category: II  Status Code: PART  Previously: G110
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2, ECLP-1
PDI Description: The services file is more permissive than 644.
Reference: UNIX STIG: 4

7. GEN003800 inetd Logging

Solaris 2.5 through 9
# ps -ef | grep inetd | grep -- -t
Solaris 10
# inetadm -p | grep tcp_trace
If the tcp_trace option is not found in the exported configuration file, then this is a finding.
HP-UX
# ps -ef | grep inetd | grep -- -l
AIX and IRIX
# ps -ef | grep inetd | grep -- -d

Linux
Each file in the /etc/xinetd.d directory and the /etc/inetd.conf file should be examined for the following:
log_type = SYSLOG authpriv
log_on_success = HOST PID USERID EXIT
log_on_failure = HOST USERID
If inetd logging is not enabled, then this is a finding.

PDI: GEN003800  V0001011  Category: III  Status Code: PART  Previously: G198
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2, ECLP-1
PDI Description: Inetd (xinetd for Linux) logging/tracing is not enabled.
Reference: UNIX STIG: 4

2. Rlogin and rsh

1. GEN003820 Remote Login or Shell Is Enabled

Solaris, HP-UX, AIX, IRIX
# grep -v ^# /etc/inetd.conf | grep rlogind
# grep -v ^# /etc/inetd.conf | grep rshd
Solaris 10
# svcs rlogin

Linux
# grep disable /etc/xinetd.d/rlogin
# grep disable /etc/xinetd.d/rsh
If either rlogin or rsh is found to be enabled, then this is a finding.

PDI: GEN003820  V0004687  Category: I  Status Code: AUTO  Previously: V042
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: Remote login or remote shell is enabled.
Reference: UNIX STIG: 4.1

3. Rexec

1. GEN003840 The rexec Service Is Enabled

Perform the following to determine if the rexec service is enabled:
Solaris, HP-UX, AIX, IRIX
# grep -v ^# /etc/inetd.conf | grep rexec
Solaris 10
# svcs rexec | grep disabled
Linux
# grep disable /etc/xinetd.d/rexec
If rexec is found to be enabled, then this is a finding.

PDI: GEN003840  V0004688  Category: I  Status Code: AUTO  Previously: V102
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The rexec service is enabled.
Reference: UNIX STIG: 4.2

4. Finger

1. GEN003860 The finger Service Is Enabled

Perform the following to determine if the finger service is enabled:
Solaris, HP-UX, AIX, IRIX
# grep -v ^# /etc/inetd.conf | grep finger
Solaris 10
# svcs finger
Linux
# grep disable /etc/xinetd.d/finger
If the finger service is not disabled, then this is a finding.

PDI: GEN003860  V0004701  Category: III  Status Code: AUTO  Previously: V046
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The finger service is enabled.
Reference: UNIX STIG: 4.3
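The service checks from GEN003680 onward all start from the same two sources: uncommented lines in inetd.conf and xinetd.d files that are not explicitly disabled. The script below is an added example, not part of the checklist, that enumerates the enabled services from both sources (the listing GEN003680 and GEN003700 ask the reviewer to inspect) and then flags the ones the later checks treat as findings: rlogin and rsh (GEN003820), rexec (GEN003840) and finger (GEN003860). One detail the grep for "disable" in the checklist does not capture is that xinetd treats a service file with no disable attribute as enabled, so the script only counts "disable = yes" as disabled. Both configuration sources are constructed here; on a live host the functions are pointed at /etc/inetd.conf and /etc/xinetd.d.

```shell
# Added example, not part of the STIG checklist: enumerate the services enabled
# in inetd.conf and in an xinetd.d directory, then flag the ones the checklist
# treats as findings (rlogin/rsh for GEN003820, rexec for GEN003840, finger for
# GEN003860); the enumeration itself is what GEN003680 and GEN003700 ask a
# reviewer to look at. Both configuration sources are constructed here.

# Uncommented, non-empty inetd.conf lines, printed as "service server-program".
inetd_enabled() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1, $6 }'
}

# Names of xinetd services that are not explicitly disabled. xinetd treats a
# missing "disable" attribute as enabled, so only "disable = yes" turns a
# service off. The name comes from the "service NAME" line, else the file name.
xinetd_enabled() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" && continue
        name=$(awk '$1 == "service" { print $2; exit }' "$f")
        echo "${name:-$(basename "$f")}"
    done
}

# Union of both sources as plain service names, one per line.
enabled_services() {
    { inetd_enabled "$1" | awk '{ print $1 }'; xinetd_enabled "$2"; } | sort -u
}

# Flags the r-services and finger. inetd.conf is matched on the server program
# (the checklist greps for rlogind, rshd, rexec and finger); xinetd on the
# service name. Prints one FINDING per hit and returns 1 if there were any.
flag_prohibited() {
    rc=0
    for hit in $(inetd_enabled "$1" | awk '$2 ~ /rlogind|rshd|rexecd|fingerd/ { print $1 }'); do
        echo "FINDING: inetd service $hit is enabled"; rc=1
    done
    for svc in $(xinetd_enabled "$2"); do
        case "$svc" in
            rlogin|rsh|rexec|finger) echo "FINDING: xinetd service $svc is enabled"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed inetd.conf and xinetd.d under a temporary directory.
build_sample_inet_config() {
    d=$(mktemp -d)
    mkdir "$d/xinetd.d"
    cat > "$d/inetd.conf" <<'EOF'
# constructed inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd      in.ftpd
#telnet stream  tcp  nowait  root  /usr/sbin/in.telnetd   in.telnetd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind   in.rlogind
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd      in.rshd
EOF
    printf 'service rsh\n{\n\tdisable = no\n\tsocket_type = stream\n}\n' > "$d/xinetd.d/rsh"
    printf 'service finger\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n' > "$d/xinetd.d/finger"
    printf 'service telnet\n{\n\tsocket_type = stream\n}\n' > "$d/xinetd.d/telnet"
    echo "$d"
}

sample=$(build_sample_inet_config)
echo "enabled services:"; enabled_services "$sample/inetd.conf" "$sample/xinetd.d"
flag_prohibited "$sample/inetd.conf" "$sample/xinetd.d" || echo "review the findings above"
```

In the sample, the inetd "login" entry (in.rlogind) and the xinetd "rsh" file are the two findings; "telnet" is reported as enabled even though its file never mentions disable, which is the case the checklist's grep would miss.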

2. GEN003865 Network Analysis Tools Enabled

Perform the following to determine if any network analysis tools are enabled:
# find / -name ethereal
# find / -name tcpdump
# find / -name snoop
If any of the above network analysis tools are found, then this is a finding.

PDI: GEN003865  V0012049  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: Network analysis tools are enabled.
Reference: UNIX STIG: 4.3

5. Remote Host Printing

1. GEN003880 Print Server and Client Configuration Documentation

Ask the SA if the system is a print server or a client of another server. If it is either of these, ask the SA if it is
documented with the IAO. If the printer configuration is not documented with the IAO, then this is a finding.

PDI: GEN003880  V0000826  Category: II  Status Code: MAN  Previously: G120
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: PESL-1
PDI Description: The system is a print server/client, and the configuration is not documented with the IAO.
Reference: UNIX STIG: 4.4

2. GEN003900 hosts.lpd Contents

Look for the presence of a print service configuration file by using the command:
# find /etc -name hosts.lpd -print
If this file does not exist, use the command:
# find /etc -name Systems -print
If this file does not exist, use the command:
# find /etc -name printers.conf
If none of the files are found, then this check should be marked Not Applicable.
Otherwise perform:
# more <print service file>
and search for entries that contain a + or _ character. If any are found, then this is a finding.

PDI: GEN003900  V0000827  Category: II  Status Code: AUTO  Previously: G121
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: The hosts.lpd file (or equivalent) contains a + or _ character.
Reference: UNIX STIG: 4.4


3. GEN003920 hosts.lpd Ownership

Look for the presence of a print service configuration file by using the command:
# find /etc -name hosts.lpd -print
If this file does not exist, use the command:
# find /etc -name Systems -print
If this file does not exist, use the command:
# find /etc -name printers.conf
If none of the files are found, then this check should be marked Not Applicable. Otherwise perform:
# ls -lL <print service file>
If the owner of the file is not root, sys, bin, or lp, then this is a finding.

PDI: GEN003920  V0000828  Category: II  Status Code: AUTO  Previously: G122
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The hosts.lpd (or equivalent) file is not owned by root, sys, bin, or lp.
Reference: UNIX STIG: 4.4


4. GEN003940 hosts.lpd Permissions

Look for the presence of a print service configuration file by using the command:
# find /etc -name hosts.lpd -print
If this file does not exist, use the command:
# find /etc -name Systems -print
If this file does not exist, use the command:
# find /etc -name printers.conf
If none of the files are found, then this check should be marked Not Applicable. Otherwise perform:
# ls -lL <print service file>
and verify the permissions are not greater than 664. If the permissions are greater than 664, then this is a
finding.

PDI: GEN003940  V0000829  Category: II  Status Code: AUTO  Previously: G123
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The hosts.lpd (or equivalent) file is more permissive than 664.
Reference: UNIX STIG: 4.4

6. Traceroute
1. GEN003960 The traceroute Command Ownership

Solaris
# ls -lL /usr/sbin/traceroute

HP-UX
# ls -lL /usr/sbin/traceroute

AIX
# ls -lL /usr/bin/traceroute

IRIX
# ls -lL /usr/etc/traceroute

Linux
# ls -lL /usr/sbin/traceroute
If the traceroute command is not owned by root, then this is a finding.

PDI: GEN003960  V0004369  Category: II  Status Code: AUTO  Previously: G631
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The traceroute command is not owned by root.
Reference: UNIX STIG: 4.5

2. GEN003980 The traceroute Command Group Ownership

Solaris
# ls -lL /usr/sbin/traceroute

HP-UX
# ls -lL /usr/sbin/traceroute

AIX
# ls -lL /usr/bin/traceroute

IRIX
# ls -lL /usr/etc/traceroute

Linux
# ls -lL /usr/sbin/traceroute
If the traceroute command is not group owned by root, sys, or bin, then this is a finding.

PDI: GEN003980  V0004370  Category: II  Status Code: AUTO  Previously: G632
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The traceroute command is not group owned by root, sys, or bin.
Reference: UNIX STIG: 4.5

3. GEN004000 The traceroute Command Permissions

Solaris
# ls -lL /usr/sbin/traceroute

HP-UX
# ls -lL /usr/sbin/traceroute

AIX
# ls -lL /usr/bin/traceroute

IRIX
# ls -lL /usr/etc/traceroute

Linux
# ls -lL /usr/sbin/traceroute

If the traceroute command is more permissive than 700, then this is a finding.

PDI: GEN004000 V0004371    Category: II    Status Code: AUTO    Previously: G633
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The traceroute command is more permissive than 700.
Reference: UNIX STIG: 4.5
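The three traceroute checks above, and the later checks in this section on the aliases file, the critical sendmail log file and the ftpusers file, all reduce to reading the owner, group and mode out of `ls -lL` output and comparing them against a required owner, a set of acceptable groups and a maximum mode. The script below is an added example written for this section; it is not part of the checklist or of its automated UNIX Scripts. It assumes the usual `ls -lL` column layout (mode, link count, owner, group, ...) and uses the traceroute paths listed above; the FINDING wording is the example's own.

```sh
#!/bin/sh
# Added example (not from the checklist): evaluate owner, group and mode of a
# file the way the traceroute, aliases, syslog log file and ftpusers checks do,
# parsing the same `ls -lL` output the checklist relies on.

# Translate the nine permission characters printed by `ls -l` (e.g. rwxr-x---)
# into a three-digit octal mode (750). setuid, setgid and sticky bits are folded
# into the execute position (s/t count as execute, S/T do not), so a setuid
# rwsr-xr-x compares as 755 against the maximum the check allows.
perm_to_octal() {
    perms=$1
    oct=""
    pos=1
    while [ "$pos" -le 7 ]; do
        r=$(printf '%s' "$perms" | cut -c "$pos")
        w=$(printf '%s' "$perms" | cut -c "$((pos + 1))")
        x=$(printf '%s' "$perms" | cut -c "$((pos + 2))")
        digit=0
        [ "$r" = r ] && digit=$((digit + 4))
        [ "$w" = w ] && digit=$((digit + 2))
        case $x in x|s|t) digit=$((digit + 1)) ;; esac
        oct="$oct$digit"
        pos=$((pos + 3))
    done
    printf '%s\n' "$oct"
}

# Succeed when octal mode $1 sets no permission bit that maximum mode $2 lacks;
# that is exactly what "more permissive than" means in the checklist.
mode_within() {
    pos=1
    while [ "$pos" -le 3 ]; do
        have=$(printf '%s' "$1" | cut -c "$pos")
        allow=$(printf '%s' "$2" | cut -c "$pos")
        if [ $(( have & ~allow & 7 )) -ne 0 ]; then
            return 1
        fi
        pos=$((pos + 1))
    done
    return 0
}

# Audit one file: $1 path, $2 maximum mode, $3 required owner, $4 space-separated
# list of acceptable groups. Prints one line per finding. Returns 0 when the file
# is compliant, 1 when there is a finding, 2 when the file cannot be listed.
audit_file() {
    path=$1 max=$2 want_owner=$3 ok_groups=$4
    line=$(ls -lL "$path" 2>/dev/null) || return 2
    set -- $line
    perms=$(printf '%s' "$1" | cut -c 2-10)   # skip the file-type character
    owner=$3
    group=$4
    mode=$(perm_to_octal "$perms")
    status=0
    if [ "$owner" != "$want_owner" ]; then
        printf 'FINDING %s: owner %s, expected %s\n' "$path" "$owner" "$want_owner"
        status=1
    fi
    case " $ok_groups " in
        *" $group "*) ;;
        *) printf 'FINDING %s: group %s, expected one of: %s\n' "$path" "$group" "$ok_groups"
           status=1 ;;
    esac
    if ! mode_within "$mode" "$max"; then
        printf 'FINDING %s: mode %s is more permissive than %s\n' "$path" "$mode" "$max"
        status=1
    fi
    return $status
}

# The traceroute checks of this section: owner root, group root/sys/bin, mode no
# more permissive than 700, for whichever of the documented paths exist here.
check_traceroute() {
    worst=0
    for p in /usr/sbin/traceroute /usr/bin/traceroute /usr/etc/traceroute; do
        if [ -e "$p" ]; then
            audit_file "$p" 700 root "root sys bin" || worst=1
        fi
    done
    return $worst
}
```

Run check_traceroute as root on the host under review. A setuid traceroute installed as 4755 is reported as more permissive than 700, which is the result the checklist expects, because the group and other bits exceed the maximum regardless of the setuid bit.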

7. Client Browser Requirements

1. GEN004020 Browser Capable of 128-bit Encryption

This check applies only to Netscape web browsers; all versions of Mozilla and Mozilla Firefox support 128-bit encryption. Select Help from the browser menu, and then select About Navigator. The Netscape information page will display. The line "This version supports U.S. security" indicates 128-bit encryption. If it says "This version supports International security", the browser has 40-bit encryption and this is a finding.

PDI: GEN004020 V0004372    Category: III    Status Code: MAN    Previously: G634
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser is not capable of 128-bit encryption.
Reference: UNIX STIG: 4.6

2. GEN004040 Browser Software Update Feature

This check applies only to Netscape web browsers. All versions of Mozilla and Mozilla Firefox can check for new browser versions, but will not install them automatically. Verify that automatic software installation is not enabled: select Edit>>Preferences>>Advanced from the web browser toolbar and drop down the Advanced sub-menu, which contains the Software Installation settings. Verify the "Enable software installation" setting is not checked. If it is checked, then this is a finding.

PDI: GEN004040 V0004373    Category: II    Status Code: MAN    Previously: G635
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser SmartUpdate or software update feature is enabled.
Reference: UNIX STIG: 4.6

3. GEN004060 Browser Unencrypted Secure Content Caching

This check pertains mainly to passwords or other sensitive data that the browser cache can store. Ensure the following setting is enabled: select Edit>>Preferences>>Privacy&Security from the web browser toolbar, select the Passwords sub-category, and verify that "Use encryption when storing sensitive data" under Encrypting versus Obscuring is checked. If it is not, then this is a finding.

PDI: GEN004060 V0004374    Category: II    Status Code: MAN    Previously: G636
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser has unencrypted secure content caching enabled.
Reference: UNIX STIG: 4.6


4. GEN004100 Browser Allows Active Scripting

To check if Java is enabled in the Netscape or Mozilla browser, select Edit >> Preferences from the browser toolbar, and then select the Advanced menu item. If the option "Enable Java" is checked, this is a finding.
To determine if a browser has JavaScript enabled, select Edit>>Preferences>>Advanced from the browser toolbar and select the Scripts and Plug-ins tab. Ensure that Navigator is not selected under the "Enable JavaScript" heading. If it is, then this is a finding.
If either Java or JavaScript is enabled, then this is a finding.

PDI: GEN004100 V0004376    Category: III    Status Code: MAN    Previously: G638
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser allows active scripting.
Reference: UNIX STIG: 4.6

5. GEN004120 Browser Data Redirection Warning

To determine if a browser has the data redirection warning enabled: select Edit>>Preferences>>Privacy and Security from the browser toolbar, select the Validation tab, and ensure that "Use OCSP to validate only certificates that specify an OCSP service URL" is selected under the OCSP heading. If it is not selected, then this is a finding.

PDI: GEN004120 V0004377    Category: II    Status Code: MAN    Previously: G639
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser does not issue a warning when form data is redirected.
Reference: UNIX STIG: 4.6

6. GEN004160 Browser Certificate Warning

To check if the browser is configured to issue a warning prior to viewing remote data, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security (Advanced in Mozilla) menu item. Select the Validation tab and verify that "Use OCSP to validate only certificates that specify an OCSP service URL" under OCSP is selected. If it is not selected, then this is a finding.

PDI: GEN004160 V0004379    Category: III    Status Code: MAN    Previously: G641
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser does not issue a warning prior to viewing remote data on a remote site containing a security certificate that does not match its Internet address.
Reference: UNIX STIG: 4.6

7. GEN004180 Browser Home Page

Click on Edit>>Preferences>>Navigator and verify that the Blank Page button under "Navigator Start With" is selected or, if Home Page is selected, verify that the pathname in the Home Page box is for a local web server. For Firefox, select Edit >> Preferences in the browser toolbar, and then select the General item.

PDI: GEN004180 V0004380    Category: II    Status Code: MAN    Previously: G642
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser home page is not a blank page or a locally generated page.
Reference: UNIX STIG: 4.6

8. GEN004200 Browser SSL Configuration

To check if the browser is configured for SSL, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Enable SSL version 2" and "Enable SSL version 3" are checked under SSL Protocol Versions. If they are not, then this is a finding. The tables below show the encryption algorithms associated with each version of SSL.

PDI: GEN004200 V0004381    Category: II    Status Code: MAN    Previously: G643
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The browser is not configured for Secure Socket Layer (SSL) v2 and SSL v3.
Reference: UNIX STIG: 4.6

SSL v2 Enable    X
    RC4 encryption with 128-bit key
    RC2 encryption with 128-bit key
    Triple DES encryption with 168-bit key
    DES encryption with 56-bit key
    RC4 encryption with 128-bit key
    RC2 encryption with 40-bit key
Table 4-1. SSL v2 Enable

SSL v3 Enable    X
    RC4 encryption with 128-bit key and an MD5 MAC
    Triple DES encryption with 168-bit key and a SHA-1 MAC
    DES encryption with 56-bit key and a SHA-1 MAC
    RC4 encryption with 40-bit key and an MD5 MAC
    RC2 encryption with a 40-bit key and an MD5 MAC
    No encryption with an MD5 MAC
Table 4-2. SSL v3 Enable

9. GEN004220 The root Account's Browser

Look in the root account home directory for a .netscape or a .mozilla directory. If none exists, mark this check as Not a Finding. If one exists, verify with the root users and the IAO what the intent of the browsing is. Some evidence may be obtained by using the browser to view cached pages under the .netscape directory.

PDI: GEN004220 V0004382    Category: I    Status Code: PART    Previously: G644
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECMT-1, ECMT-2
PDI Description: The root account uses the browser for reasons other than to control local applications.
Reference: UNIX STIG: 4.6

10. GEN004240 Browser Version

To view the version number, click Help and then About Browser from the browser toolbar. If the browser version is not Netscape 4.79 or greater, or Firefox 1.5 or greater, then this is a finding.

PDI: GEN004240 V0001038    Category: II    Status Code: PART    Previously: W01
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: The browser is not a supported version.
Reference: UNIX STIG: 4.6

11. GEN004260 Browser Cookie Warning

To check if the browser is configured to display a warning prior to accepting cookies, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the Cookies tab and verify that "Ask for each cookie" is checked under Cookie Lifetime Policy. If it is not, then this is a finding.

PDI: GEN004260 V0001039    Category: III    Status Code: AUTO    Previously: W03
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECWM-1
PDI Description: The browser does not issue a warning prior to accepting a cookie from a remote site.
Reference: UNIX STIG: 4.6

12. GEN004280 Browser Form Data Warning

To check if the browser is configured to issue a warning when submitting unencrypted form data, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Sending form data from an unencrypted page to an unencrypted page" is checked. If it is not, then this is a finding.
Note: This is a core setting in Firefox and should be marked as Not a Finding.

PDI: GEN004280 V0001041    Category: III    Status Code: AUTO    Previously: W09
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECWM-1
PDI Description: A browser does not issue a warning when submitting non-encrypted form data.
Reference: UNIX STIG: 4.6

13. GEN004300 Browser Secure and Non-secure Content Warning

To check if the browser warns when viewing a page with both encrypted and unencrypted content, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Viewing a page with an encrypted/unencrypted mix" is checked. If it is not, then this is a finding.
Note: This is a core setting in Firefox and should be marked as Not a Finding.

PDI: GEN004300 V0001042    Category: III    Status Code: AUTO    Previously: W11
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECWM-1
PDI Description: The browser does not issue a warning prior to viewing a document with both secure and non-secure content.
Reference: UNIX STIG: 4.6

14. GEN004320 Browser Leaving Encrypted Site Warning

To check if the browser warns when leaving an encrypted site, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Leaving a page that supports encryption" is checked. If it is not, then this is a finding.
Note: This is a core setting in Firefox and should be marked as Not a Finding.

PDI: GEN004320 V0001043    Category: III    Status Code: AUTO    Previously: W13
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECWM-1
PDI Description: The browser does not issue a warning prior to leaving an encrypted or secure site.
Reference: UNIX STIG: 4.6

8. Sendmail or Equivalent

1. GEN004360 aliases Ownership

Find the aliases file on the system:
# find / -name aliases -depth -print
# ls -lL <alias location>

If the file is not owned by root, then this is a finding.

PDI: GEN004360 V0000831    Category: II    Status Code: AUTO    Previously: G127
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The aliases file is not owned by root.
Reference: UNIX STIG: 4.7

2. GEN004380 aliases Permissions

Find the aliases file on the system:
# find / -name aliases -depth -print
# ls -lL <alias location>

If the permissions are greater than 644, then this is a finding.

PDI: GEN004380 V0000832    Category: II    Status Code: AUTO    Previously: G128
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The aliases file is more permissive than 644.
Reference: UNIX STIG: 4.7

3. GEN004400 File Executed Through Aliases Accessibility

Find the aliases file on the system:
# find / -name aliases -depth -print
# more <aliases file location>
Examine the aliases file for any directories or paths it references. For each, perform:
# ls -lL <path>
Ensure the file and its parent directory are owned by root. If they are not, then this is a finding.

PDI: GEN004400 V0000833    Category: I    Status Code: AUTO    Previously: G131
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: Files executed through an aliases file are not owned by root and do not reside within a directory owned and writable only by root.
Reference: UNIX STIG: 4.7


4. GEN004420 File Executed Through Aliases Permissions

Find the aliases file on the system:
# find / -name aliases -depth -print
# more <aliases file location>
Examine the aliases file for any directories or paths it references. For each, perform:
# ls -lL <path>
to check that the permissions are not greater than 755.
If files executed through an alias have permissions greater than 755, then this is a finding.

PDI: GEN004420 V0000834    Category: II    Status Code: AUTO    Previously: G132
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: Files executed through an aliases file are more permissive than 755.
Reference: UNIX STIG: 4.7

5. GEN004440 Sendmail Logging

Find the sendmail.cf file on the system:
# find / -name sendmail.cf
To check if sendmail logging is set to level nine:
# grep "O L" <sendmail location>/sendmail.cf
or
# grep LogLevel <sendmail location>/sendmail.cf

If logging is set to less than nine, then this is a finding.

PDI: GEN004440 V0000835    Category: IV    Status Code: AUTO    Previously: G133
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-1, ECAR-2, ECAR-3
PDI Description: Sendmail logging is set to less than nine in sendmail.cf.
Reference: UNIX STIG: 4.7

6. GEN004460 Critical Level Sendmail Messages Logging

Enter the command:
# more /etc/syslog.conf

Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit. If the system is not logging critical sendmail messages, then this is a finding.

PDI: GEN004460 V0000836    Category: II    Status Code: AUTO    Previously: G134
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-1, ECAR-2, ECAR-3
PDI Description: Critical-level sendmail messages are not logged.
Reference: UNIX STIG: 4.7
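GEN004440 and GEN004460 together establish two facts: the LogLevel set in sendmail.cf, and the syslog destination that receives mail messages (which the two checks that follow then inspect for ownership and permissions). The script below is an added example written for this section, not part of the checklist or its scripts. It assumes the two spellings of the option that sendmail.cf files use, the long "O LogLevel=9" and the old single-letter "OL9", and the standard syslog.conf layout of selector fields followed by an action; the FINDING wording is the example's own.

```sh
#!/bin/sh
# Added example (not from the checklist): read the sendmail LogLevel from a
# sendmail.cf and find where syslog.conf sends mail messages.

# Print the LogLevel set in sendmail.cf $1, accepting both the long
# "O LogLevel=9" spelling and the old single-letter "OL9" spelling. Comment
# lines are ignored and the last occurrence is reported. Prints nothing if the
# option is not set at all.
sendmail_loglevel() {
    grep -v '^#' "$1" | sed -n \
        -e 's/^O[[:space:]]*LogLevel[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        -e 's/^OL[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Print the syslog action (log file or @host) of every syslog.conf $1 line whose
# selectors include one that captures sendmail's messages: mail.crit, mail.debug,
# mail.* or *.crit. Lines are "selector[;selector...]<tab>action"; a leading "-"
# on a Linux action only disables fsync and is stripped so the path is usable.
mail_log_destinations() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                if (sel[i] == "mail.crit" || sel[i] == "mail.debug" ||
                    sel[i] == "mail.*"    || sel[i] == "*.crit") {
                    sub(/^-/, "", $2)
                    print $2
                    break
                }
            }
        }' "$1"
}

# Both checks at once: $1 sendmail.cf, $2 syslog.conf. LogLevel must be set and
# at least nine, and at least one mail selector must have a destination.
# Prints a FINDING line per failure and returns 1 if there was any.
check_mail_logging() {
    cf=$1 syslog=$2 result=0
    level=$(sendmail_loglevel "$cf")
    if [ -z "$level" ] || [ "$level" -lt 9 ]; then
        printf 'FINDING: sendmail LogLevel is "%s" in %s (nine or higher required)\n' "$level" "$cf"
        result=1
    fi
    dests=$(mail_log_destinations "$syslog")
    if [ -z "$dests" ]; then
        printf 'FINDING: no mail.crit, mail.debug, mail.* or *.crit selector in %s\n' "$syslog"
        result=1
    else
        printf 'mail messages are logged to: %s\n' "$dests"
    fi
    return $result
}
```

The destinations printed by mail_log_destinations are the files that GEN004480 and GEN004500 go on to check for root ownership and a mode no more permissive than 644.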


7. GEN004480 Critical Sendmail Log File Ownership

Perform:
# more /etc/syslog.conf

Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file.
Perform:
# ls -lL <file location>

If the file is not owned by root, then this is a finding.

PDI: GEN004480 V0000837    Category: II    Status Code: AUTO    Previously: G135
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECTP-1
PDI Description: Critical sendmail log file is not owned by root.
Reference: UNIX STIG: 4.7

8. GEN004500 Critical Sendmail Log File Permissions

Perform:
# more /etc/syslog.conf

Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file.
Perform:
# ls -lL <file location>

If the log file permissions are greater than 644, then this is a finding.

PDI: GEN004500 V0000838    Category: II    Status Code: AUTO    Previously: G136
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: Critical sendmail log file is more permissive than 644.
Reference: UNIX STIG: 4.7

9. GEN004540 Sendmail Help Command

To check if the help command is disabled in sendmail, connect to the SMTP port and issue the command:
# telnet <host> 25
help
The help feature can be disabled by creating an empty help file.
If the help command returns any sendmail version information, then this is a finding.

PDI: GEN004540 V0012006    Category: II    Status Code: AUTO    Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The sendmail help command is not disabled.
Reference: UNIX STIG: 4.7

10. GEN004560 Sendmail Greeting to Mask Version

To check whether the sendmail version is displayed in the greeting:
# telnet localhost 25

If a version number is displayed, the following line should be added to the sendmail.cf file to correct the problem:
O SmtpGreetingMessage=Mail Server Ready; $b
If the above entry is not in the sendmail.cf file, then this is a finding.

PDI: GEN004560 V0004384    Category: III    Status Code: AUTO    Previously: G646
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask the version.
Reference: UNIX STIG: 4.7

11. GEN004580 .forward Files

Search for any .forward files on the system:
# find / -name .forward -print

This is a finding if any .forward files are found on the system.

PDI: GEN004580 V0004385    Category: I    Status Code: AUTO    Previously: G647
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: .forward files were found.
Reference: UNIX STIG: 4.7

12. GEN004600 Sendmail Version

Perform:
# find / -name sendmail
to locate the sendmail daemon, and then perform:
# what <file location>
or
# strings <file location> | grep version
or
# sendmail -d0 < /dev/null
to determine the sendmail daemon version. Version 8.13.8 is the latest required version.
If the sendmail version is not at least 8.13.8, then this is a finding.

PDI: GEN004600 V0004689    Category: I    Status Code: AUTO    Previously: V124
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: A sendmail server has an out-of-date version of sendmail active.
Reference: UNIX STIG: 4.7

13. GEN004620 Sendmail DEBUG Command

Perform the following to determine if debug is disabled:
# telnet localhost 25
debug
If the command does not return a 500 error code (command unrecognized), then this is a finding.

PDI: GEN004620 V0004690    Category: I    Status Code: AUTO    Previously: V125
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The sendmail debug command is not disabled.
Reference: UNIX STIG: 4.7

14. GEN004640 Sendmail DECODE Command

Perform the following to determine if decode is disabled:
# telnet localhost 25
decode
If the command does not return a 500 error code (command unrecognized), then this is a finding.

PDI: GEN004640 V0004691    Category: I    Status Code: AUTO    Previously: V126
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The sendmail decode command is not disabled.
Reference: UNIX STIG: 4.7


15. GEN004660 Sendmail EXPN Command

Perform the following to determine if expn is disabled:
# telnet localhost 25
expn root
If the command does not return a 500 error code (command unrecognized), then this is a finding.
Or
Locate the sendmail.cf configuration file:
# find / -name sendmail.cf -print
# grep -v "^#" <sendmail.cf location> | grep -i noexpn

On HP-UX and AIX systems look for:
# grep -v "^#" <sendmail.cf location> | grep -i privacyoptions
The O PrivacyOptions entry should have the noexpn and novrfy options, or the goaway option to cover both.
Ensure that the expn command is disabled with an entry in the sendmail.cf file that reads Opnoexpn, noexpn, or goaway.
If the expn command is not disabled, then this is a finding.

PDI: GEN004660 V0004692    Category: III    Status Code: AUTO    Previously: V128
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The sendmail expn command is not disabled.
Reference: UNIX STIG: 4.7

16. GEN004680 Sendmail VRFY Command

Perform the following to determine if vrfy is disabled:
# telnet localhost 25
vrfy root
If the command does not return a 500 error code (command unrecognized), then this is a finding.
Or
Locate the sendmail.cf configuration file:
# find / -name sendmail.cf -print
# grep -v "^#" <sendmail.cf location> | grep -i novrfy

Ensure the vrfy command is disabled with an entry in the sendmail.cf file. The entry could be any one of Opnovrfy, novrfy, or goaway. The goaway argument encompasses many things, such as novrfy and noexpn.

PDI: GEN004680 V0004693    Category: III    Status Code: AUTO    Previously: V130
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The sendmail vrfy command is not disabled.
Reference: UNIX STIG: 4.7

17. GEN004700 Sendmail WIZ Command

Perform the following to determine if wizard is disabled:
# telnet localhost 25
wiz
wizard
If the command does not return a 500 error code (command unrecognized), then this is a finding.
Or
Locate the sendmail.cf configuration file:
# find / -name sendmail.cf -print
# grep -v "^#" <sendmail.cf location> | grep -i wiz

If an entry is found for wiz, then this is a finding.

PDI: GEN004700 V0004694    Category: III    Status Code: AUTO    Previously: V131
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The sendmail wiz/wizard command is not disabled.
Reference: UNIX STIG: 4.7

9. File Transfer Protocol (FTP) and Telnet


1. GEN004720 FTP or Telnet Within Enclave Behind Router

Perform the following to check for FTP or Telnet within the enclave:
# last | more

If any FTP or Telnet connections are found, examine the third field (the originating host) and ask the SA if the initiating client is inside the enclave. Ask the SA if the network connection is behind the premise router and protected by a firewall or router access control list. If it is not, then this is a finding.

PDI: GEN004720 V0012007    Category: II    Status Code: PART    Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: FTP or telnet within an enclave is not behind the premise router and protected by a firewall and router access control lists.
Reference: UNIX STIG: 4.8

2. GEN004760 FTP or Telnet Outside to Inside Enclave

Perform the following to check for FTP or Telnet from outside the enclave:
# last | more
If any FTP or Telnet connections are found, examine the third field (the originating host) and ask the SA if the initiating client is outside of the enclave. If it is, then this is a finding.

PDI: GEN004760 V0012008    Category: I    Status Code: PART    Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: FTP or telnet from outside the enclave into the enclave is enabled and not within requirements.
Reference: UNIX STIG: 4.8

3. GEN004780 FTP or Telnet Userids and Passwords

Perform the following to check for FTP:
# more /etc/passwd

Make a note of any user accounts with administrative privileges by verifying that the third field (the UID) is set to 0, and then perform the following:
# more /etc/ftpd/ftpusers

Ensure that every root-privileged user, and every user holding any root role, is listed in the ftpusers file.
In addition, perform the following to check for both ftp and telnet logins as root:
# last | more

Verify that root has not logged in with telnet or ftp. If it has, then this is a finding.

PDI: GEN004780 V0012009    Category: I    Status Code: PART    Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: FTP or telnet userids/passwords have administrative or root privileges.
Reference: UNIX STIG: 4.8

4. GEN004800 Unencrypted FTP or Telnet

Perform the following to determine if unencrypted ftp or telnet are enabled (on most systems):
# grep ftp /etc/inetd.conf
# grep telnet /etc/inetd.conf

Solaris 10
# svcs ftp
# svcs telnet

Linux
# chkconfig --list telnet
# chkconfig --list vsftpd

If any of the above are found to be active, ask the SA if any type of encryption is being used with these services. If it is not encrypted and an Acceptance of Risk Letter is not present, then this is a finding.

PDI: GEN004800 V0012010    Category: II    Status Code: PART    Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECNK-1
PDI Description: An AORL is not used to document the use of unencrypted FTP or telnet, or the risk is not accepted as part of the accreditation package.
Reference: UNIX STIG: 4.8

5. GEN004820 Anonymous FTP

Perform the following to determine if a system is capable of anonymous ftp:
# ps -ef | grep ftpd
# grep ftp /etc/passwd

Use the ftp command to connect to the ftp service. Attempt to log into this host with a user name of anonymous and a password of guest (also try the password guest@mail.com). If the logon is successful, ask if the use of anonymous FTP on the system is documented with the IAO. If it is not, then this is a finding.

PDI: GEN004820 V0000846    Category: II    Status Code: PART    Previously: G147
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1
PDI Description: Anonymous FTP is active and not documented by the IAO.
Reference: UNIX STIG: 4.8

6. GEN004840 Anonymous FTP Segregation into DMZ

Perform the following to determine if a system is capable of anonymous ftp:
# ps -ef | grep ftpd
# grep ftp /etc/passwd

Ask the SA if the server is on a separate subnet located in a DMZ. If it is not, then this is a finding.

PDI: GEN004840 V0004702    Category: II    Status Code: PART    Previously: V052
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1
PDI Description: Anonymous FTP is not segregated into the network DMZ.
Reference: UNIX STIG: 4.8

10. FTP Configuration

1. GEN004880 The ftpusers File

Perform the following to determine if the ftpusers file exists:
# ls -la <ftpusers file>

where <ftpusers file> is one of the files listed below.

Locations of the ftpusers file:
Solaris 5.5.1 - 5.8    /etc/ftpusers
Solaris 5.9 - 5.10     /etc/ftpd/ftpusers
HPUX 10                /etc/ftpusers
HPUX 11                /etc/ftpd/ftpusers
AIX                    /etc/ftpusers
Linux (wu-ftp)         /etc/ftpusers
Linux (vsftpd)         /etc/vsftpd.ftpusers
IRIX                   /etc/ftpd/ftpusers

If the ftpusers file does not exist, then this is a finding.

PDI: GEN004880 V0000840    Category: II    Status Code: AUTO    Previously: G140
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: The ftpusers file does not exist.
Reference: UNIX STIG: 4.8.1

2. GEN004900 The ftpusers File Contents

Check for system accounts in the ftpusers file, which should not be allowed to use ftp:
# more /etc/ftpusers
(or the location for the applicable operating system listed below)

Locations of the ftpusers file:
Solaris 5.5.1 - 5.8    /etc/ftpusers
Solaris 5.9 - 5.10     /etc/ftpd/ftpusers
HPUX 10                /etc/ftpusers
HPUX 11                /etc/ftpd/ftpusers
AIX                    /etc/ftpusers
Linux (wu-ftp)         /etc/ftpusers
Linux (vsftpd)         /etc/vsftpd.ftpusers
IRIX                   /etc/ftpd/ftpusers

If system accounts are not listed in the ftpusers file, then this is a finding.

PDI: GEN004900 V0000841    Category: II    Status Code: AUTO    Previously: G141
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: The ftpusers file does not contain account names not allowed to use FTP.
Reference: UNIX STIG: 4.8.1

3. GEN004920 The ftpusers File Ownership

Perform the following on the ftpusers file associated with the applicable operating system:
# ls -la <file location>

Locations of the ftpusers file:
Solaris 5.5.1 - 5.8    /etc/ftpusers
Solaris 5.9 - 5.10     /etc/ftpd/ftpusers
HPUX 10                /etc/ftpusers
HPUX 11                /etc/ftpd/ftpusers
AIX                    /etc/ftpusers
Linux (wu-ftp)         /etc/ftpusers
Linux (vsftpd)         /etc/vsftpd.ftpusers
IRIX                   /etc/ftpd/ftpusers

If the file is not owned by root, then this is a finding.

PDI: GEN004920 V0000842    Category: II    Status Code: AUTO    Previously: G142
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The ftpusers file is not owned by root.
Reference: UNIX STIG: 4.8.1

4. GEN004940 The ftpusers File Permissions

Perform the following on the ftpusers file associated with the applicable operating system:
# ls -la <file location>

Locations of the ftpusers file:
Solaris 5.5.1 - 5.8    /etc/ftpusers
Solaris 5.9 - 5.10     /etc/ftpd/ftpusers
HPUX 10                /etc/ftpusers
HPUX 11                /etc/ftpd/ftpusers
AIX                    /etc/ftpusers
Linux (wu-ftp)         /etc/ftpusers
Linux (vsftpd)         /etc/vsftpd.ftpusers
IRIX                   /etc/ftpd/ftpusers

If the file permissions are greater than 640, then this is a finding.

PDI: GEN004940 V0000843    Category: II    Status Code: AUTO    Previously: G143
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The ftpusers file is more permissive than 640.
Reference: UNIX STIG: 4.8.1

5. GEN004980 FTP Daemon Logging

Perform:
# grep ftpd /etc/inetd.conf
and check the ftpd line to see whether the -l (HP-UX, Solaris, AIX, and Digital) or -v (HP-UX) option is invoked. If not, then this is a finding.
Solaris 10:
# svccfg
svc:> export ftp
svc:> quit

Verify that the line containing /usr/sbin/in.ftpd contains the -l option.

On Linux systems:
# grep log /etc/xinetd.d/vsftpd

If either log_on_success or log_on_failure is commented out, then this is a finding.

PDI: GEN004980 V0000845    Category: III    Status Code: AUTO    Previously: G145
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: The FTP daemon is not configured for logging or verbose mode.
Reference: UNIX STIG: 4.8.1

6. GEN005000 Anonymous FTP Account Shell

Perform the following to check for anonymous FTP:
# grep '^ftp:' /etc/passwd

The login shell is the seventh colon-separated field of the entry (name:password:UID:GID:GECOS:home:shell). If that field does not contain one of /bin/false, /dev/null, /usr/bin/false, or /bin/true, and the entry does not end with a : (an empty shell field), this check will be a finding.

PDI: GEN005000  V0004387  Category: I  Status Code: AUTO  Previously: G649
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: There is an anonymous FTP account with a functional shell.
Reference: UNIX STIG: 4.8.1

7. GEN005020 Anonymous FTP Configuration

First, determine if there is an anonymous ftp account:
# grep '^ftp:' /etc/passwd
If there is no output, mark this check as Not a Finding.

Change to the ftp home directory and list it:
# ls -lL <ftp home directory>

It should be writable by no one (555). The following directories must exist in the account: etc and bin, with permissions of 111. The <ftp home directory>/etc directory will only contain passwd, group and netgroup files but can be empty. The <ftp home directory>/bin directory should be a symbolic link to the <ftp home directory>/usr/bin directory in the ftp account and contain only a copy of the ls command. There must be a <ftp home directory>/usr/lib directory owned by root with permissions of 555. The <ftp home directory>/usr/lib directory should contain the following libraries with permissions of 555: ld.so.1, libc.so.1, libdl.so.1, libmp.so.2, libnsl.so.1, libsocket.so.1, nss_compat.so.1, nss_dns.so.1, nss_files.so.1, nss_nis.so.1, nss_nisplus.so.1, and nss_xfn.so.1. Other requirements include:

~ftp/etc will be owned by the superuser and not writable by anyone. It will contain copies of the passwd, group, and netconfig files, with permissions of 444. The copied passwd file must not carry password hashes; the anonymous account only needs the names and UIDs so that ls can display owners.
~ftp/pub will be owned by root with permissions of 755. Users may place files that are to be accessible via the anonymous account in this directory.
~ftp/dev will be owned by root and not writable by anyone. It will contain the following device nodes: zero, tcp, udp and ticotsord (copies of /dev/zero, /dev/tcp, /dev/udp and /dev/ticotsord), with permissions of 666.
~ftp/usr/share/lib/zoneinfo will be owned by root with permissions of 555. It should have the same contents as /usr/share/lib/zoneinfo.

Security: For Linux and for Solaris 8 and newer, in.ftpd uses pam(3PAM) for authentication, account and session management. Here is a partial pam.conf file (Solaris syntax; on Linux the equivalent entries live under /etc/pam.d/ and the module is pam_unix.so) with the required entries for the in.ftpd command using the UNIX authentication, account management, and session management modules:

ftp   auth      required   /usr/lib/security/pam_unix.so.1
ftp   account   required   /usr/lib/security/pam_unix.so.1
ftp   session   required   /usr/lib/security/pam_unix.so.1

PDI: GEN005020  V0004388  Category: I  Status Code: PART  Previously: G650
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Anonymous FTP is not configured using all security recommendations.
Reference: UNIX STIG: 4.8.1

8. GEN005040 FTP Users umask

To determine the umask of the ftp user, perform the following:
# su ftp
$ umask
If the umask value returned is not 077, then this is a finding.

Note: if the ftp account has a non-functional shell, as GEN005000 requires, su will fail; on Linux, su -s /bin/sh ftp -c umask runs the command under a temporary shell instead.

PDI: GEN005040  V0012011  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: An FTP user's umask is not 077.
Reference: UNIX STIG: 4.8.1

11. File Service Protocol (FSP)

1. GEN005060 FSP Is Enabled

To determine if fsp is enabled, perform the following:
# grep in.fspd /etc/inetd.conf
# netstat -a | grep fsp
# ps -ef | grep fspd
(Do not add -n to netstat here; it replaces service names with port numbers and the grep would never match.) If an entry for fsp is found in any of the output, then this is a finding.

PDI: GEN005060  V0012013  Category: I  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: FSP is enabled.
Reference: UNIX STIG: 4.9

12. Trivial File Transfer Protocol (TFTP)

1. GEN005080 TFTP Secure Mode

Perform the following to determine if the system is running tftp in secure mode, i.e. with the daemon started with the -s <directory> option that confines it to that directory:

Solaris
# grep tftp /etc/inetd.conf | grep -e '-s'

HP-UX tftpd runs in secure mode by default, therefore this is not applicable.

AIX
# more /etc/tftpaccess.ctl
If the file does not exist, then this is a finding. Ensure the only entry is one that allows access to the tftp user's home directory.

Linux
# grep server_args /etc/xinetd.d/tftp | grep -e '-s'

IRIX
# grep tftp /etc/inetd.conf | grep -e '-s'

(grep -e is needed so that -s is read as the pattern rather than as a grep option.) If TFTP is not running in secure mode, then this is a finding.

PDI: GEN005080  V0000847  Category: I  Status Code: AUTO  Previously: G149
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: The TFTP daemon is not running in secure mode.
Reference: UNIX STIG: 4.10

2. GEN005100 TFTP SUID/SGID Bit

Perform:
# find / -name '*tftpd' -print
to locate the file. Once the file is located, use the command:
# ls -la <file location>
to check for the suid or sgid bit being set. If either of the bits is set, then this is a finding.

PDI: GEN005100  V0000848  Category: I  Status Code: AUTO  Previously: G150
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The TFTP daemon has the suid or sgid bit set.
Reference: UNIX STIG: 4.10

3. GEN005120 TFTP Configuration

Check the /etc/passwd file to determine if TFTP is configured properly:
# grep '^tftp:' /etc/passwd

If a tftp user account does not exist and TFTP is active, then this is a finding.
Ensure the user's shell (the seventh field) is /bin/false or equivalent. If it is not, then this is a finding.
Ensure the TFTP user is assigned a home directory (the sixth field). If not, then this is a finding.

PDI: GEN005120  V0000849  Category: II  Status Code: AUTO  Previously: G151
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: TFTP is not configured to vendor specifications, including the following:
  A TFTP user will be created.
  The default shell will be set to /bin/false, or equivalent.
  A home directory owned by the TFTP user will be created.
Reference: UNIX STIG: 4.10
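The ftp and tftp account rules (GEN005000 above and this check) both come down to reading the right colon-separated fields of the passwd entry. The following POSIX sh functions are an added example, not part of the STIG scripts, and run against a constructed passwd sample embedded in the block; the nologin shells are included as an assumed "equivalent" of /bin/false and are not named by the check itself.

```sh
#!/bin/sh
# Added example: evaluate the ftp/tftp service-account rules of GEN005000 and
# GEN005120 against /etc/passwd data. The login shell is the seventh
# colon-separated field (name:pw:uid:gid:gecos:home:shell); an empty seventh
# field, i.e. an entry ending in ":", also counts as "no functional shell".

# Constructed sample data for the demonstration; not taken from any host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/bin/false
tftp:x:99:99:tftp daemon:/tftpboot:
anon:x:1001:1001:Anonymous FTP:/home/anon:/bin/bash
nohome:x:1002:1002:No home dir::/bin/false'

# passwd_field PASSWD_TEXT USER N: print field N of USER's entry (nothing if absent).
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }'
}

# check_service_account PASSWD_TEXT USER
# Returns 0 when compliant, 1 on a finding, 2 when the account does not exist
# (for TFTP that is itself a finding when the service is active).
check_service_account() {
    passwd=$1 user=$2 rc=0
    entry=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u')
    [ -n "$entry" ] || { echo "$user: no account in passwd"; return 2; }
    home=$(passwd_field "$passwd" "$user" 6)
    shell=$(passwd_field "$passwd" "$user" 7)
    case $shell in
        ''|/bin/false|/usr/bin/false|/bin/true|/dev/null) ;;   # non-functional, per the check
        /sbin/nologin|/usr/sbin/nologin) ;;                     # assumed accepted "equivalents"
        *) echo "FINDING: $user has a functional login shell ($shell)"; rc=1 ;;
    esac
    [ -n "$home" ] || { echo "FINDING: $user has no home directory assigned"; rc=1; }
    return $rc
}

# Usage on a live system:
#   check_service_account "$(cat /etc/passwd)" ftp
#   check_service_account "$(cat /etc/passwd)" tftp
```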

4. GEN005140 TFTP Documentation

Perform the following to determine if TFTP is active:

Solaris, HP-UX, AIX, IRIX
# grep -v '^#' /etc/inetd.conf | grep tftp

Solaris 10
# svcs tftp

Linux
# chkconfig --list | grep tftp
Or
# chkconfig tftp

If TFTP is found to be enabled, ask the SA if it is documented with the IAO. This is a finding if it is not documented.

PDI: GEN005140  V0004695  Category: I  Status Code: PART  Previously: V141
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: TFTP is active and it is not justified and documented with the IAO.
Reference: UNIX STIG: 4.10

13. X Window System

1. GEN005160 .Xauthority Files

To check whether .Xauthority files are being used, change directory to a user's home directory and perform:
# ls -la .Xauthority

If the file does not exist, ask the SA if the user is using X Windows. If the user is using X Windows, the .Xauthority file does not exist, and host-based access control is not being used, then this is a finding.

PDI: GEN005160  V0000850  Category: II  Status Code: PART  Previously: G152
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: EBCR-1, EBRP-1, EBRU-1
PDI Description: An X Windows host does not write .Xauthority files (or equivalent).
Reference: UNIX STIG: 4.11

2. GEN005180 .Xauthority File Permissions

Check the file permissions of the .Xauthority files:
# ls -lL .Xauthority
If the file permissions are more permissive than 600, then this is a finding.

PDI: GEN005180  V0012014  Category: II  Status Code: PART  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description: .Xauthority files are more permissive than 600.
Reference: UNIX STIG: 4.11

3. GEN005200 X Displays Exporting

Perform the following to determine if access to the X window system is limited to authorized clients:
# xhost

If the above command returns "access control disabled, clients can connect from any host", then this is a finding.

PDI: GEN005200  V0004697  Category: I  Status Code: PART+  Previously: V155
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: A system is exporting X displays to the world.
Reference: UNIX STIG: 4.11

4. GEN005220 X Client Authorization via X*.hosts

Perform the following to determine if the X server is running:
# ps -ef | grep X
Determine if xauth is being used:
# xauth
xauth> list

If the above command sequence does not show any host other than the localhost, then xauth is not being used. Search the system for X*.hosts files (for example /etc/X0.hosts), where * is a display number, that may be used to limit X window connections. If none are found and user-based access control is not being used, then this is a finding.

PDI: GEN005220  V0012016  Category: II  Status Code: PART  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: Authorized X clients are not listed in the X*.hosts (or equivalent) file(s) if the .Xauthority utility is not used.
Reference: UNIX STIG: 4.11

5. GEN005240 X Client Authorization

Perform the following to determine if access to the X window system is limited to authorized clients:
# xauth
xauth> list

Ask the SA if the clients listed are authorized. If they are not, then this is a finding.

PDI: GEN005240  V0012017  Category: II  Status Code: MAN  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: Access to the X-terminal host is not limited to authorized X clients.
Reference: UNIX STIG: 4.11

6. GEN005260 X Window System Not Required and Not Disabled

Determine if the X window system is running:
# ps -ef | grep X
Ask the SA if the X window system is an operational requirement. If it is not, then this is a finding.

PDI: GEN005260  V0012018  Category: II  Status Code: PART  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: The X Window System connections are not required and the connections are not disabled.
Reference: UNIX STIG: 4.11

14. UNIX to UNIX Copy Program (UUCP)

1. GEN005280 Disable UUCP

Perform the following to determine if uucp is active.

Solaris, HP-UX, AIX and IRIX
# grep uucp /etc/inetd.conf
Solaris 10
# svcs uucp
Linux
# chkconfig uucp
Or
# chkconfig --list | grep uucp

If UUCP is found to be enabled, then this is a finding.

PDI: GEN005280  V0004696  Category: II  Status Code: AUTO  Previously: V145
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: The UUCP service is enabled.
Reference: UNIX STIG: 4.12
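Several of the inetd-based checks in this section (GEN004980 ftpd -l, GEN005080 tftpd -s, GEN005140 tftp active, and this UUCP check) reduce to the same two questions: is there an uncommented entry for the service, and does its server-args field carry a given flag? A plain grep answers neither reliably, because it also matches commented-out lines and substrings. The following POSIX sh and awk functions are an added example, not part of the STIG scripts; they parse inetd.conf and xinetd.d text and are exercised against constructed sample files embedded in the block.

```sh
#!/bin/sh
# Added example: decide from inetd.conf / xinetd.d content whether a service is
# active and whether its daemon is started with a given flag. Commented-out
# entries must not count, and the flag must be matched as a whole word.

# Constructed sample inetd.conf (not from a real host); fields are
# service socket-type protocol wait user server-program server-args.
SAMPLE_INETD='# Internet services
ftp     stream  tcp   nowait  root  /usr/sbin/in.ftpd    in.ftpd -l
#tftp   dgram   udp   wait    root  /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
tftp    dgram   udp   wait    root  /usr/sbin/in.tftpd   in.tftpd /tftpboot
#uucp   stream  tcp   nowait  root  /usr/sbin/in.uucpd   in.uucpd'

# Constructed sample /etc/xinetd.d/tftp (not from a real host).
SAMPLE_XINETD_TFTP='service tftp
{
        disable         = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /tftpboot
}'

# inetd_active_args CONF_TEXT SERVICE: print the server-args (field 7 onward)
# of the active entry for SERVICE; exit 1 when no uncommented entry exists.
inetd_active_args() {
    printf '%s\n' "$1" | awk -v s="$2" '
        /^[ \t]*#/ || NF < 6 { next }                 # comment or malformed line
        $1 == s {
            out = ""
            for (i = 7; i <= NF; i++) out = out (i > 7 ? " " : "") $i
            print out; found = 1
        }
        END { exit !found }'
}

# inetd_has_flag CONF_TEXT SERVICE FLAG: 0 if the active entry passes FLAG,
# 1 if it does not, 2 if the service is not active at all.
inetd_has_flag() {
    args=$(inetd_active_args "$1" "$2") || return 2
    case " $args " in *" $3 "*) return 0 ;; *) return 1 ;; esac
}

# xinetd_attr FILE_TEXT NAME: value of "NAME = value" inside the service block.
xinetd_attr() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); print val; exit }'
}

# xinetd_has_flag FILE_TEXT FLAG: same return convention as inetd_has_flag;
# a service with "disable = yes" is reported as not active.
xinetd_has_flag() {
    [ "$(xinetd_attr "$1" disable)" = yes ] && return 2
    case " $(xinetd_attr "$1" server_args) " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Usage on a live host, e.g. GEN005080 on Solaris and on Linux:
#   inetd_has_flag "$(cat /etc/inetd.conf)" tftp -s; echo "rc=$?"
#   xinetd_has_flag "$(cat /etc/xinetd.d/tftp)" -s; echo "rc=$?"
```

A return code of 2 from either function is the "service not active" case that makes GEN005080 and GEN005140 Not Applicable rather than a finding.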

15. Simple Network Management Protocol (SNMP)

1. GEN005300 Changed SNMP Community Strings

Find the snmpd.conf file:
# find / -name snmpd.conf -print
# more <path to snmpd.conf>
Search for the community name (for net-snmp, the rocommunity, rwcommunity or com2sec directives) and check that the string has been changed to something other than public, private, snmp-trap or password, and that it meets the DISA requirements for password construction. The community string is stored in plain text. If it has not been changed from a default value, then this is a finding.

PDI: GEN005300  V0000993  Category: I  Status Code: AUTO  Previously: G224
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2, IAAC-1, DCCS-1, DCCS-2
PDI Description: SNMP community strings have not been changed from the default.
Reference: UNIX STIG: 4.13

2. GEN005320 snmpd.conf Permissions

Perform:
# find / -name snmpd.conf
# ls -lL <snmpd.conf>
If the snmpd.conf file is more permissive than 700, then this is a finding.

PDI: GEN005320  V0000994  Category: II  Status Code: AUTO  Previously: G225
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The snmpd.conf file is more permissive than 700.
Reference: UNIX STIG: 4.13

3. GEN005340 MIB File Permissions

Perform the following to find all the Management Information Base (MIB) files on the system:
# find / -name '*.mib' -print
# ls -lL <mib file>
Any file returned with permissions more permissive than 640 is a finding.

PDI: GEN005340  V0000995  Category: II  Status Code: AUTO  Previously: G226
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The MIB files are more permissive than 640.
Reference: UNIX STIG: 4.13

4. GEN005360 snmpd.conf and .mib Ownership

Perform:
# find / -name snmpd.conf
# find / -name '*.mib'
# ls -lL <snmpd.conf> <mib file(s)>
If the snmpd.conf file or any .mib file is not owned by root and group owned by sys or the application, then this is a finding.

PDI: GEN005360  V0012019  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The snmpd.conf and .mib files are not owned by root and group owned by sys or the application.
Reference: UNIX STIG: 4.13

5. GEN005380 Dedicated Hardware for SNMP

To check if SNMP is used, execute the following commands:
# netstat -a | grep LISTEN | grep snmp
# netstat -a | grep LISTEN | egrep '161|162'

Note that the agent's port 161 is UDP, and netstat does not show a LISTEN state for UDP sockets; also inspect the UDP section of netstat -an for a socket bound to port 161 or 162.

If there is any output, then ask the SA if this is an snmp server. If it is an snmp server, then ask what other applications run on it. If there is anything other than network management software and DBMS software used only for the storage and inquiry of snmp data, this is a finding.

PDI: GEN005380  V0004392  Category: II  Status Code: MAN  Previously: G655
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: SNMP does not run on dedicated hardware.
Reference: UNIX STIG: 4.13


16. System Logging Daemon

1. GEN005400 /etc/syslog.conf Accessibility

Check /etc/syslog.conf ownership and permissions:
# ls -lL /etc/syslog.conf
If /etc/syslog.conf is not owned by root or is more permissive than 640, then this is a finding.

PDI: GEN005400  V0004393  Category: II  Status Code: AUTO  Previously: G656
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/syslog.conf file is not owned by root or is more permissive than 640.
Reference: UNIX STIG: 4.14

2. GEN005420 /etc/syslog.conf Group Ownership

Check /etc/syslog.conf group ownership:
# ls -lL /etc/syslog.conf
If /etc/syslog.conf is not group owned by root, sys, or bin, then this is a finding.

PDI: GEN005420  V0004394  Category: II  Status Code: AUTO  Previously: G657
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The /etc/syslog.conf file is not group owned by root, sys, or bin.
Reference: UNIX STIG: 4.14


3. GEN005440 Local Loghosts

Ask the SA if this system acts as a loghost server for remote hosts. If it does not, mark this as Not a Finding.
Ask the SA if the loghost server is collecting data for hosts outside the enclave. If it is, then this is a finding.

PDI: GEN005440  V0012020  Category: II  Status Code: MAN  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Local hosts are used as loghosts for systems outside the local network.
Reference: UNIX STIG: 4.14

4. GEN005460 Remote Loghost Documentation

Perform the following to determine if the system is using a remote loghost:
# grep loghost /etc/hosts

If the loghost entry is a remote machine, then ask the SA if the remote machine is documented as a loghost with the IAO. If it is not documented, then this is a finding.

PDI: GEN005460  V0004395  Category: II  Status Code: PART  Previously: G658
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCHW-1
PDI Description: A system is using a remote loghost that is not documented with the IAO.
Reference: UNIX STIG: 4.14

5. GEN005480 Syslog Accepts Remote Messages

Perform the following to determine if syslogd accepts remote messages:

Solaris
# ps -ef | grep syslogd
If the -t option (disable the UDP port) is not present, then ask the SA if it is documented.

HP-UX
# ps -ef | grep syslogd
If the -N option is not present, then ask the SA if it is documented.

Linux
# ps -ef | grep syslogd
If the -r option (enable remote reception) is present, then ask the SA if it is documented. Hosts running rsyslog or syslog-ng do not use -r; check the daemon's configuration for a network input (for rsyslog, the imudp or imtcp module lines) instead.

AIX
# ps -ef | grep syslogd
If the -r option is not present, then ask the SA if it is documented.

IRIX
# ps -ef | grep syslogd
If the -N option is not present, then ask the SA if it is documented.

If syslog accepts remote messages and the system is not an IAO-documented loghost, then this is a finding.

PDI: GEN005480  V0012021  Category: II  Status Code: PART  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: The syslog daemon accepts remote messages and is not an IAO documented loghost.
Reference: UNIX STIG: 4.14

17. Secure Shell (SSH) and Equivalents

1. GEN005500 SSH Version 1 Compatibility

Locate the sshd_config file:
# find / -name sshd_config
# more <sshd_config file location>

Examine the file. If the variable Protocol 2,1 or Protocol 1 is defined on a line without a leading comment, this is a finding. Note that sshd applies the first active occurrence of a keyword; later lines do not override it. If no active Protocol line is present at all, the compiled-in default applies, which for OpenSSH releases before 5.4 is 2,1, so the absence of the line does not by itself show that version 1 is disabled.

If the SSH server is F-Secure, the variable name for SSH 1 compatibility is Ssh1Compatibility, not Protocol. If the variable Ssh1Compatibility is set to yes, then this is a finding.

PDI: GEN005500  V0004295  Category: I  Status Code: AUTO  Previously: G701
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: SSH, or a similar utility, is running and SSHv1 compatibility is used.
Reference: UNIX STIG: 4.15

2. GEN005540 Encrypted Communications IP Filtering and Banners

To determine if ssh is configured with tcp wrappers support, perform the following:
# grep sshd /etc/hosts.deny

For example:
sshd1: ALL
sshd2: ALL
sshdfwd-X11: ALL
If the above lines or similar are not in /etc/hosts.deny, then this is a finding.

Perform the following to determine if banners are configured:
# find / -name sshd_config
# grep -i banner <sshd_config file location>

If the above command does not return any lines, then this is a finding. The grep also matches commented-out entries, so inspect the line returned: a Banner line beginning with #, or one set to none, does not satisfy the check.

PDI: GEN005540  V0012022  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Encrypted communications are not configured for IP filtering and logon warning banners.
Reference: UNIX STIG: 4.15
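The two SSH checks above (GEN005500 Protocol, GEN005540 hosts.deny and Banner) are all cases where a grep hit is not the same as the effective setting: comments, duplicate keywords and "Banner none" all produce matches. The following POSIX sh and awk functions are an added example, not part of the STIG scripts or of OpenSSH; they resolve the effective value the way sshd does (first active occurrence wins), treat a missing Protocol line as undecided because the OpenSSH default was 2,1 before release 5.4, and parse hosts.deny rules. The sample configuration texts are constructed, and the daemon name sshd in the hosts.deny test is an assumption (the check's own examples use sshd1, sshd2 and sshdfwd-X11).

```sh
#!/bin/sh
# Added example: evaluate GEN005500 (no SSHv1) and GEN005540 (tcp_wrappers deny
# rule and logon banner) from configuration text instead of eyeballing grep output.

# Constructed sample files (not from a real host).
SSHD_OLD='# sshd_config on an unhardened host
#Protocol 2
Protocol 2,1
#Banner none'
SSHD_HARDENED='Protocol 2
Banner /etc/issue.net
protocol 2,1'
SSHD_SILENT='# no Protocol line at all
PermitRootLogin no'
HOSTS_DENY_OK='# deny everything not allowed in hosts.allow
sshd: ALL
sshdfwd-X11: ALL'
HOSTS_DENY_WEAK='# sshd: ALL
in.telnetd: ALL'

# sshd_effective CONF_TEXT KEYWORD: value of the first active, case-insensitive
# match, as sshd would apply it; prints nothing when the keyword is not set.
sshd_effective() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# sshd_v1_disabled CONF_TEXT: 0 when Protocol excludes 1, 1 when 1 is enabled,
# 2 when Protocol is unset (decide from the OpenSSH version; 2,1 before 5.4).
sshd_v1_disabled() {
    case $(sshd_effective "$1" Protocol) in
        '')  return 2 ;;
        *1*) return 1 ;;      # "1", "2,1" or "1,2"
        *)   return 0 ;;
    esac
}

# sshd_banner_set CONF_TEXT: 0 when Banner names a file, 1 otherwise.
sshd_banner_set() {
    b=$(sshd_effective "$1" Banner)
    [ -n "$b" ] && [ "$b" != none ]
}

# hosts_deny_covers HOSTS_DENY_TEXT DAEMON: 0 when an active rule denies DAEMON
# (or ALL) from ALL clients, 1 otherwise. Rule syntax: daemon_list : client_list.
hosts_deny_covers() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^[ \t]*#/ || $0 !~ /:/ { next }
        {
            n = split($0, part, ":")
            daemons = " " part[1] " "; gsub(/,/, " ", daemons)
            clients = part[2]; gsub(/[ \t]/, "", clients)
            if ((index(daemons, " " d " ") || index(daemons, " ALL ")) && clients == "ALL") { hit = 1; exit }
        }
        END { exit !hit }'
}

# Usage on a live host:
#   sshd_v1_disabled "$(cat /etc/ssh/sshd_config)"; echo "protocol rc=$?"
#   sshd_banner_set "$(cat /etc/ssh/sshd_config)" || echo "FINDING: no banner"
#   hosts_deny_covers "$(cat /etc/hosts.deny)" sshd || echo "FINDING: sshd not wrapped"
```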


18. UNIX Routing Vulnerabilities

1. GEN005560 Default Gateway

Perform the following to determine if a default route is defined:
# netstat -r | grep default

If a default route is not defined, then this is a finding.

PDI: GEN005560  V0004397  Category: II  Status Code: AUTO  Previously: G661
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The system is not a router and has no default gateway defined.
Reference: UNIX STIG: 4.16

2. GEN005580 Dedicated Hardware for Routing

Perform the following to determine if the system is used for routing:
# netstat -a | grep -i listen | grep route

Ask the SA if the system is used for any other services such as web servers, file servers, DNS servers, or application servers. If it is used for another service, then this is a finding.

PDI: GEN005580  V0004398  Category: II  Status Code: PART  Previously: G662
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: Routing is not implemented on dedicated hardware and not documented with the IAO.
Reference: UNIX STIG: 4.16

3. GEN005600 Disable IP Forwarding

Perform the following to determine if IP forwarding is disabled:

Solaris
# ls -l /etc/notrouter
If the file does not exist, then this is a finding.

HP-UX
# grep ip_forwarding /etc/rc.config.d/nddconf
If the value is not set to 0, then this is a finding.

AIX
IP forwarding is disabled by default in AIX.

IRIX
# grep ipforward /var/sysgen/stune
If the value is not set to 0, then this is a finding.

Linux
# grep ip_forward /etc/sysctl.conf
If the value is set to 1, then this is a finding. /etc/sysctl.conf only sets the value at boot, so confirm the running value as well:
# cat /proc/sys/net/ipv4/ip_forward
A value of 1 is a finding.

PDI: GEN005600  V0012023  Category: II  Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: IP forwarding is not disabled.
Reference: UNIX STIG: 4.16

19. Lotus Domino Web Application

1. GEN005620 Lotus Domino Version

To determine the version of Lotus Domino, perform the following:
# /opt/lotus/bin/server -v

The version should be 5.0.6a or higher for Linux, and the transition components for AIX and Solaris should be version 2.1.1. If the version is not one of the above, then this is a finding.

PDI: GEN005620  V0004703  Category: III  Status Code: AUTO  Previously: V5899
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: A Lotus Domino 5.0.5 Web Application was found vulnerable to the .nsf, .box, and .ns4 directory traversal exploit.
Reference: UNIX STIG: 4.17

20. Squid Web Proxy Authentication Header

1. GEN005640 Squid Web Proxy Authentication Header Vulnerability

Perform the following to determine if the Squid web proxy is a vulnerable version:
# squid -v | grep -i version

If the version is not greater than 2.4STABLE6, then this is a finding.

PDI: GEN005640  V0004706  Category: III  Status Code: AUTO  Previously: V9478
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: A system running Squid Web Proxy Cache server was found vulnerable to the authentication header forwarding exploit.
Reference: UNIX STIG: 4.18.1

21. Squid Web Proxy MSNT Auth Helper

1. GEN005660 Squid Web Proxy MSNT Auth Helper Vulnerability

Perform the following to determine if the Squid web proxy is a vulnerable version:
# squid -v | grep -i version

If the version is not greater than 2.4STABLE6, then this is a finding.

PDI: GEN005660  V0004707  Category: II  Status Code: AUTO  Previously: V9482
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: A system running Squid Web Proxy Cache was found vulnerable to the MSNT auth helper buffer overflow exploit.
Reference: UNIX STIG: 4.18.2

22. Squid Web Proxy Version

1. GEN005680 Squid Web Proxy Version

Perform the following to determine if the Squid web proxy is a vulnerable version:
# squid -v | grep -i version

If the version number is not 2.7STABLE7 or later, then this is a finding.

PDI: GEN005680  V0004709  Category: III  Status Code: AUTO  Previously: V9730
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: The SA will ensure the Squid Proxy Cache server is not a vulnerable version.
Reference: UNIX STIG: 4.18.3

23. iPlanet Web Server

1. GEN005700 iPlanet Web Server NS-query-pat Vulnerability

Use the following steps to determine the version number:

1. Navigate to the following directory:
   <server-root>/bin/https/bin
2. Run the ns-httpd program with the -v parameter:
# ./ns-httpd -v

Ask the SA for documentation showing the installation of either service pack 3 for iPlanet Web Server 6, or service pack 10 for iPlanet Web Server 4.1. If neither can be shown, then this is a finding.

PDI: GEN005700  V0004708  Category: III  Status Code: PART  Previously: V9517
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: An iPlanet Web Server was found with the search engine NS-query-pat file viewing vulnerability.
Reference: UNIX STIG: 4.19

24. Network Filesystem (NFS)

1. GEN005720 NFS Port Monitoring

Perform the following for each operating system to determine if NFS port monitoring is set to 1:

Solaris
# grep nfs_portmon /etc/system

HP-UX
# kctune nfs_portmon

AIX
# nfso -o nfs_portmon
Or
# nfso -o portcheck

IRIX
# grep nfs_portmon /var/sysgen/stune

Linux does not use nfs_portmon. By default, it exports with the secure option, which is the same as nfs_portmon. Perform the following to determine if the default has been overridden:
# grep insecure /etc/exports

If any of the file systems are exported with the insecure option, then this is a finding.

PDI: GEN005720  V0000927  Category: II  Status Code: AUTO  Previously: G177
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: NFS port monitoring is not enabled.
Reference: UNIX STIG: 4.20

2. GEN005740 Export Configuration File Ownership

Solaris
# ls -lL /etc/dfs/dfstab
HP-UX
# ls -lL /etc/exports
AIX
# ls -lL /etc/exports
IRIX
# ls -lL /etc/exports
Linux
# ls -lL /etc/exports
If the export configuration file is not owned by root, then this is a finding.

PDI: GEN005740  V0000928  Category: II  Status Code: AUTO  Previously: G178
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The export configuration file is not owned by root.
Reference: UNIX STIG: 4.20

3. GEN005760 Export Configuration File Permissions

Solaris
# ls -lL /etc/dfs/dfstab
HP-UX
# ls -lL /etc/exports
AIX
# ls -lL /etc/exports
IRIX
# ls -lL /etc/exports
Linux
# ls -lL /etc/exports
If the export configuration file is more permissive than 644, then this is a finding.

PDI: GEN005760  V0000929  Category: III  Status Code: AUTO  Previously: G179
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The export configuration file is more permissive than 644.
Reference: UNIX STIG: 4.20


4. GEN005780 Writable Exported File Systems Documentation

Perform the following to determine if NFS file systems are exported writable:
# exportfs -v | grep rw

If any entries are returned, ask the SA if the file systems have been approved and documented with the IAO for export as writable. If they have not, then this is a finding.

PDI: GEN005780  V0000930  Category: II  Status Code: PART  Previously: G180
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1
PDI Description: NFS file systems exported as writable have not been justified and documented by the IAO.
Reference: UNIX STIG: 4.20

5. GEN005800 Exported System Files and Directories Ownership

Perform the following to check for NFS exported file systems:
# exportfs -v

This will display all of the exported file systems. For each file system displayed, check the ownership:
# ls -lL <filesystem>
If the files and directories are not owned by root, then this is a finding.

PDI: GEN005800  V0000931  Category: II  Status Code: AUTO  Previously: G181
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: NFS exported system files and system directories are not owned by root.
Reference: UNIX STIG: 4.20

6. GEN005820 Deny NFS Client Access Without Userid

Perform the following to determine if the anon option is set correctly for exported file systems:
# exportfs -v | grep anon

Each of the exported file systems should include an entry setting the anon= option to -1 (which disables anonymous access) or to an equivalent unprivileged uid (60001, 65534, or 65535). Linux systems use the anonuid option instead of anon.
Note: If the anon flag is found to have a UID of 0, this finding is elevated to a Severity Code I.

PDI: GEN005820  V0000932  Category: II  Status Code: AUTO  Previously: G182
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2
PDI Description: The NFS server is not configured to deny client access requests that do not include a userid.
Reference: UNIX STIG: 4.20

7. GEN005840 Restrict NFS Filesystem Access to Local Hosts

Perform the following to check for access permissions:
# exportfs -v

If the exported file systems do not restrict access with the rw=<host list> or ro=<host list> options (on Linux, a client host or network list in front of the option parentheses rather than * or <world>), then this is a finding.

PDI: GEN005840  V0000933  Category: II  Status Code: AUTO  Previously: G183
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: EBCR-1, EBRP-1, EBRU-1
PDI Description: The NFS server is not configured to restrict filesystem access to local hosts.
Reference: UNIX STIG: 4.20

8. GEN005860 NFS User Authentication

This check only applies to Solaris. Perform the following on NFS servers:
# grep ^default /etc/nfssec.conf

Check to ensure the second column (the security mode number) does not equal 0, which would indicate the default is set to none. Perform the following to check currently exported file systems:
# more /etc/dfs/dfstab
Or
# more /etc/exports

If the option sec=none is set on any of the exported file systems, then this is a finding.

PDI: GEN005860  V0000934  Category: II  Status Code: AUTO  Previously: G184
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAIA-1, IAIA-2
PDI Description: The sec option is set to none (or equivalent); additionally the default authentication is set to none.
Reference: UNIX STIG: 4.20

9. GEN005880 Root Access Option Documentation

Perform the following to determine if the NFS server is exporting with the root access option:
# exportfs -v | grep root=
On Linux, exportfs -v reports root access as the no_root_squash option rather than root=; the root= list is the Solaris share syntax. If the option is found on an exported file system, ask the SA if the access is justified and documented with the IAO. If it is not, then this is a finding.
PDI: GEN005880 V0000935   Category: II   Status Code: PART   Previously: G185
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1
PDI Description: The root access option for NFS has not been justified and documented with the IAO.
Reference: UNIX STIG: 4.20

10. GEN005900 NFS Clients Enable nosuid and nosgid

Perform the following to determine if NFS clients are mounting file systems with the nosuid and nosgid options:
# mount -v | grep " type nfs " | grep "nosuid"
# mount -v | grep " type nfs " | grep "nosgid"
If the mounted file systems do not have the above two options, then this is a finding and it must be justified and documented with the IAO.

PDI: GEN005900 V0000936   Category: II   Status Code: PART   Previously: G186
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The nosuid and nosgid options are not enabled on an NFS client.
Reference: UNIX STIG: 4.20
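The four NFS checks above (GEN005840 through GEN005900) can be applied to collected command output instead of being typed live on each host. The script below is an added example and is not part of the checklist; the function names, the finding text and the sample listings (constructed for the demonstration, not captured from a real server) are this example's own. It reads exportfs -v or Solaris share output and mount -v output and reports the condition each PDI describes. For GEN005840 it treats an export with no client list (<world> in exportfs -v, a bare rw/ro in share output) as not restricted to local hosts, which is a stricter reading than the literal ro/rw test above.

```shell
#!/bin/sh
# Added example, not part of the STIG checklist: an offline audit of NFS
# export and mount listings covering GEN005840 (host restriction),
# GEN005860 (sec=none), GEN005880 (root access) and GEN005900 (nosuid).
# Each function takes command output as a string, so it can be run against
# the real output of "exportfs -v" / "share" and "mount -v" gathered during
# a review, or against the constructed samples at the bottom.

# nfs_export_findings TEXT
#   TEXT is the output of "exportfs -v" (Linux) or "share" (Solaris).
#   Prints one line per finding; returns 1 if any were found, else 0.
nfs_export_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*$/ { next }
        {
            # Linux:   /srv/data   192.168.1.0/24(rw,root_squash,sec=sys)
            # Solaris: -           /export/data   rw=host1:host2,sec=sys   ""
            solaris = ($1 == "-")
            path = solaris ? $2 : $1
            opts = tolower(substr($0, length($1) + 1))
            # GEN005840: no client list means the export is open to every host
            if (solaris) open = (opts ~ /(^|[ \t,])r[ow]([ \t,]|$)/)
            else         open = (opts ~ /<world>|(^|[ \t])\*\(/)
            if (open) {
                print "GEN005840 " path ": not restricted to specific hosts"; bad = 1
            } else if (opts !~ /(^|[^a-z_])r[ow]([^a-z_]|$)/) {
                print "GEN005840 " path ": no ro/rw option"; bad = 1
            }
            # GEN005860: AUTH_NONE lets any client present any identity
            if (opts ~ /sec=none/) {
                print "GEN005860 " path ": sec=none"; bad = 1
            }
            # GEN005880: client root keeps root on the export (needs IAO documentation)
            if (opts ~ /no_root_squash|(^|[ \t,=])root=/) {
                print "GEN005880 " path ": root access exported"; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# nfs_mount_findings TEXT
#   TEXT is the output of "mount -v". Flags NFS mounts that lack nosuid.
#   On Linux nosuid already ignores both the set-UID and set-GID bits and
#   there is no separate nosgid option, so nosuid is the bit to look for.
nfs_mount_findings() {
    printf '%s\n' "$1" | awk '
        / type nfs[0-9]* / || /[ \t]remote\// {
            if ($0 !~ /nosuid/) {
                print "GEN005900 " $0 ": NFS mount without nosuid"; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample output (not captured from a real system): three Linux
# exportfs -v lines followed by three Solaris share lines.
SAMPLE_EXPORTS='/srv/data       192.168.1.0/24(rw,wdelay,root_squash,no_subtree_check,sec=sys)
/srv/pub        <world>(ro,wdelay,root_squash,no_subtree_check,sec=sys)
/srv/build      10.0.0.5(rw,wdelay,no_root_squash,no_subtree_check,sec=none)
-               /export/home    rw   ""
-               /export/tools   rw=build01,root=build01,sec=dh   ""
-               /export/misc    sec=sys   ""'

SAMPLE_MOUNTS='srv01:/srv/data on /mnt/data type nfs (rw,nosuid,nodev,vers=3,addr=10.0.0.1)
srv01:/srv/pub on /mnt/pub type nfs4 (rw,relatime,vers=4.1,addr=10.0.0.1)
/dev/sda1 on / type ext4 (rw,relatime)
/mnt/tools on srv02:/export/tools remote/read/write/setuid/devices/dev=5040001 on Mon Jan  1 00:00:00 2007'

nfs_export_findings "$SAMPLE_EXPORTS" || echo "exports: findings above need SA/IAO follow-up"
nfs_mount_findings "$SAMPLE_MOUNTS"   || echo "mounts: findings above need SA/IAO follow-up"
```

On a live host feed it the real listings, for example nfs_export_findings "$(exportfs -v)" on Linux or nfs_export_findings "$(share)" on Solaris, and nfs_mount_findings "$(mount -v)" on a client.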

25. Instant Messaging (IM)

1. GEN006000 Public Instant Messaging Client is Installed

If an IM client is installed, ask the SA if it is configured to communicate only with .mil IM servers. If it has access to servers on the Internet, then this is a finding.
PDI: GEN006000 V0012024   Category: II   Status Code: MAN   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: A public instant messaging client is installed.
Reference: UNIX STIG: 4.22

26. Peer-to-Peer File-Sharing Utilities and Clients

1. GEN006040 Peer-to-Peer Application Authorization with DAA

Ask the SA if any peer-to-peer file-sharing applications are installed. Some examples of these applications include:
Napster
Kazaa
ARES
Limewire
IRC (Internet Relay Chat)
BitTorrent
If any of these applications are installed without an Acceptance of Risk Letter from the DAA, then this is a finding.
PDI: GEN006040 V0012025   Category: II   Status Code: MAN   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECIC-1
PDI Description: A peer-to-peer file-sharing application is installed and not authorized and documented with the DAA.
Reference: UNIX STIG: 4.23

27. Samba

1. GEN006060 Samba is Enabled

Perform the following to determine if the Samba server is running:
# ps -ef | grep smbd
If a process is returned as running, ask the SA if the Samba server is operationally required. If it is not, then this is a finding.

PDI: GEN006060 V0004321   Category: II   Status Code: PART   Previously: L170
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: Samba is running and is not operationally required.
Reference: UNIX STIG: 4.24

2. GEN006080 Samba Web Administration with SSH Port Forwarding

SWAT must be utilized with ssh to ensure a secure connection between the client and the server. The ssh daemon on the server must be configured to allow port forwarding. If SWAT is being utilized to administer Samba on the server, perform the following:
# grep AllowTcpForwarding /etc/ssh/sshd_config
If the line is commented out or set to no and SWAT is in use, then this is a finding.
PDI: GEN006080 V0001026   Category: II   Status Code: PART   Previously: L048
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The Samba Web Administration tool is not used with SSH port forwarding.
Reference: UNIX STIG: 4.24

3. GEN006100 smb.conf Ownership

Check /etc/samba/smb.conf ownership:
# ls -lL /etc/samba/smb.conf
If /etc/samba/smb.conf is not owned by root, then this is a finding.
PDI: GEN006100 V0001027   Category: II   Status Code: AUTO   Previously: L050
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The smb.conf file is not owned by root.
Reference: UNIX STIG: 4.24

4. GEN006120 smb.conf Group Ownership

Check /etc/samba/smb.conf group ownership:
# ls -lL /etc/samba/smb.conf
If /etc/samba/smb.conf is not group owned by root, then this is a finding.
PDI: GEN006120 V0001056   Category: II   Status Code: AUTO   Previously: L051
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The smb.conf file is not group owned by root.
Reference: UNIX STIG: 4.24

5. GEN006140 smb.conf Permissions

Check /etc/samba/smb.conf permissions:
# ls -lL /etc/samba/smb.conf
If /etc/samba/smb.conf is more permissive than 644, then this is a finding.
PDI: GEN006140 V0001028   Category: II   Status Code: AUTO   Previously: L052
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The smb.conf file is more permissive than 644.
Reference: UNIX STIG: 4.24

6. GEN006160 smbpasswd Ownership

Check /etc/samba/smbpasswd ownership:
# ls -lL /etc/samba/smbpasswd
If /etc/samba/smbpasswd is not owned by root, then this is a finding.
PDI: GEN006160 V0001029   Category: II   Status Code: AUTO   Previously: L054
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The smbpasswd file is not owned by root.
Reference: UNIX STIG: 4.24

7. GEN006180 smbpasswd Group Ownership

Check /etc/samba/smbpasswd group ownership:
# ls -lL /etc/samba/smbpasswd
If /etc/samba/smbpasswd is not group owned by root, then this is a finding.

PDI: GEN006180 V0001058   Category: II   Status Code: AUTO   Previously: L055
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The smbpasswd file is not group owned by root.
Reference: UNIX STIG: 4.24

8. GEN006200 smbpasswd Permissions

Check /etc/samba/smbpasswd permissions:
# ls -lL /etc/samba/smbpasswd
If /etc/samba/smbpasswd is more permissive than 600, then this is a finding.
PDI: GEN006200 V0001059   Category: II   Status Code: AUTO   Previously: L057
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The smbpasswd file is more permissive than 600.
Reference: UNIX STIG: 4.24

9. GEN006220 smb.conf Configuration

Perform:
# more /etc/samba/smb.conf
1. Confirm the hosts allow option restricts connections to the local network subnet mask(s) and the loopback address. For example:
hosts allow = 192.168.1. 192.168.2. 127.
2. The security option will be set to user. For example:
security = user
3. The encrypt passwords option will be set to yes. In addition, the smb passwd file option will contain the path to the smbpasswd file. For example:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
4. All guest entries in the shares definition section of the smb.conf file will be set to no. For example:
guest ok = no
If the smb.conf file is not configured per guidance, then this is a finding.
PDI: GEN006220 V0001030   Category: II   Status Code: PART   Previously: L056
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSS-1, DCCB-1, DCCB-2
PDI Description: The smb.conf file is not configured to: set the hosts allow option to contain only the local network subnet masks and the loopback address; set the security option to user; set the encrypt passwords option to yes; enter the path to the smbpasswd file in the smb passwd file option; set all guest entries in the shares definition section of the smb.conf file to no.
Reference: UNIX STIG: 4.24
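The four smb.conf conditions above can be evaluated mechanically. The following is an added example, not a script from the checklist: an awk-based parser that reads an smb.conf, checks the [global] values and flags any share with guest ok = yes (or its Samba synonym public = yes). Whether the networks in hosts allow are really the local subnets is site knowledge the reviewer still supplies; the parser only insists that the option is present and does not contain ALL. The function name and the two sample configurations are this example's own; the samples are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the checklist: audit an smb.conf against the
# GEN006220 settings so the manual "more /etc/samba/smb.conf" review can be
# repeated consistently across hosts.

# smbconf_findings FILE
#   Prints one line per deviation; returns 1 if any, 0 if the file passes.
smbconf_findings() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                   # [section] header
            sec = tolower($0); gsub(/\[|\]|[ \t]/, "", sec); next
        }
        index($0, "=") {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == "global") {
                g[key] = val
            } else if ((key == "guest ok" || key == "public") && val == "yes") {
                # "public" is the Samba synonym for "guest ok"
                print "GEN006220 [" sec "]: " key " = yes"; bad = 1
            }
        }
        END {
            if (g["security"] != "user") {
                print "GEN006220 [global]: security = \"" g["security"] "\" (required: user)"; bad = 1
            }
            if (g["encrypt passwords"] != "yes") {
                print "GEN006220 [global]: encrypt passwords = \"" g["encrypt passwords"] "\" (required: yes)"; bad = 1
            }
            if (g["smb passwd file"] == "") {
                print "GEN006220 [global]: smb passwd file is not set"; bad = 1
            }
            if (g["hosts allow"] == "") {
                print "GEN006220 [global]: hosts allow is not set"; bad = 1
            } else if (g["hosts allow"] ~ /(^|[ ,])all([ ,]|$)/) {
                print "GEN006220 [global]: hosts allow permits ALL"; bad = 1
            }
            exit bad ? 1 : 0
        }' "$1"
}

# Constructed sample configurations (not taken from any real host).
SMBCONF_WEAK='[global]
   workgroup = LABNET
   security = share
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   hosts allow = 192.168.1. 127.

[homes]
   comment = Home Directories
   browseable = no
   guest ok = no

[public]
   path = /srv/public
   public = yes'

SMBCONF_HARDENED='[global]
   workgroup = LABNET
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   hosts allow = 192.168.1. 192.168.2. 127.

[homes]
   browseable = no
   guest ok = no'

# smbconf_demo: write both samples to a scratch directory and audit them.
smbconf_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SMBCONF_WEAK" > "$dir/smb.conf.weak"
    printf '%s\n' "$SMBCONF_HARDENED" > "$dir/smb.conf.hardened"
    for f in "$dir"/smb.conf.*; do
        if smbconf_findings "$f"; then echo "$f: no GEN006220 findings"; fi
    done
    rm -rf "$dir"
}
smbconf_demo
```

The weak sample produces two findings (security = share and the guest-accessible [public] share); the hardened one produces none. On a live host run smbconf_findings /etc/samba/smb.conf.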

28. Internet Network News (INN)


1. GEN006240 INN Documentation

Perform:
# ps -e | egrep 'innd|nntpd'
If an Internet Network News server is running and not justified and documented by the IAO, then this is a finding.
PDI: GEN006240 V0001023   Category: II   Status Code: PART   Previously: L040
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1, DCSD-1
PDI Description: An Internet Network News server is not justified and documented by the IAO.
Reference: UNIX STIG: 4.25

2. GEN006260 /etc/news/hosts.nntp Permissions

Check /etc/news/hosts.nntp permissions:
# ls -lL /etc/news/hosts.nntp
If /etc/news/hosts.nntp is more permissive than 600, then this is a finding.
PDI: GEN006260 V0004273   Category: II   Status Code: AUTO   Previously: L154
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/news/hosts.nntp file is more permissive than 600.
Reference: UNIX STIG: 4.25


3. GEN006280 /etc/news/hosts.nntp.nolimit Permissions

Check /etc/news/hosts.nntp.nolimit permissions:
# ls -lL /etc/news/hosts.nntp.nolimit
If /etc/news/hosts.nntp.nolimit is more permissive than 600, then this is a finding.
PDI: GEN006280 V0004274   Category: II   Status Code: AUTO   Previously: L156
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/news/hosts.nntp.nolimit file is more permissive than 600.
Reference: UNIX STIG: 4.25

4. GEN006300 /etc/news/nnrp.access Permissions

Check /etc/news/nnrp.access permissions:
# ls -lL /etc/news/nnrp.access
If /etc/news/nnrp.access is more permissive than 600, then this is a finding.
PDI: GEN006300 V0004275   Category: II   Status Code: AUTO   Previously: L158
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/news/nnrp.access file is more permissive than 600.
Reference: UNIX STIG: 4.25

5. GEN006320 /etc/news/passwd.nntp Permissions


Check /etc/news/passwd.nntp permissions:
# ls -lL /etc/news/passwd.nntp
If /etc/news/passwd.nntp is more permissive than 600, then this is a finding.
PDI: GEN006320 V0004276   Category: II   Status Code: AUTO   Previously: L160
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/news/passwd.nntp file is more permissive than 600.
Reference: UNIX STIG: 4.25

6. GEN006340 /etc/news Files Ownership

Check /etc/news files ownership:
# ls -al /etc/news
If the /etc/news files are not owned by root or news, then this is a finding.
PDI: GEN006340 V0004277   Category: II   Status Code: AUTO   Previously: L162
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The files contained in the /etc/news directory are not owned by root or news.
Reference: UNIX STIG: 4.25

7. GEN006360 /etc/news Files Group Ownership

Check /etc/news files group ownership:
# ls -al /etc/news
If the /etc/news files are not group owned by root or news, then this is a finding.
PDI: GEN006360 V0004278   Category: II   Status Code: AUTO   Previously: L164
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The files contained in the /etc/news directory are not group owned by root or news.
Reference: UNIX STIG: 4.25

4. Network Based Authentication


1. Network Information Service (NIS)
1. GEN006380 NIS/NIS+ Implemented Under UDP

# rpcinfo -p | grep yp | grep udp
If NIS/NIS+ is implemented under UDP, then this is a finding.
PDI: GEN006380 V0004399   Category: I   Status Code: AUTO   Previously: G663
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: NIS/NIS+ is implemented under UDP.
Reference: UNIX STIG: 5.1

2. GEN006400 NIS Documentation

Perform the following to determine if NIS is active on the system:
# ps -ef | grep ypbind
If NIS is found active on the system, ask the SA if its use is documented with the IAO. If NIS use is not documented, this is a finding.
PDI: GEN006400 V0000867   Category: II   Status Code: PART   Previously: G174
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSD-1
PDI Description: The NIS protocol is in use and not justified and documented with the IAO.
Reference: UNIX STIG: 5.1

3. GEN006420 NIS Maps Domain Names

To view the domain name under which the NIS maps are stored, perform the following:
# domainname
If the name returned is simple to guess, such as the organization name, building or room name, etc., then this is a finding.
PDI: GEN006420 V0012026   Category: II   Status Code: PART   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: NIS maps are not protected through hard-to-guess domain names.
Reference: UNIX STIG: 5.1

2. Network Information Service Plus (NIS+)


1. GEN006440 NIS Used as Opposed to NIS+

To determine if NIS is running on the system, perform the following:
# ps -ef | grep ypbind
If ypbind is running, then NIS is running and this is a finding.


PDI: GEN006440 V0000866   Category: II   Status Code: AUTO   Previously: G173
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description: The NIS protocol is used while the NIS+ protocol is available.
Reference: UNIX STIG: 5.2

2. GEN006460 NIS+ Server at Security Level 2

Perform the following to determine if security level two is implemented:
# niscat cred.org_dir
If the second column does not contain DES, then this is a finding.
PDI: GEN006460 V0000926   Category: II   Status Code: AUTO   Previously: G176
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSL-1
PDI Description: The NIS+ server is not operating at security level 2.
Reference: UNIX STIG: 5.2


5. UNIX Security Tools

1. UNIX Security Tools

1. GEN006480 Host-Based Intrusion Detection Tool

A few applications that provide host-based intrusion detection are:
Dragon Squire by Enterasys Networks
ITA by Symantec
Hostsentry by Psionic Software
Logcheck by Psionic Software
RealSecure agent by ISS
Swatch by Stanford University
Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. Use the command:
# find / -name <daemon name> -print
(where <daemon name> is the name of the primary application daemon) to determine if the application is loaded on the system. Use the command:
# ps -ef | grep <daemon name>
to determine if the application is active on the system. If no host-based intrusion detection tool is installed and active, then this is a finding.


PDI: GEN006480 V0000782   Category: II   Status Code: PART   Previously: G031
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECID-1
PDI Description: There is no host-based intrusion detection tool.
Reference: UNIX STIG: 6

2. GEN006540 System Vulnerability Assessment Tool

Perform the following to check for a security tool executing monthly:
# crontab -l
Check for the existence of a vulnerability assessment tool being scheduled and run monthly. If no entries exist in the crontab, ask the SA if a vulnerability tool is run monthly. In addition, if the tool is run monthly, ask to see any reports that may have been generated from the tool. If a tool is not run monthly, then this is a finding.
PDI: GEN006540 V0000939   Category: II   Status Code: PART   Previously: G190
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: VIVM-1
PDI Description: A system vulnerability assessment tool is not being run on the system monthly.
Reference: UNIX STIG: 6

3. GEN006560 Security Tool Notifications

Perform:
# find / -name <program name> -print
to check for the existence of security tools on the system. Ask the SA if the program is configured to notify the IAO and SA if a breach is detected. This check must be justified and documented with the IAO.
PDI: GEN006560 V0012028   Category: II   Status Code: PART   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAT-1, ECAT-2
PDI Description: The system vulnerability assessment tool, host-based intrusion detection tool, and file system integrity baseline tool do not notify the SA and the IAO of a security breach or a suspected security breach.
Reference: UNIX STIG: 6

2. Access Control Programs and TCP_WRAPPERS

1. GEN006580 Access Control Program

To determine if TCP Wrappers is installed, perform the following:
Solaris, HP-UX, AIX and IRIX
# grep tcpd /etc/inetd.conf
Solaris 10
# svcprop -p defaults inetd | grep tcp_wrappers
This should return a line with the following:
defaults/tcp_wrappers boolean true
If the above line contains the word false, then this is a finding on Solaris 10.
Solaris 8 or 9
# grep -i enable_tcpwrappers /etc/default/inetd
If the value returned is not set to yes and /etc/inetd.conf does not contain tcpd, then this is a finding.
Linux
# rpm -qa | grep tcpd
or
Check the services in the /etc/xinetd.d directory that are not disabled for an entry containing no_access or only_from.
Ensure an entry returns specifically for tcpd, not tcpdump.
PDI: GEN006580 V0000940   Category: II   Status Code: AUTO   Previously: G196
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: EBCR-1, EBRP-1, EBRU-1, IAAC-1
PDI Description: An access control program is not being used.
Reference: UNIX STIG: 6.6

2. GEN006600 Access Control Program Logging

Normally tcpd logs to the mail or daemon facility in /etc/syslog.conf (the facility is fixed when tcpd is built: mail in the tcp_wrappers sources, commonly daemon or auth in vendor builds). Perform the following to determine if syslog is configured to log events by tcpd:
# more /etc/syslog.conf
Look for entries similar to the following:
mail.debug      /var/adm/maillog
mail.none       /var/adm/maillog
mail.*          /var/log/mail
auth.info       /var/log/messages
daemon.*        /var/log/messages
The above entries would indicate that messages from the facility tcpd uses are being written to a log file. If no entries for that facility exist, then tcpd is not logging and this is a finding.
PDI: GEN006600 V0000941   Category: II   Status Code: AUTO   Previously: G197
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAN-1, ECAT-1, ECAT-2
PDI Description: The access control program does not log each system access attempt.
Reference: UNIX STIG: 6.6

3. GEN006620 Access Control Program Control System Access

Check for the existence of /etc/hosts.allow and /etc/hosts.deny:
# ls -la /etc/hosts.allow
# ls -la /etc/hosts.deny
# grep "ALL: ALL" /etc/hosts.deny
If ALL: ALL is in the /etc/hosts.deny file, then any TCP service from a host or network not listed in the /etc/hosts.allow file will not be allowed access. If the entry is not in /etc/hosts.deny, or if either of the two files does not exist, then this is a finding.
PDI: GEN006620 V0012030   Category: II   Status Code: AUTO   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: EBCR-1, EBRP-1, EBRU-1, IAAC-1
PDI Description: The access control program is not configured to grant and deny system access to specific hosts.
Reference: UNIX STIG: 6.6
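GEN006600 and GEN006620 can be decided from copies of hosts.allow, hosts.deny and syslog.conf collected from the host. The script below is an added example, not part of the checklist; the function names and the sample files (constructed for the demonstration) are this example's own. The syslog check applies selector parts left to right the way syslogd does, so that a line such as *.info;mail.none is correctly read as not logging the mail facility.

```shell
#!/bin/sh
# Added example, not part of the checklist: evaluate the TCP Wrappers
# posture checked by GEN006600 (logging) and GEN006620 (default deny)
# from copies of the relevant files.

# hosts_deny_default FILE
#   Returns 0 if FILE (an /etc/hosts.deny) has an uncommented "ALL: ALL"
#   rule, i.e. everything not explicitly granted in hosts.allow is refused.
hosts_deny_default() {
    [ -f "$1" ] || return 1
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { rule = toupper($0); gsub(/[ \t]/, "", rule) }
        rule ~ /^ALL:ALL(:|$)/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# syslog_covers FILE FACILITY
#   Returns 0 if some uncommented selector in FILE (an /etc/syslog.conf)
#   logs FACILITY. Parts of a selector are applied left to right, so
#   "*.info;mail.none" ends up not covering mail.
syslog_covers() {
    [ -f "$1" ] || return 1
    awk -v fac="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            logged = 0
            n = split($1, parts, ";")
            for (i = 1; i <= n; i++) {
                dot = index(parts[i], ".")
                if (dot == 0) continue
                level = substr(parts[i], dot + 1)
                m = split(substr(parts[i], 1, dot - 1), facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        logged = (level != "none")
            }
            if (logged) hit = 1
        }
        END { exit hit ? 0 : 1 }' "$1"
}

# wrapper_findings ALLOW DENY SYSLOG_CONF
#   Runs both checks; prints findings and returns 1 if there were any.
wrapper_findings() {
    bad=0
    [ -f "$1" ] || { echo "GEN006620: $1 is missing"; bad=1; }
    [ -f "$2" ] || { echo "GEN006620: $2 is missing"; bad=1; }
    hosts_deny_default "$2" || { echo "GEN006620: no ALL: ALL default deny in $2"; bad=1; }
    # tcpd logs to the facility compiled in; the checklist lists mail, daemon and auth.
    if ! syslog_covers "$3" mail && ! syslog_covers "$3" daemon && ! syslog_covers "$3" auth; then
        echo "GEN006600: $3 captures none of mail, daemon or auth"; bad=1
    fi
    return $bad
}

# Constructed evidence files for a stand-alone run (not from a real host).
wrapper_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'sshd: 192.168.1.0/255.255.255.0' > "$dir/hosts.allow"
    printf '%s\n' '# refuse everything not granted in hosts.allow' \
        'ALL: ALL: spawn /usr/bin/logger -p auth.info "tcpd refused %c"' > "$dir/hosts.deny"
    printf '%s\n' '*.info;mail.none;authpriv.none   /var/log/messages' \
        'mail.*                           /var/log/maillog' > "$dir/syslog.conf"
    wrapper_findings "$dir/hosts.allow" "$dir/hosts.deny" "$dir/syslog.conf" && echo "tcp wrappers: no findings"
    rm -rf "$dir"
}
wrapper_demo
```

On a live host the call is wrapper_findings /etc/hosts.allow /etc/hosts.deny /etc/syslog.conf; systems that use syslog-ng or rsyslog keep their selectors elsewhere and need the equivalent file passed in.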

4. GEN006640 Virus Protection Software

Check for the existence of the McAfee command line scan tool scheduled to execute weekly in the cron files. The McAfee command line scanner is available for most UNIX/Linux operating systems. Additional tools specific to each operating system are also available and will have to be manually reviewed if they are installed. In addition, the definitions file should not be older than 14 days. Anti-virus software can be obtained from https://www.cert.mil.
Check if uvscan is scheduled to run:
Solaris, HP-UX, AIX and IRIX
# grep uvscan /var/spool/cron/crontabs/*
Linux
# grep uvscan /var/spool/cron/*
# grep uvscan /etc/cron.d/*
# grep uvscan /etc/cron.daily/*
# grep uvscan /etc/cron.hourly/*
# grep uvscan /etc/cron.monthly/*
# grep uvscan /etc/cron.weekly/*
Perform the following to ensure the virus definition signature files are not older than 14 days:
# ls -la clean.dat names.dat scan.dat
If a virus scanner is not being run weekly or the virus definitions are older than 14 days, then this is a finding.
PDI: GEN006640 V0012765   Category: I   Status Code: AUTO   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECVP-1
PDI Description: An approved DOD virus scan program is not used and/or updated.
Reference: CTO 06-12
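The weekly-schedule and 14-day-age tests above are easy to misjudge by eye. The following is an added example, not the checklist's script: it parses crontab lines to decide whether a uvscan entry fires at least weekly (day-of-month and month both "*", so daily entries qualify and a monthly "0 2 1 * *" does not) and uses find -mtime to flag DAT files that are 14 or more full days old. The function names, the crontab lines and the DAT files it creates are this example's own, constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the checklist: decide GEN006640 from collected
# crontab entries and the ages of the uvscan DAT files. The scanner name and
# DAT file names are the ones the checklist cites; the 14-day limit is the
# checklist's.

# cron_runs_weekly FILE PATTERN
#   Returns 0 if FILE (a crontab) has an uncommented entry whose command
#   matches PATTERN and whose day-of-month and month fields are "*", so that
#   it fires at least once a week.
cron_runs_weekly() {
    [ -f "$1" ] || return 1
    awk -v pat="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 6 && $3 == "*" && $4 == "*" {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ pat) hit = 1
        }
        END { exit hit ? 0 : 1 }' "$1"
}

# scanner_scheduled PATTERN CRONTAB...
#   Returns 0 if any of the listed crontabs schedules PATTERN at least weekly.
scanner_scheduled() {
    pat=$1; shift
    for f in "$@"; do
        cron_runs_weekly "$f" "$pat" && return 0
    done
    return 1
}

# dat_files_current DIR DAYS
#   Checks clean.dat, names.dat and scan.dat under DIR; prints any that are
#   missing or at least DAYS full days old. Returns 1 if any were printed.
dat_files_current() {
    dir=$1; days=$2; bad=0
    for f in clean.dat names.dat scan.dat; do
        if [ ! -f "$dir/$f" ]; then
            echo "GEN006640: $dir/$f is missing"; bad=1
        elif [ -n "$(find "$dir/$f" -mtime +"$((days - 1))" -print)" ]; then
            echo "GEN006640: $dir/$f is $days or more days old"; bad=1
        fi
    done
    return $bad
}

# Stand-alone demonstration on constructed data.
av_demo() {
    dir=$(mktemp -d) || return 1
    # Constructed crontab: a monthly scan (not compliant) and a weekly one.
    printf '%s\n' '# m h dom mon dow command' \
        '0 2 1 * * /usr/local/uvscan/uvscan --secure /home' \
        '0 3 * * 0 /usr/local/uvscan/uvscan --secure /' > "$dir/root.crontab"
    # Constructed DAT files: two fresh, one dated 1 January 2007.
    : > "$dir/clean.dat"; : > "$dir/names.dat"; : > "$dir/scan.dat"
    touch -t 200701010000 "$dir/scan.dat"
    scanner_scheduled uvscan "$dir/root.crontab" && echo "uvscan is scheduled at least weekly"
    dat_files_current "$dir" 14 || echo "virus definitions are stale: finding"
    rm -rf "$dir"
}
av_demo
```

On a live Linux host pass the real crontabs, for example scanner_scheduled uvscan /var/spool/cron/* /etc/cron.d/*, and point dat_files_current at the uvscan installation directory; scripts dropped into /etc/cron.daily or /etc/cron.weekly satisfy the weekly requirement by placement and only need the grep the checklist already gives.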

6. SUN SOLARIS

1. Removable Media
1. SOL00020 /etc/rmmount.conf Configuration

# grep mount /etc/rmmount.conf
Confirm the nosuid option is configured, for example:
mount * hsfs udfs ufs -o nosuid
If the nosuid option is not configured in the /etc/rmmount.conf file, then this is a finding and must be justified and documented with the IAO.
PDI: SOL00020 V0012031   Category: II   Status Code: AUTO   Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: (none listed)
PDI Description: The nosuid option is not configured in the /etc/rmmount.conf file.
Reference: UNIX STIG: 8.1

2. The audit_user File


1. SOL00040 audit_user User Auditing Levels

Perform:
# more /etc/security/audit_user
If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the same flags as all users, as defined in the /etc/security/audit_control file. If they are not, then this is a finding.
PDI: SOL00040 V0004353   Category: II   Status Code: PART   Previously: G677
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The audit_user file has a different auditing level for specific users.
Reference: UNIX STIG: 8.2

2. SOL00060 audit_user Ownership

Check /etc/security/audit_user ownership:
# ls -lL /etc/security/audit_user
If /etc/security/audit_user is not owned by root, then this is a finding.

PDI: SOL00060 V0004352   Category: II   Status Code: AUTO   Previously: G678
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description: The audit_user file is not owned by root.
Reference: UNIX STIG: 8.2

3. SOL00080 audit_user Group Ownership

Check /etc/security/audit_user group ownership:
# ls -lL /etc/security/audit_user
If /etc/security/audit_user is not group owned by root, sys, or bin, then this is a finding.
PDI: SOL00080 V0004351   Category: II   Status Code: AUTO   Previously: G679
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description: The audit_user file is not group owned by root, sys, or bin.
Reference: UNIX STIG: 8.2

4. SOL00100 audit_user Permissions

Check /etc/security/audit_user permissions:
# ls -lL /etc/security/audit_user
If /etc/security/audit_user is more permissive than 640, then this is a finding.
PDI: SOL00100 V0004245   Category: II   Status Code: AUTO   Previously: G680
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description: The audit_user file is more permissive than 640.
Reference: UNIX STIG: 8.2

3. Automated Security Enhancement Tool (ASET)

1. SOL00120 Aset Master Files Location

Verify that ASET is being used by:
# crontab -l | grep aset
If there is output, then check to make sure that the files in question are in the /usr/aset/masters directory by performing:
# ls -l /usr/aset/masters
The following files should be in the listing: tune.high, tune.low, tune.med, and uid_aliases. If all of the files are not in the directory listing, then this is a finding.
PDI: SOL00120 V0004313   Category: II   Status Code: AUTO   Previously: G681
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: ASET master files are not located in the /usr/aset/masters directory.
Reference: UNIX STIG: 8.3

4. The uid_aliases File


1. SOL00140 /usr/aset/masters/uid_aliases Content

# more /usr/aset/masters/uid_aliases
If the /usr/aset/masters/uid_aliases file is not empty, or its contents are not all commented out, then this is a finding.
PDI: SOL00140 V0004312   Category: II   Status Code: AUTO   Previously: G682
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The /usr/aset/masters/uid_aliases file is not empty.
Reference: UNIX STIG: 8.3.1

5. The asetenv File

1. SOL00160 ASET Used on a Firewall

Perform the following to determine if ASET is being used:
# crontab -l | grep aset
A returned entry would indicate ASET is being utilized. Determine if ASET is configured to check firewall settings by:
# grep TASKS /usr/aset/asetenv | grep firewall
If an entry is not returned, then this is a finding.


PDI: SOL00160 V0004309   Category: II   Status Code: PART   Previously: G685
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: ASET is used on a firewall system and the firewall parameters are not in /usr/aset/asetenv.
Reference: UNIX STIG: 8.3.2

2. SOL00180 ASET Environment Variables

Determine if ASET is being used by:
# crontab -l | grep aset
Check the configuration of ASET by:
# more /usr/aset/asetenv
If there are any changes below the following two lines that are not comments, this is a finding:
# Don't change from here on down ...
# there shouldn't be any reason to.
In addition, if any of the following lines do not match, this is a finding.
TASKS="firewall env sysconf usrgrp tune cklist eeprom"
CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin:/usr/sbin:/usr/ucblib
YPCHECK=false
PERIODIC_SCHEDULE="0 0 * * *"
UID_ALIASES=${ASETDIR}/masters/uid_aliases

PDI: SOL00180 V0000953   Category: II   Status Code: PART   Previously: SO05
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: ASET environment variables in the asetenv file are not correct.
Reference: UNIX STIG: 8.3.2
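The SOL00180 comparison can be done mechanically. The script below is an added example and is not the checklist's own; the function names and the sample files are this example's. It joins continuation lines ending in a backslash, drops whitespace on both sides so layout changes are ignored, compares the seven settings listed above with the file's values, and, when a baseline copy is supplied, reports any non-comment line below the "Don't change from here on down" marker that differs from it. That baseline is assumed to be a pristine asetenv saved from the install media; the checklist names no such file.

```shell
#!/bin/sh
# Added example, not part of the checklist: compare a Solaris asetenv file
# with the settings SOL00180 lists, and (optionally) the lines below the
# "Don't change" marker with a pristine baseline copy.

ASETENV_EXPECTED='TASKS="firewall env sysconf usrgrp tune cklist eeprom"
CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin:/usr/sbin:/usr/ucblib
YPCHECK=false
PERIODIC_SCHEDULE="0 0 * * *"
UID_ALIASES=${ASETDIR}/masters/uid_aliases'

# asetenv_findings FILE [BASELINE]
#   Prints one line per deviation; returns 1 if any, else 0.
asetenv_findings() {
    printf '%s\n' "$ASETENV_EXPECTED" | awk '
        FNR == 1 { fileno++; below = 0; line = "" }
        fileno == 1 {                        # expected values arrive on stdin
            s = $0; gsub(/[ \t]/, "", s)
            k = $0; sub(/=.*/, "", k)
            want[k] = s; next
        }
        /^[ \t]*#[ \t]*Don.t change from here on down/ { below = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = line $0
            if (line ~ /\\$/) { sub(/\\$/, "", line); next }   # continued on next line
            gsub(/[ \t]/, "", line)
            if (fileno == 2) {                # the file under review
                if (below) { tbelow[line] = 1 }
                else { k = line; sub(/=.*/, "", k); tabove[k] = line }
            } else if (below) {               # the baseline
                bbelow[line] = 1
            }
            line = ""
        }
        END {
            for (k in want) {
                if (!(k in tabove)) { print "SOL00180: " k " is not set"; bad = 1 }
                else if (tabove[k] != want[k]) { print "SOL00180: " k " differs from the expected value (" tabove[k] ")"; bad = 1 }
            }
            if (fileno >= 3) {
                for (l in tbelow) if (!(l in bbelow)) { print "SOL00180: changed below marker: " l; bad = 1 }
                for (l in bbelow) if (!(l in tbelow)) { print "SOL00180: removed below marker: " l; bad = 1 }
            }
            exit bad ? 1 : 0
        }' - "$@"
}

# asetenv_write_samples DIR: a constructed stock file and a tampered copy.
asetenv_write_samples() {
    cat > "$1/asetenv.stock" <<'EOF'
# ASET environment file (constructed sample, not from a real host)
CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin: \
    /usr/sbin:/usr/ucblib
YPCHECK=false
UID_ALIASES=${ASETDIR}/masters/uid_aliases
PERIODIC_SCHEDULE="0 0 * * *"
TASKS="firewall env sysconf usrgrp tune cklist eeprom"

# Don't change from here on down ...
# there shouldn't be any reason to.
export CKLISTPATH_LOW CKLISTPATH_MED CKLISTPATH_HIGH
export YPCHECK UID_ALIASES PERIODIC_SCHEDULE TASKS
EOF
    # Same file with YPCHECK flipped and a PATH override added below the marker.
    { sed 's/^YPCHECK=false/YPCHECK=true/' "$1/asetenv.stock"; echo 'PATH=/tmp:$PATH'; } > "$1/asetenv.modified"
}

asetenv_demo() {
    dir=$(mktemp -d) || return 1
    asetenv_write_samples "$dir"
    asetenv_findings "$dir/asetenv.stock" "$dir/asetenv.stock" && echo "stock asetenv: no findings"
    asetenv_findings "$dir/asetenv.modified" "$dir/asetenv.stock" || echo "modified asetenv: finding"
    rm -rf "$dir"
}
asetenv_demo
```

On a live host the call is asetenv_findings /usr/aset/asetenv /path/to/pristine/asetenv; without the second argument only the seven listed settings are checked and the lines below the marker still need the manual comparison the checklist describes.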

6. Running ASET

1. SOL00200 NIS+ and YPCHECK

Perform the following to determine if ASET is configured to check NIS+:
# grep YPCHECK /usr/aset/asetenv
If NIS+ is running and the YPCHECK variable is set to false, then this is a finding.
PDI: SOL00200 V0000954   Category: II   Status Code: AUTO   Previously: SO06
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: NIS+ is configured on the Solaris system and YPCHECK is not set to true.
Reference: UNIX STIG: 8.3.3

2. SOL00220 /usr/aset/userlist Content

Perform the following to determine if ASET is scheduled to run:
# crontab -l | grep aset
The default user list is /usr/aset/userlist. If the -u option is specified in the crontab entry, then the userlist file is the argument supplied to the -u option. Perform:
# more /usr/aset/userlist
If the file does not exist, or if the file does not contain a list of the system usernames, then this is a finding.
PDI: SOL00220 V0000955   Category: II   Status Code: AUTO   Previously: SO07
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The /usr/aset/userlist file does not contain a list of all system users.
Reference: UNIX STIG: 8.3.3

3. SOL00240 /usr/aset/userlist Ownership

# ls -lL /usr/aset/userlist
If /usr/aset/userlist is not owned by root, then this is a finding.
PDI: SOL00240 V0000956   Category: II   Status Code: AUTO   Previously: SO08
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /usr/aset/userlist file is not owned by root.
Reference: UNIX STIG: 8.3.3

4. SOL00260 /usr/aset/userlist Permissions

# ls -lL /usr/aset/userlist
If /usr/aset/userlist is more permissive than 600, then this is a finding.
PDI: SOL00260 V0000957   Category: II   Status Code: AUTO   Previously: SO09
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, IAAC-1, ECPA-1
PDI Description: The /usr/aset/userlist file is more permissive than 600.
Reference: UNIX STIG: 8.3.3
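Every ownership and permission check in this section (smb.conf, smbpasswd, the /etc/news files, audit_user and /usr/aset/userlist) reads the same ls -lL line by eye. As an added example that is not the checklist's own script, the functions below derive the numeric mode and the owner and group from that listing portably (stat(1) takes different flags on Linux, Solaris and the BSDs) and compare them with the required values. The function names and the scratch files are this example's own.

```shell
#!/bin/sh
# Added example, not the checklist's own script: turn the "ls -lL" line the
# checklist asks for into a numeric mode plus owner and group, so that the
# "more permissive than NNN" and "not owned by" tests can be automated with
# nothing but ls and awk.

# perm_octal FILE -> prints the mode as four octal digits, e.g. 0640 or 4755
perm_octal() {
    ls -ldL "$1" | awk '{
        m = substr($1, 2, 9); bits = 0; special = 0
        for (i = 1; i <= 9; i++) {
            c = substr(m, i, 1)
            if (c == "r" || c == "w" || c == "x") bits += 2 ^ (9 - i)
            else if (c == "s") { bits += 2 ^ (9 - i); special += (i == 3) ? 4 : 2 }
            else if (c == "S") special += (i == 3) ? 4 : 2
            else if (c == "t") { bits += 1; special += 1 }
            else if (c == "T") special += 1
        }
        printf "%d%03o\n", special, bits
    }'
}

# owner_of FILE / group_of FILE -> user and group names from the same listing
owner_of() { ls -ldL "$1" | awk '{ print $3 }'; }
group_of() { ls -ldL "$1" | awk '{ print $4 }'; }

# perm_at_most FILE MODE -> 0 if FILE grants no permission bit that MODE lacks
perm_at_most() {
    [ -e "$1" ] || return 1
    [ $(( 0$(perm_octal "$1") & ~0$2 )) -eq 0 ]
}

# name_in NAME LIST -> 0 if NAME is one of the space-separated names in LIST
name_in() {
    for n in $2; do [ "$1" = "$n" ] && return 0; done
    return 1
}

# file_findings FILE MAXMODE OWNERS GROUPS
#   e.g. file_findings /etc/samba/smbpasswd 600 root root
#        file_findings /etc/news/nnrp.access 600 "root news" "root news"
#   Prints one line per deviation; returns 1 if any.
file_findings() {
    bad=0
    [ -e "$1" ] || { echo "$1: missing"; return 1; }
    perm_at_most "$1" "$2" || { echo "$1: mode $(perm_octal "$1") is more permissive than $2"; bad=1; }
    name_in "$(owner_of "$1")" "$3" || { echo "$1: owned by $(owner_of "$1"), expected one of: $3"; bad=1; }
    name_in "$(group_of "$1")" "$4" || { echo "$1: group $(group_of "$1"), expected one of: $4"; bad=1; }
    return $bad
}

# Stand-alone demonstration on scratch files owned by whoever runs it.
perm_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/smbpasswd"; chmod 600 "$dir/smbpasswd"
    : > "$dir/smb.conf";  chmod 664 "$dir/smb.conf"
    me=$(owner_of "$dir/smbpasswd"); mygrp=$(group_of "$dir/smbpasswd")
    file_findings "$dir/smbpasswd" 600 "$me" "$mygrp" && echo "$dir/smbpasswd: ok"
    file_findings "$dir/smb.conf"  644 "$me" "$mygrp" || echo "$dir/smb.conf: finding"
    rm -rf "$dir"
}
perm_demo
```

The arithmetic in perm_at_most relies on the shell treating a number with a leading 0 as octal, which POSIX arithmetic expansion guarantees; the bitwise test reports any bit set in the file's mode that the allowed mode does not have, so 640 passes a 644 limit but 664 and 4755 do not.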

7. Electrically Erasable Programmable Read-only Memory (EEPROM)

1. SOL00300 EEPROM security-mode Parameter

# eeprom | grep security-mode
If the EEPROM security-mode parameter is not set to full or command, then this is a finding.
PDI: SOL00300 V0000958   Category: II   Status Code: AUTO   Previously: SO10
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: (none listed)
PDI Description: The EEPROM security-mode parameter is not set to full or command mode.
Reference: UNIX STIG: 8.4

8. Sun Answerbook2
1. SOL00360 Sun Answerbook2 Script Access

Applicable to Solaris 2.5.1 through Solaris 8 (SunOS 5.5.1 through 5.8).
# find / -name dwhttpd
If the AnswerBook2 binary is found, perform the procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1       110532-01
Solaris 5.5.1_x86   110538-01
Solaris 5.6         110532-01
Solaris 5.6_x86     110538-01
Solaris 5.7         110532-01
Solaris 5.7_x86     110538-01
Solaris 5.8         110532-01
Solaris 5.8_x86     110538-01
Apply the applicable patch or remove the binary/application to remediate this finding. Alternatively, the vulnerable binary may be renamed and its permissions changed to 000 to downgrade the finding; for example, a CAT II finding may be downgraded to a CAT III.

PDI: SOL00360 V0004710   Category: III   Status Code: AUTO   Previously: V9756
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: A version of Sun AnswerBook2 allows unauthorized script access.
Reference: UNIX STIG: 8.5.1

2. SOL00380 Sun Answerbook2 dwhttpd Format String

Applicable to Solaris 2.5.1 through Solaris 5.8.


# find / -name dwhttpd
If the Answerbook binary is found, perform procedures in Appendix F, Patch Control, to check for the following patches:

Solaris 5.5.1      110531-01
Solaris 5.5.1_x86  110537-01
Solaris 5.6        110531-01
Solaris 5.6_x86    110537-01
Solaris 5.7        110531-01
Solaris 5.7_x86    110537-01
Solaris 5.8        110531-01
Solaris 5.8_x86    110537-01

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: SOL00380  V0004711  Category: II
Status Code: AUTO  Previously: V9758
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: A version of Sun AnswerBook2 was found vulnerable to the dwhttpd format string vulnerability.
Reference: UNIX STIG: 8.5.2

9. NFS Server Logging


1. SOL00400 NFS Server Logging

To enable NFS server logging, the log option must be applied to all exported file systems in /etc/dfs/dfstab. Perform the following to verify NFS logging is enabled:
# share
The preceding command displays all exported file systems. Each line should contain a log entry to indicate logging is enabled. If the log entry is not present, then this is a finding. If the share command does not return anything, then this is not an NFS server and this check is Not Applicable.

PDI: SOL00400  V0004300  Category: II
Status Code: AUTO  Previously: G696
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCHW-1
PDI Description: An NFS server does not have logging implemented.
Reference: UNIX STIG: 8.6

10. Extended File Attributes

1. SOL00420 Hidden Extended File Attributes

This is applicable to Solaris 9, and later.


# find / -xattr -print -exec runat {} ls -al \;
If hidden extended file attributes exist, then this is a finding.

PDI: SOL00420  V0012032  Category: II
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Hidden extended file attributes exist.
Reference: UNIX STIG: 8.7


11. Root Default Group

1. SOL00440 Group Account with gid of 0

This is applicable to Solaris 10, and later.


# more /etc/passwd
# more /etc/group
Confirm the only account with a group id of 0 is root.
If the root account is not the only account with gid of 0, then this is a finding.
PDI: SOL00440  V0012033  Category: I
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description: The root account is not the only account with gid of 0.
Reference: UNIX STIG: 8.7

7. HEWLETT PACKARD UNIX (HP-UX)

1. Trusted Mode
1. HPUX0020 Operating in Trusted Mode

To check if the system is in Trusted Mode the following file structure should exist:
# ls -la /tcb/files/auth/r/root
If the file does not exist, this is a finding.

PDI: HPUX0020  V0000960  Category: II
Status Code: AUTO  Previously: HP02
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: System is not operating in trusted mode.
Reference: UNIX STIG: 9.1

2. Trusted System Auditing

1. HPUX0040 AUDOMON_ARGS Flag Configuration

Determine if the following flags are set for auditing:


# tail /etc/rc.config.d/auditing
The AUDOMON_ARGS flag should be the last line in the file. Look at the arguments and compare them to -p 20, -t 1, -w 90. If any of these differ, this is a finding.

PDI: HPUX0040  V0004290  Category: II
Status Code: AUTO  Previously: HP14
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAT-1, ECAR-1
PDI Description: HP-UX AUDOMON_ARGS flag is not set to STIG requirements: -p 20, -t 1, -w 90.
Reference: UNIX STIG: 9.1.1
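
The following is an added example, not part of the STIG checklist or its scripts: it evaluates HPUX0040 from the contents of /etc/rc.config.d/auditing instead of by reading the tail of the file. It matches the three options by name, so a different ordering or an attached value such as -p20 is still accepted, and commented-out assignments are ignored. It assumes the usual rc.config.d form AUDOMON_ARGS="-p 20 -t 1 -w 90"; the sample file contents are constructed, not copied from a host.

```shell
#!/bin/sh
# Added example (not the STIG's own script): check HPUX0040 from file contents.

# audomon_args "FILE CONTENTS" -> the unquoted value of the last live
# AUDOMON_ARGS assignment, empty if there is none.
audomon_args() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*#/ { next }                                       # comment line
        $1 ~ /^[ \t]*(export[ \t]+)?AUDOMON_ARGS[ \t]*$/ { v = $2 }
        END { gsub(/"/, "", v); print v }'
}

# audomon_findings "FILE CONTENTS" -> one line per deviation from -p 20 -t 1 -w 90
audomon_findings() {
    args=$(audomon_args "$1")
    if [ -z "$args" ]; then
        echo 'FINDING: AUDOMON_ARGS is not set'
        return 0
    fi
    set -- $args
    p=; t=; w=
    while [ $# -gt 0 ]; do
        case $1 in
            -p)   p=$2; if [ $# -gt 0 ]; then shift; fi ;;
            -p?*) p=${1#-p} ;;                      # attached form -p20
            -t)   t=$2; if [ $# -gt 0 ]; then shift; fi ;;
            -t?*) t=${1#-t} ;;
            -w)   w=$2; if [ $# -gt 0 ]; then shift; fi ;;
            -w?*) w=${1#-w} ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    [ "$p" = 20 ] || echo "FINDING: -p is '$p', required 20"
    [ "$t" = 1 ]  || echo "FINDING: -t is '$t', required 1"
    [ "$w" = 90 ] || echo "FINDING: -w is '$w', required 90"
}

# Constructed sample contents of /etc/rc.config.d/auditing (not from a real host).
SAMPLE_OK='AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
SEC_AUDFILE=/.secure/etc/audfile2
# AUDOMON_ARGS="-p 50 -t 5 -w 20"
AUDOMON_ARGS="-w 90 -p 20 -t 1"'

SAMPLE_BAD='AUDITING=1
AUDOMON_ARGS="-p 30 -t 1 -w 90"'

# Live use: audomon_findings "$(cat /etc/rc.config.d/auditing)"
```

The commented-out assignment in the sample is deliberately ignored; only the last live assignment counts, which is also what the shell sourcing the file at boot will see.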

3. The /etc/securetty File

1. HPUX0060 /etc/securetty Ownership


# ls -lL /etc/securetty
If /etc/securetty is not owned by root, then this is a finding.

PDI: HPUX0060  V0000966  Category: II
Status Code: AUTO  Previously: HP08
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/securetty file is not owned by root.
Reference: UNIX STIG: 9.1.1

2. HPUX0080 /etc/securetty Group Owner

# ls -lL /etc/securetty
If /etc/securetty is not group owned by root, sys, or bin, then this is a finding.

PDI: HPUX0080  V0000965  Category: II
Status Code: AUTO  Previously: HP07
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/securetty file is not group owned by root, sys, or bin.
Reference: UNIX STIG: 9.1.1

3. HPUX0100 /etc/securetty Permissions

# ls -lL /etc/securetty
If /etc/securetty is more permissive than 640, then this is a finding.

PDI: HPUX0100  V0000967  Category: II
Status Code: AUTO  Previously: HP09
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/securetty file is more permissive than 640.
Reference: UNIX STIG: 9.1.1

8. IBM ADVANCED INTERACTIVE EXECUTIVE (AIX)


1. Security Structure
1. AIX00020 TCB Software

Perform:
# /bin/tcbck
If TCB is not installed, the output will show an error code of 3001-101 and/or a text message that indicates TCB
is not installed. This will result in a finding.
PDI: AIX00020  V0000969  Category: II
Status Code: AUTO  Previously: AIX02
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: TCB software is not implemented.
Reference: UNIX STIG: 10.0

2. Network Security
1. AIX00040 securetcpip Command

The securetcpip command is in /etc. If it is not there, this is a finding.

Perform:
# more /etc/security/config
If the stanza:
tcpip:
        netrc = ftp, rexec
is not there, then this is a finding. The stanza indicates the securetcpip command, which disables all the unsafe tcpip commands (e.g., rsh, rlogin, tftp), has been executed.

PDI: AIX00040  V0004284  Category: II
Status Code: AUTO  Previously: AIX07
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1
PDI Description: The securetcpip command has not been used.
Reference: UNIX STIG: 10.2

3. System Commands
1. AIX00060 System Baseline for Files with TCB Bit Set

Perform the following command with no parameters to ensure the system is in trusted mode:
# /bin/tcbck
If TCB is not installed, the output will show an error code of 3001-101 and/or a text message that indicates TCB is not installed. If the output from the command indicates that it is not in trusted mode, mark this item Not Reviewed. Otherwise, check the root crontab to verify tcbck is executed weekly. If it is not in the crontab, ask the SA if the check is run manually and to see the results of the check.

PDI: AIX00060  V0004287  Category: II
Status Code: PART  Previously: AIX10
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1, VIVM-1
PDI Description: A baseline of AIX files with the TCB bit set is not checked weekly.
Reference: UNIX STIG: 10.3

4. Authentication
1. AIX00080 SYSTEM Attribute

Examine the /etc/security/user file:
# grep SYSTEM /etc/security/user
If the line contains SYSTEM=NONE, then this is a finding.

PDI: AIX00080  V0012035  Category: I
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description: The SYSTEM attribute is set to NONE.
Reference: UNIX STIG: 10.4
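
The following is an added example, not part of the STIG checklist or its scripts: a small parser for AIX stanza files (/etc/security/config, /etc/security/user) so that AIX00040 and AIX00080 are decided on the attribute inside the right stanza rather than on a raw grep, which also matches the comment lines (they begin with "*") that mention SYSTEM or netrc. It assumes the standard "stanza:" / "attribute = value" layout of these files; the sample file contents are constructed, not copied from a host.

```shell
#!/bin/sh
# Added example (not the STIG's own script): stanza-aware checks for AIX.

# stanza_attr "FILE CONTENTS" STANZA ATTR -> the attribute's value inside that
# stanza with surrounding whitespace removed, empty if absent.
stanza_attr() {
    printf '%s\n' "$1" | awk -v st="$2" -v at="$3" '
        /^[ \t]*\*/ { next }                                          # comment line
        /^[^ \t*].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }   # "name:" opens a stanza
        cur == st && $0 ~ ("^[ \t]*" at "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit }'
}

# AIX00040: the tcpip stanza of /etc/security/config must list ftp and rexec
# under netrc, which is what running securetcpip writes there.
securetcpip_findings() {
    listed=",$(stanza_attr "$1" tcpip netrc | tr -d ' \t'),"
    for need in ftp rexec; do
        case $listed in
            *,"$need",*) ;;
            *) echo "FINDING: netrc does not list $need; securetcpip has not been run" ;;
        esac
    done
}

# AIX00080: SYSTEM = NONE in a stanza of /etc/security/user turns off the
# system authentication method for that stanza's users.
system_attr_findings() {   # system_attr_findings "FILE CONTENTS" STANZA
    case $(stanza_attr "$1" "$2" SYSTEM) in
        NONE|'"NONE"') echo "FINDING: SYSTEM = NONE in stanza $2" ;;
    esac
}

# Constructed sample files (not captured from a real host).
SAMPLE_CONFIG='tcpip:
        netrc = ftp, rexec'

SAMPLE_USER='* The SYSTEM attribute may be set to NONE; this comment must not match.
default:
        admin = false
        SYSTEM = "compat"
guest:
        SYSTEM = NONE'

# Live use: securetcpip_findings "$(cat /etc/security/config)"
#           system_attr_findings "$(cat /etc/security/user)" default
```

For AIX00080 the default stanza is the one to check first, then any user stanza that overrides it; the first comment line of the sample shows why a plain grep for SYSTEM is not enough.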

9. SILICON GRAPHICS (SGI) IRIX

1. Xfsmd

1. IRIX0020 The xfsmd Service is Enabled

Check for the following line by performing:
# more /etc/inetd.conf
sgi_xfsmd/1 stream rpc/tcp wait root /usr/etc/xfsmd xfsmd
If this line is uncommented, then this is a finding.

PDI: IRIX0020  V0004705  Category: I
Status Code: AUTO  Previously: V9402
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: The xfsmd service is enabled.
Reference: UNIX STIG: 11.1

11. LINUX

1. System BIOS Configuration

1. LNX00040 Disable Boot From Removable Media

If the CMOS is not configured to disable the capability to boot from removable media (e.g., diskette), then this is a finding.

PDI: LNX00040  V0001013  Category: I
Status Code: MAN  Previously: L007
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECSC-1
PDI Description: The CMOS is not configured to disable the capability to boot from removable media (e.g., diskette).
Reference: UNIX STIG: 12.2

2. Restricting the Boot Process

1. LNX00060 Password Configuration Table Configuration


On x86 systems enter the system BIOS and confirm that a supervisor password is enabled. Some systems will
have only one password setting, while others may have both user and supervisor settings. On those with two
settings, ensure the supervisor password is enabled and set. If the system cannot be rebooted to confirm the
settings, ask the system administrator if a BIOS password is enabled. If it is not, then this is a finding.
PDI: LNX00060  V0004246  Category: II
Status Code: MAN  Previously: L064
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The Password Configuration Table has the Supervisor Password set to OFF or the User Password set to ON.
Reference: UNIX STIG: 12.3

3. Boot Loaders

1. LNX00080 Boot Diskette

Confirm /etc/lilo.conf or /boot/grub/grub.conf exist, if neither exists, ask the SA if they are
using a boot diskette as the boot loader.
If a boot diskette is implemented as the boot loader, then this is a finding.
PDI: LNX00080  V0004247  Category: I
Status Code: AUTO  Previously: L066
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCB-1, DCCB-2
PDI Description: A boot diskette is implemented as the boot loader.
Reference: UNIX STIG: 12.4

2. LNX00100 Default Boot Loader

Check for the presence of boot loader configuration files by:


# test -f /etc/grub.conf
# echo $?
# test -f /etc/lilo.conf
# echo $?
If either of the echo statements returns 1, the preceding file is not on the system. GRUB is the preferred boot loader for the system. If LILO is being utilized, check for the presence of /etc/lilo.conf.crc, which should contain a hashed password. If it does not contain a hashed password, or another third-party boot loader is utilized, then this is a finding.

PDI: LNX00100  V0004248  Category: I
Status Code: AUTO  Previously: L068
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCB-1, DCCB-2
PDI Description: The default boot loader does not support journaling and the password cannot be encrypted and the host is not located in a controlled access area accessible only by SAs and justified and documented with the IAO.
Reference: UNIX STIG: 12.4

3. LNX00120 /boot Partition

Ask the SA if the Linux /boot partition resides on removable media (e.g., cdrom, diskette). If so, ask the SA to
verify if it is stored securely under the direction of the security officer and is only used in emergencies. This is a
finding if the media is not stored in a secure location.
PDI: LNX00120  V0004255  Category: I
Status Code: MAN  Previously: L084
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: PESS-1
PDI Description: The /boot partition is on removable media and is not stored in a secure container.
Reference: UNIX STIG: 12.4


4. Password Protecting the GRUB Console Boot Loader

1. LNX00140 GRUB Boot Loader Encrypted Password

Check /etc/grub.conf or /boot/grub/menu.lst:
# more /boot/grub/menu.lst
timeout=10
password --md5 <password-hash>
This line should be just below the line that begins with timeout. Note that <password-hash> will be replaced by the actual MD5-hashed password. If the password line is not in either of the files, this is a finding.

PDI: LNX00140  V0004249  Category: I
Status Code: AUTO  Previously: L072
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCB-1, DCCB-2
PDI Description: The GRUB Boot Loader does not use an MD5 encrypted password.
Reference: UNIX STIG: 12.4.1.1

2. LNX00160 grub.conf Permissions

Check /etc/grub.conf permissions:
# ls -lL /etc/grub.conf
If /etc/grub.conf is more permissive than 600, then this is a finding.

PDI: LNX00160  V0004250  Category: II
Status Code: AUTO  Previously: L074
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The grub.conf is more permissive than 600.
Reference: UNIX STIG: 12.4.1.2

5. Password Protecting the LILO Boot Loader

1. LNX00180 LILO Global Password

Check that the password precedes the first image stanza in /etc/lilo.conf:
# more /etc/lilo.conf
password=
image=/boot/vmlinuz-2.4.20-6smp
If a password is not found, then this is a finding.

PDI: LNX00180  V0004252  Category: I
Status Code: AUTO  Previously: L078
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCB-1, DCCB-2, DCCS-1, DCCS-2
PDI Description: LILO does not have a global password in the /etc/lilo.conf file.
Reference: UNIX STIG: 12.4.1.2

2. LNX00200 LILO Boot Loader Encrypted Password


On newer Linux systems, the LILO password can be hashed in a separate file. To determine if the LILO password is encrypted, perform the following:
# grep password /etc/lilo.conf
If the returned line contains password=, then perform the following:
# more /etc/lilo.conf.crc
If the file does not exist, this is a finding.

PDI: LNX00200  V0012036  Category: I
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCB-1, DCCB-2
PDI Description: The LILO Boot Loader password is not encrypted.
Reference: UNIX STIG: 12.4.1.2
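
The following is an added example, not part of the STIG checklist or its scripts: it decides LNX00140 (GRUB password line hashed with --md5), LNX00180 (LILO password placed before the first image stanza) and the password half of LNX00100 from the configuration file contents, skipping commented-out lines. It assumes GRUB legacy syntax (password --md5 <hash>) and lilo.conf stanzas introduced by image= or other=; the sample configurations are constructed and the hash in them is a placeholder, not a real digest.

```shell
#!/bin/sh
# Added example (not the STIG's own script): boot loader password checks.

# grub_password_status "CONTENTS" -> MD5, PLAINTEXT or NONE
grub_password_status() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "password" { if ($2 == "--md5") st = "MD5"; else if (st != "MD5") st = "PLAINTEXT" }
        END { print (st == "" ? "NONE" : st) }'
}

# lilo_password_scope "CONTENTS" -> GLOBAL (password before the first image=/other=
# stanza), PER_IMAGE (password only inside stanzas) or NONE
lilo_password_scope() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*(image|other)[ \t]*=/ { in_stanza = 1 }
        /^[ \t]*password[ \t]*=/ { if (in_stanza) per_image = 1; else global = 1 }
        END { print (global ? "GLOBAL" : (per_image ? "PER_IMAGE" : "NONE")) }'
}

# Live check: the file that exists decides which parser runs; none present means
# a third-party loader or a boot diskette (see LNX00080).
boot_loader_password_check() {
    if [ -f /etc/grub.conf ]; then
        echo "grub: $(grub_password_status "$(cat /etc/grub.conf)")"
    elif [ -f /boot/grub/menu.lst ]; then
        echo "grub: $(grub_password_status "$(cat /boot/grub/menu.lst)")"
    elif [ -f /etc/lilo.conf ]; then
        echo "lilo: $(lilo_password_scope "$(cat /etc/lilo.conf)")"
    else
        echo "none: no grub.conf, menu.lst or lilo.conf found"
    fi
}

# Constructed sample configurations (hash is a placeholder, not a real digest).
SAMPLE_GRUB='default=0
timeout=10
password --md5 $1$saltsalt$PLACEHOLDERHASHVALUE000000
title Red Hat Enterprise Linux (2.4.21-4.EL)
        root (hd0,0)
        kernel /vmlinuz-2.4.21-4.EL ro root=LABEL=/'

SAMPLE_LILO_GLOBAL='prompt
timeout=50
password=changeme
image=/boot/vmlinuz-2.4.20-6smp
        label=linux
        read-only'

SAMPLE_LILO_PER_IMAGE='prompt
timeout=50
image=/boot/vmlinuz-2.4.20-6smp
        label=linux
        password=changeme
        restricted'
```

PLAINTEXT from the GRUB parser is still a LNX00140 finding (the password is present but not MD5-hashed); PER_IMAGE from the LILO parser is a LNX00180 finding because a per-image password does not protect the other images or the command line.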

3. LNX00220 /etc/lilo.conf Permissions

Check /etc/lilo.conf permissions:
# ls -lL /etc/lilo.conf
If /etc/lilo.conf is more permissive than 600, then this is a finding.

PDI: LNX00220  V0004253  Category: I
Status Code: AUTO  Previously: L080
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/lilo.conf file is more permissive than 600.
Reference: UNIX STIG: 12.4.1.2

6. Filesystems


1. LNX00240 Journaling

Perform the following to check for journaling:
# more /etc/fstab
Valid filesystem types that include journaling are ext3, reiserfs, jfs and xfs.
Note: the CD, floppy, proc and swap entries do not support ext3 and are not evaluated.
If journaling is not configured on the primary filesystem partitions, or journaling is not supported and this is not justified and documented with the IAO, then this is a finding.

PDI: LNX00240  V0001015  Category: II
Status Code: PART  Previously: L017
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: Journaling is not configured on the primary filesystem partitions or journaling is not supported and not justified and documented with the IAO.
Reference: UNIX STIG: 12.5
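
The following is an added example, not part of the STIG checklist or its scripts: it lists the /etc/fstab entries that LNX00240 would count against the system, that is, local on-disk filesystems whose type is not a journaling type. The journaling set is the checklist's (ext3, reiserfs, jfs, xfs) plus ext4, which did not exist when the checklist was written and is an addition here; pseudo filesystems, swap and removable media (the CD, floppy, proc and swap entries of the note) are skipped as not applicable. The sample fstab is constructed.

```shell
#!/bin/sh
# Added example (not the STIG's own script): fstab journaling review.

# fstab_nonjournaled "FSTAB CONTENTS" -> "<mount point> <type>" per offending entry
fstab_nonjournaled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                                        # comments, blank lines
        $3 ~ /^(ext3|ext4|reiserfs|jfs|xfs)$/ { next }                  # journaling: compliant
        $3 ~ /^(swap|proc|sysfs|devpts|tmpfs|usbfs|iso9660|udf|auto|nfs|nfs4|cifs|smbfs)$/ { next }
        $1 ~ /^\/dev\/(fd[0-9]|cdrom|scd[0-9]|sr[0-9])/ { next }        # removable media devices
        { print $2, $3 }'
}

# Constructed sample (not a real host's fstab); only /boot should be reported.
SAMPLE_FSTAB='LABEL=/      /           ext3     defaults        1 1
LABEL=/boot  /boot       ext2     defaults        1 2
/dev/hda5    /home       ext3     defaults        1 2
/dev/hda6    /var        reiserfs defaults        1 2
none         /proc       proc     defaults        0 0
none         /dev/pts    devpts   gid=5,mode=620  0 0
/dev/hda3    swap        swap     defaults        0 0
/dev/cdrom   /mnt/cdrom  iso9660  noauto,owner,ro 0 0
/dev/fd0     /mnt/floppy auto     noauto,owner    0 0
# /dev/hdb1  /data       ext2     defaults        1 2'

# Live use: fstab_nonjournaled "$(cat /etc/fstab)"
# An empty result means every local partition has a journaling type.
```

A non-empty result is a finding unless the SA can show the IAO documentation the PDI description refers to; /boot on ext2 is the common case worth asking about.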

7. Red Hat Kickstart and SuSE AutoYaST

1. LNX00260 Kickstart or AutoYaST

On SuSE systems, tftp must be running for AutoYaST to work properly. Check for tftp by:
# chkconfig --list tftp
If tftp is found, ask the SA if the server is configured for AutoYaST.

Red Hat systems utilize nfs and bootp to assist Kickstart. Perform:
# more /etc/exports
# more /etc/bootptab
and ask the SA if any of the exported file systems contain Kickstart images to be installed on a client. If Kickstart or AutoYaST is used outside an isolated development LAN, then this is a finding.

PDI: LNX00260  V0004256  Category: I
Status Code: MAN  Previously: L088
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECSD-1, ECSD-2
PDI Description: Kickstart or AutoYaST are used outside an isolated development LAN.
Reference: UNIX STIG: 12.6

8. Dual Boot

1. LNX00280 Capable of Dual Boot

Review the applicable boot loader configuration file to ensure it is capable of booting only one operating system. For the grub boot loader, review /etc/grub.conf; for the lilo boot loader, review /etc/lilo.conf. Locations for these files may differ on older versions of Linux. If the system is capable of booting multiple operating systems and this is not justified and documented with the IAO, then this is a finding.

PDI: LNX00280  V0001016  Category: II
Status Code: MAN  Previously: L022
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: A Linux system capable of booting multiple operating systems is not justified and documented with the IAO.
Reference: UNIX STIG: 12.7

9. Ugidd RPC Daemon


1. LNX00300 The rpc.ugidd Daemon is Enabled

To check for the rpc.ugidd daemon, perform:
# chkconfig --list rpc.ugidd
or
# ps -ef | grep -i ugidd
If the daemon is running or installed, this is a finding.

PDI: LNX00300  V0004262  Category: II
Status Code: AUTO  Previously: L128
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The rpc.ugidd daemon is enabled.
Reference: UNIX STIG: 12.8

10. Default Accounts

1. LNX00320 Special Privileged Accounts

Perform the following to check for unnecessary privileged accounts:
# more /etc/passwd
Some examples of unnecessary privileged accounts include halt, shutdown, reboot and who. If such special privilege accounts have not been deleted, then this is a finding.

PDI: LNX00320  V0004268  Category: I
Status Code: AUTO  Previously: L140
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAAC-1, ECPA-1
PDI Description: Special privilege accounts, such as shutdown and halt, have not been deleted.
Reference: UNIX STIG: 12.9

2. LNX00340 Unnecessary Accounts


Perform the following to check for unnecessary user accounts:
# more /etc/passwd
Some examples of unnecessary accounts include games, news, gopher and ftp. If such accounts and their associated software have not been deleted, then this is a finding.

PDI: LNX00340  V0004269  Category: II
Status Code: AUTO  Previously: L142
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: IAAC-1
PDI Description: Unnecessary accounts (e.g., games, news) and associated software have not been deleted.
Reference: UNIX STIG: 12.9
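
The following is an added example, not part of the STIG checklist or its scripts: the /etc/passwd and /etc/group reviews behind SOL00440 (root must be the only account with gid 0, whether through the passwd primary group or through membership of a gid-0 group in /etc/group) and LNX00320/LNX00340 (default accounts that should have been deleted). The functions take file contents so they run against copies collected from a host. The account list is the checklist's own examples and is meant to be extended per site; the sample passwd and group contents are constructed.

```shell
#!/bin/sh
# Added example (not the STIG's own script): passwd/group account reviews.

# gid0_accounts "PASSWD" "GROUP" -> every account other than root whose primary
# group is gid 0 or that is listed as a member of a gid-0 group, sorted, unique
gid0_accounts() {
    {
        printf '%s\n' "$1" | awk -F: '$4 == 0 && $1 != "root" { print $1 }'
        printf '%s\n' "$2" | awk -F: '$3 == 0 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "root") print m[i] }'
    } | sort -u
}

# unwanted_accounts "PASSWD" "name name ..." -> the listed accounts that exist,
# in passwd order
unwanted_accounts() {
    printf '%s\n' "$1" | awk -F: -v list="$2" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Checklist examples for LNX00320 (privileged) and LNX00340 (unnecessary) accounts.
PRIVILEGED_EXAMPLES='halt shutdown reboot who'
UNNECESSARY_EXAMPLES='games news gopher ftp'

# Constructed sample files (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
jdoe:x:500:500:John Doe:/home/jdoe:/bin/bash'

SAMPLE_GROUP='root:x:0:jdoe
bin:x:1:root,bin,daemon
wheel:x:10:root,jdoe
users:x:100:'

# Live use:
#   gid0_accounts "$(cat /etc/passwd)" "$(cat /etc/group)"
#   unwanted_accounts "$(cat /etc/passwd)" "$PRIVILEGED_EXAMPLES $UNNECESSARY_EXAMPLES"
```

In the sample, jdoe has an ordinary primary group but is a member of the root group, which the passwd-only review would miss; any name printed by gid0_accounts is a SOL00440 finding, and any name printed by unwanted_accounts is an LNX00320 or LNX00340 finding.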

11. X Windows

1. LNX00360 X Server Options Enabled

X servers get started several ways, such as xdm, gdm or xinit. Perform:
# ps -ef | grep X
Output, for example:
/usr/X11R6/bin/X -nolisten tcp -br vt7 -auth /var/lib/xdm/authdir/authfiles/A:0
Check the Xservers file to ensure the following options are enabled: -audit, -auth.
Xservers files can be found in:
/etc/X11/xdm/Xservers
/etc/opt/kde3/share/config/kdm/Xservers
/etc/X11/gdm/Xservers
If -audit or -auth is not enabled, then this is a finding.

PDI: LNX00360  V0001021  Category: II
Status Code: AUTO  Previously: L032
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The X server does not have the correct options enabled.
Reference: UNIX STIG: 12.10

2. LNX00380 X Server Options Not Enabled

X servers get started several ways, such as xdm, gdm or xinit. Perform:
# ps -ef | grep X
Output, for example:
/usr/X11R6/bin/X -nolisten tcp -br vt7 -auth /var/lib/xdm/authdir/authfiles/A:0
The above example shows xdm is controlling the X server.
Check the Xservers file to ensure the following options are not enabled: -ac, -core, and -nolock.
Xservers files can be found in:
/etc/X11/xdm/Xservers
/etc/opt/kde3/share/config/kdm/Xservers
/etc/X11/gdm/Xservers
If any of these options is enabled (-core is permitted for debugging purposes), then this is a finding.

PDI: LNX00380  V0001022  Category: II
Status Code: AUTO  Previously: L034
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The X server has one of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
Reference: UNIX STIG: 12.10
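
The following is an added example, not part of the STIG checklist or its scripts: it evaluates LNX00360 and LNX00380 from the X server's command line, whether taken from ps -ef on a running system or from a line of an Xservers file. Required options are -audit and -auth; forbidden ones are -ac, -core and -nolock. One point the checklist leaves implicit is that -audit takes a level argument and level 0 is the "no audit trail" default, so "-audit 0" is reported too; that interpretation is added here. The ps listing in the block is constructed, with the checklist's own example command line, which is missing -audit.

```shell
#!/bin/sh
# Added example (not the STIG's own script): X server option review.

# x_server_findings "X COMMAND LINE" -> one FINDING line per problem, nothing when clean
x_server_findings() {
    set -- $1
    has_audit=0; has_auth=0; audit_level=; prev=
    for w; do
        case $w in
            -audit) has_audit=1 ;;
            -auth)  has_auth=1 ;;
            -ac|-core|-nolock) printf 'FINDING: option %s must not be enabled\n' "$w" ;;
        esac
        if [ "$prev" = -audit ]; then audit_level=$w; fi   # the word after -audit is its level
        prev=$w
    done
    if [ "$has_audit" -eq 0 ]; then
        echo 'FINDING: -audit is not enabled'
    elif [ "$audit_level" = 0 ]; then
        echo 'FINDING: -audit 0 keeps the audit trail disabled'
    fi
    if [ "$has_auth" -eq 0 ]; then echo 'FINDING: -auth is not enabled'; fi
}

# x_command_from_ps "PS -EF OUTPUT" -> the command line(s) of running X servers;
# with `ps -ef` the command starts in field 8
x_command_from_ps() {
    printf '%s\n' "$1" | awk '
        $8 ~ /(^|\/)(X|Xorg|XFree86)$/ {
            for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Constructed sample (not captured from a real host).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1234     1  0 08:00 ?        00:00:00 /usr/X11R6/bin/xdm
root      1240  1234  0 08:00 ?        00:00:03 /usr/X11R6/bin/X -nolisten tcp -br vt7 -auth /var/lib/xdm/authdir/authfiles/A:0
root      1300  1234  0 08:00 pts/0    00:00:00 grep X'

# Live use (an empty command line means no X server is running: Not Applicable):
#   cmd=$(x_command_from_ps "$(ps -ef)"); [ -n "$cmd" ] && x_server_findings "$cmd"
# The same function accepts a line from one of the Xservers files listed above.
```

The ps-based view shows what is actually running; the Xservers file shows what will run after the next display manager restart, so both are worth checking when they disagree.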

12. Console Access

1. LNX00400 Access File Ownership

Check the file applicable to the system, login.access or access.conf.
Check /etc/login.access ownership:
# ls -lL /etc/login.access
Check /etc/security/access.conf ownership:
# ls -lL /etc/security/access.conf
If /etc/login.access or /etc/security/access.conf is not owned by root, then this is a finding.

PDI: LNX00400  V0001025  Category: II
Status Code: AUTO  Previously: L044
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/login.access or /etc/security/access.conf file is not owned by root.
Reference: UNIX STIG: 12.11

2. LNX00420 Access File Group Ownership

Check the file applicable to the system, login.access or access.conf.
Check /etc/login.access group ownership:
# ls -lL /etc/login.access
Check /etc/security/access.conf group ownership:
# ls -lL /etc/security/access.conf
If /etc/login.access or /etc/security/access.conf is not group owned by root, then this is a finding.

PDI: LNX00420  V0001054  Category: II
Status Code: AUTO  Previously: L045
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/login.access or /etc/security/access.conf file is not group owned by root.
Reference: UNIX STIG: 12.11

3. LNX00440 Access File Permissions

Check the file applicable to the system, login.access or access.conf.
Check /etc/login.access permissions:
# ls -lL /etc/login.access
Check /etc/security/access.conf permissions:
# ls -lL /etc/security/access.conf
If /etc/login.access or /etc/security/access.conf is more permissive than 640, then this is a finding.

PDI: LNX00440  V0001055  Category: II
Status Code: AUTO  Previously: L046
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/login.access or /etc/security/access.conf file is more permissive than 640.
Reference: UNIX STIG: 12.11

13. Kernel Configuration File


1. LNX00480 /etc/sysctl.conf Ownership

Check /etc/sysctl.conf ownership (or /etc/sysconfig/sysctl where that is the file in use):
# ls -lL /etc/sysctl.conf
or
# ls -lL /etc/sysconfig/sysctl
If the file is not owned by root, then this is a finding.

PDI: LNX00480  V0004334  Category: II
Status Code: AUTO  Previously: L204
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/sysctl.conf file is not owned by root.
Reference: UNIX STIG: 12.12

2. LNX00500 /etc/sysctl.conf Group Ownership

Check /etc/sysctl.conf group ownership:
# ls -lL /etc/sysctl.conf
If /etc/sysctl.conf is not group owned by root, then this is a finding.

PDI: LNX00500  V0004335  Category: II
Status Code: AUTO  Previously: L206
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/sysctl.conf file is not group owned by root.
Reference: UNIX STIG: 12.12

3. LNX00520 /etc/sysctl.conf Permissions

Check /etc/sysctl.conf permissions:
# ls -lL /etc/sysctl.conf
If /etc/sysctl.conf is more permissive than 600, then this is a finding.

PDI: LNX00520  V0004336  Category: II
Status Code: AUTO  Previously: L208
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1, ECCD-1, ECCD-2
PDI Description: The /etc/sysctl.conf file is more permissive than 600.
Reference: UNIX STIG: 12.12

14. NFS Server

1. LNX00540 The insecure Option

Determine if an NFS server is running on the system by:
# ps -ef | grep nfsd
If an NFS server is running, confirm that it is not configured with the insecure option by:
# exportfs -v
The example below would be a finding:
/misc/export    speedy.redhat.com(rw,insecure)

PDI: LNX00540  V0012037  Category: I
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The insecure option is set.
Reference: UNIX STIG: 12.13

2. LNX00560 The insecure_locks Option

Determine if an NFS server is running on the system by:
# ps -ef | grep nfsd
If an NFS server is running, confirm that it is not configured with the insecure_locks option by:
# exportfs -v
The example below would be a finding:
/misc/export    speedy.redhat.com(rw,insecure_locks)

PDI: LNX00560  V0004339  Category: I
Status Code: AUTO  Previously: L214
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The insecure_locks option is set.
Reference: UNIX STIG: 12.13
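
The following is an added example, not part of the STIG checklist or its scripts: the NFS export checks SOL00400 (Solaris, every share must carry the log option), LNX00540 and LNX00560 (Linux, no export may carry insecure or insecure_locks) all come down to reading the option list of each exported filesystem, so one parser per platform serves all three. Both work on captured command output. The Linux parser also handles the wrapped form of exportfs -v, which prints a long export path on its own line with the client specification on the next. The share and exportfs outputs in the block are constructed.

```shell
#!/bin/sh
# Added example (not the STIG's own script): NFS export option review.

# solaris_exports_without_log "SHARE OUTPUT" -> paths shared without log or log=<tag>
# (`share` prints: <resource> <path> <options> <description>)
solaris_exports_without_log() {
    printf '%s\n' "$1" | awk 'NF >= 3 {
        n = split($3, o, ","); ok = 0
        for (i = 1; i <= n; i++) if (o[i] == "log" || o[i] ~ /^log=/) ok = 1
        if (!ok) print $2 }'
}

# linux_exports_with_option "EXPORTFS -V OUTPUT" OPTION -> paths exported with OPTION
linux_exports_with_option() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 1 && $1 ~ /^\// { path = $1; next }        # wrapped line: path only
        NF == 2                { path = $1; spec = $2 }
        NF == 1 && $1 !~ /^\// { spec = $1 }             # wrapped line: client(options)
        spec != "" {
            sub(/^[^(]*\(/, "", spec); sub(/\)$/, "", spec)
            n = split(spec, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) print path
            spec = "" }'
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_SHARE='-               /export/home   rw,log   ""
-               /export/tools   rw   ""
-               /export/pkgs   ro,log=global   ""'

SAMPLE_EXPORTFS='/misc/export    speedy.redhat.com(rw,insecure)
/home           *.example.mil(rw,sync,insecure_locks)
/var/lib/very/long/export/path/for/images
                build01.example.mil(ro,sync)'

# Live use:
#   Solaris: solaris_exports_without_log "$(share)"          (empty share output: Not Applicable)
#   Linux:   ps -ef | grep '[n]fsd' >/dev/null && linux_exports_with_option "$(exportfs -v)" insecure
#            ps -ef | grep '[n]fsd' >/dev/null && linux_exports_with_option "$(exportfs -v)" insecure_locks
```

Options are compared whole, so insecure does not match insecure_locks and log matches both the bare option and the log=<tag> form that selects a named log configuration.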

15. The /etc/inittab File

1. LNX00580 Ctrl-Alt-Delete Sequence

Verify that Linux systems have disabled the <CTRL><ALT><DELETE> key sequence by performing:
# grep ctrlaltdel /etc/inittab
If the line returned is not commented out, and the system is not located in a controlled access area accessible only by SAs, then this is a finding.

PDI: LNX00580  V0004342  Category: I
Status Code: MAN  Previously: L222
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCPR-1
PDI Description: The Ctrl-Alt-Delete sequence is not disabled and the system is not located in a controlled access area accessible only by SAs.
Reference: UNIX STIG: 12.14

16. Administrative Controls


1. LNX00600 PAM Configuration

Ensure the pam_console.so module is not configured in any files in /etc/pam.d by:
# cd /etc/pam.d
# grep pam_console.so *
Or
# ls -la /etc/security/console.perms
If either the pam_console.so entry or the file /etc/security/console.perms is found, then this is a finding.

PDI: LNX00600  V0004346  Category: II
Status Code: AUTO  Previously: L230
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-1, DCCS-2
PDI Description: PAM grants sole access to admin privileges to the first user who logs into the console.
Reference: UNIX STIG: 12.16
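
The following is an added example, not part of the STIG checklist or its scripts: LNX00580 and LNX00600 decided on live configuration lines only. The greps in the checklist also match commented-out lines, and PAM files on several distributions ship pam_console.so references as comments, so the raw grep produces false positives that a reviewer has to sift by hand. The inittab contents in the block are constructed; the pam.d directory is taken as a parameter so the functions can run against a copy as well as /etc/pam.d.

```shell
#!/bin/sh
# Added example (not the STIG's own script): comment-aware inittab and PAM checks.

# ctrlaltdel_status "INITTAB CONTENTS" -> ENABLED when an uncommented entry has
# the ctrlaltdel action (third colon-separated field), otherwise DISABLED
ctrlaltdel_status() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ { next }
        $3 == "ctrlaltdel" { on = 1 }
        END { print (on ? "ENABLED" : "DISABLED") }'
}

# pam_console_refs DIR -> "file: line" for every uncommented pam_console.so
# reference in the PAM configuration directory (normally /etc/pam.d)
pam_console_refs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v name="$f" '!/^[ \t]*#/ && /pam_console\.so/ { print name ": " $0 }' "$f"
    done
}

# pam_console_findings [PAMDIR] [CONSOLE_PERMS] -> FINDING lines for LNX00600
pam_console_findings() {
    dir=${1:-/etc/pam.d}; perms=${2:-/etc/security/console.perms}
    pam_console_refs "$dir" | sed 's/^/FINDING: pam_console.so configured in /'
    if [ -e "$perms" ]; then echo "FINDING: $perms exists"; fi
}

# Constructed sample inittab contents (not from a real host).
SAMPLE_INITTAB_ON='id:3:initdefault:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now'

SAMPLE_INITTAB_OFF='id:3:initdefault:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now'

# Live use: ctrlaltdel_status "$(cat /etc/inittab)"; pam_console_findings
```

ENABLED from ctrlaltdel_status is only a finding when the system is not in a controlled access area, as the PDI description states; the PAM findings have no such exception.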

17. The /etc/securetty File

1. LNX00620 /etc/securetty Group Ownership

Check /etc/securetty group ownership:
# ls -lL /etc/securetty
If /etc/securetty is not group owned by root, sys, or bin, then this is a finding.

PDI: LNX00620  V0012038  Category: II
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/securetty file is not group owned by root, sys, or bin.
Reference: UNIX STIG: 12.17

2. LNX00640 /etc/securetty Ownership

Check /etc/securetty ownership:
# ls -lL /etc/securetty
If /etc/securetty is not owned by root, then this is a finding.

PDI: LNX00640  V0012039  Category: II
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/securetty file is not owned by root.
Reference: UNIX STIG: 12.17

3. LNX00660 /etc/securetty Permissions

Check /etc/securetty permissions:
# ls -lL /etc/securetty
If /etc/securetty is more permissive than 640, then this is a finding.

PDI: LNX00660  V0012040  Category: II
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description: The /etc/securetty file is more permissive than 640.
Reference: UNIX STIG: 12.17
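
The following is an added example, not part of the STIG checklist or its scripts: the ownership, group-ownership and "more permissive than" checks that recur through this document (SOL00260, HPUX0060 to HPUX0100, LNX00160, LNX00220, LNX00400 to LNX00440, LNX00480 to LNX00520 and LNX00620 to LNX00660) evaluated from a single ls -lL line. The point worth making explicit is that "more permissive than" is a bitwise test, not a numeric one: a mode is a finding when it has any bit set that the maximum does not, so 700 is more permissive than 640 even though 700 is numerically less than 740. The functions assume the usual ls -l field order (mode, links, owner, group, size, date, path) and a path without spaces; the ls lines in the block are constructed.

```shell
#!/bin/sh
# Added example (not the STIG's own script): owner/group/mode checks from `ls -lL`.

# mode_from_ls "-rw-r-----" -> 640. setuid/setgid/sticky are carried in the
# s/S/t/T characters and become the leading digit (e.g. -rwsr-xr-x -> 4755).
# Only characters 2-10 are read, so a trailing ACL/SELinux marker (+ or .) is ignored.
mode_from_ls() {
    s=$1; perm=0; special=0; i=2
    while [ "$i" -le 10 ]; do
        c=$(printf '%s' "$s" | cut -c "$i")
        perm=$((perm * 2))
        case $c in
            r|w|x) perm=$((perm + 1)) ;;
            s|S)   if [ "$c" = s ]; then perm=$((perm + 1)); fi
                   if [ "$i" -eq 4 ]; then special=$((special | 4)); else special=$((special | 2)); fi ;;
            t|T)   if [ "$c" = t ]; then perm=$((perm + 1)); fi
                   special=$((special | 1)) ;;
        esac
        i=$((i + 1))
    done
    printf '%o\n' $((special * 512 + perm))
}

# more_permissive_than MODE MAX -> true when MODE has a bit that MAX lacks
# (both are octal strings; the leading 0 makes the shell parse them as octal)
more_permissive_than() {
    [ $(( 0$1 & ~0$2 )) -ne 0 ]
}

# check_ls_line "LS -lL LINE" MAX_MODE OWNER "GROUP [GROUP...]" -> one FINDING
# line per violation, nothing when the file is compliant
check_ls_line() {
    line=$1; max=$2; want_owner=$3; want_groups=$4
    set -- $line
    mode=$(mode_from_ls "$1"); owner=$3; group=$4
    for path; do :; done                     # last field is the path
    if [ "$owner" != "$want_owner" ]; then
        printf 'FINDING: %s is owned by %s, not %s\n' "$path" "$owner" "$want_owner"
    fi
    group_ok=0
    for g in $want_groups; do
        if [ "$group" = "$g" ]; then group_ok=1; fi
    done
    if [ "$group_ok" -eq 0 ]; then
        printf 'FINDING: %s is group owned by %s, not one of: %s\n' "$path" "$group" "$want_groups"
    fi
    if more_permissive_than "$mode" "$max"; then
        printf 'FINDING: %s mode %s is more permissive than %s\n' "$path" "$mode" "$max"
    fi
}

# Live check of a real file, e.g.  check_file /etc/securetty 640 root "root sys bin"
check_file() {
    check_ls_line "$(ls -lL "$1")" "$2" "$3" "$4"
}

# Constructed sample lines (not real system output):
#   check_ls_line '-rw-r----- 1 root sys 42 Jan 1 2007 /etc/securetty' 640 root 'root sys bin'   -> compliant
#   check_ls_line '-rw-r--r-- 1 root bin 42 Jan 1 2007 /etc/securetty' 640 root 'root sys bin'   -> mode finding
#   check_ls_line '-rwx------ 1 bin bin 42 Jan 1 2007 /boot/grub/grub.conf' 600 root root       -> three findings
```

ls -lL follows symbolic links, as the checklist intends, so the attributes reported are those of the target file; a dangling link produces no line and the function should be run only on files that exist.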

18. RealPlayer

1. LNX00680 RealPlayer Version

Check the RealPlayer version:
# rpm -q RealPlayer
If the version returned is 8, then remove RealPlayer by:
# rpm -e RealPlayer

PDI: LNX00680  V0012041  Category: II
Status Code: AUTO  Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1
PDI Description: A vulnerable RealPlayer version is installed.
Reference: UNIX STIG: 12.19

12. Information Assurance Vulnerability Management (IAVM)

1. IAVA0005 2001-A-0011 Format String Vulnerability in CDE ToolTalk


Vulnerable Systems:
HP HP-UX 10.10
HP HP-UX 10.20
HP HP-UX 10.24
HP HP-UX 11.00
HP HP-UX 11.04
HP HP-UX 11.11
IBM AIX 4.3
IBM AIX 5.1
SGI IRIX 5.2-6.4
Compaq Tru64 DIGITAL UNIX v4.0f
Compaq Tru64 DIGITAL UNIX v4.0g
Compaq Tru64 DIGITAL UNIX v5.0a
Compaq Tru64 DIGITAL UNIX v5.1
Compaq Tru64 DIGITAL UNIX v5.1a
Sun Solaris 1.1-1.2
Sun Solaris 2.0-2.7
Sun Solaris 7
Sun Solaris 8
Open Group
Caldera (SCO)
Xi Graphics
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check if the following patches or package versions have been loaded:

Solaris 2.5.1        104489-15
Solaris 2.5.1_x86    105496-12
Solaris 2.6          105802-19
Solaris 2.6x86       105803-21
Solaris 2.7          107893-21
Solaris 2.7x86       107894-20
Solaris 2.8          110286-14
Solaris 2.8x86       110287-14
HP-UX 10.10          PHSS_26488
HP-UX 10.20          PHSS_29201
HP-UX 10.24          PHSS_29201
HP-UX 10.30          PHSS_16151
HP-UX 11.00          PHSS_32539
HP-UX 11.11          PHSS_33325
IRIX 6.5 and above   SG0004416
AIX 4.3              IY24387
AIX 5.1              IY23846

Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0005  V0000998  Category: I
Status Code: AUTO  Previously: G345
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of ToolTalk is running.
Reference: IAVA 2001-A-0011
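
The following is an added example, not part of the STIG checklist or its scripts: the Solaris side of the "Appendix F, Patch Control" step, that is, deciding from showrev -p output whether a required patch is installed, applied to the IAVA0005 Solaris table above and reusable for the Answerbook checks SOL00360 and SOL00380, which need the same comparison. A Solaris patch ID is BASE-REV; an installed revision equal to or higher than the required one satisfies the requirement, while a lower revision or a different base does not. It assumes the standard "Patch: 110286-14 Obsoletes: ... Packages: ..." output lines; the showrev output in the block is constructed.

```shell
#!/bin/sh
# Added example (not the STIG's own script): Solaris patch presence from showrev -p.

# patch_installed "SHOWREV -P OUTPUT" BASE-REV -> exit 0 when an installed patch
# has the same base and a revision >= the required one
patch_installed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { split(want, w, "-"); missing = 1 }
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == w[1] && p[2] + 0 >= w[2] + 0) missing = 0 }
        END { exit missing }'
}

# IAVA0005 table keyed by `uname -r` (SunOS 5.x) and `uname -p` (sparc or i386);
# Solaris 2.6, 7 and 8 report SunOS 5.6, 5.7 and 5.8.
IAVA0005_PATCHES='5.5.1 sparc 104489-15
5.5.1 i386  105496-12
5.6   sparc 105802-19
5.6   i386  105803-21
5.7   sparc 107893-21
5.7   i386  107894-20
5.8   sparc 110286-14
5.8   i386  110287-14'

# required_patch "TABLE" RELEASE ISA -> the patch for this release and architecture
required_patch() {
    printf '%s\n' "$1" | awk -v rel="$2" -v isa="$3" '$1 == rel && $2 == isa { print $3; exit }'
}

# patch_status "TABLE" RELEASE ISA "SHOWREV -P OUTPUT" -> PATCHED, OPEN (the
# patch is missing: a finding) or NO_ENTRY (release not in the table: review manually)
patch_status() {
    p=$(required_patch "$1" "$2" "$3")
    if [ -z "$p" ]; then
        echo NO_ENTRY
    elif patch_installed "$4" "$p"; then
        echo PATCHED
    else
        echo "OPEN: $p not installed"
    fi
}

# Constructed showrev -p output (not from a real host): the sparc ToolTalk patch
# is present at a later revision than required, the x86 one is absent.
SAMPLE_SHOWREV='Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 110286-15 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdst, SUNWdtbas
Patch: 110532-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWab2m'

# Live use on a Solaris host:
#   patch_status "$IAVA0005_PATCHES" "$(uname -r)" "$(uname -p)" "$(showrev -p)"
# For SOL00360/SOL00380 build the table from their patch lists the same way.
```

The revision comparison is numeric on purpose: patch revisions are zero-padded two-digit strings, and a string comparison would treat -9 and -10 in the wrong order once a patch passes nine revisions.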

2. IAVA0010 1999-0002 TCP Wrappers Trojan Vulnerability

Vulnerable Systems:
Any system with a recent installation of TCP Wrappers
(primarily UNIX systems)


Compliance Checking:
Look in the TCP Wrappers source code for the following added line:
# grep "/bin/csh" tcpd.c
Or, review the binary for the following signature:
# strings tcpd | grep csh
Any output from the above commands is considered a finding.


Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0010 V0001002 Category: I
Status Code: AUTO
Previously: G357
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A TCP_WRAPPERS Trojan exists on the system.
Reference: IAVA 1999-0002

3. IAVA0015 98-06 Qpopper Vulnerability

Vulnerable Systems:
Any OS running a POP server based on QUALCOMM's Qpopper


Compliance Checking:
To determine if a system is vulnerable, first telnet to port 110 on that host. If it is running a POP server, the banner will show the version. For example:
# telnet yourmailhost.your.domain.com 110
Trying 123.123.123.123
Connected to mailhost
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting
In the above example, the POP server is QUALCOMM's Qpopper version 2.4, which is known to be a vulnerable version.
IRIX
Check to see if the vulnerable subsystem is installed. Versions 2.41 and prior of fw_BSDqpopper are vulnerable.
# versions -b fw_BSDqpopper
Name            Date      Description
I fw_BSDqpopper 07/01/97  BSD/Qualcomm POP (Post Office Protocol) Server version 2.1.4
Upgrade to a BSDqpopper version greater than 2.1.4.
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0015 V0001005 Category: II
Status Code: AUTO
Previously: G361
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A QUALCOMM Post Office Protocol (POP) server is vulnerable.
Reference: IAVA 98-06

4. IAVA0020 1998-A-0011 General Internet Message Access Protocol

Vulnerable Systems:
All platforms running IMAP or POP servers.
Compliance Checking:
Perform the following to check if the mail servers are running:
# netstat -a | grep LISTEN | egrep "imap|pop|pop3|\.143|\.110"
An authorized user could type the following to determine the version of IMAP:
# telnet hostname 143
Likewise, the following command can be used to check for POP-3 servers:
# telnet hostname 110
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris Internet Mail Server 3.2: 105935-09
Solaris Internet Mail Server 3.2_x86: 105936-09
Solaris Internet Mail Server 2.0: 105346-07
Solaris Internet Mail Server 2.0_x86: 105347-07
AIX 4.2.x: IX80446
AIX 4.3.x: IX80447
Red Hat: imap-4.1.final-1.i386.rpm
IRIX
Check to see if the vulnerable subsystem is installed. Versions 4.1-BETA and prior of fw_imap are vulnerable.
# versions -b fw_imap
I fw_imap 07/31/98 imap-4.1.BETA U. of Washington

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0020 V0001006 Category: II
Status Code: AUTO
Previously: G363
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are Internet Message Access Protocol (IMAP) or Post Office Protocol (POP) vulnerabilities.
Reference: IAVA 1998-A-0011

5. IAVA0025 98-07 Buffer Overflow in Mail and News Clients


Vulnerable Systems:
Any OS running a vulnerable mail or news client, including
Netscape Messenger.
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check for the following patches:
SOLARIS 2.5.1: 104178-04
SOLARIS 2.5.1_x86: 104185-04
SOLARIS 2.6: 105338-27
SOLARIS 2.6x86: 105339-25
SOLARIS 2.7: 107200-16
SOLARIS 2.7x86: 107201-16
HP-UX 10.10: PHSS_26488
HP-UX 10.20: PHSS_29202
HP-UX 10.24: PHSS_28173
HP-UX 10.30: PHSS_16151
HP-UX 11.00: PHSS_32539
HP-UX 11.04: PHSS_30807
HP-UX 11.11: PHSS_33325

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0025 V0001007 Category: II
Status Code: AUTO
Previously: G365
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerability exists in MIME-aware mail and news clients.
Reference: IAVA 98-07

6. IAVA0030 2000-A-0003 Gauntlet Firewall Buffer Overflow

Vulnerable Systems:
Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5
WebShield 300 series E-ppliance
WebShield For Solaris 4.0
WebShield 100 series E-ppliance
Compliance Checking:
Ask the SA or IAO if they are running Gauntlet software, and which version. If the system is running less than version 5.5 patch level 14 or version 6.0 patch level 4, this is a finding.
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris: cyber.patch

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0030 V0001008 Category: I
Status Code: AUTO
Previously: G371
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Gauntlet Firewall for UNIX and WebShield Cyberdaemon have the buffer overflow vulnerability.
Reference: IAVA 2000-A-0003

7. IAVA0035 2001-T-0004 MySQLd Vulnerability

Vulnerable Systems:
MySQLd 3.23.32 and all previous versions
Compliance Checking:
Perform the following to determine the version:
# mysql -V
The version should be at least 3.23.38.


Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0035 V0001064 Category: II
Status Code: AUTO
Previously: G373
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A system has a vulnerable version of MySQLD.
Reference: IAVA 2001-T-0004


8. IAVA0040 2001-A-0007 iPlanet

Vulnerable Systems:
iPlanet versions 4.1, service pack 8 and lower
Compliance Checking:
Use the following steps to determine the version number:
1. Navigate to the following directory:
server-root/bin/https/bin
2. Run the ns-httpd program with the "-v" parameter:
# ./ns-httpd -v

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0040 V0001067 Category: I
Status Code: PART
Previously: G505
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: iPlanet Web servers expose sensitive data via a buffer overflow.
Reference: IAVA 2001-A-0007


9. IAVA0045 2001-T-0008 BSD Telnet Daemon

Vulnerable Systems:
All current versions of BSD/OS are vulnerable.
OpenLinux 2.3
FreeBSD, Inc.
HP-UX 10.20
IBM AIX
Solaris
SuSE
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.6: 106049-05
Solaris 2.6x86: 106050-05
Solaris 2.7: 107475-05
Solaris 2.7x86: 107476-05
Solaris 2.8: 110668-05
Solaris 2.8x86: 110669-05
HP-UX 10.01: PHNE_24820
HP-UX 10.10: PHNE_24820
HP-UX 10.20: PHNE_24821
HP-UX SIS 10.20: PHNE_24822
HP-UX 10.24: PHNE_25217
AIX 4.3.3: IY22029
AIX 5.1: IY22021
IRIX 6.5: SG0004354

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0045 V0001069 Category: I
Status Code: AUTO
Previously: G507
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: The telnet daemon telrcv function is vulnerable to a buffer overflow.
Reference: IAVA 2001-T-0008

10. IAVA0050 2004-B-0015 Sun JRE Bypass Vulnerability

Vulnerable Systems:
SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier
on the following platforms:

Solaris
Linux

Compliance Checking:
To determine the version of Java on a system, the following command can be run:
# java -fullversion
Or
# java -version
The version should be at least 1.4.2_06 or 1.3.1_13.


Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0050 V0005016 Category: II
Status Code: MAN
Previously: G508
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Vulnerability in Sun Java Runtime Environment Java Plug-in JavaScript Security Restriction.
Reference: IAVA 2004-B-0015

11. IAVA0055 2001-B-0002 HP OpenView and Tivoli NetView

Vulnerable Systems:
HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
HP-UX releases 10.20 and 11.00 (only).
Sun Microsystems SOLARIS releases 2.X
Tivoli NetView Versions 5.x and 6.x on the following platforms:
IBM AIX
Sun Microsystems SOLARIS
Compaq Tru64 Unix
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded for OpenView:
HP-UX 10.20: PHSS_24797
HP-UX 11.00: PHSS_24798
Solaris: PSOV_02988
To view the Tivoli NetView version: the Tivoli NetView standard toolbar contains an About NetView(R) icon which displays the full name, version number, and copyright information for the Tivoli NetView program. Upgrade to version 5.1.3 and 6.0.2 and apply patches from Tivoli.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the
binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0055 V0002366 Category: I
Status Code: AUTO
Previously: G509
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Vulnerability in HP OpenView and IBM Tivoli NetView.
Reference: IAVA 2001-B-0002

12. IAVA0060 2004-T-0038 Sun Remote Denial of Service

Vulnerable Systems:
Sun Java System Application Server 7.0.0 2004Q2
Sun Java System Application Server 7.0.0 Platform Edition Update 4 and earlier
Sun Java System Application Server 7.0.0 Standard Edition Update 4 and earlier
Sun Java System Web Server 6.0.0
Sun Java System Web Server 6.0.0 SP1, SP2, SP3, SP4, SP5, SP6, SP7
Sun Java System Web Server 6.1.0
Sun Java System Web Server 6.1.0 SP1
Compliance Checking:
Sun Java System Web Server:
Use the following steps to determine the version number:
1. Navigate to the following directory:
server-root/bin/https/bin
2. Run the ns-httpd program with the "-v" parameter:
# ./ns-httpd -v
Sun Java System Application Server:
To determine the version, the following command can be run:
# <AS_INSTALL>/bin/asadmin version --verbose
(Where <AS_INSTALL> is the installation directory of the Application Server)
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0060 V0005017 Category: III
Status Code: PART
Previously: G510
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Remote denial of service vulnerability in Sun Java Web and Application Servers.
Reference: IAVA 2004-T-0038

13. IAVA0065 2001-A-0013 SSH V1

Vulnerable Systems:
SSH1.5: 1.2.24 - 1.2.31
SSH1.5: 1.3.6 - 1.3.10
OpenSSH 1.2, 1.2.1 - 1.2.3
OpenSSH 2.1, 2.1.1, 2.2.0
SSH Communications Security SSH 1.2.23 through 1.2.31
SSH Communications Security SSH 2.x and 3.x (Version 1 fallback is enabled)
F-Secure SSH versions prior to 1.3.11-2
OSSH 1.5.7
Debian
FreeBSD
Compliance Checking:
To get the version, perform:
# telnet localhost 22
Or
# strings (ssh or sshd) | grep -i version
Or
# ssh -V
The required versions and patches are:
OpenSSH: 3.4 (required by IAVA0080)
SSH Communications Security SSH: 3.0.1 (required by IAVA0125)
SOLARIS 9 Integrated OpenSSH: 113273-11
SOLARIS 9_x86 Integrated OpenSSH: 114858-08
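The SSH banner checks above (`telnet localhost 22`, `ssh -V`) and the Qpopper greeting check under IAVA0015 both come down to pulling a version out of a banner and comparing it with a minimum, and a naive string or lexical comparison gets cases such as 2.4 against 2.10 wrong. The shell functions below are an added example, not code from the checklist or its UNIX Scripts: they parse the two SSH banner styles this section names (OpenSSH and SSH Communications Security) and the `+OK QPOP (version X)` greeting, compare dotted versions field by field, and report OK or FINDING against the minimums the checklist states for SSH (OpenSSH 3.4, SSH Communications Security 3.0.1). The sample banners are constructed, the function names are the example's own, and the Qpopper minimum is a caller-supplied parameter because the checklist gives none beyond the IRIX subsystem note.

```shell
#!/bin/sh
# Added example (not from the checklist): reduce SSH and POP3 banners to a
# dotted version and compare it with a required minimum.  All banners used
# below are constructed; none were captured from a real host.

# version_ge A B: return 0 when dotted version A >= B, comparing field by
# field numerically ("3.4p1" counts as 3.4, a missing field as 0).
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; ax=${ax%%[!0-9]*}
        bx=${b%%.*}; bx=${bx%%[!0-9]*}
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# ssh_version BANNER: print "<product> <version>" for the two products the
# checklist names ("openssh" or "sshcs"), or "unknown".
ssh_version() {
    case $1 in
        *OpenSSH_*)
            v=${1##*OpenSSH_}; v=${v%%[!0-9.]*}
            echo "openssh $v" ;;
        *"SSH Secure Shell "*)
            v=${1##*"SSH Secure Shell "}; v=${v%%[!0-9.]*}
            echo "sshcs $v" ;;
        *)  echo unknown ;;
    esac
}

# pop_version BANNER: print the version from a "+OK QPOP (version X)"
# greeting, or "unknown".
pop_version() {
    case $1 in
        *"QPOP (version "*)
            v=${1##*"QPOP (version "}; v=${v%%)*}; echo "$v" ;;
        *)  echo unknown ;;
    esac
}

# ssh_check BANNER: OK (0) / FINDING (1) / MANUAL (2) against the minimums
# the checklist gives: OpenSSH 3.4 and SSH Communications Security 3.0.1.
ssh_check() {
    set -- $(ssh_version "$1")
    case $1 in
        openssh) min=3.4 ;;
        sshcs)   min=3.0.1 ;;
        *)       echo "MANUAL  unrecognised SSH banner"; return 2 ;;
    esac
    if version_ge "$2" "$min"; then
        echo "OK      $1 $2 (required $min)"; return 0
    fi
    echo "FINDING $1 $2 below required $min"; return 1
}

# pop_check BANNER MIN: the same for a Qpopper greeting; MIN is supplied by
# the reviewer because the checklist states no single Qpopper minimum.
pop_check() {
    v=$(pop_version "$1")
    if [ "$v" = unknown ]; then echo "MANUAL  not a Qpopper greeting"; return 2; fi
    if version_ge "$v" "$2"; then echo "OK      Qpopper $v (required $2)"; return 0; fi
    echo "FINDING Qpopper $v below required $2"; return 1
}

# Constructed sample banners.
OPENSSH_NEW='OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f'
OPENSSH_OLD='SSH-1.99-OpenSSH_2.2.0'
SSHCS_NEW='ssh2: SSH Secure Shell 3.0.1 (non-commercial version) on sparc-sun-solaris2.8'
POP_OLD='+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting'

for banner in "$OPENSSH_NEW" "$OPENSSH_OLD" "$SSHCS_NEW"; do
    ssh_check "$banner" || :
done
pop_check "$POP_OLD" 2.1.4 || :
```

The return codes are deliberate: 0 for compliant, 1 for a finding and 2 for a banner the script cannot classify, so a wrapper can route the last case back to the manual procedure instead of silently passing it.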

Remediation Guidelines:


Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0065 V0002391 Category: I
Status Code: AUTO
Previously: G513
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: SSH is vulnerable to a remote integer overflow.
Reference: IAVA 2001-A-0013

14. IAVA0075 2001-A-0009 Gauntlet SMAP/SMAPD Buffer Overflow

Vulnerable Systems:
Gauntlet for Unix versions 5.x
PGP e-ppliance 300 series version 1.0
McAfee e-ppliance 100 and 120 series
Gauntlet for Unix version 6.0
PGP e-ppliance 300 series versions 1.5, 2.0
PGP e-ppliance 1000 series versions 1.5, 2.0
McAfee WebShield for Solaris v4.1
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris: cyber.patch
HP-UX: PHCO_16723 or later


Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0075 V0002392 Category: I
Status Code: PART
Previously: G515
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Gauntlet Firewall, WebShield CSMAP, and smap/smapd have a buffer overflow vulnerability.
Reference: IAVA 2001-A-0009

15. IAVA0080 2001-T-0017 OpenSSH

Vulnerable Systems:
OpenSSH versions prior to 2.1.1
OpenBSD
OpenSSH
FreeBSD
IBM
Compliance Checking:
To get the version, perform:
# telnet localhost 22
Or
# strings (ssh or sshd) | grep -i version
Or
# ssh -V
Upgrade to OpenSSH 3.0.2 or later.
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0080 V0002393 Category: I
Status Code: AUTO
Previously: G517
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: The OpenSSH UseLogin feature has multiple vulnerabilities.
Reference: IAVA 2001-T-0017

16. IAVA0085 2005-A-0014 Oracle E-Business Suite Vulnerabilities

Vulnerable Systems:
Oracle E-Business Suite 11.0.0
Oracle E-Business Suite 11i 11.5.0
Oracle E-Business Suite 11i 11.5.0.10
Oracle E-Business Suite 11i 11.5.1
Oracle E-Business Suite 11i 11.5.2
Oracle E-Business Suite 11i 11.5.3
Oracle E-Business Suite 11i 11.5.4
Oracle E-Business Suite 11i 11.5.5
Oracle E-Business Suite 11i 11.5.6
Oracle E-Business Suite 11i 11.5.7
Oracle E-Business Suite 11i 11.5.8
Oracle E-Business Suite 11i 11.5.9

Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are spot checks for multiple-patch requirements based on version and platform. Note whether each check is for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set correctly.
Start the Oracle Installer with the command:
# $ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand each Oracle Home. If Oracle Collaboration Suite is listed, expand it to view any installed patches.
Ensure one of the patches listed below is installed:
4135540
4193286
4193293
4193299
4193301
4193307
4193312
4201702
4217570
4266635
4312525
Note: Repeat for each Oracle installation.
Remediation Guidelines:


Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0085 V0007017 Category: I
Status Code: MAN
Previously: G518
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Oracle E-Business and Application Suite.
Reference: IAVA 2005-A-0014

17. IAVA0090 2002-A-0001 CDE Buffer Overflow

Vulnerable Systems:
All Unix operating systems running CDE.
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.5.1: 108363-02
Solaris 2.5.1_x86: 108364-02
Solaris 2.6: 105669-11
Solaris 2.6_x86: 105670-10
Solaris 2.7: 106934-04
Solaris 2.7_x86: 106935-04
Solaris 2.8: 108949-07
Solaris 2.8_x86: 108950-07
HP-UX 10.10: PHSS_25785
HP-UX 10.20: PHSS_25786
HP-UX 10.24: PHSS_26029
HP-UX 11.0: PHSS_25787
HP-UX 11.04: PHSS_26030
HP-UX 11.11: PHSS_25788
IRIX 5.3: Patch will not be produced
IRIX 6.2 - 6.5.2: SG0004416
IRIX 6.5.3.1.1: SG0004416
AIX 4.3: IY06694
AIX 5.1: IX89419

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0090 V0002394 Category: I
Status Code: AUTO
Previously: G519
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: The CDE Subprocess Control Service has a buffer overflow vulnerability.
Reference: IAVA 2002-A-0001

18. IAVA0095 2001-T-0015 LPD Vulnerabilities

Vulnerable Systems:
BSDi BSD/OS Version 4.1 and earlier
Debian GNU/Linux 2.1 and 2.1r4
All released versions of FreeBSD 3.x and 4.x prior to 4.4-RELEASE; FreeBSD 4.3-STABLE and 3.5.1-STABLE prior to the correction date.


Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20, 11.00, and 11.11
IBM AIX Versions 4.3 and AIX 5.1
Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
NetBSD 1.5.2 and earlier
OpenBSD Version 2.9 and earlier
Red Hat Linux 6.0, 6.2 all architectures
SCO OpenServer Version 5.0.6a and earlier
SGI IRIX 6.5-6.5.13
Sun Solaris 2.6, 7 and 8
SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.6: 106235-10
Solaris 2.6x86: 106236-10
Solaris 2.7: 107115-10
Solaris 2.7x86: 107116-10
Solaris 2.8: 109320-05
Solaris 2.8x86: 109321-05
HP-UX 10.01: PHCO_25107
HP-UX 10.10: PHCO_25108
HP-UX 10.20: PHCO_25109
HP-UX 11.00: PHCO_25110
HP-UX 11.11: PHCO_25111
HP-UX 11.20: PHCO_24868
IRIX 6.2 - 6.5.2: Patch not available
IRIX 6.5.3.1.1: Patch not available
AIX 4.3: IY23037
AIX 5.1: IY23041
Linux (all): lpr package of version 0.48 or greater

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0095 V0002395 Category: II
Status Code: AUTO
Previously: G521
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in the BSD line printer daemon.
Reference: IAVA 2001-T-0015

19. IAVA0100 2005-T-0014 Multiple Vulnerabilities in Mozilla Firefox

Vulnerable Systems:
Mozilla Firefox 1.0.3 and earlier.
Compliance Checking:
# find / -name firefox
If Firefox is found, confirm the version is 1.0.4 or later:
# /<firefox_binary> -v
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0100 V0007019 Category: II
Status Code: MAN
Previously: G522
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Mozilla Firefox.
Reference: IAVA 2005-T-0014

20. IAVA0105 2001-A-0014 Login Daemon

Vulnerable Systems:
Sun Solaris 8/SunOS 5.8 and earlier
IBM 4.3 and 5.1
SCO OpenServer 5.0.6a and earlier
SGI 3.x
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris

2.5.1

106160-02

Solaris

2.5.1_x86

106161-02

Solaris

2.6

105665-04

Solaris

2.6_x86

105666-04

http://s3.amazonaws.com/0706/819143.html

07/14/2007 08:21:33 AM

4 SYSTEM CHECKS

Solaris

2.7

Solaris

2.7_x86

Solaris

2.8

Solaris

2.8_x86

Page 322

112300-01
112301-01
111085-02 Obsoleted by 108993-02
111086-02 Obsoleted by 108994-02

IRIX 3.x

Patch will not be available upgrade to 6.5.13

AIX 4.3

IY26443

AIX 5.1

IY26221

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0105 V0002396 Category: I
Status Code: AUTO
Previously: G523
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: The login utility has a buffer overflow vulnerability.
Reference: IAVA 2001-A-0014

21. IAVA0110 2005-B-0012 PAWS DoS Vulnerability

Vulnerable Systems:
FreeBSD FreeBSD prior to 5.4.0
OpenBSD OpenBSD 3.0.0
OpenBSD OpenBSD 3.1.0
OpenBSD OpenBSD 3.2.0
OpenBSD OpenBSD 3.3.0
OpenBSD OpenBSD 3.4.0
OpenBSD OpenBSD 3.5.0
OpenBSD OpenBSD 3.6.0
SCO Open Server 6.0.0
SCO Unixware 7.1.3
SCO Unixware 7.1.4
Compliance Checking:
Ensure the SA has installed the applicable patch or upgraded to the latest non-vulnerable version of FreeBSD and/or OpenBSD.
Patch OpenBSD with patch 015_tcp.patch.
FreeBSD
Download the relevant patch from the location below.
FreeBSD 4.x
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc
FreeBSD 5.x
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc
SCO
Upgrade the affected binaries from:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.64

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0110 V0007020 Category: II
Status Code: MAN
Previously: G524
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is a DoS PAWS vulnerability.
Reference: IAVA 2005-B-0012

22. IAVA0115 2002-A-SNMP-0002, 2002-A-SNMP-003 SNMP

Vulnerable Systems:
CacheOS 3.1.22, 4.0.15, 4.1.02
Compaq
NonStop Himalaya Servers
TCP/ip Services for OpenVMS
Tru64 Unix
Insight Management Suite
Deskpro
Professional Workstation (Armada)
SANworks
Hewlett-Packard Company
HP 9000 Series 700 and Series 800 running HP-UX releases 10.X,11.X
HP Procurve switches
JetDirect Firmware (older versions only)
MC/ServiceGuard, EMS HA Monitors
iPlanet
Netscape Directory Server V4.12-V4.16 for Unix
iPlanet Directory Server V5.0SP1 & 5.1 for Unix
iPlanet Web Proxy Server V3.6 for Unix
Oracle
Oracle7 Database, Release 7.3.x
Oracle8 Database, Releases 8.0.x
Oracle8i Database, Releases 8.1.x
Oracle9i Database, Release 9.0.1.x
Sun Microsystems, Inc.
Solstice Enterprise Agents (SEA)


Concord Communications
eHealth Console version 5.0.2 P1
eHealth Console version 4.8 P8
eHealth TrapEXPLODER 1.3
Netscreen
ScreenOS - all versions
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.6: 106787-18
Solaris 2.6_x86: 106872-18
Solaris 2.7: 107709-19
Solaris 2.7_x86: 107710-19
Solaris 2.8: 108869-16
Solaris 2.8_x86: 108870-16
HP-UX 10.20: PHSS_26137
HP-UX 11.00: PHSS_26138
AIX 4.3: IY17630
AIX 5.1: IY20943
Initially, this is a CAT I if the IAVA has not been applied. Additional requirements have been added:
If the SNMP version is 3 or greater, this is not a finding.
If the SNMP version is 1 or 2, or does not have all the patches, or has open IAVAs for SNMP, it is a CAT I.
If it is version 1 or 2, fully patched, with no SNMP IAVAs open, but there is no formally documented plan to migrate to version 3, it is a CAT II.
If it is version 1 or 2, fully patched, with all IAVAs applied, and there is a formally documented plan to migrate to version 3, this is a CAT III.


To check the version of snmpd:
1. Locate the snmpd daemon:
Solaris: /usr/lib/snmp/snmpdx
HP-UX: /usr/sbin/snmpd
Linux: /usr/sbin/snmpd
AIX: /usr/sbin/snmpdm
2. Find the version. On Solaris and HP-UX perform:
# strings SNMPDPROGRAM | grep snmpV
The version will show up as snmpV2 or snmpV3. If it is version 1, no value is returned.
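As an added example, not part of the checklist or its UNIX Scripts, the shell functions below turn the SNMP severity rules above into a repeatable decision. The version is read from the `strings ... | grep snmpV` output, with no match treated as version 1 as the text states, and the category then follows from the version, the patch state, whether any SNMP IAVAs remain open, and whether a documented migration plan to version 3 exists. The rules are applied in the order the checklist lists them, so a version 1 or 2 agent that is fully patched with no open IAVAs falls to CAT II or CAT III rather than CAT I. The input values are constructed and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the checklist): derive the SNMP finding category
# from the facts a reviewer gathers.  All inputs below are constructed.

# snmp_version_from_strings STRINGS_OUTPUT
#   Print 3 if an snmpV3 marker is present, 2 for snmpV2, else 1 (the
#   checklist treats "no value returned" as version 1).
snmp_version_from_strings() {
    case $1 in
        *snmpV3*) echo 3 ;;
        *snmpV2*) echo 2 ;;
        *)        echo 1 ;;
    esac
}

# snmp_category VERSION PATCHED OPEN_IAVAS PLAN
#   VERSION    1, 2 or 3
#   PATCHED    yes/no  all required patches from the table are loaded
#   OPEN_IAVAS yes/no  any SNMP IAVA is still open
#   PLAN       yes/no  a formally documented plan to migrate to v3 exists
#   Print the category; return 0 for not a finding, 1/2/3 for CAT I/II/III.
snmp_category() {
    ver=$1 patched=$2 open=$3 plan=$4
    if [ "$ver" -ge 3 ]; then
        echo "NOT A FINDING"; return 0
    fi
    if [ "$patched" != yes ] || [ "$open" = yes ]; then
        echo "CAT I"; return 1
    fi
    if [ "$plan" != yes ]; then
        echo "CAT II"; return 2
    fi
    echo "CAT III"; return 3
}

# snmp_review STRINGS_OUTPUT PATCHED OPEN_IAVAS PLAN
#   Combine both steps: version from the strings output, then the category.
snmp_review() {
    snmp_category "$(snmp_version_from_strings "$1")" "$2" "$3" "$4"
}

# Constructed strings output for three hypothetical agents.
V3_AGENT='snmpV1
snmpV2
snmpV3'
V2_AGENT='snmpV1
snmpV2'
V1_AGENT=''

snmp_review "$V3_AGENT" no yes no  || :   # v3: not a finding regardless
snmp_review "$V2_AGENT" no no  yes || :   # v2, patch missing: CAT I
snmp_review "$V2_AGENT" yes no no  || :   # v2, patched, no plan: CAT II
snmp_review "$V1_AGENT" yes no yes || :   # v1, patched, plan: CAT III
```

The numeric return value mirrors the category so a calling script can escalate on it directly; the printed text is what a reviewer would record in the finding.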
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0115 V0002655 Category: I
Status Code: PART
Previously: G525
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: SNMPv1 has vulnerable trap handling in the GetRequest and GetnRequest routines.
Reference: IAVA 2002-A-SNMP-002, 2002-A-SNMP-003

23. IAVA0120 2005-A-0005 Multiple Vulnerabilities in BIND

Vulnerable Systems:
ISC BIND 9.3.0
ISC BIND 8.4.4
ISC BIND 8.4.5
Compliance Checking:
To examine the version number of named perform:
# find / -name named
# find / -name in.named
# what in.named/named | grep -i version
# strings in.named/named | grep -i version
# named -v
# named -d0
BIND 8.4.4, 8.4.5, and 9.3.0 are vulnerable; if any of these versions of BIND are installed and/or running, this is a finding.
Upgrade to BIND 8.4.6 or later, or BIND 9.3.1 or later.
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0120 V0007517 Category: I
Status Code: PART
Previously: G526
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of BIND is installed.
Reference: IAVA 2005-A-0005


24. IAVA0125 2001-T-0018 SSH Short Password Vulnerability

Vulnerable Systems:
SSH Communications Security 3.0.0
SSH Communications Security 2.3 and 2.4, for HPUX 10.20 and 11.00 in (TCB)
Red Hat 6.2 Linux 6.1 thru 7.1
Solaris 2.6 thru 2.8
Caldera Linux 2.4
SuSE Linux 6.4 thru 7.0
Compliance Checking:
This check only applies to SSH by SSH Communications Security.
To get the version, perform:
# telnet localhost 22
Or
# strings (ssh or sshd) | grep -i version
Or
# ssh -V
Upgrade to SSH Secure Shell 3.0.1 or later.
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI:

IAVA0125V000265 Category II
6
:

MAC/Confidentiality Levels:
IA Controls:

Status Code: PART

Previously:

G527

MAC I CSP, MAC II CSP, MAC III CSP


DCSQ-1, VIVM-1

http://s3.amazonaws.com/0706/819143.html

07/14/2007 08:21:33 AM

4 SYSTEM CHECKS

Page 329

PDI Description:

SSH, by Communications Security, has a short password


vulnerability.

Reference:

IAVA 2001-T-0018

25. IAVA0135 2001-B-0004 WU-FTPD

Vulnerable Systems:
Caldera thru 3.1
Cobalt QUBE 1.0
Conectiva thru 7.0
Debian thru 2.2
Mandrake thru 8.1
Red Hat thru 7.2
SuSE thru 7.3
Immunix thru 7.0
and any other system using WU-FTPD or derivatives of it.
Compliance Checking:
To determine the version of ftpd, issue the following command:
# strings /usr/sbin/in.ftpd | grep -i version
The version must be 2.6.2 or later, or this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0135 V0002657   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G529
IA Controls: DCSQ-1, VIVM-1
PDI Description: WU-FTPD has a remote code execution vulnerability.
Reference: IAVA 2001-B-0004

26. IAVA0140 2005-T-0008 Multiple Vulnerabilities in Ethereal Software

Vulnerable Systems:
All Linux and Solaris operating systems with Ethereal prior to 0.10.10 are vulnerable.
Compliance Checking:
To determine the version of Ethereal, use one of the following methods:
Load Ethereal and go to the Help->About Ethereal... menu item.
# ethereal -v
# tethereal -v
The version must be 0.10.10 or later, or this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0140 V0007519   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G530
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Ethereal Software.
Reference: IAVA 2005-A-0008

27. IAVA0145 2002-T-0004 KTH Kerberos IV and V

Vulnerable Systems:
KTH Kerberos Development Team
BSDi
OpenBSD
FreeBSD
NetBSD
Compliance Checking:
This check is only applicable to KTH Kerberos version IV and V. MIT Kerberos is not vulnerable to this
condition. Patches are not available from the vendor at this time. Strictly enforce the client's preferences and
abort the connection if authentication or encryption cannot be negotiated. Reference the OpenBSD and FreeBSD
man pages for the telnet syntax that aborts the connection if authentication or encryption cannot be negotiated.
Patches distributed by third parties other than KTH Kerberos are not recommended solutions due to the potential
for unreliability/interoperability issues and insecure or malicious coding.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0145 V0002685   Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G531
IA Controls: DCSQ-1, VIVM-1
PDI Description: Kerberos IV and V implementations have a telnet encryption vulnerability.
Reference: IAVA 2002-T-0004

28. IAVA0150 2005-T-0010 Multiple Vulnerabilities in Sybase Software

Vulnerable Systems:
Sybase Adaptive Server Enterprise 12.5.3 and prior.
Compliance Checking:
To determine the version of Sybase, perform the following:
# /usr/sybase/ASE-12_5/bin/dataserver -v
Upgrade to ASE 12.5.3 ESD#1 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0150 V0007520   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: MAN   Previously: G532
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Sybase Software.
Reference: IAVA 2005-T-0010

29. IAVA0155 2002-T-0008 Cachefsd Daemon

Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
Solaris 5.9_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1: 104849-09
Solaris 5.5.1_x86: 104848-09
Solaris 5.6: 105693-13
Solaris 5.6_x86: 105694-13
Solaris 5.7: 108800-02
Solaris 5.7_x86: 108801-02
Solaris 5.8: 110896-02
Solaris 5.8_x86: 110897-02
Solaris 5.9: 114008-01
Solaris 5.9_x86: 114009-01
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0155 V0002849   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G533
IA Controls: DCSQ-1, VIVM-1
PDI Description: A buffer overflow vulnerability exists in the Sun Solaris cachefsd daemon.
Reference: IAVA 2002-T-0008

30. IAVA0160 2005-T-0017 IBM WebSphere Application Server

Vulnerable Systems:
IBM WebSphere Application Server 5.0.2
IBM WebSphere Application Server 5.0.2.1
IBM WebSphere Application Server 5.0.2.2
IBM WebSphere Application Server 5.0.2.3
IBM WebSphere Application Server 5.0.2.4
IBM WebSphere Application Server 5.0.2.5
IBM WebSphere Application Server 5.0.2.6
IBM WebSphere Application Server 5.0.2.7
IBM WebSphere Application Server 5.0.2.8
IBM WebSphere Application Server 5.0.2.9
IBM WebSphere Application Server 5.0.2.10
Compliance Checking:
To determine the version of IBM WebSphere Application Server, perform one of the following:
# versionInfo
Or
# genVersionReport
The genVersionReport command generates the versionReport.html report file in the bin directory on Linux and
UNIX-based platforms, or on Windows platforms. The report includes the list of components, fixes, and fix packs.
Upgrade to version 5.0.2.11 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0160 V0007521   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G534
IA Controls: DCSQ-1, VIVM-1
PDI Description: IBM WebSphere Application Server Administrative Console buffer overflow vulnerability.
Reference: IAVA 2005-T-0017

31. IAVA0165 2002-T-0009 Rpc.walld Service

Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1: 112891-01
Solaris 5.5.1_x86: 112892-01
Solaris 5.6: 112893-01
Solaris 5.6_x86: 112894-01
Solaris 5.7: 112899-01
Solaris 5.7_x86: 112900-01
Solaris 5.8: 112846-01
Solaris 5.8_x86: 112847-01
Solaris 5.9: 112875-01
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0165 V0002853   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G535
IA Controls: DCSQ-1, VIVM-1
PDI Description: The Solaris rpc.rwall daemon service has a message format string vulnerability.
Reference: IAVA 2002-T-0009

32. IAVA0170 2005-T-0024 Sun JRE Privilege Escalation Vulnerability

Vulnerable Systems:
Blackdown Java 2 Runtime Environment 1.4.1
Blackdown Java 2 Runtime Environment 1.4.2
Blackdown Java 2 Runtime Environment 1.4.2-01
Blackdown Java 2 Standard Edition SDK 1.4.1
Blackdown Java 2 Standard Edition SDK 1.4.2
Blackdown Java 2 Standard Edition SDK 1.4.2-01
Conectiva Linux 10.0.0
Gentoo Linux
S.u.S.E. Linux Desktop 1.0.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Enterprise Server for S/390 9.0.0
S.u.S.E. Linux Personal 8.2.0
S.u.S.E. Linux Personal 9.0.0
S.u.S.E. Linux Personal 9.0.0 x86_64
S.u.S.E. Linux Personal 9.1.0
S.u.S.E. Linux Personal 9.1.0 x86_64
S.u.S.E. Linux Personal 9.2.0
S.u.S.E. Linux Personal 9.2.0 x86_64
S.u.S.E. Linux Personal 9.3.0
S.u.S.E. Linux Personal 9.3.0 x86_64
S.u.S.E. Linux Professional 8.2.0
S.u.S.E. Linux Professional 9.0.0
S.u.S.E. Linux Professional 9.0.0 x86_64
S.u.S.E. Linux Professional 9.1.0
S.u.S.E. Linux Professional 9.1.0 x86_64
S.u.S.E. Linux Professional 9.2.0
S.u.S.E. Linux Professional 9.2.0 x86_64
S.u.S.E. Linux Professional 9.3.0
S.u.S.E. Linux Professional 9.3.0 x86_64
S.u.S.E. Novell Linux Desktop 9.0.0
S.u.S.E. Open-Enterprise-Server 9.0.0
Slackware Linux -current
Slackware Linux 8.1.0
Slackware Linux 9.0.0
Slackware Linux 9.1.0
Slackware Linux 10.0.0
Slackware Linux 10.1.0
Sun Java 2 Runtime Environment 1.4.2
Sun Java 2 Runtime Environment 1.4.2_01
Sun Java 2 Runtime Environment 1.4.2_02
Sun Java 2 Runtime Environment 1.4.2_03
Sun Java 2 Runtime Environment 1.4.2_04
Sun Java 2 Runtime Environment 1.4.2_05
Sun Java 2 Runtime Environment 1.4.2_06
Sun Java 2 Runtime Environment 1.4.2_07
Sun Java 2 Runtime Environment 1.5.0
Sun Java 2 Runtime Environment 1.5.0.0_01
Sun Java 2 Standard Edition SDK 1.4.2
Sun Java 2 Standard Edition SDK 1.4.2_01
Sun Java 2 Standard Edition SDK 1.4.2_02
Sun Java 2 Standard Edition SDK 1.4.2_03
Sun Java 2 Standard Edition SDK 1.4.2_04
Sun Java 2 Standard Edition SDK 1.4.2_05
Sun Java 2 Standard Edition SDK 1.4.2_06
Sun Java 2 Standard Edition SDK 1.4.2_07
Sun Java 2 Standard Edition SDK 1.5.0
Sun Java 2 Standard Edition SDK 1.5.0.0_01
Compliance Checking:
To determine the version of Java on a system, run one of the following commands:
# java -fullversion
Or
# java -version
The version for 1.5 systems should be at least 1.5.0_02. The version for 1.4.2 systems should be at least 1.4.2_08.
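The BIND check (IAVA0120) and the Java check above both compare a reported version against a branch-specific minimum (8.4.6+ or 9.3.1+ for BIND; 1.4.2_08+ or 1.5.0_02+ for Java). The following POSIX shell example is added here and is not part of the checklist or its scripts; the function names and the sample tool output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the checklist): evaluate a reported version against the
# branch-specific minimum required by IAVA0120 (BIND) and IAVA0170 (Java).
# Exit status 0 means compliant, 1 means "this is a finding".

# version_ge A B -> true when dotted version A is >= B, comparing each numeric
# field in turn. "_" is treated like "." so Java's 1.4.2_08 becomes 1.4.2.08.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/_/, ".", a); gsub(/_/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# bind_finding VERSION -> 0 when the BIND version is 8.4.6 or later on the 8.x
# branch, or 9.3.1 or later on the 9.x branch. Other branches are not named by
# IAVA0120, so they pass this particular check.
bind_finding() {
    case "$1" in
        8.*) version_ge "$1" 8.4.6 ;;
        9.*) version_ge "$1" 9.3.1 ;;
        *)   return 0 ;;
    esac
}

# java_finding VERSION -> 0 when a 1.4.2 JRE is at least 1.4.2_08 or a 1.5 JRE
# is at least 1.5.0_02 (the thresholds stated under IAVA0170).
java_finding() {
    case "$1" in
        1.4.2*) version_ge "$1" 1.4.2_08 ;;
        1.5*)   version_ge "$1" 1.5.0_02 ;;
        *)      return 0 ;;
    esac
}

# parse_named_version LINE -> prints the version from a "named -v" line such as
# "BIND 9.3.0" (constructed sample; real output may carry extra text after it).
parse_named_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p'
}

# parse_java_version LINE -> prints the quoted version from a "java -version"
# line such as: java version "1.4.2_08" (constructed sample).
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# report LABEL VERSION CHECK -> prints the verdict the check function returns.
report() {
    if "$3" "$2"; then printf '%s %s: compliant\n' "$1" "$2"
    else printf '%s %s: FINDING\n' "$1" "$2"; fi
}

# Walk through constructed sample output from each tool.
report BIND "$(parse_named_version 'BIND 9.3.0')" bind_finding
report BIND "$(parse_named_version 'BIND 8.4.6')" bind_finding
report Java "$(parse_java_version 'java version "1.4.2_07"')" java_finding
report Java "$(parse_java_version 'java version "1.5.0_02"')" java_finding
```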
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0170 V0007522   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: MAN   Previously: G536
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is a Sun JRE Privilege Escalation Vulnerability.
Reference: IAVA 2005-T-0024

33. IAVA0175 2002-T-0011 OpenSSH Challenge Response

Vulnerable Systems:
OpenSSH: Versions 2.3.1p1 through version 3.3 are vulnerable.
OpenLinux 3.1.1 Server prior to and including openssh-3.2.3p1-2
OpenLinux 3.1.1 Workstation prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Server prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Workstation prior to and including openssh-3.2.3p1-2
Conectiva Linux 6.0, 7.0, 8
Debian
FreeBSD
HP-UX Secure Shell A.03.10
HP-UX 11.11
HP-UX 11.0
Mandrake 7.1, 7.2, 8.0, 8.1, 8.2
Mandrake Corporate Server 1.0.1, Single Network Firewall 7.2
NetBSD-1.6_BETAx
NetBSD-1.5.2
NetBSD-1.5.1
NetBSD-1.5
OpenBSD
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
SuSE
Trustix Secure Linux 1.1, 1.2, 1.5
Compliance Checking:
OpenSSH versions 2.9.9 through 3.3 are vulnerable if the challenge response handling mechanism is
enabled. Versions 2.3.1p1 through 3.3 are susceptible to the vulnerability involving the PAM module using
interactive keyboard authentication.
To determine the version:
# ssh -V
If the version of OpenSSH is less than 3.4, find and view the sshd_config file to make sure the
KbdInteractiveAuthentication and ChallengeResponseAuthentication options are set to no. If either one is yes,
or if the options are not in the sshd_config file, then this is a finding.
For SUN SSH distributed with Solaris 9:
The version of OpenSSH that is in Solaris 9 is not believed to be vulnerable if the default configuration is used. If
sshd_config(4) has been updated so that BOTH of the following entries are present, then it is vulnerable:
PAMAuthenticationViaKBDInt yes
KbdInteractiveAuthentication yes
Use the procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
Solaris 5.9: 113273-01
Solaris 5.9x86: 114858-01
RedHat: openssh-3.1p1-5.src.rpm
SuSE: openssh-3.3p1-6.src.rpm
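The sshd_config rules stated above (both options present and set to no for OpenSSH below 3.4; both PAMAuthenticationViaKBDInt and KbdInteractiveAuthentication set to yes marks Sun SSH vulnerable) can be applied to a configuration file mechanically. The following POSIX shell example is added here and is not part of the checklist or its scripts; the function names and the sample configuration fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the checklist): apply the IAVA0175 sshd_config rules to
# a configuration file. Exit status 0 = compliant, 1 = "this is a finding".
# Function names and the sample configurations below are constructed.

# sshd_option FILE KEYWORD -> prints the value of the first non-comment line
# whose keyword matches (sshd keywords are case-insensitive and sshd honours the
# first occurrence), lower-cased; prints nothing when the option is absent.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# openssh_version LINE -> extracts "3.3p1" from a "ssh -V" banner such as
# "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" (constructed sample).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^,[:space:]]*\).*/\1/p'
}

# openssh_below_3_4 VERSION -> true when the version is earlier than 3.4
# (accepts portable suffixes such as 3.3p1). An unparseable major version is
# treated as "not below 3.4" and therefore left for manual review.
openssh_below_3_4() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -lt 4 ]; }
}

# iava0175_openssh VERSION FILE -> 0 compliant / 1 finding.
# For OpenSSH below 3.4, both KbdInteractiveAuthentication and
# ChallengeResponseAuthentication must be present and set to "no"; a "yes" or
# a missing option is a finding, exactly as the check states.
iava0175_openssh() {
    openssh_below_3_4 "$1" || return 0
    [ "$(sshd_option "$2" KbdInteractiveAuthentication)" = no ] &&
    [ "$(sshd_option "$2" ChallengeResponseAuthentication)" = no ]
}

# iava0175_sunssh FILE -> 0 compliant / 1 finding.
# Sun SSH on Solaris 9 is vulnerable only when BOTH PAMAuthenticationViaKBDInt
# and KbdInteractiveAuthentication are set to "yes".
iava0175_sunssh() {
    if [ "$(sshd_option "$1" PAMAuthenticationViaKBDInt)" = yes ] &&
       [ "$(sshd_option "$1" KbdInteractiveAuthentication)" = yes ]; then
        return 1
    fi
    return 0
}

# Demonstration on constructed sshd_config fragments written to a temp dir.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Port 22\nChallengeResponseAuthentication no\nKbdInteractiveAuthentication no\n' > "$dir/hardened"
    printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\nKbdInteractiveAuthentication no\n' > "$dir/weak"
    printf 'PAMAuthenticationViaKBDInt yes\nKbdInteractiveAuthentication yes\n' > "$dir/sunssh"
    ver=$(openssh_version 'OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f')
    for f in hardened weak; do
        if iava0175_openssh "$ver" "$dir/$f"; then echo "OpenSSH $ver $f: compliant"
        else echo "OpenSSH $ver $f: FINDING"; fi
    done
    if iava0175_sunssh "$dir/sunssh"; then echo "Sun SSH: compliant"
    else echo "Sun SSH: FINDING"; fi
    rm -rf "$dir"
}
demo
```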

Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0175 V0002926   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G537
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are vulnerabilities in the OpenSSH Challenge Response Handling routine.
Reference: IAVA 2002-T-0011

34. IAVA0180 2005-T-0025 Vulnerabilities in Adobe Reader

Vulnerable Systems:
Adobe Acrobat Reader (UNIX) 5.0.9
Adobe Acrobat Reader (UNIX) 5.0.10
Linux (all versions)
Solaris (all versions)
HP-UX (all versions)
IBM-AIX (all versions)
Compliance Checking:
To determine the version, perform the following:
1. Launch Acrobat Reader by executing /bin/acroread
2. Select the "help" menu option, and
3. Select "about Acrobat Reader."
Linux and Solaris Platforms: Update to Adobe Reader 7.0.1
IBM-AIX and HP-UX Platforms: Update to Adobe Acrobat Reader 5.0.11
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0180 V0007525   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G538
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Adobe Acrobat/Adobe Reader Software.
Reference: IAVA 2005-T-0025

35. IAVA0185 2005-T-0027 MIT Kerberos Multiple Vulnerabilities

Vulnerable Systems:
All MIT Kerberos 5 releases up to and including krb5-1.4.1 are vulnerable. Third party application servers
employing Kerberos 5 may be vulnerable as well.
Compliance Checking:
To determine the Kerberos version:
# strings libkrb5.so | grep BRAND
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.8: 112237-13
Solaris 5.8_x86: 112240-10
Solaris 5.9: 112908-20
Solaris 5.9_x86: 115168-08
Solaris 5.10: 120469-01
Solaris 5.10_x86: 120470-01
RedHat: krb5-workstation-1.4.1-5.i386.rpm
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0185 V0007523   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G539
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a MIT Kerberos vulnerability that causes a denial of service.
Reference: IAVA 2005-T-0027

36. IAVA0190 2005-T-0033 Adobe Reader Buffer Overflow

Vulnerable Systems:
Adobe Acrobat
Adobe Acrobat 5.0.0
Adobe Acrobat 5.0.5
Adobe Acrobat 6.0.0
Adobe Acrobat 6.0.1
Adobe Acrobat 6.0.2
Adobe Acrobat 6.0.3
Adobe Acrobat 7.0.0
Adobe Acrobat 7.0.1
Adobe Acrobat 7.0.2
Adobe Acrobat Reader
Adobe Acrobat Reader 5.1.0
Adobe Acrobat Reader 6.0.0
Adobe Acrobat Reader 6.0.1
Adobe Acrobat Reader 6.0.2
Adobe Acrobat Reader 6.0.3
Adobe Acrobat Reader 7.0.0
Adobe Acrobat Reader 7.0.1
Adobe Acrobat Reader 7.0.2
Adobe Acrobat Reader (UNIX) 7.0.0
Compliance Checking:
To determine the version, perform the following:
1. Launch Acrobat Reader by executing /bin/acroread
2. Select the "help" menu option, and
3. Select "about Acrobat Reader."
The version for all UNIX systems should be at least 7.0.1.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0190 V0007524   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G540
IA Controls: DCSQ-1, VIVM-1
PDI Description: Adobe Acrobat and Adobe Reader remote buffer overflow vulnerability.
Reference: IAVA 2005-T-0033

37. IAVA0195 2002-T-0012 CDE Vulnerability

Vulnerable Systems:
All UNIX operating systems running CDE ToolTalk
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
SOLARIS
Solaris 2.5.1: 104489-15
Solaris 2.5.1_x86: 105496-13
Solaris 2.6: 105802-19
Solaris 2.6x86: 105803-21
Solaris 2.7: 107893-20
Solaris 2.7x86: 107894-19
Solaris 2.8: 110286-10
Solaris 2.8x86: 110287-10
Solaris 2.9: 112808-03
HP-UX
HP-UX 10.10: Replace daemon
HP-UX 10.20: PHSS_27426
HP-UX 11.00: PHSS_27427
HP-UX 11.11: Replace daemon
IRIX
IRIX 6.2 - 6.5.2: Patch 4799
IRIX 6.5.3.1.1: Patch 4799
AIX
AIX 4.3.3: IY32368
AIX 5.1.1: IY32370
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0195 V0002972   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G541
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in the Common Desktop Environment Tooltalk database server,
rpc.ttdbserverd.
Reference: IAVA 2002-T-0012

38. IAVA0210 2005-T-0038 Java System Server JAR Disclosure

Vulnerable Systems:
SPARC Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch
119169-01 or (SVR4) patch 119166-06
x86 Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch
119170-01 or (SVR4) patch 119167-06
Linux Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch
119171-01 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-05
Compliance Checking:
To determine the version of Sun Java System Application Server, the following command can be run:
# <AS_INSTALL>/bin/asadmin version --verbose
(Where <AS_INSTALL> is the installation directory of the Application Server)
Perform procedures in Appendix F, Patch Control, to check for one of the patches:
SPARC Platform: 119169-01 or 119166-06
x86 Platform: 119170-01 or 119167-06
Linux: 119171-01 or 119168-05
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0210 V0007527   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G544
IA Controls: DCSQ-1, VIVM-1
PDI Description: Sun Java System Application Server information disclosure vulnerability.
Reference: IAVA 2005-T-0038

39. IAVA0215 2002-A-0004 OpenSSL Vulnerability

Vulnerable Systems:
Any product using one of the following:
OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
SSLeay library
Compliance Checking:
Locate the binary openssl:
# find / -name openssl
# ./openssl version
The required version must be 0.9.6e or 0.9.7-beta3 or higher.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0215 V0003246   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G545
IA Controls: DCSQ-1, VIVM-1
PDI Description: OpenSSL has multiple vulnerabilities.
Reference: IAVA 2002-A-0004

40. IAVA0225 2002-B-0003 PHP Vulnerabilities

Vulnerable Systems:
PHP 3.0.10-3.0.18
PHP 4.0.1-4.0.3pl1
PHP 4.0.2-4.0.5
PHP 4.0.6-4.0.7RC2
PHP 4.0.7RC3-4.1.1
PHP 4.2.0 and 4.2.1
Compliance Checking:
Locate the directory where the web server html documents are stored. Create a file by:
# echo '<? phpinfo(); ?>' > fso.php
Direct a web browser to http://localhost/fso.php and examine the screen for the version. Under the HTTP
Response Headers, the X-Powered-By row will show the PHP version.
Or
# php -v
The required version is PHP-4.2.3 or higher.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0225 V0003247   Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G547
IA Controls: DCSQ-1, VIVM-1
PDI Description: The Hypertext Preprocessor - PHP versions 4.2.0 and 4.2.1 - has multiple vulnerabilities.
Reference: IAVA 2002-B-0003

41. IAVA0235 2002-T-0015 XDR-Libraries

Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
HP-UX 10.01
HP-UX 10.10
HP-UX 10.20
HP-UX 11.00
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1: 103640-42
Solaris 5.5.1_x86: 103641-42
Solaris 5.6: 105401-39 PLUS 106639-07
Solaris 5.6_x86: 105402-39 PLUS 106640-07
Solaris 5.7: 106942-22 PLUS 108451-06
Solaris 5.7_x86: 106943-22 PLUS 108452-06
Solaris 5.8: 108827-30 (Obsoleted by 108993-18) PLUS 108901-06 (Obsoleted by 108528-24)
Solaris 5.8_x86: 108828-31 (Obsoleted by 108994-18) PLUS 108902-05 (Obsoleted by 108529-24)
Solaris 5.9: 113319-01 PLUS 112233-02
HP-UX 10.01: Patch will not be available; upgrade to 11.0 or higher
HP-UX 10.10: Patch will not be available; upgrade to 11.0 or higher
HP-UX 10.20: PHNE_25234
HP-UX 11.00: PHNE_26387
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0235 V0003248   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO   Previously: G549
IA Controls: DCSQ-1, VIVM-1
PDI Description: Sun remote procedure call (Sun-Rpc) derived external data representation (XDR) libraries
contain an integer overflow vulnerability.
Reference: IAVA 2002-T-0015

42. IAVA0245 2002-T-0016 KAdmind

Vulnerable Systems:
Conectiva Linux 8.0 running MIT Kerberos 5 1.2.3
Debian GNU/Linux 3.0
FreeBSD 4.4
FreeBSD 4.5
FreeBSD 4.6
FreeBSD 4.7
Kerberos 4 Release 1.2
Kerberos 5
MandrakeSoft 8.1
MandrakeSoft 8.2
MandrakeSoft 9.0
MIT Kerberos 5, up to and including krb5-1.2.6.
All Kerberos 4 implementations derived from MIT Kerberos 4
OpenBSD 3.0
OpenBSD 3.1
OpenBSD 3.2
Red Hat 6.2
Red Hat 7.0
Red Hat 7.1
Red Hat 7.2
Red Hat 7.3
Red Hat 8.0
Compliance Checking:
The version of Kerberos can be checked either with:
# krb5-config --version
Or
# strings libkrb5.so | grep -i brand
The version must be 1.2.5-7 or higher.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0245 V0003329   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G551
IA Controls: DCSQ-1, VIVM-1
PDI Description: Kadmind has a remote buffer overflow vulnerability.
Reference: IAVA 2002-T-0016

43. IAVA0250 2005-A-0019 Oracle Applications Vulnerabilities

Vulnerable Systems:
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Workflow, versions 11.5.1 through 11.5.9.5
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle Database Server, Oracle Application Server, or Oracle HTTP Server is/are listed,
then expand the Oneoffs selection and view the installed patches.
Please ensure one of the below mentioned patches is installed:
3966175
4074867
Note: Repeat for each Oracle installation.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0250 V0007534   Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: MAN   Previously: G552
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Oracle E-Business and Applications Suite.
Reference: IAVA 2005-A-0019

44. IAVA0255 2002-T-0017 X Font Server

Vulnerable Systems:
Solaris 5.6
Solaris 5.6x86
Solaris 5.7
Solaris 5.7x86
Solaris 5.8
Solaris 5.8x86
Solaris 5.9
HP-UX 10.20
HP-UX 11.0
HP-UX 11.11
HP-UX 11.12
AIX 4.3.3
AIX 5.1.0
AIX 5.2.0
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check for these patches or versions:
Solaris 5.6: 108129-05
Solaris 5.6x86: 108130-05
Solaris 5.7: 108117-06
Solaris 5.7x86: 108118-06
Solaris 5.8: 109862-03
Solaris 5.8x86: 109863-03
Solaris 5.9: 113923-02
HP-UX 10.20: PHSS_28468
HP-UX 11.0: PHSS_28469
HP-UX 11.11: PHSS_28470
HP-UX 11.12: PHSS_28471
AIX 4.3.3: IY37888
AIX 5.1.0: IY37886
AIX 5.2.0: IY37889
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0255 V0003434   Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART   Previously: G553
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is an X Font server buffer overflow vulnerability.
Reference: IAVA 2002-T-0017

45. IAVA0260 2005-A-0034 Oracle Applications Vulnerabilities

Vulnerable Systems:
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Workflow, versions 11.5.1 through 11.5.9.5
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This ensures the environment variables are set
correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller

When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle Database Server, Oracle Application Server, or Oracle HTTP Server is listed,
expand the Oneoffs selection and view the installed patches.
Ensure that one of the following patches is installed:
3904641
4613714
Note: Repeat for each Oracle installation.


Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0260V0007535 Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: MAN
Previously: G554
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Oracle E-Business and Applications Suite.
Reference: IAVA 2005-A-0034

46. IAVA0270 2000-B-0008 BIND 8.2.2-P6 DoS Vulnerabilities

Vulnerable Systems:
Caldera OpenLinux Desktop 2.3
Caldera UnixWare 7.1.1
Conectiva Linux 6.0
Conectiva Linux 5.1
Conectiva Linux 5.0
Conectiva Linux 4.2
Conectiva Linux 4.1
Conectiva Linux 4.0 es
Conectiva Linux 4.0
Debian Linux 2.3
Debian Linux 2.2
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.0
MandrakeSoft Linux Mandrake 6.1
MandrakeSoft Linux Mandrake 6.0
MandrakeSoft Single Network Firewall 7.2
RedHat Linux 7.0 J
RedHat Linux 6.2
RedHat Linux 6.1
RedHat Linux 6.0
RedHat Linux 5.2
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.0
SCO eDesktop 2.4
SCO eServer 2.3
Trustix Trustix Secure Linux 1.1
Trustix Trustix Secure Linux 1.0
Compliance Checking:
To examine the version number of named, perform:
# find / -name named
# find / -name in.named
# what in.named/named | grep -i version
# strings in.named/named | grep -i version
(in.named/named stands for the path of the daemon returned by find.)
BIND 8.2.2 through 8.2.2-P6 is vulnerable; BIND 8.2.2-P7 and 8.2.3 are not vulnerable.
Upgrade to BIND 8.2.3 or later.
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0270V0007528 Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G556
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of BIND is installed.
Reference: IAVA 2000-B-0008

47. IAVA0275 2001-A-0001 Buffer Overflows in ISC BIND

Vulnerable Systems:
BIND 8.2.2
BIND 4.9.5 - 4.9.7
BIND 4.9.3 - 4.9.5-P1
Compliance Checking:
To examine the version number of named, perform:
# find / -name named
# find / -name in.named
# what in.named/named | grep -i version
# strings in.named/named | grep -i version
# named -v
# named -d0
Users of BIND 4.9.x or 8.2.2 must upgrade to BIND 8.2.3 or later, or BIND 9.1 or later.
Because BIND 4 is no longer actively maintained, BIND 4 users must upgrade to either BIND 8.2.3 or later, or
BIND 9.1 or later.
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0275V0007529 Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G557
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of BIND is installed.
Reference: IAVA 2001-A-0001

48. IAVA0280 2002-A-0006 Multiple Vulnerabilities in ISC BIND 4 and 8

Vulnerable Systems:
BIND versions 4.9.2 to 4.9.10
BIND versions 8.1
BIND versions 8.2 to 8.2.6
BIND versions 8.3.0 to 8.3.3
Conectiva Linux 6.0
Debian Linux 3.0
Debian Linux 2.2
Secure Linux 1.0.1
FreeBSD 4.4, 4.5, 4.6, 4.7
Mandrake Linux 7.2
OpenBSD 3.0, 3.1, 3.2
OpenPKG 1.0, 1.1
Openwall GNU/*/Linux
SuSE 7.0, 7.1, 7.2, 7.3, 8.0, 8.1
SuSE Linux Database Server
SuSE eMail Server III, 3.1
SuSE Firewall
SuSE Linux Enterprise Server for S/390
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Trustix Secure Linux 1.5
Trustix Secure Linux 1.2
Compliance Checking:
To examine the version number of named, perform:
# find / -name named
# find / -name in.named
# what in.named/named | grep -i version
# strings in.named/named | grep -i version
# named -v
# named -d0
Upgrade to BIND 8.4.6 or later, or 9.2.1 or later.


Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0280V0007530 Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G558
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of BIND is installed.
Reference: IAVA 2002-A-0006

49. IAVA0285 2003-B-0001 DNS Vulnerabilities Various Libraries

Vulnerable Systems:
Caldera
Compaq
Conectiva
Debian
Engarde
FreeBSD
GNU
Hewlett-Packard (HP)
IBM AIX
Internet Software Consortium (ISC) BIND
Mandrake
NetBSD
OpenBSD
Red Hat
SCO
Sun Microsystems
Trustix
Compliance Checking:
To examine the version number of named, perform:
# find / -name named
# find / -name in.named
# what in.named/named | grep -i version
# strings in.named/named | grep -i version

Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris
Solaris 2.5.1        103663-19
Solaris 2.5.1_x86    103664-19
Solaris 2.6          105755-12
Solaris 2.6_x86      105756-12
Solaris 7            106938-06
Solaris 7_x86        106939-06
Solaris 8            109326-09
Solaris 8_x86        109327-09
Solaris 9            112970-02
HP-UX
HP-UX 10.10          PHNE_27792
HP-UX 10.20          PHNE_27792
HP-UX 11.0           PHNE_27793
HP-UX 11.04          PHNE_28415
HP-UX 11.11          PHNE_27794
AIX
AIX 4.3              ISC BIND 8.2.2 p5
AIX 4.3.1            ISC BIND 8.2.2 p5
AIX 4.3.2            ISC BIND 8.2.2 p5
AIX 4.3.3            ISC BIND 8.2.2 p5
AIX 5.1
glibc 2.1.1-2.1.6
glibc 2.1.1-2.1.6
Red Hat
glibc-2.1.3-24.rpm
bind-9.2.1-0.6x.3.rpm

Remediation Guidelines:

Apply the applicable patch, upgrade to, at the least, the required software release, or remove the
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0285V0003609 Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G559
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple buffer overflow vulnerabilities in various DNS libraries.
Reference: IAVA 2003-B-0001

50. IAVA0295 2003-T-0001 Multiple SSH Vulnerabilities

Vulnerable Systems:
F-Secure SSH versions 3.1.0 build 11 and earlier
Pragma SecureShell 2.0
Compliance Checking:
To determine the ssh version:
# ssh -V
Pragma Secure Shell: upgrade to 3.0.
F-Secure: upgrade to a release higher than 3.1.0 build 11.

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0295V0003612 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G561
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple SSH vulnerabilities.
Reference: IAVA 2003-T-0001

51. IAVA0305 2003-T-0002 Solaris UUCP

Vulnerable Systems:
Solaris 8
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.8_x86      111571-04
Solaris 5.8          111570-04

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0305V0003613 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G563
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is a Solaris UUCP local buffer overflow vulnerability.
Reference: IAVA 2003-T-0002

52. IAVA0310 2005-T-0043 SMC HTTP TRACE Vulnerability

Vulnerable Systems:
Solaris 10.0 _x86
Solaris 10.0
Solaris 9.0 _x86
Solaris 9.0
Solaris 8.0 _x86
Solaris 8.0
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris 5.8          111313-03
Solaris 5.8_x86      111314-03
Solaris 5.9          116807-02
Solaris 5.9_x86      116808-02
Solaris 5.10         121308-01
Solaris 5.10_x86     121309-01

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0310V0007544 Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G564
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is an SMC HTTP TRACE information disclosure vulnerability.
Reference: IAVA 2005-T-0043

53. IAVA0315 2003-T-0004 Oracle 9i Vulnerabilities

Vulnerable Systems:
Oracle 9i Release 9.0.2 and 9.0.3
Compliance Checking:
Switch user to an account used for Oracle installations. This ensures the environment variables are set
correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home to find the version.
Note: Repeat for each Oracle installation.
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0315V0003616 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G567
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Oracle 9i Application Server.
Reference: IAVA 2003-T-0004

54. IAVA0320 2003-T-0007 Sun XDR Library Buffer Overflow

Vulnerable Systems:
Debian with Kerberos krb4 and krb5
EnGarde 1.0.1
FreeBSD 4.6, 4.7, 5.0
GNU glibc versions 2.2 - 2.2.5, 2.1.3
HP-UX with Kerberos - 9000/700 and 9000/800 series 10.20, 11.00, 11.04, 11.11, and 11.22
NETBSD 1.4 - 1.5.3
Red Hat Linux 6.2 - i386, 7.0 - i386 i686, 7.1 - i386 i686, 7.2 - i386 i686 ia4, 7.3 - i386 i686, 8.0 - i386
i686
Sun Solaris 2.5.1 - 9.0 both sparc and x86
Trustix 1.1 1.2 and 1.5
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris
Solaris 5.6          105401-44
Solaris 5.6_x86      105402-44
Solaris 5.7          106942-27
Solaris 5.7_x86      106943-27
Solaris 5.8          108993-18
Solaris 5.8_x86      108994-18
Solaris 5.9          113319-11
Solaris 5.9_x86      113719-04
HP-UX
B.10.20              PHCO_26158 or PHCO_31920
B.10.24              PHCO_27882 or PHNE_30377 or PHNE_30660 or PHNE_31096
B.11.00              PHNE_28567 or PHNE_28982 or PHNE_29210 or PHNE_29785 or PHNE_29882 or PHNE_30377 or
                     PHNE_30660 or PHNE_31096
B.11.11              PHNE_28568 or PHNE_28983 or PHNE_29211 or PHNE_29783 or PHNE_29883 or PHNE_30378 or
                     PHNE_30380 or PHNE_30661
Red Hat
6.2                  glibc-2.1.3-29.i386.rpm
7.0                  glibc-2.2.4-18.7.0.9.i386.rpm
7.1                  glibc-2.2.4-32.i386.rpm
7.2                  glibc-2.2.4-32.i386.rpm
7.3                  glibc-2.2.5-43.i386.rpm
8.                   glibc-2.3.2-4.80.i386.rpm
9.                   krb5-libs-1.2.7-14.i386.rpm
SuSE
1.                   glibc-2.2-26.i386.rpm
2.                   glibc-2.2.2-68.i386.rpm
3.                   glibc-2.2.4-78.i386.rpm
8.0                  glibc-2.2.5-177.i386.rpm
8.1                  glibc-2.2.5-177.i686.rpm
IRIX
6.5.15m              4986
6.5.15f              4987
6.5.16m              4988
6.5.16f              4989
6.5.17m              4990
6.5.17f              4991
6.5.18m              5014
6.5.18f              5015
6.5.19m              4992
6.5.19f              4993
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0320V0003615 Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G569
IA Controls: DCSQ-1, VIVM-1
PDI Description: The Sun XDR Library has an integer overflow vulnerability.
Reference: IAVA 2003-T-0007

55. IAVA0330 2003-B-0003 Sendmail - Memory Corruption Vulnerability

Vulnerable Systems:
Sendmail Versions 8.12.8 and earlier
Conectiva Linux 9.0
Conectiva Linux 8.0
Conectiva Linux 7.0
Conectiva Linux 6.0
Debian Linux 3.0
FreeBSD 5.0
FreeBSD 4.7
FreeBSD 4.6
HP TRU64 5.1
HP-UX 10.10
HP-UX 10.20
HP-UX 11.00
HP-UX 11.04
HP-UX 11.11
HP-UX 11.22
ImmunixOS 6.2
ImmunixOS 7.0
ImmunixOS 7+
AIX 4.3.3
AIX 5.1.0
AIX 5.2.0
MandrakeSoft Linux Mandrake 9.1
NetBSD 1.6
NetBSD 1.5.3
NetBSD 1.5.2
NetBSD 1.5.1
NetBSD 1.5
OpenBSD 3.2
OpenBSD 3.1
OpenPKG Current
OpenPKG 1.2
OpenPKG 1.1
Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9.0
OpenLinux 3.1.1
OpenLinux 3.1
UnixWare 7.1.3
Open UNIX 8.0.0
IRIX 6.5.15
IRIX 6.5.16
IRIX 6.5.17
IRIX 6.5.18
IRIX 6.5.19
Solaris 2.6
Solaris 7
Solaris 8
Solaris 9
SuSE Linux 7.1, 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Slackware 8.0
Slackware 8.1
Slackware 9.0

Compliance Checking:
To determine the version of sendmail, use the following command:
# sendmail -d0 -bt < /dev/null | grep -i Version
Systems running a sendmail version below 8.12.9 without the vendor patch are affected.
Upgrade to 8.12.9 or check for the following patches using Appendix F:
Solaris
Solaris 2.6          105395-09
Solaris 2.6_x86      105396-09
Solaris 7            107684-09
Solaris 7_x86        107685-09
Solaris 8            110615-09
Solaris 8_x86        110616-09
Solaris 9            113575-04
Solaris 9_x86        114137-03
HP-UX
If a fix has been installed, the following command will list a 'version.c' line:
# what /usr/sbin/sendmail | grep JAGae58098
Install HPSecurityBul246.depot with swinstall for all versions.
Red Hat
Red Hat Linux 6.2    sendmail-8.11.6-1.62.3.i386.rpm
Red Hat Linux 7.0    sendmail-8.11.6-25.70.i386.rpm
Red Hat Linux 7.1    sendmail-8.11.6-25.71.i386.rpm
Red Hat Linux 7.2    sendmail-8.11.6-25.72.i386.rpm
Red Hat Linux 7.3    sendmail-8.11.6-25.73.i386.rpm
Red Hat Linux 8.0    sendmail-8.12.8-5.80.i386.rpm
Red Hat Linux 9      sendmail-8.12.8-5.90.i386.rpm
AIX
AIX 4.3.3            IY42629
AIX 5.1.0            IY42630
AIX 5.2.0            IY42631
SuSE
SuSE-7.1             sendmail-8.11.2-45.i386.rpm
SuSE-7.2             sendmail-8.11.3-108.i386.rpm
SuSE-7.3             sendmail-8.11.6-164.i386.rpm
SuSE-8.0             sendmail-8.12.3-75.i386.rpm
SuSE-8.1             sendmail-8.12.6-109.i586.rpm
IRIX
All Versions         patch #5045

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0330V0003681 Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G575
IA Controls: DCSQ-1, VIVM-1
PDI Description: Sendmail memory corruption vulnerability.
Reference: IAVA 2003-B-0003

56. IAVA0335 2003-T-0015 PDF Writers

Vulnerable Systems:
Adobe Acrobat Reader (UNIX) 5.0.0 6
Xpdf Xpdf 1.0.0 1
MandrakeSoft Linux Mandrake 7.2.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.2.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9
Sun Linux 5.0 (LX50) with xpdf-0.92-9 or earlier
Compliance Checking:
For both Red Hat and Sun Linux systems:
# rpm -qa | grep xpdf
Apply the appropriate rpm for the operating system version contained in the IAVA.
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0335V0003739 Category: II
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G577
IA Controls: DCSQ-1, VIVM-1
PDI Description: A PDF viewer has a hyperlink arbitrary command vulnerability.
Reference: IAVA 2003-T-0015

57. IAVA0345 2003-T-0018 Real Networks Helix Server

Vulnerable Systems:
Helix Universal Server 9
Real Server 5
Real Server 6
Real Server 7
Real Server 9
Real Server G2
Compliance Checking:
Use the following command to verify whether the Real Server plug-in is installed:
# find / -name '*vsrcplin.so*'
If the find returns either vsrcplin.so.9.0 or vsrcplin.so.6.0, this is a finding. Versions prior to
9.0.2.802 are affected, including Helix Universal Server 9, RealSystem Server 8, 7, and RealServer G2.
Upgrade to the latest software.

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0345V0003886 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G579
IA Controls: DCSQ-1, VIVM-1
PDI Description: The RealNetworks Helix Server is vulnerable.
Reference: IAVA 2003-T-0018

58. IAVA0350 2003-T-0020 OpenSSH Prior to 3.7.1

Vulnerable Systems:
Systems running versions of OpenSSH prior to 3.7.1
Systems that use or derive code from vulnerable versions of OpenSSH
Compliance Checking:
If Secure Shell is running, verify it is OpenSSH. If it is OpenSSH, check the version by locating the ssh
command and performing:
# ./ssh -V
The command will return the version. If it is less than 3.7.1, this is a finding.
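The version lookups in items 46 through 49 (named), item 55 (sendmail -d0) and this item (ssh -V) all end in the same decision: compare the version the command printed with the first fixed release. The shell script below is an added example and is not part of this checklist; it makes that comparison without eyeballing the output. Every line of command output it evaluates is constructed, and the thresholds are the ones each item states (8.2.2-P7, 8.2.3/9.1 or 8.4.6/9.2.1 for named, 8.12.9 for sendmail, 3.7.1 for OpenSSH).

```shell
#!/bin/sh
# Added example, not part of the checklist: turns the manual version lookups
# for named (items 46-49), sendmail (item 55) and OpenSSH (item 58) into
# pass/fail decisions. All sample command output below is constructed.

# Compare two dotted numeric versions component by component.
# Exit 0 when $1 >= $2, 1 otherwise; missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Pull the first dotted version out of a line of command output.
# A BIND patch level such as "-P6" becomes a fourth component ("8.2.2.6"),
# so 8.2.2-P7 compares above 8.2.2-P6 and below 8.2.3. The lowercase "p2"
# of an OpenSSH portable build is a packaging suffix, not a fix level,
# and is deliberately left out.
extract_version() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+(\.[0-9]+)+(-P[0-9]+)?/) {
            v = substr($0, RSTART, RLENGTH); sub(/-P/, ".", v); print v; exit
        }'
}

# OK / FINDING from a threshold; UNKNOWN when no version was found.
judge() {   # $1 = found version, $2 = minimum acceptable release
    if [ -z "$1" ]; then echo UNKNOWN
    elif version_ge "$1" "$(extract_version "$2")"; then echo OK
    else echo FINDING
    fi
}

# named: $1 = a line from "named -v" or "strings named | grep -i version",
# $2 = minimum fixed 8.x release, $3 = minimum fixed 9.x release.
# BIND 4 is unmaintained (item 47), so any 4.x is a finding.
bind_check() {
    v=$(extract_version "$1")
    case "$v" in
        "")  echo UNKNOWN ;;
        4.*) echo FINDING ;;
        8.*) judge "$v" "$2" ;;
        9.*) judge "$v" "$3" ;;
        *)   echo OK ;;
    esac
}

# sendmail: $1 = output of "sendmail -d0 -bt < /dev/null | grep -i Version".
sendmail_check() {
    judge "$(extract_version "$1")" "8.12.9"
}

# OpenSSH: $1 = output of "ssh -V" (ssh writes it to stderr, so capture
# with 2>&1). A banner that is not OpenSSH is reported, not judged.
openssh_check() {
    case "$1" in
        *OpenSSH_*) judge "$(extract_version "${1#*OpenSSH_}")" "3.7.1" ;;
        *)          echo NOT_OPENSSH ;;
    esac
}

# Constructed sample output, as a reviewer might have captured it.
demo() {
    bind_check "named 8.2.2-P6 Wed Jan 12 2000" "8.2.2-P7" "9.1"    # FINDING (item 46)
    bind_check "named 8.2.2-P7 Wed Jan 12 2000" "8.2.2-P7" "9.1"    # OK
    bind_check "BIND 8.3.4-REL" "8.4.6" "9.2.1"                     # FINDING (item 48)
    bind_check "@(#)named 4.9.7" "8.2.3" "9.1"                       # FINDING (BIND 4)
    sendmail_check "Version 8.12.8"                                  # FINDING
    sendmail_check "Version 8.12.9"                                  # OK
    openssh_check "OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f"   # FINDING
    openssh_check "OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f" # OK
}
demo
```

On a live host the same functions take real output, for example `bind_check "$(named -v 2>&1)" 8.4.6 9.2.1`. The BIND patch level is carried as a fourth numeric component so 8.2.2-P7 passes item 46 while 8.2.2-P6 fails, and the OpenSSH portable suffix is dropped so 3.7p1 is still reported as a finding against 3.7.1.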

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0350V0003887 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G580
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is a buffer mismanagement vulnerability in OpenSSH prior to version 3.7.1.
Reference: IAVA 2003-T-0020

59. IAVA0355 2003-A-0013 SADMIND

Vulnerable Systems:
This vulnerability applies only to Sun systems running the Solstice AdminSuite with sadmind implemented.
Compliance Checking:
The patches listed apply only to version 2.3 and later. If a version earlier than 2.3 is running, the site must
upgrade to 2.3 before installing any of the patches. To upgrade to Solstice 2.3, install the following patches:
Solstice AdminSuite patches to upgrade to Solstice 2.3:
Solaris 2.3          104468-20
Solaris 2.3_x86      104469-20
To resolve the vulnerability on the following systems, and on systems with older AdminSuite installations, install
the patches listed below immediately. Systems with versions prior to 2.3 must upgrade to 2.3 before installing
patches, as noted above.
Solaris 5.9          116453-01
Solaris 5.9_x86      116454-01
Solaris 5.8          116455-01
Solaris 5.8_x86      116442-01
Trusted Solaris 8    116455-01
Solaris 7            108662-01
Solaris 7_x86        108663-01
Solaris 2.6          108660-01
Solaris 2.6_x86      108661-01
Solaris 2.5.1        108658-02
Solaris 2.5.1_x86    108659-02
Solaris 2.5          108656-02
Solaris 2.5_x86      108657-02

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

60. IAVA0360 2003-A-0015 OpenSSL

Vulnerable Systems:
Any product using one of the following:
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6 a
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 d
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.7
OpenSSL Project OpenSSL 0.9.7 a
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 beta1
OpenSSL Project OpenSSL 0.9.7 beta2
OpenSSL Project OpenSSL 0.9.7 beta3
Compliance Checking:
Perform the following to determine the version:
# openssl version -v
# find / -name libssl.so.0.9.7
# find / -name libcrypto.so.0.9.7
To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or OpenSSL 0.9.6k. Alternatively, apply
a patch as directed by your vendor.
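The fixed OpenSSL releases here are letter suffixes on two maintained branches, 0.9.6k and 0.9.7c, so a plain numeric comparison does not work: 0.9.7 is older than 0.9.7a, and 0.9.6k is acceptable even though 0.9.7 is the higher number. The shell functions below are an added example, not from the checklist, that classify the banner printed by openssl version using the two branch thresholds the text gives; the sample banners are constructed.

```shell
#!/bin/sh
# Added example, not part of the checklist: classify "openssl version" output
# against the two fixed releases given above, 0.9.6k and 0.9.7c.
# The sample banners below are constructed.

# Reduce a banner such as "OpenSSL 0.9.7b 10 Apr 2003" to "0.9.7b".
# Beta builds keep their "-betaN" tag so they can be matched separately.
openssl_release() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+(-beta[0-9]+|[a-z])?/) {
            print substr($0, RSTART, RLENGTH); exit
        }'
}

# OK / FINDING / UNKNOWN for one banner line. The trailing letter is the
# patch level within a branch, so it is compared as a character range, and
# each branch has its own threshold: 0.9.6 needs k or later, 0.9.7 needs
# c or later.
openssl_check() {
    rel=$(openssl_release "$1")
    case "$rel" in
        "")                   echo UNKNOWN ;;
        0.9.7-beta*)          echo FINDING ;;   # every 0.9.7 beta is listed as vulnerable
        0.9.7|0.9.7[ab])      echo FINDING ;;   # 0.9.7 through 0.9.7b
        0.9.7[c-z])           echo OK ;;        # 0.9.7c or later on the 0.9.7 branch
        0.9.6|0.9.6[a-j])     echo FINDING ;;   # 0.9.6 through 0.9.6j
        0.9.6[k-z])           echo OK ;;        # 0.9.6k or later on the 0.9.6 branch
        0.9.[0-5]*|0.[0-8].*) echo FINDING ;;   # older than either fixed branch
        *)                    echo OK ;;        # 0.9.8 and later
    esac
}

# Constructed banners in the format "openssl version" prints.
demo() {
    openssl_check "OpenSSL 0.9.7b 10 Apr 2003"       # FINDING
    openssl_check "OpenSSL 0.9.7c 30 Sep 2003"       # OK
    openssl_check "OpenSSL 0.9.6k 30 Sep 2003"       # OK
    openssl_check "OpenSSL 0.9.6j 10 Apr 2003"       # FINDING
    openssl_check "OpenSSL 0.9.7-beta3 30 Jul 2002"  # FINDING
    openssl_check "OpenSSL 0.9.7 31 Dec 2002"        # FINDING
}
demo
```

The two find commands above locate additional copies of the libraries, for instance ones bundled with an application, but a soname such as libssl.so.0.9.7 carries only the branch, not the letter. For each copy found, run strings on the libcrypto file and look for the "OpenSSL 0.9" banner it embeds, then pass that line to openssl_check.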
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

61. IAVA0365 2003-T-0022 - JAVA RUNTIME and Virtual Machine

Vulnerable Systems:
SDK and JRE 1.4.1_03 and earlier
SDK and JRE 1.3.1_08 and earlier
SDK and JRE 1.2.2_015 and earlier
Compliance Checking:

http://s3.amazonaws.com/0706/819143.html

07/14/2007 08:21:33 AM

4 SYSTEM CHECKS

Page 380

To tell what version of Java you are running, from the directory where Java is loaded, run:
# ./java -version
Upgrade to the following versions:
SDK and JRE 1.4.1_04 and later
SDK and JRE 1.3.1_09 and later
SDK and JRE 1.2.2_016 and later
Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0365V0004121 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: MAN
Previously: G583
IA Controls: DCSQ-1, VIVM-1
PDI Description: Sun Java Virtual Machine slash path security model circumvention vulnerability.
Reference: IAVA 2003-T-0022

62. IAVA0370 2003-T-0024 - RSYNC DAEMON

Vulnerable Systems:
EnGarde
EnGarde Secure Linux 1.0.1
RedHat Linux 6.2.0
RedHat Linux 7.0.0
RedHat Linux 7.1.0
RedHat Linux 7.2.0
RedHat Linux 7.3.0
RedHat Linux 8.0.0
RedHat Linux 9.0.0
RedHat Fedora Core1
Caldera OpenLinux eBuilder 3.0.0
Caldera OpenLinux 2.3.0
Caldera OpenLinux 3.1.0 -IA64
Caldera OpenLinux Server 3.1.0
Caldera OpenLinux Workstation 3.1.0
Conectiva Linux ecommerce
Conectiva Linux graficas
Conectiva Linux 5.0.0
Conectiva Linux 5.1.0
Conectiva Linux 6.0.0
Conectiva Linux 7.0.0
Conectiva Linux 8.0.0
Conectiva Linux 9.0.0
SCO eDesktop 2.4.0
SCO eServer 2.3.1
S.u.S.E. Linux 6.4.0
S.u.S.E. Linux 7.0.0
S.u.S.E. Linux 7.1.0
S.u.S.E. Linux 7.2.0
S.u.S.E. Linux 7.3.0
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.1.0
S.u.S.E. Linux 8.2.0
S.u.S.E. Linux 9.0.0
Trustix Secure Linux 1.0.0 1
Trustix Secure Linux 1.1.0
Trustix Secure Linux 1.2.0
Trustix Secure Linux 1.5.0
HP Secure OS software for Linux 1.0.0
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 7.1.0
MandrakeSoft Linux Mandrake 7.2.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.1.0
MandrakeSoft Linux Mandrake 9.2.0
MandrakeSoft Single Network Firewall 7.2.0
MandrakeSoft Multi Network Firewall 8.2.0
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Corporate Server 2.1.0
Debian Linux 3.0.0
OpenBSD OpenBSD 3.0.0
OpenBSD OpenBSD 3.1.0
OpenBSD OpenBSD 3.2.0
OpenBSD OpenBSD 3.3.0
OpenBSD OpenBSD 3.4.0
OpenPKG OpenPKG Current
OpenPKG OpenPKG 1.2.0
OpenPKG OpenPKG 1.3.0
Slackware Linux 8.1.0
Slackware Linux 9.0.0
Slackware Linux 9.1.0
Compliance Checking:
First, determine if the system is running rsyncd by performing:
# netstat -a | egrep '873|rsync'
If rsync is running on the system, then:
# grep chroot /etc/rsyncd.conf
If the chroot setting is not there, or it is set to no, this is a finding. Obtain patches from the vendor in
accordance with the IAVA.
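The following shell script is an added example, not part of the checklist, that applies the two rsync checks above to constructed input: a listener test over sample netstat -a lines (both the Linux "0.0.0.0:873" and the Solaris "*.873" forms, 873/tcp being the rsync daemon port), and a reader for rsyncd.conf that reports the effective use chroot value per module, since a global value can be overridden inside a module section. An absent setting is reported as a finding, as the procedure states, even though rsync's own default for use chroot is yes; the sample configuration file and netstat lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the checklist: applies the two rsync checks
# above to constructed input. Nothing here touches the live system.

# True when one line of "netstat -a" output shows a listener on the rsync
# port (873/tcp) or the service name "rsync". Anchoring on the address
# separator (":" on Linux, "." on Solaris) avoids hits on ports such as
# 8873 and on addresses that merely contain the digits 873.
rsyncd_listening()
{
    printf '%s\n' "$1" | grep -Eq '[.:](873|rsync)[[:space:]].*LISTEN'
}

# Read an rsyncd.conf on stdin and print "<module> <verdict>" per module.
# "use chroot" may be set globally and overridden per module, so each
# module's effective value is what matters. An absent setting is reported
# as a finding, following the rule in the procedure above.
rsyncd_chroot_report()
{
    awk '
        function verdict(v) {
            if (v == "yes" || v == "true" || v == "1") return "OK"
            if (v == "") return "FINDING (use chroot not set)"
            return "FINDING (use chroot = " v ")"
        }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        /^[[:space:]]*\[/ {                                  # [module] header
            if (module != "") print module, verdict(setting)
            module = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", module)
            setting = global                                 # inherit the global value
            next
        }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
            if (tolower(key) == "usechroot") {
                if (module == "") global = tolower(val)
                else setting = tolower(val)
            }
        }
        END { if (module != "") print module, verdict(setting) }
    '
}

# Constructed sample file: "pub" inherits the global yes, "backup" turns it off.
SAMPLE_RSYNCD_CONF='# constructed sample, not a site file
use chroot = yes
[pub]
    path = /srv/pub
[backup]
    path = /srv/backup
    use chroot = no
'

demo()
{
    printf '%s' "$SAMPLE_RSYNCD_CONF" | rsyncd_chroot_report
    # Linux and Solaris style listener lines (constructed)
    rsyncd_listening "tcp   0   0 0.0.0.0:873   0.0.0.0:*   LISTEN" && echo "rsyncd listening (Linux form)"
    rsyncd_listening "   *.873   *.*   0   0 49152   0 LISTEN" && echo "rsyncd listening (Solaris form)"
}
demo
```

On a real host, `netstat -a | while read -r line; do rsyncd_listening "$line" && echo "$line"; done` and `rsyncd_chroot_report < /etc/rsyncd.conf` give the two answers the procedure asks for, with the second one broken down by module so a single "use chroot = no" hidden inside one module section is not masked by a global yes.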

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0370V0004242 Category: III
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: AUTO
Previously: G584
IA Controls: DCSQ-1, VIVM-1
PDI Description: The rsync daemon is vulnerable to a heap memory overflow.
Reference: IAVA 2003-T-0024

63. IAVA0375 2004-A-0002 - Check Point Firewall-1

Vulnerable Systems:
Check Point Software Firewall-1 4.1.0
Check Point Software Firewall-1 4.1.0 SP1
Check Point Software Firewall-1 4.1.0 SP2
Check Point Software Firewall-1 4.1.0 SP3
Check Point Software Firewall-1 4.1.0 SP4
Check Point Software Firewall-1 4.1.0 SP5
Check Point Software Firewall-1 4.1.0 SP6
Check Point Software Next Generation
Check Point Software Next Generation FP1
Check Point Software Next Generation FP2
Check Point Software Next Generation FP3
Check Point Software Next Generation FP3 HF1
Check Point Software Next Generation FP3 HF2
Check Point Software NG-AI
Check Point Software NG-AI R54
Check Point Software NG-AI R55
Check Point Software Firewall-1 4.1.0 SP5a
Check Point Software FireWall-1 Next Generation FP0
Check Point Software FireWall-1 Next Generation FP1
Check Point Software VPN-1 4.1.0
Check Point Software VPN-1 4.1.0 SP1
Check Point Software VPN-1 4.1.0 SP2
Check Point Software VPN-1 4.1.0 SP3
Check Point Software VPN-1 4.1.0 SP4
Check Point Software VPN-1 4.1.0 SP5
Check Point Software VPN-1 4.1.0 SP5a
Check Point Software VPN-1 Next Generation FP0
Check Point Software VPN-1 Next Generation FP1
Compliance Checking:
To determine the version number of the Check Point software that you are running, use the following command:
# $FWDIR/bin/fw ver
where $FWDIR is the directory where Check Point is installed.
System Administrators who use the HTTP Security Servers of Check Point Firewall-1 must download and apply
the following update:
http://www.checkpoint.com/techsupport/downloads/bin/firewall1/security_server_hotfix_cpsc.zip
System Administrators who use VPN capabilities on VPN-1/FireWall-1 4.1 SP5a and prior, Next Generation FP0
and FP1 must upgrade to the latest non-vulnerable version provided below:
http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0375V0004546 Category: I
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
Status Code: PART
Previously: G585
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of Check Point Firewall-1 is in use.
Reference: IAVA 2004-A-0002

64. IAVA0380 2004-B-0002 - H.323 Protocol

Vulnerable Systems:
Debian GNU/Linux 3.0
Red Hat Linux 9
Check Point Software Firewall-1 4.0.0 SP1
Check Point Software Firewall-1 4.0.0 SP2
Check Point Software Firewall-1 4.0.0 SP3
Check Point Software Firewall-1 4.0.0 SP4
Check Point Software Firewall-1 4.0.0 SP5
Check Point Software Firewall-1 4.0.0 SP6
Check Point Software Firewall-1 4.0.0 SP7
Check Point Software Firewall-1 4.0.0 SP8
Check Point Software Firewall-1 4.1.0
Check Point Software Firewall-1 4.1.0 SP1
Check Point Software Firewall-1 4.1.0 SP2
Check Point Software Firewall-1 4.1.0 SP3
Check Point Software Firewall-1 4.1.0 SP4
Check Point Software Firewall-1 4.1.0 SP5
Check Point Software Firewall-1 4.1.0 SP6
Check Point Software Firewall-1 [VPN+DES+STRONG] 4.1.0 Build 41439
Check Point Software Firewall-1 [VPN+DES+STRONG] 4.1.0 SP2 Build 41716
Check Point Software Firewall-1 [VPN+DES] 4.1.0
Check Point Software Next Generation
Check Point Software Next Generation FP1
Check Point Software Next Generation FP2
Check Point Software Next Generation FP3
Check Point Software Next Generation FP3 HF1
Check Point Software Next Generation FP3 HF2
Check Point Software Next Generation with Application Intelligence
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Debian: pwlib 1.2.5-5woody1
Redhat: pwlib-1.4.7-4.1

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0380 V0004547
Category: II
Status Code: PART
Previously: G586
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A vulnerable version of the H.323 Protocol is in use.
Reference: IAVA 2004-B-0002

65. IAVA0385 2004-A-0004 - ISS Real Secure

Vulnerable Systems:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
Running on the following Operating Systems:
Solaris 8
Solaris 9
RedHat Linux Professional

RedHat Enterprise
IBM AIX
Hewlett-Packard HP-UX
Compliance Checking:
Locate the issDaemon and display its version:
# find / -name issDaemon -depth -print
# ./issDaemon -v

The daemon should be upgraded to the following non-vulnerable versions:


RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
BlackICE Agent for Server 3.6 ecg

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0385 V0004554
Category: I
Status Code: PART
Previously: G587
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: The ISS RealSecure protocol analysis module ICQ parsing routines have a buffer overflow.
Reference: IAVA 2004-A-0004

66. IAVA0390 2004-T-0003 Apache SSL Certificate Forging

Vulnerable Systems:
Apache-SSL 1.3.28+1.52 and earlier versions.
Compliance Checking:
To check the version:
# httpd -v

The version should be at least 1.3.29+1.53.

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0390 V0004567
Category: II
Status Code: MAN
Previously: G588
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected an Apache-Secure Socket Layer Client Certificate Forging Vulnerability.
Reference: IAVA 2004-T-0003

67. IAVA0395 2004-T-0008 TCPDUMP Buffer Overflows

Vulnerable Systems:
tcpdump
Apple
Caldera
Debian
EnGarde
FreeBSD
Mandrake
Redhat
SCO
SGI
SuSE
Trustix
Turbolinux
Compliance Checking:
To check the version of tcpdump on most systems:
# tcpdump --version
The version should be at least 3.8.3. If it is not, then upgrade both tcpdump to at least 3.8.3 and libpcap
to 0.8.3. Check the IAVA for specific vendor patches or upgrades.

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0395 V0004568
Category: II
Status Code: AUTO
Previously: G589
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: TCPDUMP has multiple buffer overflows and vulnerabilities from malformed ISAKMP packets.
Reference: IAVA 2004-T-0008

68. IAVA0400 2004-B-0005 FreeBSD/Juniper Denial of Service

Vulnerable Systems:
FreeBSD 4.6.2
FreeBSD 4.7.0
FreeBSD 4.8.0
FreeBSD 4.9.0
FreeBSD 5.0.0
FreeBSD 5.1.0
FreeBSD 5.2.0
OpenBSD 3.3
OpenBSD 3.4

Compliance Checking:
Upgrade to the FreeBSD stable branch (4-STABLE) or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8
security branch, or apply the applicable patch:
FreeBSD 4.8: tcp47.patch
FreeBSD 4.9: tcp47.patch
FreeBSD 5.2: tcp52.patch
OpenBSD 3.3: 018_tcp.patch
OpenBSD 3.4: 013_tcp.patch

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0400 V0004569
Category: III
Status Code: PART
Previously: G590
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is a FreeBSD/Juniper BSD TCP out-of-sequence packets denial of service.
Reference: IAVA 2004-B-0005

69. IAVA0405 2004-T-0006 Solaris Password Utility

Vulnerable Systems:
Solaris 8.0
Solaris 8.0_x86
Solaris 9.0
Solaris 9.0_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 8.0: 108993-32 or later
Solaris 8.0_x86: 108994-32 or later
Solaris 9.0: 113476-11 or later
Solaris 9.0_x86: 114242-07 or later

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0405 V0004570
Category: III
Status Code: AUTO
Previously: G591
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a vulnerable passwd utility on Solaris 5.8 or 5.9.
Reference: IAVA 2004-T-0006

70. IAVA0410 2004-B-0006 OpenSSL Denial of Service

Vulnerable Systems:
Apple
Avaya
Check Point
Cisco
Citrix
FreeBSD
Hewlett Packard
NetScreen
Novell
OpenBSD
OpenSSL
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6 c
Conectiva Linux 8.0.0
Debian Linux 3.0.0
MandrakeSoft Linux Mandrake 8.2.0
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386

Slackware Linux 8.1.0
OpenSSL Project OpenSSL 0.9.6 e
FreeBSD 4.6.0
FreeBSD 4.6.0 -RELEASE
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 g
FreeBSD 4.7.0
FreeBSD 4.7.0 -RELEASE
HP Apache-Based Web Server 2.0.43 .00
HP Apache-Based Web Server 2.0.43 .04
HP Webmin-Based Admin 1.0.0 .01
Immunix OS 7+
NetBSD 1.6.0
OpenPKG 1.1.0
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 i
HP Apache-Based Web Server 1.3.27 .00
HP Apache-Based Web Server 1.3.27 .01
HP-UX Apache-Based Web Server 1.0.0 .01
HP-UX Apache-Based Web Server 1.0.0 .02.01
HP-UX Apache-Based Web Server 1.0.0 .03.01
HP-UX Apache-Based Web Server 1.0.0 .04.01
HP-UX Apache-Based Web Server 1.0.0 .05.01
HP-UX Apache-Based Web Server 1.0.0 .06.01
HP-UX Apache-Based Web Server 1.0.0 .06.02
HP-UX Apache-Based Web Server 1.0.0 .07.01
HP-UX Apache-Based Web Server 1.0.1 .01
MandrakeSoft Corporate Server 2.1.0
MandrakeSoft Corporate Server 2.1.0 x86_64
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.1.0
MandrakeSoft Linux Mandrake 9.1.0 ppc
S.u.S.E. Linux 8.2.0
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 k
BlueCoat Systems CacheOS CA/SA 4.1.10
BlueCoat Systems Security Gateway OS 2.0.0
BlueCoat Systems Security Gateway OS 2.1.9
BlueCoat Systems Security Gateway OS 2.1.5001 SP1
BlueCoat Systems Security Gateway OS 3.0.0
BlueCoat Systems Security Gateway OS 3.1.0
Slackware Linux 8.1.0
OpenSSL Project OpenSSL 0.9.7
Caldera OpenUnix 8.0.0
Caldera UnixWare 7.1.1
Caldera UnixWare 7.1.3

FreeBSD 5.0.0
Redhat Linux
RSA
SCO
SGI
Stonesoft
Tarantella
Compliance Checking:
All versions from 0.9.6c to 0.9.6l and versions 0.9.7a to 0.9.7c are affected. This vulnerability requires
multiple updates. Ensure OpenSSL libraries are, at least, 0.9.7d or 0.9.6m. Check for the correct version of
OpenSSL libraries by performing either of these commands:
# openssl version -v
# ls -lLd /usr/lib/*ssl*
or
# ls -lLd /usr/local/lib/*ssl*

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0410 V0004571
Category: II
Status Code: AUTO
Previously: G592
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected an OpenSSL denial-of-service vulnerability.
Reference: IAVA 2004-B-0006

71. IAVA0415 2004-B-0007 Linux JetAdmin Vulnerability

Vulnerable Systems:
Linux systems with:
HP Web Jetadmin 6.5.0 and prior
HP Web Jetadmin 7.0.0

Compliance Checking:
# find / -name Jetadmin -o -name jetadmin
If found, execute the Jetadmin binary to display the version:
# ./jetadmin
If it is less than version 7.5, this is a finding. If it is 7.5 or higher, this is not a finding.
Remediation Guidelines:

Upgrade or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0415 V0004621
Category: I
Status Code: AUTO
Previously: G593
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a vulnerable HP WEB JetAdmin version on Linux.
Reference: IAVA 2004-B-0007

72. IAVA0420 2004-T-0014 CDE Remote Login

Vulnerable Systems:

HP HP-UX 11.0.0
HP HP-UX 11.0.0 4
HP HP-UX 11.11.0
HP HP-UX 11.22.0
HP HP-UX 11.23.0
IBM AIX 4.3.3
IBM AIX 5.1.0
IBM AIX 5.2.0
SCO Unixware 7.1.1
SGI (see http://www.sgi.com/support/security/advisories.html)
Solaris 7.0.0
Solaris 7.0.0 _x86
Sun Solaris 8.0.0
Sun Solaris 8.0.0 _x86
Sun Solaris 9.0.0
Sun Solaris 9.0.0 _x86
Sun Solaris 9.0.0 _x86 Update 2
Open Group CDE Common Desktop Environment 2.1.0
Sun Solaris 9
Sun Solaris 9 _x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Sun 7.0 107180-31
Sun 7.0_x86 107171-31
Sun 8.0 108919-21
Sun 8.0_x86 108920-21
Sun 9.0 112807-09
Sun 9.0_x86 114210-08
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0420 V0004620
Category: III
Status Code: MAN
Previously: G594
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a Common Desktop Environment DTLogin Remote Double Free Vulnerability.
Reference: IAVA 2004-T-0014

73. IAVA0425 2003-B-0005 Sendmail Prescan Variant Vulnerability

Vulnerable Systems:
All systems with Sendmail.
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 7.0: 107684-11 or later
Solaris 7.0_x86: 107685-11 or later
Solaris 8.0: 110615-11 or later
Solaris 8.0_x86: 110616-11 or later
Solaris 9.0: 113575-05 or later
Solaris 9.0_x86: 114137-04 or later

HP-UX:
# /usr/sbin/sendmail -d0.1 < /dev/null | grep -i version
The display will show the sendmail version number. Download and install the appropriate file for the
operating system revision and sendmail version.

HP-UX B.11.00:
SMAIL-811.INETSVCS-SMAIL: install the sendmail.811.11.00.r4 file
InternetSrvcs.INETSVCS-RUN: install the sendmail.893.11.00.r4 file

HP-UX B.11.04:
InternetSrvcs.INETSVCS-RUN: install the sendmail.893.11.00.r4 file

HP-UX B.11.11:
SMAIL-811.INETSVCS-SMAIL: install the sendmail.811.11.11.r4 file
InternetSrvcs.INETSVCS-RUN: install the sendmail.893.11.11.r4 file

HP-UX B.11.22:
Install the sendmail.811.11.22.r5 file

AIX 4.3.3: IY48659
AIX 5.1.0: IY48658
AIX 5.2.0: IY48657

Linux:
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-27.71.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-27.72.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-27.73.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-9.80.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/sendmail-8.12.8-9.90.i386.rpm
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0425 V0004716
Category: II
Status Code: AUTO
Previously: G595
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a Sendmail Prescan Variant Remote Buffer Overrun Vulnerability.
Reference: IAVA 2003-B-0005

74. IAVA0430 2004-T-0016 Solaris Management Console Vulnerability

Vulnerable Systems:
Sun Solaris 8
Sun Solaris 8 _x86
Sun Solaris 9
Sun Solaris 9 _x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Sun Solaris 8: 111313-02 or later
Sun Solaris 8 _x86: 111314-02 or later
Sun Solaris 9: 116807-01 or later
Sun Solaris 9 _x86: 116808-01 or later

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0430 V0004717
Category: III
Status Code: AUTO
Previously: G596
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a Sun Solaris Management Console Information Disclosure Vulnerability.
Reference: IAVA 2004-T-0016

75. IAVA0435 2004-T-0017 MIT Kerberos Multiple Vulnerabilities

Vulnerable Systems:
All releases of MIT Kerberos 5, up to and including krb5-1.3.3.
Conectiva Linux 8.0.0
Debian Linux 3.0.0
Debian Linux 3.0.0 alpha
Debian Linux 3.0.0 arm
Debian Linux 3.0.0 hppa
Debian Linux 3.0.0 ia-32
Debian Linux 3.0.0 ia-64
Debian Linux 3.0.0 m68k
Debian Linux 3.0.0 mips
Debian Linux 3.0.0 mipsel
Debian Linux 3.0.0 ppc
Debian Linux 3.0.0 s/390
Debian Linux 3.0.0 sparc
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Linux Mandrake 8.2.0
MandrakeSoft Linux Mandrake 8.2.0 ppc
MandrakeSoft Multi Network Firewall 8.2.0
MandrakeSoft Corporate Server 2.1.0
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.1.0
MandrakeSoft Linux Mandrake 9.1.0 ppc
OpenBSD OpenBSD 3.1.0
OpenBSD OpenBSD 3.2.0

RedHat Linux 6.2.0


RedHat Linux 6.2.0 alpha
RedHat Linux 6.2.0 i386
RedHat Linux 6.2.0 sparc
RedHat Linux 7.0.0
RedHat Linux 7.0.0 alpha
RedHat Linux 7.0.0 i386
RedHat Linux 7.1.0
RedHat Linux 7.1.0 alpha
RedHat Linux 7.1.0 i386
RedHat Linux 7.1.0 ia64
RedHat Linux 7.2.0
RedHat Linux 7.2.0 i386
RedHat Linux 7.2.0 ia64
RedHat Linux 7.3.0
RedHat Linux 7.3.0 i386
RedHat Linux 8.0.0
RedHat Linux 8.0.0 i386
RedHat Linux 9.0.0 i386
SGI ProPack 3.0.0
Sun SEAM 1.0.0
Sun Solaris 2.6.0
Sun Solaris 2.6.0 _x86
Sun Solaris 7.0.0
Sun Solaris 7.0.0 _x86
Sun SEAM 1.0.1
Sun Solaris 8.0.0
Sun Solaris 8.0.0 _x86
Sun SEAM 1.0.2
Sun Solaris 9.0.0
Sun Solaris 8.0.0
Sun Solaris 8.0.0 _x86
Sun Solaris 9.0.0
Sun Solaris 9.0.0 _x86
MIT Kerberos 5 5.0.0 -1.3.3
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.7: 112536-05
Solaris 5.7_x86: 112537-05
Solaris 5.8: 112237-11 and 112390-09
Solaris 5.8_x86: 112240-08 and 112238-19
Solaris 5.9: 112908-15
Solaris 5.9_x86: 115168-05

Redhat:
# rpm -qa | grep krb5-workstation
The version in the second field should be at least 1.3.3-7.

Debian: upgrade to at least Kerberos version 5, release 1.2.4-5 or 1.3.3-2.

Mandrake: upgrade to at least Kerberos version 5, release 1.3.3-4.

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0435 V0004718
Category: III
Status Code: AUTO
Previously: G597
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected a MIT Kerberos multiple buffer overrun vulnerability.
Reference: IAVA 2004-T-0017

76. IAVA0440 2004-T-0018 Multiple Vulnerabilities in ISC DHCP 3

Vulnerable Systems:

ISC DHCPD 3.0.1 rc12


ISC DHCPD 3.0.1 rc13
RedHat Fedora Core2
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386
S.u.S.E. Linux 8.1.0
S.u.S.E. Linux 8.2.0
S.u.S.E. Linux 9.0.0
S.u.S.E. Linux 9.0.0 x86_64
S.u.S.E. Linux 9.1.0
S.u.S.E. Linux Admin-CD for Firewall
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Database Server
S.u.S.E. Linux Enterprise Server 7
S.u.S.E. Linux Enterprise Server 8
S.u.S.E. Linux Firewall on CD
S.u.S.E. Linux Office Server
S.u.S.E. SuSE eMail Server III
Compliance Checking:
The dhcpd binary should be:
Solaris: /usr/lib/inet/in.dhcpd
HP-UX: /usr/lbin/dhcpserverd
AIX: /usr/sbin/dhcpsd
IRIX: /usr/sbin/dhcpd
Linux: /usr/sbin/dhcpd
On each platform, check whether that binary is the ISC implementation:
# strings <dhcpd_binary> | grep "Internet Software Consortium"
If the string "Internet Software Consortium" is found, confirm the version is 3.0.1 rc14 or later.
# <dhcpd_binary> | more

Remediation Guidelines:

Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.

PDI: IAVA0440 V0004719
Category: III
Status Code: AUTO
Previously: G598
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Detected vulnerabilities in the ISC version of DHCP 3.
Reference: IAVA 2004-T-0018

77. IAVA0445 2004-T-0032 Vulnerabilities in Apache Web Server

Vulnerable Systems:
Apache 2.0.51 and prior versions
Apache 1.3.31 and prior versions
Compliance Checking:
Confirm the version is 2.0.52 or later, or 1.3.33 or later, respectively.
# <httpd> -v
Or perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.8: 116973-01
Solaris 5.8_x86: 116974-01
Solaris 5.9: 113146-05
Solaris 5.9_x86: 114145-04

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
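The OpenSSL and Apache version checks above each carry a branch-specific minimum (0.9.6m or 0.9.7d; 1.3.33 or 2.0.52) that is easy to misjudge by eye, particularly with OpenSSL's letter suffixes. The POSIX shell helper below, added here and not part of the checklist or its scripts, extracts the version from an "openssl version" or "httpd -v" output line and applies those minimums; the output lines it feeds itself are constructed samples.

```sh
#!/bin/sh
# Added example (not part of the checklist): turn the OpenSSL / Apache version
# checks into a pass/fail decision. Minimum releases are those the checklist
# states; the sample command output lines at the bottom are constructed.

# vercmp A B: print -1, 0 or 1 as version A is older than, equal to or newer
# than version B. Handles dotted numeric parts plus the single trailing
# letter OpenSSL uses (0.9.6k < 0.9.6m); a missing part counts as 0 (2.0 == 2.0.0).
vercmp() {
    awk -v a="$1" -v b="$2" '
    function key(v,    parts, n, i, num, suf, out) {
        n = split(v, parts, ".")
        out = ""
        for (i = 1; i <= n; i++) {
            num = parts[i]; suf = 0
            if (match(num, /[a-z]$/)) {
                # map a..z to 1..26 so "6k" sorts after "6" and before "6m"
                suf = index("abcdefghijklmnopqrstuvwxyz", substr(num, RSTART, 1))
                num = substr(num, 1, RSTART - 1)
            }
            out = out sprintf("%05d%03d", num + 0, suf)   # fixed-width sort key
        }
        return out
    }
    BEGIN {
        ka = key(a); kb = key(b)
        while (length(ka) < length(kb)) ka = ka "00000000"
        while (length(kb) < length(ka)) kb = kb "00000000"
        r = 0
        if ((ka "") < (kb "")) r = -1
        else if ((ka "") > (kb "")) r = 1
        print r
    }'
}

# min_for PRODUCT VERSION: the checklist minimum for the branch VERSION is on.
min_for() {
    case "$1/$2" in
        openssl/0.9.6*) echo 0.9.6m ;;
        openssl/*)      echo 0.9.7d ;;
        apache/1.3.*)   echo 1.3.33 ;;
        apache/*)       echo 2.0.52 ;;
        *) echo "min_for: unknown product $1" >&2; return 1 ;;
    esac
}

# version_from_output PRODUCT LINE: pull the version token out of one line of
# "openssl version" ("OpenSSL 0.9.7d ...") or "httpd -v" ("Server version: Apache/2.0.52").
version_from_output() {
    case "$1" in
        openssl) printf '%s\n' "$2" | awk '{ print $2 }' ;;
        apache)  printf '%s\n' "$2" | sed -n 's#.*Apache/\([0-9][0-9a-z.]*\).*#\1#p' ;;
        *) return 1 ;;
    esac
}

# check PRODUCT VERSION: print "finding" when VERSION is below the branch minimum.
check() {
    min=$(min_for "$1" "$2") || return 2
    if [ "$(vercmp "$2" "$min")" = -1 ]; then
        echo "finding"
    else
        echo "not a finding"
    fi
}

# Demo on constructed output lines; a review would feed the real command output.
for sample in "openssl|OpenSSL 0.9.6k 30 Sep 2003" "openssl|OpenSSL 0.9.7d 17 Mar 2004" \
              "apache|Server version: Apache/1.3.31" "apache|Server version: Apache/2.0.52"; do
    product=${sample%%|*}; line=${sample#*|}
    ver=$(version_from_output "$product" "$line")
    printf '%-8s %-8s %s\n' "$product" "$ver" "$(check "$product" "$ver")"
done
```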

PDI: IAVA0445 V0005014
Category: I
Status Code: AUTO
Previously: G599
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in the Apache Web server.
Reference: IAVA 2004-T-0032

78. IAVA0455 2000-B-0005 Input Validation Problem in rpc.statd

Vulnerable Systems:
Debian 2.2
Redhat 6.x

Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Debian: nfs-common_0.1.9.1-1.deb
Redhat: nfs-utils-0.1.9.1-1.i386.rpm

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0455 V0001004
Category: I
Status Code: MAN++
Previously: L010
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A Linux system has the input validation problem in rpc.statd.
Reference: IAVA 2000-B-0005

79. IAVA0460 2001-A-0002 IRIX Telnet

Vulnerable Systems:
IRIX versions 3.x through 6.5.9
Compliance Checking:
To check the version:
# uname -R
Or perform procedures in Appendix F, Patch Control, to check for the following patches:
IRIX 3.x through 6.4 (except 6.2): upgrade to IRIX 6.5.10 or higher
IRIX 6.2: apply patch #4050 or upgrade to 6.5.10
IRIX 6.5 through 6.5.9: apply patch #4060 or upgrade to 6.5.10
Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0460 V0000999
Category: II
Status Code: PART
Previously: SG01
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: IRIX telnetd is vulnerable.
Reference: IAVA 2001-A-0002

80. IAVA0465 1999-B-0002 SGI Array Services

Vulnerable Systems:
IRIX
Compliance Checking:
# grep AUTHENTICATION /usr/lib/array/arrayd.auth
Confirm AUTHENTICATION NONE is commented out.

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.

PDI: IAVA0465 V0001000
Category: II
Status Code: PART
Previously: SG03
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: SGI array services has the default configuration vulnerability.
Reference: IAVA 1999-B-0002

81. IAVA0470 1998-A-0010 SGI Buffer Overflow Vulnerability

Vulnerable Systems:
IRIX 3.x
IRIX 4.x
IRIX 5.0.x
IRIX 5.1.x
IRIX 5.2
IRIX 5.3
IRIX 6.0.x
IRIX 6.1
IRIX 6.2
IRIX 6.3
IRIX 6.4
IRIX 6.5
Compliance Checking:
Execute: versions -IM | grep patch#
Required patch by IRIX release:
For xlock:
5.3: 2090
6.2: 2090
6.3: 2090
6.4: 2091
5.3: 3463
6.2: 3289
For df:
6.3: 3722
6.4: 3883
For pset:
5.3: 2176
6.2: 3704
6.3: 2792
For eject:
5.3: 3191
6.2: 3722
6.4: 3883
For login:
5.3: 2216
6.1: 1010
6.2: 2181
6.3: 3183
For ordist:
5.3: 2212
6.2-6.4: 2213

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0470 V0001001
Category: I
Status Code: PART
Previously: SG05
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: SGI buffer overflow vulnerabilities exist.
Reference: IAVA 1998-A-0010

82. IAVA0475 1999-A-0006 Statd and Automountd

Vulnerable Systems:
For rpc.statd:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
For automountd:
Solaris 5.5.1
Solaris 5.5.1_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
For rpc.statd:
Solaris 5.5.1: 104166-05
Solaris 5.5.1_x86: 104167-05
Solaris 5.6: 106592-04
Solaris 5.6_x86: 106593-04
For automountd:
Solaris 5.5.1: 104654-05
Solaris 5.5.1_x86: 104655-05

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0475 V0001003
Category: I
Status Code: AUTO
Previously: SO25
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A Solaris system has statd and automountd vulnerabilities.
Reference: IAVA 1999-A-0006

83. IAVA0485 2001-T-0002 IRDP

Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86

Solaris 5.7
Solaris 5.7_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1: 109721-01
Solaris 5.5.1_x86: 109722-01
Solaris 5.6: 109719-01
Solaris 5.6_x86: 109720-01
Solaris 5.7: 109709-01
Solaris 5.7_x86: 109710-01

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0485 V0001065
Category: I
Status Code: AUTO
Previously: SO27
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A Solaris system has a vulnerable version of ARP.
Reference: IAVA 2001-T-0002

84. IAVA0490 2001-A-0003 SNMP to DMI Mapper Daemon

Vulnerable Systems:
Solaris 5.7
Solaris 5.7_x86

Solaris 5.8
Solaris 5.8_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.7: 107709-19
Solaris 5.7_x86: 107710-19
Solaris 5.8: 108869-17
Solaris 5.8_x86: 108870-17

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0490 V0001066
Category: I
Status Code: PART
Previously: SO28
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A Solaris system has a SNMP to DMI mapper daemon (snmpXdmid) vulnerability.
Reference: IAVA 2001-A-0003

85. IAVA0495 2001-T-0007 Solaris Line Printer Daemon

Vulnerable Systems:
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86

Solaris 5.8
Solaris 5.8_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.6: 106235-10
Solaris 5.6_x86: 106236-10
Solaris 5.7: 107115-10
Solaris 5.7_x86: 107116-10
Solaris 5.8: 109320-05
Solaris 5.8_x86: 109321-05

Remediation Guidelines:

Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0495 V0001068
Category: I
Status Code: AUTO
Previously: SO29
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: The Solaris line printer daemon (in.lpd) is vulnerable to a buffer overflow.
Reference: IAVA 2001-T-0007

86. IAVA0500 2000-B-0003 KDC Vulnerability

Vulnerable Systems:
MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
MIT Kerberos 4 patch 10, and likely earlier releases as well

KerbNet (Cygnus implementation of Kerberos 5)
Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
Compliance Checking:
Use the command:
# find /etc -name krb5.conf
to look for the presence of a Kerberos 5 configuration file on the system. If the file is found, look for the
presence of the default_domain and v4_instance_convert configuration variables in the [realms]
section of the file. If these two variables are present and configured, this is a finding, as Kerberos is working
in Version IV compatibility mode. If /etc/krb4.conf exists, this is also a finding without the applied
patches. Upgrade to version 5-1.0.X and apply the patch provided by MIT. Only the patches for the krb_rd_req()
vulnerability need to be applied to version 4 to address the issues described in this advisory.

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0500 V0004704 Category: II
Status Code: PART
Previously: V064
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A system has a vulnerable version of KDC.
Reference: IAVA 2000-B-0003

87. IAVA0510 1999-A-0003 FTP RNFR Command Vulnerability

Vulnerable Systems:
ProFTPD 1.2.0pre1
wu-ftpd, all versions prior to 2.4.2

Compliance Checking:
Confirm the version is 1.2.0pre2 or later (ProFTPD), or 2.4.2 or later (wu-ftpd), respectively.
# /usr/ccs/bin/what <ftp_daemon>
Or
# strings <ftp_daemon>
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0510 V0004699 Category: I
Status Code: PART
Previously: V324
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A BSD system has the FTP RNFR command vulnerability.
Reference: IAVA 1999-A-0003

88. IAVA0515 1999-B-0003, 2000-B-0004, 2001-B-0004 WU-FTPd

Vulnerable Systems:
wu-ftpd

2.6.0 or earlier

Compliance Checking:
Confirm the version is 2.6.1 or later.
# /usr/ccs/bin/what <ftp_daemon>
Or
# strings <ftp_daemon>
If all patches have been applied to the 2.6.0 version, it is not a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0515 V0004700 Category: I
Status Code: AUTO
Previously: V3375
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: A server is running a vulnerable version of wu-ftpd.
Reference: IAVA 1999-B-0003, 2000-B-0004, 2001-B-0004


89. IAVA0520 2006-A-0013 Sendmail remote execution vulnerability.

Vulnerable Systems:
Sendmail prior to 8.13.6
Compliance Checking:
Within certain operating system architectures, a remote attacker may be able to force certain timing conditions
that would allow execution of arbitrary code or commands on a vulnerable system. Systems running an MTA are
typically deployed in the DMZ as a gateway for delivering inbound and outbound email, though they may also be
used for internal email delivery between systems or applications. A system is vulnerable to this IAVA if the
sendmail version is less than 8.13.6 or does not contain up-to-date patches. To check for the vulnerability, check
the version of sendmail the system is running. There are two easy methods:
1. Run telnet hostname 25. This connects to the sendmail server port, and the server banner usually includes its
version. Since sites are told to hide the version in the banner, this method may not work.
2. Run the sendmail binary (usually in /usr/lib) in address test mode with debugging level 0:
# echo \$Z | /usr/lib/sendmail -bt -d0
Sendmail returns some extraneous information including the version number, e.g., Version 8.13.6.
Obtain the latest version of sendmail. The acceptable version to answer this IAVA is 8.13.6 or higher, or a version
patched to fix the vulnerability. Vendor patches and packages:
Solaris 5.8: 110615-14
Solaris 5.8_x86: 110616-14
Solaris 5.9: 113575-06
Solaris 5.9_x86: 114137-05
Solaris 5.10: 122856-01
Solaris 5.10_x86: 122857-01
HP-UX B.11.00: sendmail-811_01.006.depot
HP-UX B.11.11: sendmail-8.13_1111.depot
HP-UX B.11.23: sendmail-8.13_1123.depot
AIX 5.1.0: IY82992
AIX 5.2.0: IY82993
AIX 5.3.0: IY82994
IRIX 6.5: patch 7082
Linux Red Hat: sendmail-8.12.11-4
Linux SuSE: sendmail-8.13.3-5.3

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0520 V0011737 Category: I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There is a sendmail remote execution vulnerability.
Reference: IAVA 2006-A-0013

90. IAVA0530 2006-A-0007 Oracle E-Business Suite Vulnerabilities

Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
# $ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle E-Business Suite is listed, then expand it to view any installed patches.
Ensure all of the patches listed for the installed version are installed:
11.5.10 CU2: 4865928, 4756429
11.5.10: 4333555, 4756429
11.5.9: 4666822, 4710802, 3453273, 3428504, 4756429, 4690594
11.5.8 through 11.5.4: 4746210, 3453273, 4756429, 4690594
11.5.3 and 11.5.2: 4746210, 4756429, 4690594
11.5.1: 4746210, 4690594
11.5.0: none
Note: Repeat for each Oracle installation.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0530 V0007587 Category: I
Status Code: MAN
Previously: G566
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in Oracle E-Business Suite and Applications.
Reference: IAVA 2006-A-0007

91. IAVA0545 2005-B-0019 Vulnerabilities in IKE Packet Processing

Vulnerable Systems:
Solaris 5.9
Solaris 5.9_x86
Solaris 10
Solaris 10_x86
HP-UX B.11.00 IPSec.IPSEC2-KRN
HP-UX B.11.11 IPSec.IPSEC2-KRN
HP-UX B.11.11 IPSec.IPSEC2-KRN,revision=A.02.00
HP-UX B.11.23 IPSec.IPSEC2-KRN
Compliance Checking:
Solaris
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.9: 113451-10
Solaris 5.9_x86: 114435-09
Solaris 10: 118371-06
Solaris 10_x86: 118372-06
HP-UX
To determine if an HP-UX system has an affected version, search the output of the following command for the
filesets listed below:
# swlist -a revision -l fileset
B.11.00 IPSec.IPSEC2-KRN: install revision A.01.05.01 or subsequent
B.11.11 IPSec.IPSEC2-KRN: install revision A.01.07.02 or subsequent
B.11.11 IPSec.IPSEC2-KRN,revision=A.02.00: install revision A.02.01 or subsequent
B.11.23 IPSec.IPSEC2-KRN: install revision A.02.01 or subsequent
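Most checks in this section reduce to "is the installed version at least X": the sendmail 8.13.6 check (IAVA0520), the HP-UX IPSec fileset revisions immediately above, and the later wu-ftpd, Snort and BIND version checks. Comparing dotted versions as strings gets this wrong (8.9 sorts after 8.13), so the following added example (not part of this checklist) compares them component by component and pairs the comparison with helpers that pull the version out of `sendmail -d0` / `snort -V` banners and out of `swlist -a revision -l fileset` output. The sample outputs are constructed to the format those commands print and were not captured from real hosts.

```shell
#!/bin/sh
# Added example, not part of the STIG checklist: a dotted-version comparison
# for the "version X or later" checks (sendmail 8.13.6, the HP-UX IPSec
# fileset revisions, and the wu-ftpd, Snort and BIND checks later on),
# plus helpers that extract the version from command output.

# Constructed sample outputs (not captured from real hosts).
SAMPLE_SENDMAIL_D0='Version 8.13.6
 Compiled with: DNSMAP LOG MATCHGECOS MILTER NAMED_BIND NETINET NETUNIX'
SAMPLE_SENDMAIL_OLD='Version 8.12.11
 Compiled with: LOG MATCHGECOS NAMED_BIND NETINET NETUNIX'
SAMPLE_SWLIST='# Target:  host:/
  IPSec.IPSEC2-KRN              A.01.05.01     IPSec Kernel
  OS-Core.CORE2-KRN             B.11.00        Core kernel'

# version_ge <a> <b>
# Returns 0 when dotted version <a> is >= <b>, comparing component by
# component as integers (8.13.6 < 8.14.0; A.01.05.01 < A.01.07.02; a missing
# trailing component counts as 0, so 8.13 < 8.13.6). Caveat: non-numeric
# tails such as ProFTPD's "1.2.0pre2" compare as 0 and need a manual look.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit (xi < yi)      # exit 1 when a is older
        }
        exit 0
    }'
}

# banner_version <text>
# Prints the first "Version N.N.N" found, as printed by sendmail -bt -d0
# and by snort -V (whose banner puts ASCII art before the word Version).
banner_version() {
    printf '%s\n' "$1" | awk '
        match($0, /Version[ \t]+[0-9]+(\.[0-9]+)*/) {
            v = substr($0, RSTART, RLENGTH); sub(/Version[ \t]+/, "", v)
            print v; exit
        }'
}

# fileset_revision <swlist-text> <fileset>
# Prints the revision column that swlist -a revision -l fileset shows.
fileset_revision() {
    printf '%s\n' "$1" | awk -v fs="$2" '$1 == fs { print $2; exit }'
}

# version_finding <found-version> <required-version>
# Returns 0 (a finding) when the version is missing or older than required.
version_finding() {
    [ -z "$1" ] || ! version_ge "$1" "$2"
}

# Live use:
#   version_finding "$(banner_version "$(echo \$Z | /usr/lib/sendmail -bt -d0 2>&1)")" 8.13.6
#   version_finding "$(fileset_revision "$(swlist -a revision -l fileset)" IPSec.IPSEC2-KRN)" A.01.05.01
#   version_finding "$(banner_version "$(snort -V 2>&1)")" 1.8.1
version_finding "$(banner_version "$SAMPLE_SENDMAIL_OLD")" 8.13.6 && echo "sample: finding (sendmail 8.12.11 < 8.13.6)"
```

An empty version (binary not found, banner suppressed, fileset not installed) is deliberately reported as a finding rather than as compliant, so that a reviewer sees the gap instead of a silent pass.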
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0545 V0007590 Category: I
Status Code: PART
Previously: G571
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are vulnerabilities in IKE Packet Processing.
Reference: IAVA 2005-B-0019

92. IAVA0550 2006-A-0011 Vulnerabilities in Oracle E-Business Suite

Vulnerable Systems:
Oracle Diagnostics, versions 2.3 and lower *
* Available only on:
Oracle E-Business Suite Release 11i, versions 11.5.4 and higher
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
# $ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle E-Business Suite is listed, then expand it to discover any entry for Oracle
Diagnostics. If listed, search for any entry indicating that the Oracle Diagnostics 2.3 Rollup Patch (RUP) A is
installed.
Note: Repeat for each Oracle Diagnostics installation.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0550 V0007591 Category: I
Status Code: MAN
Previously: G572
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are vulnerabilities in Oracle E-Business Suite.
Reference: IAVA 2006-A-0011

93. IAVA0555 2006-A-0020 Vulnerabilities in Oracle E-Business Suite


Vulnerable Systems:
Oracle E-Business Suite 11.0.0
Oracle E-Business Suite 11i 11.5.1
Oracle E-Business Suite 11i 11.5.2
Oracle E-Business Suite 11i 11.5.3
Oracle E-Business Suite 11i 11.5.4
Oracle E-Business Suite 11i 11.5.5
Oracle E-Business Suite 11i 11.5.6
Oracle E-Business Suite 11i 11.5.7
Oracle E-Business Suite 11i 11.5.8
Oracle E-Business Suite 11i 11.5.9
Oracle E-Business Suite 11i 11.5.10
Oracle E-Business Suite 11i 11.5.10 CU2
Compliance Checking:
The Oracle OPatch utility may also be used to review installed versions and patches. Have the Oracle DBA run
the OPatch utility and send the text output to a file for the reviewer to use. The utility may be installed anywhere
on the system.
Check for compliance by using the Oracle Installer, the GUI interface for installation. Please note that some
checks for minor components are not included.
On UNIX the command is $ORACLE_HOME/bin/runInstaller. On Windows the command is
%ORACLE_HOME%\bin\setup.exe, or it can be run from Start>Programs>Oracle Installation Products>Universal
Installer or Start>Programs>Oracle-%ORACLE_HOME_NAME%>Oracle Installation Products>Universal Installer.
On the Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle
Home. Expand the Oneoffs selection and view the installed patches. If the required patches listed are not present
or the Oneoffs selection is not there, then this is a finding.
Apply all patches listed for the E-Business version installed:
11.5.10 CU2: 4150288, 5077660, 4969592, 4332440, 5074725, 5021981, 4712852
11.5.10 and CU1: 4150288, 5077660, 4969592, 4332440, 5021850, 5074725, 5021981, 4712852
11.5.9: 4150288, 5083114, 4969592, 4970474, 3483921, 5074725, 5021981, 4712852
11.5.8: 4150288, 2665762, 4969592, 5074725, 5021981, 5083111, 4712852
11.5.4 through 11.5.7: 4150288, 4969592, 5074725, 5021981, 4712852
11.5.1, 11.5.2, and 11.5.3: 4969592, 5074725, 5021981, 4712852
11.5.0: none
11.0: 4970432
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0555 V0011748 Category: I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: There are multiple vulnerabilities in E-Business Suite.
Reference: IAVA 2006-A-0020

94. IAVA0570 2006-A-0032 Multiple Vulnerabilities in Oracle E-Business Suite


Vulnerable Systems:
All versions.
Compliance Checking:
(The Oracle OPatch utility may also be used to review installed versions and patches. Have the Oracle DBA run
the OPatch utility and send the text output to a file for the reviewer to use. The text file may be searched for the
required patch numbers listed below. The utility may be installed anywhere on the system.)
Check for compliance by using the Oracle Installer, the GUI interface for installation. Please note that some
checks for minor components are not included.
On the Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle
Home. Expand the Oneoffs selection and view the installed patches. If the required patches listed are not present
or the Oneoffs selection is not there, then this is a finding.
Apply all patches listed for the E-Business version installed:
11.5.10 CU2: 5083302, 5088058, 4380242, 5127737, 5161758, 5183582
11.5.10 and CU1: 5083302, 5088058, 4380242, 5127737, 5161758, 5183582
11.5.7 through 11.5.9: 4068388, 4359261, 4380242, 5183582
If Oracle Financials is installed, one of the following patches must be applied if the instance is NOT at level
11i.FIN_PF.D through 11i.FIN_PF.G:
4155556, 4058603, 4317421, 4317421
Versions earlier than 11.5.7 are no longer supported.


Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0570 V0012321 Category: I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Vulnerabilities in Oracle E-Business Suite
Reference: IAVA 2006-A-0032

95. IAVA0590 2006-T-0020 Mozilla Firefox/Thunderbird Vulnerabilities

Vulnerable Systems:
Firefox versions prior to 1.5.0.6
Thunderbird versions prior to 1.5.0.5
SeaMonkey versions prior to 1.0.4

Compliance Checking:
Perform the following to check the Firefox version:
# ./firefox -v
If the version is not at least 1.5.0.6, then this is a finding.
Perform the following to check the Thunderbird version:
# ./thunderbird -v
If the version is not at least 1.5.0.5, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0590 V0012497 Category: I
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Mozilla Firefox/Thunderbird Vulnerabilities
Reference: IAVA 2006-T-0020

96. IAVA0595 2006-T-0016 Sun Java Application Server Vulnerabilities

Vulnerable Systems:
SPARC Platform
Sun ONE Application Server 7 without Update 9
Sun Java System Application Server 7 2004Q2 without Update 5
Sun Java System Application Server Enterprise Edition 8.1 2005Q1 without (file-based) patch 119169-08
or (SVR4) patch 119166-16
x86 Platform
Sun ONE Application Server 7 without Update 9
Sun Java System Application Server 7 2004Q2 without Update 5
Sun Java System Application Server Enterprise Edition 8.1 2005Q1 without (file-based) patch 119170-08
or (SVR4) patch 119167-16
Linux Platform
Sun ONE Application Server 7 without Update 9
Sun Java System Application Server 7 2004Q2 without Update 5
Sun Java System Application Server Enterprise Edition 8.1 2005Q1 without (file-based) patch 119171-08
or RHEL2.1/RHEL3.0 (pkg_patch) 119168-16

Compliance Checking:
To determine the version of Sun Java System Application Server on a system, run the following command:
# <AS_INSTALL>/bin/asadmin version --verbose
If the version is one of those listed in the vulnerable systems, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0595 V0012055 Category: II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Sun Java Application Server Vulnerabilities
Reference: IAVA 2006-T-0016

97. IAVA0600 1998-0011 General Internet Message Access Protocol (IMAP) and Post
Office Protocol (POP) Vulnerabilities

Vulnerable Systems:
All platforms running IMAP or POP servers
Compliance Checking:
Perform the following to determine if an IMAP or POP server is installed and listening:
# netstat -an | grep LISTEN
Use -n so that ports are shown numerically; without it, netstat prints the service names (pop3, imap) from
/etc/services and a search for the port numbers will miss them. If port 110 or port 143 is shown, then the mail
servers are enabled. If the mail servers are enabled and are not a required service, then this is a finding. If the
service is required and SSL is not being utilized, then this is also a finding. Ask the SA if SSL is being utilized
with the mail server connections.
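The port check above is the kind of thing a reviewer's script should do rather than a grep, because Solaris and Linux lay out netstat output differently (`*.110` in the first column versus `0.0.0.0:110` or `:::110` in the fourth) and a grep for `110` also matches ports such as 1100 or the foreign address. The following added example (not part of this checklist) extracts the LISTEN ports from either layout and flags the cleartext POP and IMAP ports; the two netstat samples are constructed in those layouts and are not from real hosts.

```shell
#!/bin/sh
# Added example, not part of the STIG checklist: list the TCP ports a host is
# listening on from netstat output and flag the cleartext mail ports. Use
# netstat -an, not -a: without -n the ports print as service names (pop3,
# imap) from /etc/services and a search for 110 or 143 misses them.

# Constructed samples in Solaris and Linux netstat layouts (not real hosts).
SAMPLE_NETSTAT_SOLARIS='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.110                *.*                0      0 49152      0 LISTEN
      *.143                *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.40112     65535      0 49152      0 ESTABLISHED'
SAMPLE_NETSTAT_LINUX='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED'

# listening_ports <netstat-text>
# Prints the distinct local TCP ports in LISTEN state, numerically sorted.
# Solaris puts the local address in column 1 (*.110); Linux puts it in
# column 4 after the protocol (0.0.0.0:110 or :::110). The port is whatever
# follows the last "." or ":" of the local address.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            laddr = ($1 ~ /^(tcp|tcp6)$/) ? $4 : $1
            n = split(laddr, part, /[.:]/)
            if (part[n] ~ /^[0-9]+$/) print part[n]
        }' | sort -nu
}

# cleartext_mail_ports <netstat-text>
# Prints 110 (POP3) and/or 143 (IMAP) when they are listening. Any output is
# a finding unless the service is required and SSL is in use. 995 and 993
# are the SSL-wrapped equivalents and are not flagged here.
cleartext_mail_ports() {
    listening_ports "$1" | awk '$1 == 110 || $1 == 143'
}

# Live use:   cleartext_mail_ports "$(netstat -an)"
cleartext_mail_ports "$SAMPLE_NETSTAT_SOLARIS"
```

The Solaris sample yields `110` and `143` (a finding unless the SA confirms the service is required and SSL-protected); the Linux sample yields nothing, since only the SSL-wrapped IMAP port 993 is open there, and that is the question to put to the SA rather than the port list alone.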
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0600 V0005748 Category: I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: General Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) Vulnerabilities
Reference: IAVA 1998-0011

98. IAVA0605 1999-0001 Mountd Remote Buffer Overflow Vulnerability

Vulnerable Systems:
Legacy versions of Red Hat Linux
Caldera
Compliance Checking:
Check the NFS server version by executing the following:
# rpm -qa | grep nfs-server
If the version displayed is not at least 2.2, then this is a finding.


Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0605 V0005749 Category: I
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Mountd Remote Buffer Overflow Vulnerability
Reference: IAVA 1999-0001

99. IAVA0610 1999-0003 Remote FTP Vulnerability

Vulnerable Systems:
UNIX systems running the WU-FTPD daemon or its derivatives.
Compliance Checking:
To determine the version of ftpd, issue the following command:
# strings /usr/sbin/in.ftpd | grep -i version
The version must be 2.6.0 or later, or this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0610 V0005751 Category: I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Remote FTP Vulnerability
Reference: IAVA 1999-0003

100. IAVA0615 2000-T-0015 BMC Best/1 Version 6.3 Performance Management System
Vulnerability

Vulnerable Systems:
BMC Best/1 Version 6.3 Performance Management System
Compliance Checking:
Ask the system administrator if the BMC Best/1 product is installed on the system. If the product is installed and
less than version 6.5, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0615 V0005798 Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: BMC Best/1 Version 6.3 Performance Management System Vulnerability
Reference: IAVA 2000-T-0015

101. IAVA0620 2000-B-0001 BIND NXT Buffer Overflow

Vulnerable Systems:
BIND v8.2.1
Compliance Checking:
Perform the following to determine the version of BIND.
# named -v
Or
# what /usr/sbin/named
If the version of BIND is not greater than 8.2.1, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0620 V0005780 Category: I
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: BIND NXT Buffer Overflow
Reference: IAVA 2000-B-0001

102. IAVA0625 2000-B-0002 Netscape Navigator Improperly Validates SSL Sessions

Vulnerable Systems:
Netscape Navigator 4.72 and earlier
Compliance Checking:
If a Netscape browser is installed, check the browser version by opening the browser application and selecting
Help/About Netscape to obtain the version. If the version is not at least 4.73, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0625 V0005781 Category: I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Netscape Navigator Improperly Validates SSL Sessions
Reference: IAVA 2000-B-0002

103. IAVA0630 2000-A-0001 Cross-Site Scripting Vulnerability

Vulnerable Systems:
All web servers and browsers
Compliance Checking:
If a web browser is installed, review its advanced options and disable active scripting such as JavaScript.
Web server software such as Apache and the Sun Java web server, and the web pages they serve, should be
reviewed by the web server administrator and web site developers for dynamic content that may be vulnerable to
malicious scripting.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0630 V0005777 Category: I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Cross-Site Scripting Vulnerability
Reference: IAVA 2000-A-0001

104. IAVA0635 2001-B-0003 U Encoding Intrusion Detection System Bypass Vulnerability

Vulnerable Systems:
Snort prior to 1.8.1
Compliance Checking:
To determine the version of snort, issue the following command:
# snort -V
If the version of snort is not at least 1.8.1, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0635 V0005811 Category: I
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: U Encoding Intrusion Detection System Bypass Vulnerability
Reference: IAVA 2001-B-0003

105. IAVA0640 2002-T-0005 Multiple Vulnerabilities in Oracle Database Server

Vulnerable Systems:
Oracle9i Database Server
Oracle8i Database Server
Oracle8 Database Server
Compliance Checking:
Check that the Oracle9i Database Server has had the patches applied. To check for patches, start the Oracle
Installer ($ORACLE_HOME/bin/runInstaller on UNIX; %ORACLE_HOME%\bin\setup.exe on Windows). On the
Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle Home.
Expand the Oneoffs selection and view the installed patches. If the patches listed are not there or the Oneoffs
selection is not there, then this is a finding.
Version 9.2.0.3: patches 3056404 and 2973634

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0640 V0005852 Category: II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Vulnerabilities in Oracle Database Server
Reference: IAVA 2002-T-0005

106. IAVA0645 2002-T-0006 Multiple Vulnerabilities in Oracle9i Application Server

Vulnerable Systems:
Oracle9i Application Server
Compliance Checking:
Check that the Oracle9i Application Server has had the patches applied. To check for patches, start the Oracle
Installer ($ORACLE_HOME/bin/runInstaller on UNIX; %ORACLE_HOME%\bin\setup.exe on Windows). On the
Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle Home.
Expand the Oneoffs selection and view the installed patches. If the patches listed are not there or the Oneoffs
selection is not there, then this is a finding.
Version 1.2.0.x: patches 2128936, 2209455
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0645 V0005853 Category: II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Vulnerabilities in Oracle9i Application Server
Reference: IAVA 2002-T-0006

107. IAVA0650 2002-T-0010 Denial of Service Vulnerability in ISC-BIND 9

Vulnerable Systems:
ISC BIND 9.0 through 9.2
Compliance Checking:
Execute the following command to check the version of BIND.
# /usr/sbin/named -v
If the version output of the preceding command is not at least 9.2.1, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0650 V0005857 Category: II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Denial of Service Vulnerability in ISC-BIND 9
Reference: IAVA 2002-T-0010

108. IAVA0655 2002-T-SNMP-003 Multiple Simple Network Management Protocol
Vulnerabilities in Servers and Applications

Vulnerable Systems:
nCipher nFast 800 (NET-SNMP) for Linux/Solaris
Compliance Checking:
Ask the systems administrator if the nCipher product is installed. If the product is installed, ask the
systems administrator to verify that the patches have been downloaded and installed from
http://www.ncipher.com/members/download.php?resource_id=55 . If the system administrator does not have a
login to the above website, that is a good indication that the product has not been patched. If the product has been
installed and patched properly, then this is not a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0655 V0005867 Category: II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
Reference: IAVA 2002-T-SNMP-003

http://s3.amazonaws.com/0706/819143.html

07/14/2007 08:21:33 AM

4 SYSTEM CHECKS

Page 439

109. IAVA0660 2002-A-SNMP-004 Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices

Vulnerable Systems:
DNCP-HPUX
Compliance Checking:
DNCP (Distributed Network Control Platform) manufactures edge devices utilizing the HP-UX operating
system. Check this device for the following patch with the procedures listed in Appendix F:
PHSS_26138
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0660V0005838 Category I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices
Reference: IAVA 2002-A-SNMP-004

110. IAVA0665 2002-A-SNMP-005 Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices

Vulnerable Systems:
BMC Patrol Agent for Unix v3.4.11, v3.4.00, v3.3.00
Compliance Checking:
Ask the SA if the BMC Patrol agent is installed on the system. If the agent is installed on the system and is one
of the vulnerable versions listed, then check http://www.bmc.com/info_center_support/snmp_cert_advise041802.html
to ensure the correct patches are installed. If the correct patches are not installed, then this is a finding.
Systems running legacy versions such as 3.4.00 and 3.3.00 need to contact BMC support for resolution.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0665V0005839 Category I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices
Reference: IAVA 2002-A-SNMP-005

111. IAVA0670 2002-A-SNMP-006 Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications

Vulnerable Systems:
IRIX versions 5.3 to 6.4
Tivoli v7.1 NetView for UNIX
Compliance Checking:

Irix
If the Irix operating system version is not at least 6.5, then this is a finding. Perform the following to
determine the operating system version:
# uname -a

Tivoli
If Tivoli Netview 7.1 is installed, ask the SA if they have applied all vendor patches for SNMP
vulnerabilities. If the patches have not been installed, then this is a finding. The IAVA and vendor do not list
specific patches to install.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0670V0005840 Category I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
Reference: IAVA 2002-A-SNMP-006

112. IAVA0675 2003-A-0006 Multiple Vulnerabilities in Multiple Versions of Oracle Database Server

Vulnerable Systems:
Oracle 8 8.0.6
Oracle 8i 8.0.x
Oracle 8i 8.1.7
Oracle 8i 8.1.x


Oracle 9i 9.0.2
Oracle 9i 9.0.1.3
Oracle 9i 9.0.1.2
Oracle 9i 9.0.1
Oracle 9i 9.0
Oracle 9i Release 1, 9.0.x
Oracle 9i Release 2, 9.2.2
Oracle 9i Release 2, 9.2.x
Oracle 9i Release 2, 9.2.1
Compliance Checking:
To check for patches, execute the following: %ORACLE_HOME%\bin\setup.exe. On the Welcome screen, click
the Installed Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs
selection and view the installed patches. If the patches listed are not there or the Oneoffs selection is not there,
then this is a finding.
Ensure the following patches are installed:
2642117 Oracle Database Server DIRECTORY Buffer Overflow Vulnerability
2642267 Oracle Database Server TZ_OFFSET Buffer Overflow Vulnerability
2642439 Oracle Database Server TO_TIMESTAMP_TZ Buffer Overflow Vulnerability
2620726 Oracle Database Server ORACLE.EXE Buffer Overflow Vulnerability
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0675V0005873 Category I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Vulnerabilities in Multiple Versions of Oracle Database Server
Reference: IAVA 2003-A-0006

113. IAVA0680 2004-T-0002 Oracle 9i Application/Database Server Denial Of Service Vulnerability

Vulnerable Systems:
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle9i Application Server Release 2, version 9.0.2.1 and earlier versions
Oracle9i Application Server Release 2, version 9.0.3.0 and 9.0.3.1
Oracle9i Database Server Release 2, version 9.2.0.2
Oracle9i Database Server Release 1, version 9.0.1.4
Compliance Checking:
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory -detail command. The
required patches are 2701372 or 2701717.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0680V0005924 Category II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Oracle 9i Application/Database Server Denial Of Service Vulnerability
Reference: IAVA 2004-T-0002

114. IAVA0685 2004-T-0005 Oracle9i Lite Mobile Server Multiple Vulnerabilities

Vulnerable Systems:
Oracle9i Lite 5.0.0.0.0
Oracle9i Lite 5.0.1.0.0
Oracle9i Lite 5.0.2.0.0
Oracle9i Lite 5.0.2.9.0
Compliance Checking:
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory -detail command. Patch
3369291 must be installed. If the patch is not installed, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0685V0005928 Category II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Oracle9i Lite Mobile Server Multiple Vulnerabilities
Reference: IAVA 2004-T-0005

115. IAVA0690 2004-T-0011 Oracle Application Server Web Cache HTTP Request Method
Heap Overrun Vulnerability

Vulnerable Systems:
Oracle Application Server Web Cache 10g 9.0.4.0
Oracle Application Server 10g 9.0.4.0
Oracle Oracle9i Application Server Web Cache 2.0.0.0.4
Oracle Oracle9i Application Server 1.0.2.2
Oracle Oracle9i Application Server Web Cache 9.0.2.2
Oracle iStore 11i 11i.IBE.O
Oracle Oracle9i Application Server Web Cache 9.0.2.3
Oracle Oracle9i Application Server Web Cache 9.0.3.1


Compliance Checking:
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory command. At least one of
the following patches must be present: 3319824 (10g), 3621435 (9iAS WC 9.0.3.1.0), 3573405 (9iAS WC 9.0.2.3.0),
or 3611297 (9iAS WC 2.0.0.4.0).
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0690V0005940 Category II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
Reference: IAVA 2004-T-0011

116. IAVA0695 2004-T-0022 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability

Vulnerable Systems:
Linux and Solaris running Checkpoint Firewall products
Compliance Checking:
Each specific firewall product provided by Check Point has a different patch to apply. Due to the large
number of patches to be applied for each product, refer to
https://www.jtfgno.mil/bulletins/dodcert2004/2004-t-0022.htm to check for compliance.
Remediation Guidelines:


Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0695V0005964 Category II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability
Reference: IAVA 2004-T-0022

117. IAVA0700 2004-T-0026 Mozilla Network Security Services Library Remote Heap Overflow Vulnerability

Vulnerable Systems:
HP-UX B.11.23 and prior
Mozilla Network Security Services (NSS) 3.9.0 and prior
Mozilla Browser 1.4.0-1.5.0
Sun ONE Application Server 7.0.0 and prior
Sun ONE Directory Server 5.2.0 and prior
Sun ONE Web Server 6.1.0 and prior
Sun Java Enterprise System
Compliance Checking:

HP-UX
To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an
affected fileset. The following filesets should be checked for:
NetscapeDirSvr6.NDS-SLAPD
NetscapeDirSvr6.NDS-ADM
No patches exist for this vulnerability, but the IAVA does list specific workaround procedures. If the
workaround has not been applied, then this is a finding.

Sun Java System

Check the version number of the Sun Java System component. If the version is not at least one of the
versions listed below, then this is a finding.
Sun Java System Web Server 6.0 SP 9 and later
Sun Java System Web Server 6.1 SP 3 and later
Sun Java System Application Server 7 2004Q2 Update 1 and later
Sun Java System Application Server 7 Update 5 and later

Sun Java Enterprise System

For Solaris 8 sparc check for the following patches with procedures in Appendix F:
114045-12 or later
115924-09 or later

For Solaris 9 sparc check for the following patches with procedures in Appendix F:
114049-12 or later
115926-10 or later
For Solaris 9 x86 check for the following patches with procedures in Appendix F:
114050-12 or later
115927-10 or later

Mozilla Network Security Services

Check the version of the Mozilla NSS. If the version is not at least 3.9.2, then this is a finding.

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0700V0005969 Category II
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Mozilla Network Security Services Library Remote Heap Overflow Vulnerability
Reference: IAVA 2004-T-0026

118. IAVA0705 2004-T-0027 Multiple Vulnerabilities in MIT Kerberos V

Vulnerable Systems:
Kerberos V
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux WS 3
Sun SEAM 1.0.2
Sun Solaris 9.0.0
Sun Solaris 9.0.0_x86
Compliance Checking:

Redhat
# rpm -qa | grep krb5
If any of the Kerberos packages are installed, then either the workstation or server package with its version
number should be returned from the preceding command. If the package version is not at least 1.3.4-5, then
this is a finding.

Solaris 9
# grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm ___

If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for
Kerberos and this check is not applicable. Otherwise, perform procedures in Appendix F, Patch Control, to check
for the following patches:
Sparc- 112908-16 or later
x86- 115168-05 or later
If the patches are not found on the system and Kerberos is utilized, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0705V0005970 Category II
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Vulnerabilities in MIT Kerberos V
Reference: IAVA 2004-T-0027

119. IAVA0710 2004-B-0009 Oracle E-Business Suite Multiple SQL Injection

Vulnerable Systems:
Oracle Applications 11.0 (all releases)
Oracle E-Business Suite Release 11i, 11.5.1 through 11.5.8


Compliance Checking:
To check for patches, open the Oracle Universal Installer. On the Welcome screen, click the Installed
Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view
the installed patches. If the patches listed are not there or the Oneoffs selection is not there, then this is a
finding. At least one of the patches should be listed for each occurrence of an installed component: E-Business
Suite patch 3644626, Applications suite patch 3648066.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0710V0005954 Category I
Status Code: PART
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Oracle E-Business Suite Multiple SQL Injection Vulnerability
Reference: IAVA 2004-B-0009

120. IAVA0715 2005-T-0031 Multiple Vulnerabilities in Computer Associates Message Queuing

Vulnerable Systems:
Computer Associates Advantage Data Transport 3.0.0
Computer Associates AdviseIT 2.4.0
Computer Associates BrightStor Portal 11.1.0
Computer Associates BrightStor SAN Manager 1.1.0
Computer Associates BrightStor SAN Manager 1.1.0 SP1
Computer Associates BrightStor SAN Manager 1.1.0 SP2
Computer Associates BrightStor SAN Manager 11.1.0
Computer Associates CAM 1.5.0
Computer Associates CAM 1.7.0
Computer Associates CAM 1.11.0


Computer Associates CleverPath Aion 10.0.0
Computer Associates CleverPath ECM 3.5.0
Computer Associates CleverPath OLAP 5.1.0
Computer Associates CleverPath Predictive Analysis Server 2.0.0
Computer Associates CleverPath Predictive Analysis Server 3.0.0
Computer Associates eTrust Admin 2.1.0
Computer Associates eTrust Admin 2.4.0
Computer Associates eTrust Admin 2.7.0
Computer Associates eTrust Admin 2.9.0
Computer Associates eTrust Admin 8.0.0
Computer Associates eTrust Admin 8.1.0
Computer Associates Unicenter Application Performance Monitor 3.0.0
Computer Associates Unicenter Application Performance Monitor 3.5.0
Computer Associates Unicenter Asset Manager
Computer Associates Unicenter Data Transport Option 2.0.0
Computer Associates Unicenter Enterprise Job Manager 1.0.0 SP1
Computer Associates Unicenter Enterprise Job Manager 1.0.0 SP2
Computer Associates Unicenter Jasmine 3.0.0
Computer Associates Unicenter Management for Lotus Notes/Domino 4.0.0
Computer Associates Unicenter Management for Web Servers 5.0.0
Computer Associates Unicenter Management for Web Servers 5.0.1
Computer Associates Unicenter Management for WebSphere MQ 3.5.0
Computer Associates Unicenter Management Portal 2.0.0
Computer Associates Unicenter Management Portal 3.1.0
Computer Associates Unicenter Network and Systems Management 3.0.0
Computer Associates Unicenter Network and Systems Management 3.1.0
Computer Associates Unicenter NSM Wireless Network Management Option 3.0.0
Computer Associates Unicenter Performance Management for OpenVMS 2.4.0 SP3
Computer Associates Unicenter Remote Control 6.0.0
Computer Associates Unicenter Remote Control 6.0.0 SP1
Computer Associates Unicenter Service Level Management 3.0.0
Computer Associates Unicenter Service Level Management 3.0.1
Computer Associates Unicenter Service Level Management 3.0.2
Computer Associates Unicenter Service Level Management 3.5.0
Computer Associates Unicenter Software Delivery 3.0.0
Computer Associates Unicenter Software Delivery 3.1.0
Computer Associates Unicenter Software Delivery 3.1.0 SP1
Computer Associates Unicenter Software Delivery 3.1.0 SP2
Computer Associates Unicenter Software Delivery 4.0.0
Computer Associates Unicenter Software Delivery 4.0.0 SP1
Computer Associates Unicenter TNG 2.1.0
Computer Associates Unicenter TNG 2.2.0
Computer Associates Unicenter TNG 2.4.0
Computer Associates Unicenter TNG 2.4.2
Computer Associates Unicenter TNG JPN 2.2.0


Compliance Checking:
Running camstat returns the version information in the top line of its output on any platform. The
camstat command is located in the bin subfolder of the installation directory.
The /etc/catngcampath text file holds the CAM install location.
The version should be at least CAM 1.07 Build 220_13 or CAM 1.11 Build 29_13, depending on the installation's
major release number.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0715V0011680 Category II
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Multiple Vulnerabilities in Computer Associates Message Queuing
Reference: IAVA 2005-T-0031

121. IAVA0720 2005-B-0007 Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability

Vulnerable Systems:
Symantec AntiVirus Corporate Edition 8.0.0 1
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 9.0.0
Symantec AntiVirus for Caching
Symantec AntiVirus for Network Attached Storage
Symantec AntiVirus for SMTP 3.1.0
Symantec AntiVirus Scan Engine 4.0.0
Symantec AntiVirus Scan Engine 4.3.0
Symantec AntiVirus Scan Engine for Bluecoat 4.0.0
Symantec AntiVirus Scan Engine for Bluecoat 4.3.0
Symantec AntiVirus Scan Engine for Caching 4.3.0
Symantec AntiVirus Scan Engine for Filers 4.3.0
Symantec AntiVirus Scan Engine for ISA 4.0.0


Symantec AntiVirus Scan Engine for ISA 4.3.0
Symantec AntiVirus Scan Engine for Netapp Filer 4.0.0
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.0
Symantec AntiVirus Scan Engine for Netapp NetCache 4.0.0
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.0
Symantec AntiVirus/Filtering for Domino Ports 3.0.0 (AIX) build 3.0.5
Symantec AntiVirus/Filtering for Domino Ports 3.0.0 (Linux) build 3.0.5
Symantec Brightmail Anti-Spam 4.0.0
Symantec Brightmail Anti-Spam 5.5.0
Symantec Client Security 1.0.1
Symantec Client Security 1.1.1
Symantec Gateway Security 5300 1.0.0
Symantec Gateway Security 5400 2.0.0
Symantec Gateway Security 5400 2.0.1
Symantec Mail Security for SMTP 4.0.0
Symantec Norton AntiVirus 2004
Symantec Norton Internet Security 2004 Professional Edition
Symantec Norton System Works 2004
Symantec Web Security 3.0.0
Compliance Checking:
Ask the system administrator if any of the products listed in the vulnerable systems are installed on the system.
Ask the administrator if the most current product update which is available from https://www.jtfgno.mil has been
installed. This is a finding if the most recent software has not been installed.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0720V0006015 Category I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSQ-1, VIVM-1
PDI Description: Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability
Reference: IAVA 2005-B-0007


122. IAVA0725 2005-B-0008 Trend Micro VSAPI ARJ Handling Heap Overflow

Vulnerable Systems:
Trend Micro InterScan Messaging Security Suite for Linux
Trend Micro InterScan Messaging Security Suite for Solaris
Trend Micro InterScan VirusWall for Linux
Trend Micro InterScan VirusWall for HP-UX
Trend Micro InterScan VirusWall for AIX
Trend Micro InterScan VirusWall for Solaris
Trend Micro InterScan Web Security Suite for Linux
Trend Micro InterScan Web Security Suite for Solaris
Trend Micro ServerProtect for Linux
Compliance Checking:
Ask the system administrator if any of the above products are installed on the machine. If any of the above
products are installed, ask the system administrator if an appropriate vendor patch has been installed from
https://www.jtfgno.mil. If the specific patch listed in the IAVA has not been installed, then this is a finding.

Control Manager
File                              Platform  Program Version  Engine Version  Size     Release Date
vsapi-solaris-7.510-1002.tar.z    Solaris   2.0 and above    7.510           992.0KB  Feb 24, 2005

InterScan Messaging Security Suite
File                              Platform  Program Version  Engine Version  Size     Release Date
vsapi-x86-linux-7.510-1002.tar.z  Linux     5.5 and above    7.510           892.0KB  Feb 24, 2005
vsapi-solaris-7.510-1002.tar.z    Solaris   5.0 and above    7.510           992.0KB  Feb 24, 2005

InterScan VirusWall
File                              Platform  Program Version  Engine Version  Size     Release Date
vsapi-x86-linux-7.510-1002.tar.z  Linux     3.01 and above   7.510           892.0KB  Feb 24, 2005
vsapi-solaris-7.510-1002.tar.z    Solaris   3.0 and above    7.510           992.0KB  Feb 24, 2005
vsapi-hpux-7.510-1002.tar.z       HP-UX     3.0 and above    7.510           1.1MB    Feb 24, 2005
vsapi-aix-7.510-1002.tar.z        AIX       3.6              7.510           1.2MB    Feb 24, 2005

InterScan Web Security Suite
File                              Platform  Program Version  Engine Version  Size     Release Date
vsapi-x86-linux-7.510-1002.tar.z  Linux     2.0 and above    7.510           892.0KB  Feb 24, 2005
vsapi-solaris-7.510-1002.tar.z    Solaris   1.0 and above    7.510           992.0KB  Feb 24, 2005

ServerProtect for Linux
File                              Platform  Program Version  Engine Version  Size     Release Date
vsapi-x86-linux-7.510-1002.tar.z  Linux     1.0 and above    7.510           892.0KB  Feb 24, 2005

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

123. IAVA0730 2005-A-0043 Symantec AntiVirus Library RAR Decompression

Vulnerable Systems:
Symantec AntiVirus/Filtering for Domino (AIX, Linux, Solaris) 3.0.11
Symantec Scan Engine 5.0
Symantec AntiVirus Scan Engine 4.1.8 4.3.12
Symantec AntiVirus for Messaging 4.3.12
Symantec AntiVirus for NAS 4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer 4.0 4.3
Symantec AntiVirus Scan Engine for NetApp NetCache 4.0 4.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0 4.3
Symantec AntiVirus for Clearswift 4.3.12
Symantec AntiVirus Scan Engine for Caching 4.3.12
Symantec AntiVirus for SMTP 3.1 4.1.9
Symantec Client Security 3.X
Symantec Web Security 3.0.1
Symantec Gateway Security 5000 Series 3.0
Symantec Gateway Security 5400 Series 2.0
Symantec Gateway Security 1.0


Symantec BrightMail AntiSpam 4.0 5.5 6.0
Symantec AntiVirus Corporate Edition 10.X
Compliance Checking:
If any of the above specific product versions are installed, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

124. IAVA0735 2006-T-0002 Multiple Vulnerabilities within BEA WebLogic Software

Vulnerable Systems:
BEA Systems WebLogic Express 6.1.0
BEA Systems WebLogic Express 6.1.0 SP 1-8
BEA Systems WebLogic Express 7.0.0
BEA Systems Weblogic Server 6.1.0 SP 1-7
BEA Systems Weblogic Server 7.0.0
BEA Systems Weblogic Server 7.0.0 SP 1-6
BEA Systems Weblogic Server 7.0.0.0.1
BEA Systems Weblogic Server 7.0.0.0.1 SP 1-4
BEA Systems Weblogic Server 8.1.0
BEA Systems Weblogic Server 8.1.0 SP 1-5
BEA Systems Weblogic Server 9.0
Compliance Checking:
To determine the version number, run the setEnv.sh script, which is located under:
# WL_HOME/config/{your-domain}/setEnv.sh
Then run java weblogic.version, which should produce version string output.
This can also be checked from the weblogic console directly by:
Mydomain > Servers > myserver and select the Monitoring/Versions tab.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

125. IAVA0740 2006-T-0005 Multiple Vulnerabilities in Mozilla Products

Vulnerable Systems:
Firefox and Thunderbird prior to version 1.5.0.1
Seamonkey prior to version 1.0
Compliance Checking:
Check that Firefox and Thunderbird have been updated to version 1.5.0.1 or higher. Seamonkey should be at
version 1.0 or higher. The versions can usually be checked from the Help|About menu within the graphical menu
toolbar.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

126. IAVA0745 2006-T-0007 Veritas NetBackup Multiple Remote Buffer Overflow

Vulnerable Systems:


Veritas Software NetBackup BusinesServer 4.5.0 FP
Veritas Software NetBackup BusinesServer 4.5.0 MP
Veritas Software NetBackup DataCenter 4.5.0 FP
Veritas Software NetBackup DataCenter 4.5.0 MP
Veritas Software NetBackup Enterprise Server 5.0.0
Veritas Software NetBackup Enterprise Server 5.1.0
Veritas Software NetBackup Enterprise Server 6.0.0
Compliance Checking:
To check the version number, perform the following: open the NetBackup Administration Console, then select
Help and About to obtain the version information. If the version is one of those listed in the vulnerable systems
above, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

127. IAVA0755 2006-T-0009 Multiple Vulnerabilities in Symantec AntiVirus Engine

Vulnerable Systems:
Symantec Anti-virus scan engine prior to 5.1
Compliance Checking:
To determine which version of Symantec AntiVirus is installed, start the application and select Help|About.
This should display the scan engine version. Some instances display the engine version on the main application
window.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.


Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

128. IAVA0760 2006-T-0013 RealVNC Remote Authentication Bypass

Vulnerable Systems:
RealVNC 4.1.1
Compliance Checking:
To determine if the VNC software is installed on a UNIX machine, perform the following:
# find / -name vncserver -print
If the software is found, perform the following to retrieve the version information:
# vncserver -help
This will display the version on the first line returned. If the version is not at least 4.2.3, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
129. IAVA0765 2006-T-0023 Multiple Vulnerabilities in Wireshark

Vulnerable Systems:
Wireshark 0.99.2 or Ethereal 0.99.0 or earlier
Compliance Checking:

Check for the existence of Wireshark with the following command:
# find / -name tshark -print
If the binary for tshark is found, continue with the following command to check the version:
# tshark -v
If the version displayed is not at least 0.99.3, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
130. IAVA0770 2006-T-0035 Sun Java System/iPlanet Messaging Server

Vulnerable Systems:
iPlanet Messaging Server 5.2 (for Solaris 8 and 9) without patch 5.2hf2.13
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 8, 9, and 10) without patch 118207-56
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 9 and 10) without patch 118208-56
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for RHEL 2.1 and 3.0) without patch 118209-56
Compliance Checking:
To determine if Sun Java System Messaging Server is installed on a system, the following command can be run:
# pkginfo SUNWmsgco
application SUNWmsgco Sun Java System Messaging Server Core Libraries
To determine the version of iPlanet Messaging Server on a system, the following command can be run:
# cat /etc/msgregistry.inf
If this file exists, it lists the instances and installs (if any).

To determine the version of Sun Java Messaging Server on a system, the following command can be run:
# /opt/SUNWmsgsr/sbin/imsimta version
If the software is installed without the patches mentioned in the vulnerable systems section, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
131. IAVA0775 2006-B-0016 Multiple Remote Denial of Service Vulnerabilities within ISC BIND

Vulnerable Systems:
BIND 9.3.0, BIND 9.3.1, BIND 9.3.2, BIND 9.3.3b1 and BIND 9.3.3rc1
BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6 and 9.4.0b1
Compliance Checking:
Perform the following to determine the version of BIND:
# named -v
Or
# what /usr/sbin/named -v
If the version is not one of the following: BIND 9.3.2-P1, BIND 9.2.7 or BIND 9.2.6-P1, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
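The two comparisons these checks describe, written out as POSIX shell functions: checks 128, 129 and 138 compare the reported version against a minimum release ("not at least X is a finding"), while this BIND check accepts only the listed fixed releases. This is an added example, not part of the checklist and not one of the DISA UNIX scripts; the command output strings inside it are constructed stand-ins for the first line of `tshark -v`, `vncserver -help`, `snort -V` and `named -v` on a real host.

```shell
#!/bin/sh
# Added example (not part of the checklist or of any vendor tool): the two
# version comparisons the checks above use, as reusable POSIX sh functions.
#   - "not at least X is a finding"     (128 vncserver, 129 tshark, 138 snort)
#   - "not one of the fixed releases"   (131 BIND)
# Binary names and minimums come from the checks; every sample output string
# below is constructed, not captured from a real host.

# extract_version "<command output>" -> first dotted version token, e.g. the
# "0.99.2" in "TShark 0.99.2 (SVN Rev 19000)"; a "-P1" style suffix is kept.
extract_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            v = $i
            sub(/^v/, "", v); sub(/[,;)]+$/, "", v)
            if (v ~ /^[0-9]+(\.[0-9]+)+/) { print v; exit }
        }
    }'
}

# version_ge A B -> exit 0 if A >= B, comparing dotted numeric components
# left to right (so 2.6.1.2 >= 2.6.1 and 0.99.2 < 0.99.3).  Non-numeric
# suffixes such as -P1 or rc1 are ignored here; use list_version_check when
# the suffix matters.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^[^0-9]*/, "", a); sub(/[^0-9.].*/, "", a)
        sub(/^[^0-9]*/, "", b); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# min_version_check NAME "<output>" MIN -> 0 when NAME is at least MIN,
# 1 when it is a finding (or the version could not be parsed).
min_version_check() {
    name=$1; ver=$(extract_version "$2"); min=$3
    if [ -z "$ver" ]; then
        echo "$name: no version parsed from output, review manually"; return 1
    fi
    if version_ge "$ver" "$min"; then
        echo "$name $ver: at least $min, not a finding"; return 0
    fi
    echo "$name $ver: below $min, FINDING"; return 1
}

# list_version_check NAME "<output>" FIXED... -> 0 only when the running
# version is exactly one of the fixed releases (the BIND wording above).
list_version_check() {
    name=$1; ver=$(extract_version "$2"); shift 2
    for ok in "$@"; do
        if [ "$ver" = "$ok" ]; then
            echo "$name $ver: fixed release, not a finding"; return 0
        fi
    done
    echo "$name ${ver:-unknown}: not a fixed release, FINDING"; return 1
}

# Walk the checks with constructed output; on a host, replace each string
# with the first line of the real command ("tshark -v", "snort -V", ...).
demo() {
    findings=0
    min_version_check tshark    "TShark 0.99.2 (SVN Rev 19000)" 0.99.3  || findings=$((findings + 1))
    min_version_check vncserver "VNC Server Free Edition 4.1.1"  4.2.3   || findings=$((findings + 1))
    min_version_check snort     "Version 2.6.1.2 (Build 34)"     2.6.1.2 || findings=$((findings + 1))
    list_version_check named "BIND 9.3.2-P1" 9.3.2-P1 9.2.7 9.2.6-P1 || findings=$((findings + 1))
    list_version_check named "BIND 9.3.2"    9.3.2-P1 9.2.7 9.2.6-P1 || findings=$((findings + 1))
    echo "findings: $findings"
    return 0
}

demo
```

On a host, feed each function the first line of the real command's output. Several of these tools write their version banner to standard error rather than standard output, so capture with `2>&1` before passing the text in; an empty parse is reported as a finding for manual review rather than silently passing.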

132. IAVA0780 2006-B-0017 Multiple Vulnerabilities in Adobe Flash Player

Vulnerable Systems:
Flash Player 8.0.24.0 and prior
Flash Professional 8
Flash Basic
Flash MX 2004
Adobe Flex 1.5
Compliance Checking:
To verify the Flash Player version number, access the About Flash Player page, or right-click on Flash
content and select About Macromedia Flash Player from the menu. If multiple browsers are in use, perform the
check and the installation for each browser. If the version is Adobe Flash Player 8.0.24 or earlier, then this is a
finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
133. IAVA0785 2006-A-0008 Computer Associates (CA) iTechnology iGateway Service Vulnerability

Vulnerable Systems:
Computer Associates: CA iTechnology iGateway 4.0
Compliance Checking:
Check the installed version of iGateway. If the version is not at least 4.0.051230, then this is a
finding. Patches can be obtained from
ftp://ftp.ca.com/pub/iTech/downloads

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0785  V0011724  Category I
Status Code: MAN
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECMT-1, ECMT-2, VIVM-1
PDI Description: Computer Associates (CA) iTechnology iGateway Service Vulnerability
Reference: IAVA 2006-A-0008

134. IAVA0805 2006-A-0050 Multiple Vulnerabilities in Oracle E-Business Suite and Applications

Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle9i Application Server Release 1, version 1.0.2.2
Compliance Checking:
To check for patches, open the Oracle Universal Installer: On the Welcome screen, click on the Installed
Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view
the installed patches. If the patches listed are not there or the Oneoffs selection is not there, then this is a Finding.
Apply all patches listed for the E-Business version installed:
11.5.10 CU2: 5447522, 5486407, 5479643, 5500118, 5335967, 5483388
11.5.10 and CU1: 5447522, 5486407, 5479643, 5500118, 5335967, 4580011
11.5.9: 5447522, 5486408, 5479643, 5500118, 4665644, 5483382, 5534762
11.5.8: 5447522, 5479643, 5500118, 5549711, 5483377, 5534752
11.5.7: 5447522, 5479643, 5500118, 5534742
For Oracle Mobile Field Service (MFS) customers: 5483388, 5483382, 5483377
For Oracle Trading Community Architecture customers: If your instance is at 11i.HZ.G or 11i.HZ.H, then apply
patch 5521537. If your instance is at 11i.HZ.I to 11i.HZ.L, then apply patch 3748842. If your instance is at
11i.HZ.M, then apply patch 5521476. If your instance is at 11i.HZ.N, then apply patch 5526897.
Versions earlier than 11.5.7 are no longer supported.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
135. IAVA0810 2007-T-0001 MIT Kerberos 5 RPC Library Remote Code Execution Vulnerability
Vulnerable Systems:
MIT Kerberos 5 1.5.1 and earlier
Compliance Checking:
# strings libkrb5.so | grep BRAND
If the version is not at least 5.1.5.2 or 5.1.6, then this is a finding.


Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
136. IAVA0815 2007-T-0002 MIT Kerberos 5 Administration Daemon Remote Code Execution Vulnerability
Vulnerable Systems:
MIT Kerberos 5 1.5 and Kerberos 5.1.5.1

Compliance Checking:
# strings libkrb5.so | grep BRAND
If the version is not at least 5.1.5.2 or 5.1.6, then this is a finding.


Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

137. IAVA0820 2007-T-0003 Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability
Vulnerable Systems:
JDK and JRE 5.0 Update 9 and earlier
SDK and JRE 1.4.2_12 and earlier
SDK and JRE 1.3.1_18 and earlier
Compliance Checking:
To determine the version of Java on a system, the following command can be run:
# java -fullversion
Or
# java -version
If the version is not at least one of the following, then this is a finding:
JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later
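The fixed releases above are named in Sun's product form (5.0 Update 10), while `java -version` reports the same release as 1.5.0_10 and writes its banner to standard error, so a script has to map the family and compare the update number after the underscore. The function below is an added example, not part of the checklist or of the DISA scripts; it assumes the mapping 1.5.0 -> Update 10, 1.4.2 -> _13, 1.3.1 -> _19 from this check, treats any family newer than 1.5.0 as outside the check, and the version strings it is fed are constructed.

```shell
#!/bin/sh
# Added example, not part of the checklist: evaluate `java -version` output
# against the three fixed releases named in check 137.  Sun's "5.0 Update 10"
# is reported by the JVM as 1.5.0_10, so the number after "_" is compared per
# family.  Sample strings are constructed; on a real host capture the banner
# with:  java -version 2>&1   (it is written to standard error).

# java_version_string "<output>" -> the quoted version token, e.g. 1.5.0_10,
# with a build suffix such as "-b03" (as printed by -fullversion) removed.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9.]*\(_[0-9]*\)*\)[^"]*".*/\1/p' | head -n1
}

# java_version_check "<output>" -> 0 when the JVM is at least one of the fixed
# releases (or a newer family), 1 when this check is a finding.
java_version_check() {
    v=$(java_version_string "$1")
    if [ -z "$v" ]; then
        echo "java: no version found in output, review manually"; return 1
    fi
    fam=${v%%_*}                      # 1.5.0
    upd=${v#"$fam"}; upd=${upd#_}     # 10 (empty when there is no update suffix)
    upd=$(printf '%s\n' "${upd:-0}" | sed 's/^0*//'); upd=${upd:-0}   # "09" -> 9
    case $fam in
        1.5.0) need=10 ;;   # JDK/JRE 5.0 Update 10
        1.4.2) need=13 ;;   # SDK/JRE 1.4.2_13
        1.3.1) need=19 ;;   # SDK/JRE 1.3.1_19
        *)
            # Families the check does not list: newer than 1.5.0 is outside
            # its scope, anything older has no fixed release and is a finding.
            famnum=$(printf '%s\n' "$fam" | awk -F. '{ print $1 * 10000 + $2 * 100 + $3 }')
            if [ "$famnum" -gt 10500 ]; then
                echo "java $v: newer than the families in this check, not a finding"; return 0
            fi
            echo "java $v: family without a fixed release in this check, FINDING"; return 1 ;;
    esac
    if [ "$upd" -ge "$need" ]; then
        echo "java $v: at least ${fam}_$need, not a finding"; return 0
    fi
    echo "java $v: below ${fam}_$need, FINDING"; return 1
}

# Constructed banners standing in for `java -version 2>&1` on three hosts.
java_version_check 'java version "1.5.0_09"'
java_version_check 'java full version "1.4.2_13-b06"'
java_version_check 'java version "1.6.0_01"'
```

The check lists separate minimums per family, so a 1.4.2_13 install passes even though 1.4.2_13 is numerically below 1.5.0_09; a plain dotted comparison would get this wrong, which is why the family is matched first.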

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

138. IAVA0825 2007-A-0001 Snort Backtracking Denial of Service Vulnerability


Vulnerable Systems:
All versions prior to Snort Project Snort 2.6.1
Compliance Checking:
To determine the version of snort, issue the following command:
# snort -V
If the version is not at least 2.6.1.2, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

PDI: IAVA0825  V0013577  Category I
Status Code: AUTO
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECMT-1, ECMT-2, VIVM-1
PDI Description: Snort Backtracking Denial of Service Vulnerability
Reference: IAVA 2007-A-0001

139. IAVA0830 2007-A-0002 Snort GRE Packet Decoding Integer Underflow Vulnerability
Vulnerable Systems:
Snort 1.3.1 or later with the special option for developers for experimental pre-processor.
Compliance Checking:
To determine the version of snort, issue the following command:
# snort -V
If the version is 2.6.1.2, ask the SA if the executable binary was compiled against source code with the
developers option enabled. If it has been, then this is a finding.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
140. IAVA0835 2007-A-0006 Multiple Vulnerabilities in Adobe Acrobat
Vulnerable Systems:
Adobe Acrobat versions 6.0.5 and prior and versions 7.0.8 and prior.
Compliance Checking:

To determine the version, perform the following:
1. Launch Acrobat Reader by executing /bin/acroread
2. Select the "Help" menu option, and
3. Select "About Acrobat Reader."
If the version is not at least one of the following, then this is a finding:
Acrobat 6.0.6 or later, 7.0.9 or later, or 8.0 or later.
Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
141. IAVA0840 2007-A-0007 Multiple Vulnerabilities in Oracle Database Server
Vulnerable Systems:
Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2, 10.2.0.3
Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
Compliance Checking:
To check for patches, execute the following: runInstaller.exe

On the Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle
Home. Expand the Oneoffs selection and view the installed patches. If patches listed are not there or the
Oneoffs selection is not there, then this is a Finding.
Version    Patch      Version    Patch
9.2.0.5    2/5/2007   10.1.0.4   5689894
9.2.0.6    2/5/2007   10.1.0.5   5689908
9.2.0.7    5689875    10.2.0.1   5689937
9.2.0.8    5490859    10.2.0.2   5689957
10.1.0.3   2/5/2007   10.2.0.3   NA

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
142. IAVA0845 2007-A-0008 Multiple Vulnerabilities in Oracle Application Server
Vulnerable Systems:
Oracle Application Server 10g Release 3, versions 10.1.3.0.0, 10.1.3.1.0
Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
Oracle Application Server 10g (9.0.4), versions 9.0.4.2, 9.0.4.3
Compliance Checking:

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
143. IAVA0850 2007-A-0009 Multiple Vulnerabilities in Oracle Collaboration Suite
Vulnerable Systems:
Oracle9i Database Release 1, version 9.0.1.4
Oracle9i Application Server Release 2, version 9.0.2.3
Compliance Checking:

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.

144. IAVA0855 2007-A-0010 Multiple Vulnerabilities in Oracle E-Business Suite


Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Compliance Checking:

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
145. IAVA0860 2007-A-0011 Multiple Vulnerabilities in Oracle Enterprise Manager
Vulnerable Systems:
Oracle Enterprise Manager 10g Grid Control Release 2, version 10.2.0.1
Oracle Enterprise Manager 10g Grid Control Release 1, versions 10.1.0.4, 10.1.0.5
Compliance Checking:

Remediation Guidelines:

Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
