This section details the procedures to perform for manual UNIX system security checks. Reviewers should use the UNIX scripts whenever possible. Manual checks are provided in the event that the scripts are unavailable to examine an item, return false negatives, return false positives, or will not execute on the system.
The check procedures in this document now contain Global Information Grid-Bandwidth Expansion (GIG-BE) information to identify the MAC level, IA Control identifiers, and Department of Defense (DOD) description of the IA Control. Many contain more than one pertinent IA Control. These are listed to the far right of the PDI number within the identification block.
Each identification block also contains one of six codes to indicate the automation status of each PDI. These may change from time to time, such as a script that is initially manual for an IAVA but is automated at a later time. Scripts are MAN+, MAN++, or PART because information is needed before they can be automated, attempts to automate them have proven to produce false positives/negatives, or they already perform the service adequately using current methods. The codes are:
AUTO
PART
PART+
MAN
MAN+
MAN++
http://s3.amazonaws.com/0706/819143.html
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Contents:
3.1.2 Operating System
3.1.3 File Integrity
3.2.2 Interactive Users
3.2.4 Account Access
3.2.5 Inactivity Timeout/Locking
  3.2.5.1 GEN000500 Inactivity
3.2.6 Password Guidelines
3.2.7 Root Account
3.2.10 Home Directories
3.2.11 User Files
3.2.16 Shells
3.2.17 Device Files
3.2.21 Umask
Development Systems
  GEN002600 Development Systems Security Requirements
Default Accounts
  GEN002640 Disabled Default System Accounts
Audit Requirements
3.2.27 At Restrictions
3.3.6 Traceroute
3.3.8 Sendmail or Equivalent
3.3.10 FTP Configuration
3.3.13 X Window System
3.3.27 Samba
3.6.1 SUN SOLARIS
Removable Media
  SOL00020 /etc/rmmount.conf Configuration
The audit_user File
3.6.6 Running ASET
3.7.1 Trusted Mode
3.8.1 Security Structure
3.8.2 Network Security
3.8.3 System Commands
3.8.4 Authentication
Xfsmd
  IRIX0020 The xfsmd Service is Enabled
LINUX
System BIOS Configuration
  LNX00040 Disable Boot From Removable Media
Restricting the Boot Process
  LNX00060 Password Configuration Table Configuration
Boot Loaders
Filesystems
  LNX00240 Journaling
Red Hat Kickstart and SuSE AutoYaST
  LNX00260 Kickstart or AutoYaST
Dual Boot
  LNX00280 Capable of Dual Boot
Ugidd RPC Daemon
  LNX00300 The rpc.ugidd Daemon is Enabled
Default Accounts
3.11.11 X Windows
3.11.12 Console Access
3.11.14 NFS Server
3.11.18 RealPlayer
3.12.97 IAVA0600 1998-0011 General Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) Vulnerabilities
3.12.100 IAVA0615 2000-T-0015 BMC Best/1 Version 6.3 Performance Management System Vulnerability
3.12.108 IAVA0655 2002-T-SNMP-003 Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
3.12.109 IAVA0660 2002-A-SNMP-004 Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices
3.12.110 IAVA0665 2002-A-SNMP-005 Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices
3.12.111 IAVA0670 2002-A-SNMP-006 Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
3.12.113 IAVA0680 2004-T-0002 Oracle 9i Application/Database Server Denial Of Service Vulnerability
3.12.115 IAVA0690 2004-T-0011 Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
3.12.117 IAVA0700 2004-T-0026 Mozilla Network Security Services Library Remote Heap Overflow Vulnerability
3.12.133 IAVA0785 2006-A-0008 Computer Associates (CA) iTechnology iGateway Service Vulnerability
3.12.134 IAVA0805 2006-A-0050 Multiple Vulnerabilities in Oracle E-Business Suite and Applications
3.12.135 IAVA0810 2007-T-0001 MIT Kerberos 5 RPC Library Remote Code Execution Vulnerability
3.12.136 IAVA0815 2007-T-0002 MIT Kerberos 5 Administration Daemon Remote Code Execution Vulnerability
3.12.137 IAVA0820 2007-T-0003 Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability
Solaris 2.5 - 9
# cd /etc/rcS.d
# grep sulogin *
The sulogin utility should be called from within the svm startup script.
Additionally,
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured.
Solaris 10
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured.
By default Solaris 10 requires a password and /etc/default/sulogin does not exist.
HP-UX
# more /tcb/files/auth/system/default
Confirm the d_boot_authenticate entry is:
:d_boot_authenticate:
The entry :d_boot_authenticate@: is a finding.
AIX
AIX has a chassis key that is used to prevent booting to single-user mode without a password.
Confirm it is in the correct position and the key has been removed.
IRIX
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured.
Linux
# more /etc/inittab
Confirm the following line is configured:
~~:S:wait:/sbin/sulogin
If the UNIX host is configurable and is bootable in single-user mode without a password, then this is a finding.
PDI: GEN000020 | V0000756 | Category II | Previously: G001
PDI Description:
Reference:
Solaris, HP-UX, AIX, IRIX, and Linux support a single-user mode password.
If the UNIX host is not configured to require a password when booted to single-user mode, and this is not justified and documented with the IAO, then this is a finding.
This check is only applicable if GEN000020 is a finding.
PDI: GEN000040 | V0000757 | Category II | Previously: G002
PDI Description:
Reference:
Solaris, HP-UX, AIX, IRIX, and Linux support a single-user mode password.
Solaris 2.5 - 9
# cd /etc/rcS.d
# grep sulogin *
The sulogin utility should be called from within the svm startup script.
Additionally,
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured.
Solaris 10
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured.
HP-UX
# more /tcb/files/auth/system/default
Confirm the d_boot_authenticate entry is:
:d_boot_authenticate:
The entry :d_boot_authenticate@: is a finding.
AIX
AIX has a chassis key that is used to prevent booting to single-user mode without a password.
Confirm it is in the correct position and the key has been removed.
IRIX
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured.
Linux
# more /etc/inittab
Confirm the following line is configured:
~~:S:wait:/sbin/sulogin
If the UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area accessible only by SAs, then this is a finding. An access-controlled area is defined as requiring two different checks of an individual's identity and authority before gaining access to the system.
Note: This check is only applicable if GEN000020 is a finding.
PDI: GEN000060 | V0000758 | Category II | Previously: G003 | IA Controls: PECF-1, PECF-2
PDI Description:
Reference:
An access-controlled area is defined as requiring two different checks of an individual's identity and authority before gaining access to the system. One of the checks should require two-factor authentication.
If the UNIX system equipment is not located in a controlled access area, then this is a finding.
PDI: GEN000080 | V0001063 | Category II | Previously: G234
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: PECF-1, PECF-2
PDI Description:
Reference:
2. Operating System
1. GEN000100 Supported Release
Solaris
# uname -a
Supported releases are 2.7 and newer.
HP-UX
# uname -a
Supported releases are 10.20 and newer.
AIX
# uname -a
Supported releases are 4.3 and newer, and 5.1 and newer.
IRIX
# uname -R
Supported releases are 6.5 and newer.
Linux
# uname -r
Supported releases are Red Hat Enterprise 3 and newer and SUSE Enterprise 9 and later.
If the operating system is not a supported release, then this is a finding.
PDI: GEN000100 | V0011940 | Category II | Previously: N/A | IA Controls: DCSW-1
PDI Description:
Reference:
Solaris
# patchadd -p | grep patch
or
# showrev -p | grep patch
HP-UX
# swlist -l fileset | grep patch
AIX
# /usr/sbin/instfix -c -i | cut -d":" -f1
IRIX
# versions | grep patch
Linux
# rpm -qa | grep patch
Compare the system output with the most current vendor-recommended and security patches.
If vendor-recommended and security patches are not installed or are out of date, then this is a finding. Program-managed specific systems should follow their configuration management cycle, which may be longer than a normal vendor cycle.
PDI: GEN000120 | V0000783 | Category II | Previously: G033 | IA Controls: DCSL-1, VIVM-1
PDI Description: Vendor recommended and security patches are not installed or are out-of-date.
Reference:
Confirm with the SA that a system baseline (all device files, all sgid and suid files, and system libraries and
binaries), to include cryptographic hashes of files in the baseline, has been created and is maintained.
If a system baseline (all device files, all sgid and suid files, and system libraries and binaries), to include
cryptographic hashes of files in the baseline, has not been created and is not maintained, then this is a finding.
PDI: GEN000140 | V0011941 | Category II | Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description:
Reference:
Confirm with the SA that the system baseline backup is stored on write-protected media.
If the system baseline backup(s) are not stored on write-protected media, then this is a finding. This check only
applies to backups that are not maintained by automated remote backup systems such as Veritas Netbackup.
PDI: GEN000160 | V0011942 | Category II | Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description:
Reference:
Confirm with the SA that filesystems are checked at least weekly for unauthorized system libraries or binaries or unauthorized modification to authorized system libraries or binaries.
If filesystems are not checked at least weekly for unauthorized system libraries or binaries or unauthorized modification to authorized system libraries or binaries, then this is a finding.
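The baseline of GEN000140 (cryptographic hashes of device files, setuid/setgid files, and system libraries and binaries) and the periodic comparison of GEN000220 can be automated along the following lines. This is an added example, not part of the checklist or any DISA script; the directory tree and file contents in demo() are constructed, and a real run would point build_baseline() at the system directories the check names.

```python
"""Baseline-and-compare check in the spirit of GEN000140 / GEN000220.

Added example, not part of the STIG: records a SHA-256 digest plus type,
mode and ownership for each filesystem object and reports drift on a later run.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Return the SHA-256 hex digest of a regular file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def record(path):
    """Collect the attributes a baseline entry needs for one filesystem object."""
    st = os.lstat(path)
    entry = {
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
    }
    # Only regular files are hashed; device nodes and symlinks are tracked
    # by type, mode and ownership alone.
    entry["sha256"] = sha256_of(path) if stat.S_ISREG(st.st_mode) else None
    return entry


def build_baseline(root):
    """Walk root and record every file, symlink and device node beneath it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = record(full)
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified) relative paths between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: a 'binary' is replaced and a setuid file appears."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        ls = os.path.join(bin_dir, "ls")
        with open(ls, "wb") as fh:
            fh.write(b"original ls binary\n")
        os.chmod(ls, 0o755)
        before = build_baseline(root)

        # Simulated tampering: same length, different content, and a new
        # setuid program dropped into the tree (mode 4755 on a constructed file).
        with open(ls, "wb") as fh:
            fh.write(b"trojaned ls binary\n")
        extra = os.path.join(bin_dir, "helper")
        with open(extra, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(extra, 0o4755)
        after = build_baseline(root)

        added, removed, modified = compare(before, after)
        new_setid = [p for p in added if after[p]["setid"]]
        return added, removed, modified, new_setid


if __name__ == "__main__":
    added, removed, modified, new_setid = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
    print("new setuid/setgid files:", new_setid)
```

A size-preserving content change is caught only because the digest, not just mode and ownership, is part of the entry; the baseline itself must live on write-protected media as GEN000160 requires or it can be edited along with the files.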
PDI: GEN000220 | V0011945 | Category II | Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCCS-2
PDI Description:
Reference:
All platforms
# ps -e | egrep 'xntpd|ntpd'
Check if ntpdate is scheduled to run:
Solaris
# grep ntpdate /var/spool/cron/crontabs/*
HP-UX
# grep ntpdate /var/spool/cron/crontabs/*
AIX
# grep ntpdate /var/spool/cron/crontabs/*
IRIX
# grep ntpdate /var/spool/cron/crontabs/*
Linux
# grep ntpdate /var/spool/cron/*
# grep ntpdate /etc/cron.d/*
# grep ntpdate /etc/cron.daily/*
# grep ntpdate /etc/cron.hourly/*
# grep ntpdate /etc/cron.monthly/*
# grep ntpdate /etc/cron.weekly/*
If NTP is running or ntpdate is found:
# more /etc/ntp/ntp.conf
Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DOD source.
PDI: GEN000240 | V0004301 | Category I | Previously: G695 | IA Controls: DCHW-1
PDI Description:
Reference:
Solaris
Check for multiple accesses to an account from different workstations/IP addresses.
# last
HP-UX
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
# lastb -R
AIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last
IRIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last
Linux
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
Discuss with the SA whether shared accounts exist. A shared account is any account, other than root, that more than one person knows the password to. If shared accounts do exist, confirm with the IAO that they are documented. If a shared account is not justified and documented with the IAO, then this is a finding.
PDI: GEN000260 | V0000759 | Category II | Previously: G006 | IA Controls: DCSD-1
PDI Description:
Reference:
Solaris
Check for multiple accesses to an account from different workstations/IP addresses.
# last
HP-UX
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
# lastb -R
AIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last
IRIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last
Linux
Check for multiple accesses to an account from different workstations/IP addresses.
# last -R
Confirm with the SA that, if shared accounts exist, users log on to an individual account and switch user to the shared account.
If a shared account is logged onto directly, then this is a finding.
Note: This check is only applicable if GEN000260 is a finding.
PDI: GEN000280 | V0000760 | Category II | Previously: G007
PDI Description:
Reference:
2. Interactive Users
1. GEN000300 Unique Account Name
Solaris
# logins -d
HP-UX
# pwck -s
AIX
# usrck -n ALL
IRIX
# cut -d: -f1 /etc/passwd | sort | uniq -d
If duplicates are found, perform the following to display the full listing:
# grep "^<account_name>:" /etc/passwd
Linux
# pwck -r
If accounts have the same account name, then this is a finding.
PDI: GEN000300 | V0000761 | Category III | Previously: G008
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description:
Reference:
Solaris
# logins -d
HP-UX
# pwck -s
AIX
# usrck -n ALL
IRIX
# cut -d: -f3 /etc/passwd | sort | uniq -d
If duplicates are found, perform the following to display the complete listing:
# grep "^[^:]*:[^:]*:<account_uid>:" /etc/passwd
Linux
# pwck -r
If accounts have the same uid, then this is a finding.
PDI: GEN000320 | V0000762 | Category II | Previously: G009
PDI Description:
Reference:
# more /etc/passwd
Confirm all accounts with a uid of 99 and below (499 and below for Linux) are used by a system account.
If a uid reserved for system accounts, 0-99 (0-499 for Linux), is used by a non-system account without documentation, then this is a finding. A regular account within this range must be justified and documented with the IAO.
PDI: GEN000340 | V0011946 | Category II | Previously: N/A | IA Controls: ECPA-1
PDI Description:
Reference:
# more /etc/passwd
Confirm all accounts with a gid of 99 and below (499 and below for Linux) are used by a system account.
If a gid reserved for system accounts, 0-99 (0-499 for Linux), is used by a non-system account without documentation, then this is a finding. A regular account within this range must be justified and documented with the IAO.
PDI: GEN000360 | V0000780 | Category II | Previously: G029 | IA Controls: ECPA-1
PDI Description:
Reference:
Solaris
# logins -d
HP-UX
# pwck -s
AIX
# grpck
IRIX
# more /etc/passwd
Compare with:
# more /etc/group
Confirm each gid referenced in the /etc/passwd file is listed in the /etc/group file.
Linux
# pwck -r
If a group referenced in the /etc/passwd file is not in the /etc/group file, then this is a finding.
PDI: GEN000380 | V0000781 | Category IV | Previously: G030
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description:
Reference:
Login banners will be configured for all services that allow login access to the system. For TCP WRAPPERS, check for hosts.allow and hosts.deny files and then look for banner files associated with them. For ssh, locate the ssh configuration file, sshd_config or ssh2d_config. This file is usually located in /etc/sshd, /etc/ssh2, /etc/ssh, or /usr/local/etc. Confirm that the Banner variable contains the full path to the file containing the Logon Warning banner. Other files specific to each vendor are listed below.
Solaris
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/dt/config/*/Xresources (if GUI is implemented)
# more /etc/default/telnetd
# more /etc/default/ftpd
TCP_Wrappers)
# more /etc/ftpd/banner.msg
HP-UX
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/dt/config/*/Xresources (if GUI is implemented)
# more /etc/ftpaccess
AIX
Check for logon warning banner display.
# more /etc/motd
IRIX
Check for logon warning banner display.
# last
Linux
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/issue.net
# more /etc/X11/xdm/Xresources (if GUI is implemented)
# more /etc/X11/xdm/kdmrc
# more /etc/X11/gdm/gdm
# more /etc/vsftpd.conf
If the Department of Defense (DOD) logon banner is not displayed prior to a logon attempt, then this is a finding.
PDI: GEN000400 | V0000763 | Category II | Previously: G010 | IA Controls: ECWM-1
PDI Description:
Reference:
Use the example banner in Appendix G, Sample Logon Warning Banner, for further information. An exact match is not required as long as these five elements are included.
A compressed version (subset) may be used as long as the below listed points are included:
If the Department of Defense (DOD) login banner does not contain the required notice and consent information, then this is a finding.
PDI: GEN000420 | V0000764 | Category II | Previously: G011 | IA Controls: ECWM-1
PDI Description: The Department of Defense (DOD) login banner does not contain the required notice and consent information.
Reference:
4. Account Access
1. GEN000440 Logging Login Attempts
Solaris
Check if successful logons are being logged.
# last | more
Check if unsuccessful logons are being logged.
# ls -l /var/adm/loginlog
HP-UX
Check if successful logons are being logged.
# last -R | more
Check if unsuccessful logons are being logged.
# lastb -R | more
AIX
Check if successful logons are being logged.
# last | more
Check if unsuccessful logons are being logged.
# last -f /etc/security/failedlogin | more
IRIX
Check for multiple accesses to an account from different workstations/IP addresses.
# last | more
Linux
Check if successful logons are being logged.
# last -R | more
Check if unsuccessful logons are being logged.
# lastb -R | more
If successful and unsuccessful logins and logouts are not logged, then this is a finding.
PDI: GEN000440 | V0000765 | Category II | Previously: G012
PDI Description:
Reference:
Solaris 10
HP-UX
Confirm u_maxtries is set to 3 or less, but not 0.
# grep :u_maxtries# /tcb/files/auth/system/default
AIX
Confirm the loginretries field is set to 3 or less, but not 0, for each user.
# /usr/sbin/lsuser -a loginretries ALL
IRIX
Confirm LOCKOUT is set to 3 or less, but not 0.
# grep LOCKOUT /etc/default/login
Linux
# more /etc/pam.d/system-auth
PDI: GEN000460 | V0000766 | Category II | Previously: G013 | IA Controls: ECLO-1, ECLO-2
PDI Description:
Reference:
Solaris
Confirm SLEEPTIME is set to 4 or more, or that this variable is not configured, as 4 is the system default.
# grep SLEEPTIME /etc/default/login
Note: This check is currently not applicable for Solaris 5.10.
HP-UX
Confirm t_logdelay is set to 4 or more.
# grep :t_logdelay# /tcb/files/auth/system/default
AIX
Confirm the logindelay field is set to 4 or more.
# grep logindelay /etc/security/login.cfg
IRIX
Confirm SLEEPTIME is set to 4 or more.
# grep SLEEPTIME /etc/default/login
Linux
Confirm FAIL_DELAY is set to 4 or more.
PDI: GEN000480 | V0000768 | Category II | Previously: G015 | IA Controls: ECLO-1, ECLO-2
PDI Description: The login delay between login prompts after a failed login is set to at least four seconds.
Reference:
5. Inactivity Timeout/Locking
1. GEN000500 Inactivity
This requirement can be satisfied with policy or a SOP to configure terminals and workstations with a screen lock
or password protected screen saver after 15 idle minutes. The windows software may also be configured to
support it.
For systems configured to use XLock, the command xlock will lock the display session. For systems configured
to use XScreensaver, the command xscreensaver-command lock will lock the display session. Ask the
SA to verify, at the command line, one of the screen-locking commands actually locks the display.
Solaris, under OpenWindows, uses a command called xlock for manually locking displays. HP 10.X uses a
command called lock that works on ASCII (not Windows) displays. Both Solaris and HP 10.X windows
systems offer a lock icon that will lock the display just by clicking on it.
If there is no terminal lockout or session disconnect after 15 inactive minutes requiring the account password to
resume or a new session, then this is a finding.
PDI: GEN000500 | V0004083 | Category II | Previously: G605 | IA Controls: PESL-1
PDI Description:
Reference:
If there is an application running on the system that is continuously in use (such as a network monitoring application), ask the SA what the name of the application is.
# ps -ef | more
If the logon session for an application requiring a continuous display does not ensure all of the following:
The logon session is not a root session.
The inactivity exemption is justified and documented with the IAO.
The display station (e.g., keyboard, CRT) is located in a controlled access area.
then this is a finding.
PDI: GEN000520 | V0000769 | Category II | Previously: G016 | IA Controls: ECLP-1
PDI Description:
Reference:
6. Password Guidelines
1. GEN000540 Password Change 24 Hours
Solaris
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow
HP-UX
Confirm mintm is set to 1 or more for each user.
# getprpw -r -m mintm <USER>
AIX
Confirm the minage field is set to 1 or more for each user.
# /usr/sbin/lsuser -a minage ALL
IRIX
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow
Linux
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow
If passwords can be changed more than once every 24 hours, then this is a finding.
PDI: GEN000540 | V0001032 | Category II | Previously: G004 | IA Controls: IAAC-1
PDI Description:
Reference:
Examine the /etc/shadow (or equivalent) looking for accounts with blank passwords using the following commands:
Solaris
# pwck
HP-UX
# pwck -s or authck -p
AIX
# pwdck -n ALL
IRIX
#
Linux
# grep nullok /etc/pam.d/system-auth
If an entry for nullok is found, then this is a finding on Linux.
PDI: GEN000560 | V0000770 | Category I | Previously: G018
PDI Description:
Reference:
Solaris
HP-UX
Confirm MIN_PASSWORD_LENGTH is set to 9 or more.
# grep MIN_PASSWORD_LENGTH /etc/default/security
AIX
Confirm the minlen field is set to 9 or more for each user.
# /usr/sbin/lsuser -a minlen ALL
IRIX
Confirm PASSLENGTH is set to 9 or more for each user.
# grep PASSLENGTH /etc/default/passwd
Linux
Confirm pass_min_len is set to 9 or more for each user.
# grep minlen /etc/pam.d/passwd
If a password does not contain a minimum of 9 characters, then this is a finding.
PDI: GEN000580 | V0011947 | Category II | Previously: G019 | IA Controls: DCSS-1, DCSS-2
PDI Description:
Reference:
Verify that at least 2 lowercase letters and at least 2 uppercase letters are required.
Solaris 10
Confirm MINLOWER is set to at least 2 and MINUPPER is set to at least 2.
# egrep 'MINLOWER|MINUPPER' /etc/default/passwd
HP-UX
# grep PASSWORD_MIN_LOWER_CASE_CHARS /etc/default/security
# grep PASSWORD_MIN_UPPER_CASE_CHARS /etc/default/security
AIX
# grep minalpha /etc/security/user
Linux
GEN000600
V0011948
Category II
:
Previously:
G019
DCSS-1, DCSS-2
PDI Description:
A password does not contain at least two upper and two lower
alphabetic characters.
Reference:
Solaris 10
Confirm MINDIGIT is greater than or equal to 2.
# grep MINDIGIT /etc/default/passwd
HP-UX
# grep PASSWORD_MIN_DIGIT_CHARS /etc/default/security
AIX
# grep minother /etc/security/user
Linux
PDI:
GEN000620
V0011972
Category II
:
Previously:
G019
DCSS-1, DCSS-2
PDI Description:
Reference:
Solaris 10
Confirm MINSPECIAL is 2 or greater.
# grep MINSPECIAL /etc/default/passwd
HP-UX
PDI:
GEN000640
V0011973
Category II
:
Previously:
G019
DCSS-1, DCSS-2
PDI Description:
Reference:
This is a manual check of site policy, in most cases. Refer to Appendix E, Password Protection Schemes, for
password configuration guidelines.
PDI:
GEN000660
V0011974
Category II
:
Previously:
G019
DCSS-1, DCSS-2
PDI Description:
Reference:
AIX
Confirm maxrepeats is set to less than 3.
# grep -i maxrepeats /etc/security/user
PDI:
GEN000680
V0011975
Category II
:
Previously:
G019
DCSS-1, DCSS-2
PDI Description:
Reference:
Solaris
Confirm the max days field (the 5th field) is set to 60 or less, but not 0 for each user.
# more /etc/shadow
HP-UX
Confirm the exptm is set to 60 or less, but not 0 for each user.
# getprpw -r -m exptm <USER>
AIX
Confirm the maxage field is set to 60 or less, but not 0 for each user.
# /usr/sbin/lsuser -a maxage ALL
IRIX
Confirm the min days field (the 5th field) is set to 1 or more for each user.
# more /etc/shadow
Linux
Confirm the max days field (the 5th field) is set to 60 or less, but not 0 for each user.
# more /etc/shadow
If passwords are not changed at least every 60 days, then this is a finding.
PDI:
GEN000700
V0011976
Category II
:
Previously:
G020
DCSS-1, DCSS-2
PDI Description:
Reference:
Ask the SA if there are any automated processing accounts on the system. If there are accounts on the system,
ask the SA if the passwords for those automated accounts are changed at least once a year. If not, then this is a
finding.
PDI:
GEN000740
Category:II
Previously:
AD33
V0011977
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Reference:
Indications of inactive accounts are those that have no entries in the last log. Check the date in the last log to
verify it is within the last 35 days. If an inactive account is not disabled via an entry in the password field in
/etc/passwd or /etc/shadow (or TCB equivalent), examine /etc/passwd to check whether the account
has a valid shell. If not, then this is a finding.
PDI:
GEN000760
V0000918
Category II
:
Previously:
G071
PDI Description:
Reference:
Check this PDI by running a password strength application, such as Crack or John the Ripper, on the system. If
those are not available, then the check should be marked as Not Reviewed with an appropriate explanation in the
Remarks field.
PDI:
GEN000780
V0002390
Category I
:
Previously:
G511
IAIA-1
PDI Description:
Reference:
Solaris 10
Confirm HISTORY is set to 5 or more.
# grep HISTORY /etc/default/passwd
HP-UX
# grep HISTORY /etc/default/security
Linux
# ls /etc/security/opasswd
#
If /etc/security/opasswd does not exist, then this is a finding. If the remember option in
/etc/pam.d/system-auth is not set to 5, then this is a finding.
If passwords are reused within the last five changes, then this is a finding.
PDI:
GEN000800
V0004084
Category II
:
Previously:
G606
IAIA-1
PDI Description:
Reference:
Solaris
Confirm MINWEEKS is set to 1 or more.
# grep MINWEEKS /etc/default/passwd
Confirm MAXWEEKS is set to 8 or less, but not 0.
# grep MAXWEEKS /etc/default/passwd
HP-UX
Confirm the default mintm is set to 1 or more
# getprdef -r -m mintm
AIX
Confirm the following:
# grep minage /etc/security/user
# grep maxage /etc/security/user
IRIX
Confirm MINWEEKS is set to 1 or more.
# grep MINWEEKS /etc/default/passwd
Confirm MAXWEEKS is set to 1 or more.
# grep MAXWEEKS /etc/default/passwd
Linux
Confirm PASS_MIN_DAYS is set to 1 or more.
# grep PASS_MIN_DAYS /etc/login.defs
Confirm PASS_MAX_DAYS is set to 60 or less, but not 0.
# grep PASS_MAX_DAYS /etc/login.defs
If global password configuration files are not configured per guidelines, then this is a finding.
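The shadow-field and login.defs checks above (GEN000540, GEN000560, GEN000700 and GEN000800) as one added shell example; it is not part of the checklist, runs against constructed sample files, and the sample paths and hash placeholders are assumptions.

```sh
#!/bin/sh
# Added example, not part of the checklist: audit /etc/shadow aging fields for
# GEN000540 (min days >= 1), GEN000700 (max days 1..60) and GEN000560 (no
# blank password field), then /etc/login.defs defaults for GEN000800.
# Shadow fields: name:passwd:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample shadow file; hashes are placeholders.
SAMPLE_SHADOW="${TMPDIR:-/tmp}/shadow.sample.$$"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$placeholderhash:13700:1:60:7:::
alice:$6$salt$placeholderhash:13700:0:60:7:::
bob:$6$salt$placeholderhash:13700:1:90:7:::
carol::13700:1:60:7:::
daemon:*:13700:1:0:7:::
svc:!!:13700:1:60:7:::
EOF

# Constructed /etc/login.defs excerpt with weak, out-of-the-box values.
SAMPLE_LOGIN_DEFS="${TMPDIR:-/tmp}/login.defs.sample.$$"
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# PASS_MIN_DAYS 1   <- commented out, must be ignored
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF

# audit_shadow FILE
# Prints "<user> <PDI> <reason>" per finding; returns 1 if any were found.
# Locked or no-login accounts (password field starting with * or !) carry
# no usable aging data and are skipped.
audit_shadow() {
    findings=0
    while IFS=: read -r user pw lastchg min max rest; do
        [ -z "$user" ] && continue
        if [ -z "$pw" ]; then
            echo "$user GEN000560 blank password field"
            findings=1
            continue
        fi
        case $pw in
            \**|!*) continue ;;
        esac
        if [ -z "$min" ] || [ "$min" -lt 1 ]; then
            echo "$user GEN000540 min days '$min' allows more than one change per day"
            findings=1
        fi
        if [ -z "$max" ] || [ "$max" -eq 0 ] || [ "$max" -gt 60 ]; then
            echo "$user GEN000700 max days '$max' is 0 or more than 60"
            findings=1
        fi
    done < "$1"
    return $findings
}

# login_defs_value FILE KEY -> value of the last uncommented KEY line
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# audit_login_defs FILE -> 0 when PASS_MIN_DAYS >= 1 and 1 <= PASS_MAX_DAYS <= 60
audit_login_defs() {
    mind=$(login_defs_value "$1" PASS_MIN_DAYS)
    maxd=$(login_defs_value "$1" PASS_MAX_DAYS)
    rc=0
    if [ -z "$mind" ] || [ "$mind" -lt 1 ]; then
        echo "GEN000800 PASS_MIN_DAYS '$mind' is below 1"; rc=1
    fi
    if [ -z "$maxd" ] || [ "$maxd" -eq 0 ] || [ "$maxd" -gt 60 ]; then
        echo "GEN000800 PASS_MAX_DAYS '$maxd' is 0 or more than 60"; rc=1
    fi
    return $rc
}

audit_shadow "$SAMPLE_SHADOW" || echo "shadow: findings listed above"
audit_login_defs "$SAMPLE_LOGIN_DEFS" || echo "login.defs: findings listed above"
```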
PDI:
GEN000820
V0011978
Category II
:
Previously:
N/A
PDI Description:
Reference:
Ask the SA for the names of people sharing the root password and verify that they are security or SA personnel.
Ask the SA if the root users are documented with the IAO. If they are not, then this is a finding.
PDI:
GEN000840
V0004303
Category II
:
Previously:
G691
ECPA-1
PDI Description:
Reference:
Ask the SA or the IAO for the password procedures that state the root passwords are changed upon administrator
reassignment. If there is not such documentation, then this is a finding.
PDI:
GEN000860
Category:III
Previously:
AD16
V0000971
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
ECPA-1, IAAC-1
PDI Description:
Reference:
7. Root Account
1. GEN000880 Root's UID
PDI:
GEN000880
V0000773
Category II
:
Previously:
G021
ECPA-1
PDI Description:
Reference:
GEN000900
Category:IV
Previously:
G022
V0000774
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The root account home directory has not been changed from /.
Reference:
GEN000920
V0000775
Category II
:
Previously:
G023
ECCD-1, ECCD-2
PDI Description:
Reference:
As the root user perform the following to check the search path:
# echo $PATH
If the PATH variable contains a '.', contains '::', or starts or ends with ':', then this is a finding.
PDI:
GEN000940
V0000776
Category II
:
Previously:
G024
DCCS-1, DCCS-2
PDI Description:
The root account's search path contains a '.', contains '::', or starts or ends with a ':'.
Reference:
As the root user perform the following to check the search path:
# echo $PATH
If any of the directories in the PATH variable are world writable, then this is a finding.
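Both root search-path tests (GEN000940 and GEN000960) as one added shell example, not taken from the checklist; the two demo directories it creates under the temp directory are constructed, one of them deliberately world-writable.

```sh
#!/bin/sh
# Added example, not part of the checklist: apply the GEN000940 and GEN000960
# root search-path tests to a PATH string. check_path_entries flags '.', '::'
# and a leading or trailing ':'; check_path_writable flags directories whose
# mode grants write to "other". Each prints one line per finding and returns 1
# when anything was flagged.

# split_path PATH_VALUE -> one entry per line
split_path() {
    printf '%s\n' "$1" | tr ':' '\n'
}

check_path_entries() {
    p=$1
    rc=0
    case $p in :*)   echo "PATH starts with ':' (searches the current directory)"; rc=1 ;; esac
    case $p in *:)   echo "PATH ends with ':' (searches the current directory)";   rc=1 ;; esac
    case $p in *::*) echo "PATH contains '::' (searches the current directory)";   rc=1 ;; esac
    # A bare "." entry is the same problem spelled out.
    if split_path "$p" | grep -qx '\.'; then
        echo "PATH contains '.'"; rc=1
    fi
    return $rc
}

check_path_writable() {
    rc=0
    for d in $(split_path "$1"); do
        [ -d "$d" ] || continue
        # Column 1 of "ls -ld" is the symbolic mode; character 9 is other-write.
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            ????????w?) echo "world-writable directory in PATH: $d ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed demo: two directories, one deliberately world-writable.
DEMO=$(mktemp -d "${TMPDIR:-/tmp}/pathdemo.XXXXXX")
mkdir "$DEMO/safe" "$DEMO/open"
chmod 755 "$DEMO/safe"
chmod 777 "$DEMO/open"
SAMPLE_PATH="$DEMO/safe:$DEMO/open:.:/usr/bin::"

check_path_entries "$SAMPLE_PATH"  || echo "GEN000940 findings listed above"
check_path_writable "$SAMPLE_PATH" || echo "GEN000960 findings listed above"
trap 'rm -rf "$DEMO"' EXIT
```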
PDI:
GEN000960
V0000777
Category II
:
Previously:
G025
ECCD-1, ECCD-2
PDI Description:
The root account has world writable directories in its search path.
Reference:
Solaris
Confirm CONSOLE is set to /dev/console.
# grep CONSOLE=/dev/console /etc/default/login
HP-UX
Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null.
# more /etc/securetty
AIX
# /usr/sbin/lsuser -a rlogin root
IRIX
Confirm CONSOLE is set to /dev/console or the console device.
# grep CONSOLE /etc/default/login
Linux
Confirm /etc/securetty exists and is empty or contains only the word console or a single tty device.
# more /etc/securetty
PDI:
GEN000980
Category II
:
V0000778
Previously:
G026
IAIA-1, IAIA-2
PDI Description:
The root account can be directly logged into from somewhere other
than the system console.
Reference:
HP-UX
Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null.
# more /etc/securetty
AIX
Ensure /etc/security/login.cfg does not define an alternate console.
# more /etc/security/login.cfg
IRIX
Confirm CONSOLE is set to /dev/console or the console device.
Linux
Confirm /etc/securetty exists and is empty or contains only the word console or a single tty device.
# more /etc/securetty
PDI:
GEN001000
V0004298
Category II
:
Previously:
G698
DCHW-1
PDI Description:
Reference:
GEN001020
V0011979
Category II
:
Previously:
N/A
PDI Description:
Reference:
Check the following log files to determine if access to the root account is being logged. Try to su and enter
an incorrect password.
Solaris
# more /var/adm/sulog
HP-UX
# more /var/adm/sulog
AIX
# more /var/adm/sulog
IRIX
# more /var/adm/sulog
Linux
# more /var/log/messages
or
# more /var/adm/sulog (configurable from /etc/default/su)
If root login accounts are not being logged, then this is a finding.
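The sulog review above (GEN001060) as an added shell example that is not from the checklist; the sulog lines are constructed sample data laid out in the standard sulog record format, and the file path is a temp-file assumption.

```sh
#!/bin/sh
# Added example, not part of the checklist: read /var/adm/sulog records for
# GEN001060. Each record is "SU MM/DD HH:MM +|- tty fromuser-touser", where
# '+' is a successful and '-' a failed su. The functions confirm that su
# activity is being recorded and pull out attempts aimed at root.

# Constructed sample log.
SAMPLE_SULOG="${TMPDIR:-/tmp}/sulog.sample.$$"
cat > "$SAMPLE_SULOG" <<'EOF'
SU 07/14 08:15 + pts/1 alice-root
SU 07/14 08:21 - pts/1 bob-root
SU 07/14 08:22 - pts/1 bob-root
SU 07/14 08:23 + pts/1 bob-root
SU 07/14 09:02 + pts/3 carol-oracle
SU 07/14 09:10 - console root-alice
EOF

# audit_sulog FILE -> 0 when the log exists and holds SU records, else 1
audit_sulog() {
    if [ ! -s "$1" ]; then
        echo "GEN001060 $1 missing or empty: su activity is not being logged"
        return 1
    fi
    if ! grep -q '^SU ' "$1"; then
        echo "GEN001060 $1 contains no SU records"
        return 1
    fi
    return 0
}

# su_to_root FILE STATUS -> "user tty date time" for each su to root with
# STATUS '+' (succeeded) or '-' (failed)
su_to_root() {
    awk -v want="$2" '
        $1 == "SU" && $4 == want {
            n = split($6, ends, "-")
            if (n == 2 && ends[2] == "root") print ends[1], $5, $2, $3
        }' "$1"
}

# count_su_to_root FILE STATUS -> number of such records
count_su_to_root() {
    su_to_root "$1" "$2" | grep -c ''
}

# failed_su_burst FILE THRESHOLD -> "user count" for users with at least
# THRESHOLD failed su attempts to root (a simple guessing indicator)
failed_su_burst() {
    su_to_root "$1" - | awk -v t="$2" '
        { n[$1]++ }
        END { for (u in n) if (n[u] >= t) print u, n[u] }'
}

audit_sulog "$SAMPLE_SULOG" && echo "su logging present"
echo "failed su to root:"
su_to_root "$SAMPLE_SULOG" -
echo "users with 2 or more failures:"
failed_su_burst "$SAMPLE_SULOG" 2
```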
PDI:
GEN001060
V0011980
Category II
:
Previously:
G027
PDI Description:
Successful and unsuccessful access to the root account are not logged.
Reference:
PDI:
GEN001080
Category:III
Previously:
G229
V0001062
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Reference:
Perform the following to determine if root has logged in over an unencrypted network connection. The first
command determines if root has logged in over a network. The second will check to see if ssh is installed.
Solaris
# last
# ps -ef | grep sshd
HP-UX
# last -R
# ps -ef | grep sshd
AIX
# last | more
# ps -ef | grep sshd
IRIX
# last
# ps -ef | grep sshd
Linux
# last | grep ^root | egrep -v 'reboot|console' | more
# ps -ef | grep sshd
If the output from the last command shows root has logged in over the network and sshd is not running,
then this is a finding.
PDI:
GEN001100
V0001046
Category I
:
Previously:
G499
PDI Description:
Reference:
# grep -i permitrootlogin <sshd configuration file>
If the PermitRootLogin entry is found uncommented and set to yes, then this is a finding.
PDI:
GEN001120
V0001047
Category II
:
Previously:
G500
ECPA-1, IAAC-1
PDI Description:
An encrypted remote access program, such as ssh, does not disable the
capability to log directly on as root.
Reference:
Perform:
# ls -lL <system directory>
to check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. Uneven file
permissions exist if the file owner has fewer privileges than the group or world users and the file is owned by a
privileged user or group (such as root or bin). If any of the files in the above listed directories have uneven file
permissions, then this is a finding.
PDI:
GEN001140
V0000784
Category II
:
Previously:
G034
ECCD-1, ECCD-2
PDI Description:
Reference:
Perform:
#
and
#
If there are any files listed in either the nousers or nogroup files created from the above commands,
then this is a finding.
PDI:
GEN001160
V0000785
Category II
:
Previously:
G035
ECCD-1, ECCD-2
PDI Description:
Reference:
Solaris
# ls -la /usr/bin or /usr/sbin
HP-UX
# ls -la /usr/lbin
AIX
# ls -la /usr/sbin
IRIX
# ls -la /usr/etc
Linux
# ls -la /usr/sbin
If any of the files that are used to start network daemons in the above directories have permissions greater than
755, then this is a finding.
Note: Network daemons that may not reside in these directories (such as httpd or sshd) must also be checked for
the correct permissions.
PDI:
GEN001180
V0000786
Category II
:
Previously:
G036
PDI Description:
Reference:
Perform:
# ls -lL <system directory>
to check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. If the file
permissions are greater than 755, and the files are system commands, then this is a finding.
Note: Elevate to Category Code I if world writable.
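The permission tests above (uneven permissions under GEN001140, the "greater than 755" tests under GEN001160 and GEN001180) together with the suid/sgid check applied later to run control scripts (GEN001620), as one added shell example that is not part of the checklist; the ls -lL listing it parses is constructed, and its paths and sizes are illustrative.

```sh
#!/bin/sh
# Added example, not part of the checklist: evaluate the symbolic mode column
# of "ls -lL" output for the uneven-permission test (GEN001140), the
# "more permissive than 755" tests (GEN001160, GEN001180) and the suid/sgid
# check (GEN001620). Octal digits are computed per class, so no octal
# literals or GNU-only stat flags are needed.

# Constructed listing; paths and sizes are illustrative only.
SAMPLE_LISTING='-rwxr-xr-x 1 root root 12345 Jul 14 08:21 /usr/bin/ls
-r--rw-r-- 1 root bin    2048 Jul 14 08:21 /usr/bin/uneven
-rwxrwxrwx 1 root root   4096 Jul 14 08:21 /usr/sbin/worldwrite
-rwsr-xr-x 1 root root   8192 Jul 14 08:21 /usr/bin/passwd
-r-xrwxr-x 1 bin  bin    1024 Jul 14 08:21 /usr/bin/groupmore'

# triplet_bits rwx -> 0..7 ; s/t count as x set, S/T as x clear
triplet_bits() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x|??s|??t) n=$((n + 1)) ;; esac
    echo $n
}

# mode_octal SYMBOLIC (10 chars, e.g. -rwsr-xr-x) -> 4 digits, e.g. 4755
mode_octal() {
    m=$1
    u=$(triplet_bits "$(printf %s "$m" | cut -c2-4)")
    g=$(triplet_bits "$(printf %s "$m" | cut -c5-7)")
    o=$(triplet_bits "$(printf %s "$m" | cut -c8-10)")
    s=0
    case $m in ???[sS]??????) s=$((s + 4)) ;; esac
    case $m in ??????[sS]???) s=$((s + 2)) ;; esac
    case $m in ?????????[tT]) s=$((s + 1)) ;; esac
    echo "$s$u$g$o"
}

# digit MODE N -> N-th of the last three digits (1=owner, 2=group, 3=other)
digit() {
    tail3=${1#${1%???}}
    printf %s "$tail3" | cut -c"$2"
}

# uneven MODE -> true when group or other hold a bit the owner lacks
uneven() {
    u=$(digit "$1" 1); g=$(digit "$1" 2); o=$(digit "$1" 3)
    [ $(( (g | o) & ~u )) -ne 0 ]
}

# more_permissive MODE MAX -> true when any rwx bit of MODE is absent in MAX
more_permissive() {
    i=1
    while [ $i -le 3 ]; do
        a=$(digit "$1" $i); b=$(digit "$2" $i)
        [ $(( a & ~b )) -ne 0 ] && return 0
        i=$((i + 1))
    done
    return 1
}

# has_suid_sgid MODE -> true when the setuid or setgid bit is set
has_suid_sgid() {
    case $1 in [234567]???) return 0 ;; esac
    return 1
}

# audit_listing LISTING MAX -> one line per offending entry; returns 1 if any
audit_listing() {
    rc=0
    while read -r sym links owner group size mon day time path; do
        [ -z "$sym" ] && continue
        oct=$(mode_octal "$sym")
        if uneven "$oct"; then
            echo "$path $oct GEN001140 uneven: group/other exceed owner"; rc=1
        fi
        if more_permissive "$oct" "$2"; then
            echo "$path $oct GEN001180 more permissive than $2"; rc=1
        fi
        if has_suid_sgid "$oct"; then
            echo "$path $oct note: suid/sgid set, compare with the system baseline"
        fi
    done <<EOF
$1
EOF
    return $rc
}

audit_listing "$SAMPLE_LISTING" 755 || echo "findings listed above"
```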
PDI:
GEN001200
V0000794
Category II
:
Previously:
G044
PDI Description:
Reference:
Perform:
# ls -lL <system directory>
to check the owner for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. If the files are not
owned by a system account or application, then this is a finding.
PDI:
GEN001220
V0000795
Category II
:
Previously:
G045
PDI Description:
Reference:
# ls -lL <system directory>
to check the group owner for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. If the files
are not owned by a system group or application group, then this is a finding.
PDI:
GEN001240
V0000796
Category II
:
Previously:
G046
PDI Description:
Reference:
Most syslog messages are logged to /var/log, /var/log/syslog , or /var/adm directories. Check
the permissions by performing the following:
# ls -lL <syslog directory>
If any of the log files' permissions are greater than 640, then this is a finding.
PDI:
GEN001260
V0000787
Category II
:
Previously:
G037
PDI Description:
Reference:
# ls -lL /usr/share/man
# ls -lL /usr/share/info
# ls -lL /usr/share/infopage
If any files in the above directories have permissions greater than 644, then this is a finding.
PDI:
GEN001280
Category:III
Previously:
G042
V0000792
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description:
Reference:
# ls -lL /usr/lib/*
If any of the file permissions are greater than 755, then this is a finding.
PDI:
GEN001300
V0000793
Category II
:
Previously:
G043
PDI Description:
Reference:
Solaris
# ls -la /usr/lib/netsvc/yp
HP-UX
# ls -la /var/yp/<nis domainname>
AIX
# ls -la /usr/lib/netsvc/yp or /usr/lib/nis
IRIX
# ls -la /usr/var/yp/<nis domainname>
Linux
# ls -la /var/yp/<nis domainname>
If the file ownership is not root, sys, bin, then this is a finding.
PDI:
GEN001320
V0000789
Category II
:
Previously:
G039
ECLP-1
PDI Description:
Reference:
Solaris
# ls -la /usr/lib/netsvc/yp
HP-UX
# ls -la /var/yp/<nis domainname>
AIX
# ls -la /usr/lib/netsvc/yp or /usr/lib/nis
IRIX
# ls -la /usr/var/yp/<nis domainname>
Linux
# ls -la /var/yp/<nis domainname>
If the file group ownership is not root, sys, bin or other, then this is a finding.
PDI:
GEN001340
V0000790
Category II
:
Previously:
G040
ECLP-1
PDI Description:
NIS/NIS+/yp files are not group owned root, sys, bin, or other.
Reference:
Solaris
# ls -la /usr/lib/netsvc/yp
HP-UX
# ls -la /var/yp/<nis domainname>
AIX
# ls -la /usr/lib/netsvc/yp or /usr/lib/nis
IRIX
# ls -la /usr/var/yp/<nis domainname>
Linux
# ls -la /var/yp/<nis domainname>
If any of the file permissions are greater than 755, then this is a finding.
PDI:
GEN001360
V0000791
Category II
:
Previously:
G041
PDI Description:
Reference:
GEN001380
V0000798
Category II
:
Previously:
G048
ECCD-1, ECCD-2
PDI Description:
Reference:
# ls -lL /etc/passwd
Check /etc/shadow and equivalent file(s) ownership:
HP-UX
The TCB structure of HP-UX and other flavors of UNIX is radically different from the /etc/shadow
structure found in Solaris. The file permissions and uids/gids should be as follows, and are a finding if
they deviate from this configuration.
Path                        Mode   Owner   Group
/tcb                        d555   root    sys
/tcb/files                  d771   root    sys
/tcb/files/auth             d771   root    sys
/tcb/files/auth/[a-z]/*     664    root    root
AIX
# ls -lL /etc/security/passwd
GEN001400
V0000797
Category II
:
Previously:
G047
ECCD-1, ECCD-2
PDI Description:
Reference:
HP-UX
The TCB structure of HP-UX and other flavors of UNIX is radically different from the /etc/shadow
structure found in Solaris. The file permissions and uids/gids should be as follows, and are a finding if
they deviate from this configuration.
Path                        Mode   Owner   Group
/tcb                        d555   root    sys
/tcb/files                  d771   root    sys
/tcb/files/auth             d771   root    sys
/tcb/files/auth/[a-z]/*     664    root    root
AIX
# ls -lL /etc/security/passwd
GEN001420
Category II
Status Code: AUTO
Previously:
G050
V0000800
MAC/Confidentiality Levels:
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Reference:
Perform:
Solaris
# pwck
HP-UX
# pwck -s
AIX
# usrck -n ALL
IRIX
# pwck
Linux
# pwck
If any interactive users are not assigned a home directory, then this is a finding.
PDI:
GEN001440
Category:IV
Previously:
G051
V0000899
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
Perform:
Solaris
# pwck
HP-UX
# pwck -s
AIX
# usrck -n ALL
IRIX
# pwck
Linux
# pwck
If an interactive user assigned home directories do not exist, then this is a finding.
PDI:
GEN001460
Category:IV
Previously:
G052
V0000900
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
Issue this command for each user in the /etc/passwd file to display user home directory permissions:
# ls -lLd /<usershomedirectory>
If a user's home directory is more permissive than 750, then this is a finding. Home directories with
permissions greater than 750 must be justified and documented with the IAO.
PDI:
GEN001480
V0000901
Category II
:
Previously:
G053
PDI Description:
Reference:
Issue this command for each user in the /etc/passwd file to display user home directory ownership:
# ls -lLd /<usershomedirectory>
If a user's home directory is not owned by the assigned user, then this is a finding. Home directories not
owned by the assigned user must be justified and documented with the IAO.
PDI:
GEN001500
V0000902
Category II
:
Previously:
G054
ECCD-1, ECCD-2
PDI Description:
Reference:
Issue this command for each user in the /etc/passwd file to display user home directory group ownership:
# ls -lLd /<usershomedirectory>
# grep <user> /etc/group
If user home directories are not group owned by the assigned user's primary group, then this is a finding. Home
directories with a group owner other than the assigned user's primary group must be justified and documented with
the IAO.
PDI:
GEN001520
V0000903
Category II
:
Previously:
G055
ECCD-1, ECCD-2
PDI Description:
Home directories are not group owned by the home directory owner's
primary group. Exceptions may exist for application directories, which
will be documented with the IAO.
Reference:
If non-startup files are found in a user's home directory that are not owned by the user, ask the SA or IAO if
these files are documented.
If user home directories contain files or directories not owned by the home directory owner without
documentation, then this is a finding.
PDI:
GEN001540
Category:III
Previously:
G067
V0000914
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
If non-start-up files are found in a user's home directory that have permissions less restrictive than 750, ask the
SA or IAO if these files are documented.
If user home directories contain files or directories more permissive than 750 without documentation, then this is
a finding.
PDI:
GEN001560
Category:III
Previously:
G068
V0000915
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
ECLP-1
PDI Description:
Reference:
Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
# cd /etc/rc.config.d
# ls -l
AIX
# cd /etc
# ls -lL rc*
IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
Linux
(may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
If run control scripts are more permissive than 755, then this is a finding.
PDI:
GEN001580
V0000906
Category II
:
Previously:
G058
ECLP-1
PDI Description:
Reference:
Perform:
Solaris
# cd /etc/init.d
# grep PATH *
HP-UX
# cd /sbin/init.d
# grep PATH *
AIX
# cd /etc
# grep PATH rc*
IRIX
# cd /etc/init.d
# grep PATH *
Linux
(may vary)
# cd /etc
# grep PATH *
# cd /etc/init.d
# grep PATH */*
GEN001600
V0000907
Category II
:
Previously:
G059
DCSS-1, DCSS-2
PDI Description:
Reference:
Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
# cd /etc/rc.config.d
# ls -l
AIX
# cd /etc
# ls -lL rc*
IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
Linux
(may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
If run control scripts have the sgid or suid bit set, then this is a finding.
PDI:
GEN001620
V0000909
Category II
:
Previously:
G061
ECLP-1
PDI Description:
Run control scripts have the sgid or the suid bit set.
Reference:
Use the more command to look in the system startup files to check for files or scripts being executed. Check
the permissions on the files or scripts to check if they are world writable. Alternatively, the command
#
will give a list of world writable files that can be checked against the executed files or scripts. If world writable
files are found to be executed from system startup scripts, then this is a finding.
PDI:
GEN001640
V0000910
Category I
:
Previously:
G062
ECCD-1, ECCD-2
PDI Description:
Reference:
Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
# cd /etc/rc.config.d
# ls -l
AIX
# cd /etc
# ls -lL rc*
IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
Linux
(may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
If run control scripts are not owned by root or bin, then this is a finding.
PDI:
GEN001660
V0004089
Category II
:
Previously:
G611
DCSW-1
PDI Description:
Reference:
Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
AIX
# cd /etc
# ls -lL rc*
IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
Linux
(may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l rc*
If run control scripts are not group owned by root, sys, bin, other or the system default, then this is a finding.
PDI:
GEN001680
Category II
:
V0004090
Previously:
G612
DCSW-1
PDI Description:
Run control scripts are not group owned by root, sys, bin, other, or the
system default.
Reference:
Perform:
Solaris
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
HP-UX
# cd /sbin
# ls -lL rc*
# cd /sbin/init.d
# ls -l
AIX
# cd /etc
# ls -lL rc*
IRIX
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l
Linux
(may vary)
# cd /etc
# ls -lL rc*
# cd /etc/init.d
# ls -l rc*
Use the more command to search for programs executed by system start-up files. Then use the ls -l
command to examine the permissions of the program. In most cases, they will be owned by root, sys, or bin. In a
very small minority of cases, they may be owned by identifiable applications. In no case will applications be
owned by users.
PDI:
GEN001700
V0004091
Category II
:
Previously:
G613
DCCS-1, DCCS-2
PDI Description:
Reference:
GEN001720
V0011981
Category II
:
Previously:
N/A
ECLP-1
PDI Description:
Reference:
GEN001740
V0011982
Category II
:
Previously:
N/A
ECLP-1
PDI Description:
Reference:
GEN001760
V0011983
Category II
:
Previously:
N/A
ECLP-1
PDI Description:
Global initialization files are not group owned by root, sys, bin, other,
or the system default.
Reference:
GEN001780
Category:III
Previously:
G112
V0000825
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Reference:
AIX
# ls -l /etc/security/.profile
# ls -alL /etc/skel
If skeleton dot files are more permissive than 644, then this is a finding.
PDI:
GEN001800
V0000788
Category II
:
Previously:
G038
ECCD-1, ECCD-2
PDI Description:
Reference:
AIX
# ls -l /etc/security/.profile
# ls -alL /etc/skel
If skeleton dot files are not owned by root or bin, then this is a finding.
PDI:
GEN001820
V0011984
Category II
:
Previously:
N/A
ECCD-1, ECCD-2
PDI Description:
Reference:
GEN001840
V0011985
Category II
:
Previously:
N/A
DCSS-1, DCSS-2
PDI Description:
Reference:
# ls -al /<usershomedirectory>/.login
# ls -al /<usershomedirectory>/.cshrc
# ls -al /<usershomedirectory>/.logout
# ls -al /<usershomedirectory>/.profile
# ls -al /<usershomedirectory>/.bash_profile
# ls -al /<usershomedirectory>/.bashrc
# ls -al /<usershomedirectory>/.bash_logout
# ls -al /<usershomedirectory>/.env
# ls -al /<usershomedirectory>/.dtprofile
# ls -al /<usershomedirectory>/.dispatch
# ls -al /<usershomedirectory>/.emacs
# ls -al /<usershomedirectory>/.exrc
If local initialization files are not owned by the home directory user, then this is a finding. Local initialization
files not owned by the user must be justified and documented by the IAO.
PDI:
GEN001860
V0000904
Category II
:
Previously:
G056
ECLP-1
PDI Description:
Reference:
# ls -al /<usershomedirectory>/.login
# ls -al /<usershomedirectory>/.cshrc
# ls -al /<usershomedirectory>/.logout
# ls -al /<usershomedirectory>/.profile
# ls -al /<usershomedirectory>/.bash_profile
# ls -al /<usershomedirectory>/.bashrc
# ls -al /<usershomedirectory>/.bash_logout
# ls -al /<usershomedirectory>/.env
# ls -al /<usershomedirectory>/.dtprofile
# ls -al /<usershomedirectory>/.dispatch
# ls -al /<usershomedirectory>/.emacs
# ls -al /<usershomedirectory>/.exrc
If local initialization files are more permissive than 740 or the .dtprofile file is more permissive than 755, then
this is a finding.
PDI:
GEN001880
V0000905
Category II
:
Previously:
G057
ECLP-1
PDI Description:
Reference:
PDI:
GEN001900
V0011986
Category II
:
Previously:
N/A
DCSS-1, DCSS-2
PDI Description:
Reference:
# ls -la /<usershomedirectory>/.*
If any of the above files have the suid or sgid bit set, then this is a finding.
PDI:
GEN001920
V0000908
Category II
:
Previously:
G060
ECLP-1
PDI Description:
Local initialization files have the suid or the sgid bit set.
Reference:
# more /<usershomedirectory>/.*
Look for programs or scripts executed within the local initialization files, and issue an ls -al on any programs
or scripts found to check if the called program or script is world writable.
If local initialization files execute world writable programs or scripts, then this is a finding.
PDI:
GEN001940
V0004087
Category II
:
Previously:
G609
IA Controls:
ECLP-1
PDI Description:
Reference:
GEN001960
Category:III
Previously:
G610
V0004088
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
ECLP-1
PDI Description:
Reference:
If the .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files contain a plus
(+) that is not used to define entries for NIS+ netgroups, then this is a finding.
PDI:
GEN001980
V0011987
Category II
:
Previously:
N/A
DCCS-1, DCCS-2
PDI Description:
Reference:
GEN002000
V0000913
Category II
:
Previously:
G066
IAIA-1, IAIA-2
PDI Description:
Reference:
GEN002020
V0004427
Category II
:
Previously:
G614
IAIA-1, IAIA-2
PDI Description:
Reference:
GEN002040
V0011988
Category I
:
Previously:
N/A
IAIA-1, IAIA-2
PDI Description:
Reference:
If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files have permissions greater than 700, then this is a
finding.
PDI:
GEN002060
V0004428
Category II
:
Previously:
G615
DCCS-1, DCCS-2
PDI Description:
Reference:
Linux
# cd /etc/pam.d
# grep rhosts_auth *
GEN002100
Category II
:
V0011989
Previously:
N/A
DCCS-1, DCCS-2
PDI Description:
Reference:
16. Shells
1. GEN002120 The /etc/shells File Does Not Exist
AIX
# ls -l /etc/security/login.cfg
If the /etc/shells (or equivalent) file does not exist, then this is a finding.
PDI:
GEN002120
Category II
:
V0000916
Previously:
G069
DCCS-1, DCCS-2
PDI Description:
Reference:
AIX
# more /etc/passwd
# more /etc/security/login.cfg
GEN002140
V0000917
Category II
:
Previously:
G070
DCCS-1, DCCS-2
PDI Description:
Reference:
AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>
GEN002160
V0000919
Category I
:
Previously:
G072
ECLP-1
Shell files have the suid bit set.
UNIX STIG: 3.10
AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>
GEN002180
Category II
:
V0000920
Previously:
G073
ECLP-1
PDI Description:
Reference:
AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>
# ls -l <shell>
If shell files are not owned by root or bin, then this is a finding.
PDI:
GEN002200
Category II
:
V0000921
Previously:
G074
ECLP-1
PDI Description:
Reference:
AIX
# more /etc/security/login.cfg
For each shell listed in the /etc/security/login.cfg file:
# ls -l <shell>
GEN002220
V0000922
Category II
:
Previously:
G075
ECLP-1
Shell files are more permissive than 755.
UNIX STIG: 3.10
# find / -type b
# find / -type c
# find / -type n
If the system is not checked weekly against the system baseline for extraneous device files, then this is a finding.
Ask the SA to show the previous week's baseline of files.
PDI:
GEN002260
V0000923
Category III
:
Previously:
G076
VIVM-1
The system is not checked weekly against the system baseline for
extraneous device files.
UNIX STIG: 3.11
ls al /dev
ls al /devices (Solaris)
Check the permissions on the directories and subdirectories that contain device files.
If device file directories are writable by users other than a system account or as configured by the vendor, then
this is a finding.
PDI:
GEN002280
V0000924
Category II
:
Previously:
G077
ECCD-1, ECCD-2
http://s3.amazonaws.com/0706/819143.html
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 107
PDI Description:
Reference:
Attempt to determine if any backup devices exist for the system. Some systems will have a file containing the default device files (such as /etc/default/tar on Solaris). Others can be checked via a system administration GUI (such as SAM on HP-UX). If backup device files exist, ask the SA or IAO if the file(s) are documented with the IAO.
PDI: GEN002300   V0000925   Category: II
Previously: G078
PDI Description: Device files used for backup are writable by users other than root or a pseudo backup user.
Reference:
Solaris
# ls -lL /dev/audio
HP-UX
# /usr/sbin/ioscan -f
# ls -lL <audio device file>
AIX
# /usr/sbin/lsdev -C | grep -i audio
# ls -lL /dev/*aud0
IRIX
# ls -lL /dev/audio
Linux
# ls -lL /dev/audio*
If the permissions are greater than 644, then this is a finding.
PDI: GEN002320   V0001048   Category: II
Previously: G501
PDI Description:
Reference:
Solaris
# ls -lL /dev/audio
HP-UX
# /usr/sbin/ioscan -f
# ls -lL <audio device file>
AIX
# /usr/sbin/lsdev -C | grep -i audio
# ls -lL /dev/*aud0
IRIX
# ls -lL /dev/audio
Linux
# ls -lL /dev/audio*
If the audio device is not owned by root, then this is a finding.
PDI: GEN002340   V0001049   Category: II
Previously: G502
PDI Description:
Reference:
Solaris
# ls -lL /dev/audio
HP-UX
# /usr/sbin/ioscan -f
# ls -lL <audio device file>
AIX
# /usr/sbin/lsdev -C | grep -i audio
# ls -lL /dev/*aud0
IRIX
# ls -lL /dev/audio
Linux
# ls -lL /dev/audio*
If the audio device group ownership is not root, sys, bin, or audio, then this is a finding.
PDI: GEN002360   V0001061   Category: II
Previously: G504
PDI Description:
Reference:
PDI: GEN002380   V0000801   Category: II
Previously: G082
IA Controls: ECLP-1
PDI Description: The ownership, permissions, and location of files with the suid bit set are not documented with the IAO.
Reference: UNIX STIG: 3.12.1
PDI: GEN002400   V0000803   Category: II
Previously: G084
IA Controls: VIVM-1
PDI Description: The system is not checked weekly against the system baseline for unauthorized suid files as well as unauthorized modification to authorized suid files.
Reference:
PDI: GEN002420   V0000805   Category: II
Previously: G086
IA Controls: ECLP-1
PDI Description: User file systems, removable media, or remote file systems are not mounted with the nosuid option invoked.
Reference:
PDI: GEN002440   V0000802   Category: II
Previously: G083
IA Controls: ECLP-1
PDI Description: The ownership, permissions, and location of files with the sgid bit set are not documented with the IAO.
Reference:
PDI: GEN002460   V0000804   Category: II
Previously: G085
IA Controls: VIVM-1
PDI Description: The system is not checked weekly against the system baseline for unauthorized sgid files as well as unauthorized modification to authorized sgid files.
Reference:
PDI: GEN002480   V0001010   Category: II
Previously: G079
IA Controls: ECCD-1, ECCD-2
PDI Description: There are world writable files or world writable directories that are not public directories.
Reference:
PDI: GEN002500   V0000806   Category: III
Previously: G087
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description:
Reference:
If public directories are not owned by root or an application user, then this is a finding.
PDI: GEN002520   V0000807   Category: II
Previously: G088
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: GEN002540   V0011990   Category: II
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECLP-1
PDI Description:
Reference:
21. Umask
AIX
# /usr/sbin/lsuser -a umask ALL | more
PDI: GEN002560   V0000808   Category: II
Previously: G089
IA Controls: ECCD-1, ECCD-2
PDI Description:
Reference:
AIX
# /usr/sbin/lsuser -a umask ALL | more
If an application has a umask less restrictive than 077, ask the SA or IAO if it is an application requirement and ask to see the documentation. Note, however, that it is well known that Oracle requires a umask of 022. In that case, or a similar one, this would not be a finding if it is documented with the IAO.
PDI: GEN002580   V0000809   Category: III
Previously: G090
IA Controls: ECCD-1, ECCD-2
PDI Description:
Reference:
Ask the SA if the system being evaluated is a development system. If the system is utilized for development, ask the SA if the same security standards are applied to both the development and production systems. If the same security standards are not applied to both development and production systems, then this is a finding.
PDI: GEN002600   V0011991   Category: II
Previously: N/A
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECCD-1, ECCD-2
PDI Description:
Reference:
To determine if default system accounts such as those for sys, bin, uucp, nuucp, daemon, smtp, etc., have been disabled, perform the following:
Solaris
# grep '*LK*' /etc/shadow
HP-UX
# grep u_lock /tcb/files/auth/b/bin
Repeat for other system accounts.
AIX
#
IRIX
#
Linux
#
If any default system account is neither locked nor assigned a non-login shell (such as /bin/false), then this is a finding.
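For the default-account check above the page leaves the AIX, IRIX and Linux commands blank. The script below is an added example rather than STIG text: it evaluates passwd and shadow contents directly, treating an account as disabled when its shadow password field is a lock marker or its login shell refuses logins, which is the condition the finding sentence describes. The account list in `DEFAULT_ACCOUNTS`, the lock markers recognised by `is_locked_hash`, the shells in `is_nologin_shell` and the `SAMPLE_PASSWD`/`SAMPLE_SHADOW` fragments are all this example's assumptions; the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the UNIX STIG or its scripts): GEN002640 evaluated
# from passwd and shadow text. The default-account list, the lock markers and
# the non-login shells below are this example's assumptions.

DEFAULT_ACCOUNTS="sys bin uucp nuucp daemon smtp adm lp listen nobody"

# Shadow password fields that mean no password login is possible:
#   *        no valid hash
#   *LK*     Solaris locked account
#   !, !!    Linux locked (passwd -l prefixes the hash with !)
#   NP       Solaris "no password" entry
# An EMPTY field is not locked: it means login with no password at all.
is_locked_hash() {
    case $1 in
        '*'*|'!'*|NP) return 0 ;;
        *)            return 1 ;;
    esac
}

# Shells that refuse an interactive login.
is_nologin_shell() {
    case $1 in
        */false|*/nologin|*/true) return 0 ;;
        *)                        return 1 ;;
    esac
}

# $1 = contents of /etc/passwd, $2 = contents of /etc/shadow (text, not file
# names, so the check can run on copies collected from the target).
# Prints one finding per default account that is neither locked nor given a
# non-login shell; prints nothing when all are disabled. Always returns 0.
check_default_accounts() {
    passwd_text=$1; shadow_text=$2
    for acct in $DEFAULT_ACCOUNTS; do
        pw_line=$(printf '%s\n' "$passwd_text" | grep "^$acct:" || true)
        [ -n "$pw_line" ] || continue              # account not on this host
        shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
        hash=$(printf '%s\n' "$shadow_text" | grep "^$acct:" | cut -d: -f2 || true)
        if is_locked_hash "$hash" || is_nologin_shell "$shell"; then
            continue
        fi
        printf 'GEN002640 %s: hash "%s", shell "%s" -> account not disabled\n' \
            "$acct" "$hash" "$shell"
    done
    return 0
}

# Constructed passwd/shadow fragments for the demonstration (not from a real
# host): bin is locked Solaris-style, daemon is locked and shell-less, uucp
# has an empty password field, smtp has a real hash and a login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
smtp:x:25:25:mail:/var/spool/mqueue:/bin/sh'
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:13000::::::
bin:*LK*:13000::::::
daemon:!!:13000::::::
uucp::13000::::::
smtp:$1$saltsalt$hashhash:13000::::::'

check_default_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
# On a live host: check_default_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
```

The empty-field case matters: an account with no shadow hash at all is the opposite of locked, which is why `is_locked_hash` treats only an explicit marker as disabled and uucp is reported in the sample.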
PDI: GEN002640   V0000810   Category: II
Previously: G092
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls:
PDI Description:
Reference:
HP-UX
# audsys
AIX
#
IRIX
# chkconfig audit
Linux
# ps -ef | grep auditd
PDI: GEN002660   V0000811   Category: II
Previously: G093
PDI Description:
Reference:
Perform the following to determine the location of audit logs and then check the ownership:
Solaris
# more /etc/security/audit_control
# ls -lLd <audit log dir>
HP-UX
# ls -la /.secure/etc/*
AIX
# ls -la <audit directories>
IRIX
# ls -la /var/adm/sat
Linux
# ls -la /var/log/audit.d
# ls -la /var/log/audit/audit.log
If any of the audit log files are readable by unprivileged ids, then this is a finding.
PDI: GEN002680   V0000812   Category: II
Previously: G094
IA Controls: ECTP-1
PDI Description:
Reference:
Perform the following to determine the location of audit logs and then check the permissions:
Solaris
# more /etc/security/audit_control
# ls -la <audit log dir>
HP-UX
# ls -la /.secure/etc
AIX
# ls -la <audit directories>
IRIX
# ls -la /var/adm/sat
Linux
# ls -la /var/log/audit.d
# ls -la /var/log/audit/audit.log
If any of the audit log file permissions are greater than 640, then this is a finding.
PDI: GEN002700   V0000813   Category: II
Previously: G095
IA Controls: ECTP-1
PDI Description:
Reference:
Solaris
# more /etc/security/audit_control
Confirm flags fr or -fr is configured.
HP-UX
#
AIX
# more /etc/security/audit/events
IRIX
#
Linux
For LAUS:
#
For auditd:
# grep -a "exit,always -S open -F success!=0" /etc/audit.rules
PDI: GEN002720   V0000814   Category: II
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description:
Reference:
Solaris
# grep flags /etc/security/audit_control
Confirm flags fd or +fd and -fd is configured.
HP-UX
#
AIX
# more /etc/security/audit/events
IRIX
#
Linux
For LAUS:
PDI: GEN002740   V0000815   Category: II
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description: The audit system is not configured to audit files and programs deleted by the user.
Reference:
HP-UX
#
AIX
# more /etc/security/audit/events
IRIX
#
Linux
For LAUS:
#
#
PDI: GEN002760   V0000816   Category: II
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description:
Reference:
Solaris
# egrep "flags|naflags" /etc/security/audit_control
Confirm flags lo or +lo and -lo is configured.
Confirm naflags lo or +lo and -lo is configured.
HP-UX
#
AIX
# more /etc/security/audit/events
IRIX
#
Linux
For LAUS:
#
For auditd:
This is not a finding. Auditd enables this by default in the source code.
PDI: GEN002800   V0000818   Category: II
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECAR-2
PDI Description: The audit system is not configured to audit login, logout, and session initiation.
Reference:
HP-UX
#
# | grep moddac
AIX
# more /etc/security/audit/events
IRIX
#
#
Linux
For LAUS:
#
#
PDI: GEN002820   V0000819   Category: II
Previously: G100-G106
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: ECTP-1
PDI Description:
Reference:
Perform the following to search the crontab for entries to rotate the audit logs.
# crontab -l
If a program can be located, this is not a finding. Otherwise, query the SA. If there is one that is demonstrable (and runs automatically), this is not a finding. If the SA runs it manually, it is still a finding, because if the SA is not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding. This can be ascertained by looking at the audit log directory: if more than one file is there, or if the file does not have today's date, this is a finding.
PDI: GEN002860   V0004357   Category: II
Previously: G674
IA Controls: ECTP-1
PDI Description:
Reference:
Ask the SA or the IAO if audit data is retained for at least one year, or five years for SAMI audit data. If it is not, then this is a finding.
PDI: GEN002900   V0011992   Category: III
Previously: N/A
IA Controls: ECRR-1
PDI Description: Audit data is not retained at least one year, or SAMI audit data for five years.
Reference:
Ask the SA if audit logs and records are backed up onto a different system or offline media on at least a weekly basis. If they are not, then this is a finding. This check only pertains to audit logs. If a full operating system backup is completed weekly which contains all of the audit logs, then this is not a finding.
PDI:
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECTB-1
PDI Description:
Reference:
Ask the IAO if audit files are reviewed daily for requirements stated in the Unix STIG. If the audit files are not reviewed daily, then this is a finding.
PDI: GEN002940   V0011993   Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECAT-1, ECAT-2
PDI Description: Audit trails and/or system logs are not reviewed on a daily basis for:
Excessive logon attempt failures by single or multiple users
Logons at unusual/non-duty hours
Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing
Unusual or unauthorized activity by System Administrators
Command-line activity by a user that should not have that capability
System failures or errors
Unusual or suspicious patterns of activity
Reference:
Solaris
# ls -lL /etc/cron.d/cron.allow
# ls -lL /etc/cron.d/cron.deny
HP-UX
# ls -lL /var/adm/cron/cron.allow
# ls -lL /var/adm/cron/cron.deny
AIX
# ls -lL /var/adm/cron/cron.allow
# ls -lL /var/adm/cron/cron.deny
IRIX
# ls -lL /etc/cron.d/cron.allow
# ls -lL /etc/cron.d/cron.deny
Linux
Red Hat
# ls -lL /etc/cron.allow
# ls -lL /etc/cron.deny
Or
SuSE
# ls -lL /var/spool/cron/allow
# ls -lL /var/spool/cron/deny
If neither the cron.allow nor the cron.deny file exists, then this is a finding.
PDI: GEN002960   V0000974   Category: II
Previously: G200
IA Controls: ECPA-1
PDI Description: Access to the cron utility is not controlled via the cron.allow and/or cron.deny file(s).
Reference: UNIX STIG: 3.17.3
Solaris
# ls -lL /etc/cron.d/cron.allow
HP-UX
# ls -lL /var/adm/cron/cron.allow
AIX
# ls -lL /var/adm/cron/cron.allow
IRIX
# ls -lL /etc/cron.d/cron.allow
Linux
Red Hat
# ls -lL /etc/cron.allow
Or
SuSE
# ls -lL /var/spool/cron/allow
If the cron.allow file is more permissive than 600, then this is a finding.
PDI: GEN002980   V0000975   Category: II
Previously: G201
PDI Description:
Reference:
HP-UX
# ls /var/spool/cron/crontabs/
AIX
# ls /var/spool/cron/crontabs/
IRIX
# ls /var/spool/cron/crontabs/
Linux
# ls /var/spool/cron/
# ls /etc/cron.d/
# ls /etc/crontab
# ls /etc/cron.daily/
# ls /etc/cron.hourly/
# ls /etc/cron.monthly/
# ls /etc/cron.weekly/
If cron jobs exist under any of the above directories, use the following command to search for programs executed by cron:
#
Perform a long listing of each program file found in the cron file to determine if the file is world writeable.
#
PDI: GEN003000   V0000976   Category: II
Previously: G203
IA Controls: DCSL-1
PDI Description:
Reference:
Solaris
# ls /var/spool/cron/crontabs/
HP-UX
# ls /var/spool/cron/crontabs/
AIX
# ls /var/spool/cron/crontabs/
IRIX
# ls /var/spool/cron/crontabs/
Linux
# ls /var/spool/cron/
# ls /etc/cron.d/
# ls /etc/crontab
# ls /etc/cron.daily/
# ls /etc/cron.hourly/
# ls /etc/cron.monthly/
# ls /etc/cron.weekly/
If cron jobs exist under any of the above directories, use the following command to search for programs executed by cron:
#
Perform a long listing of each program file's parent directory found in the cron file to determine if the directory is world writeable.
#
PDI: GEN003020   V0000977   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G204
IA Controls: DCSL-1
PDI Description:
Reference:
Solaris
# ls -lL /var/spool/cron/crontabs/
HP-UX
# ls -lL /var/spool/cron/crontabs/
AIX
# ls -lL /var/spool/cron/crontabs/
IRIX
# ls -lL /var/spool/cron/crontabs/
Linux
# ls -lL /var/spool/cron/
# ls -lL /etc/cron.d/
# ls -lL /etc/crontab
# ls -lL /etc/cron.daily/
# ls -lL /etc/cron.hourly/
# ls -lL /etc/cron.monthly/
# ls -lL /etc/cron.weekly/
If the file is not owned by root or the creating user account, then this is a finding.
PDI: GEN003040   V0011994   Category: II
Previously: N/A
IA Controls: DCSL-1
PDI Description:
Reference:
Solaris
# more /etc/cron.d/cron.allow
HP-UX
# more /var/adm/cron/cron.allow
AIX
# more /var/adm/cron/cron.allow
IRIX
# more /etc/cron.d/cron.allow
Linux
Red Hat
# more /etc/cron.allow
Or
SuSE
# more /var/spool/cron/allow
Default accounts (such as bin, sys, adm, and others) will not be listed in the cron.allow file or this will be a finding.
PDI: GEN003060   V0011995   Category: II
Previously: N/A
IA Controls: ECPA-1
PDI Description: Default system accounts (with the possible exception of root) are listed in the cron.allow file or excluded from the cron.deny file if cron.allow does not exist.
Reference:
Solaris
# ls -lL /var/spool/cron/crontabs/
HP-UX
# ls -lL /var/spool/cron/crontabs/
AIX
# ls -lL /var/spool/cron/crontabs/
IRIX
# ls -lL /var/spool/cron/crontabs/
Linux
# ls -lL /var/spool/cron/          (Permissions of 600)
# ls -lL /etc/cron.d/              (Permissions of 600)
# ls -lL /etc/crontab              (Permissions of 600)
# ls -lL /etc/cron.daily/          (Permissions of 700)
# ls -lL /etc/cron.hourly/         (Permissions of 700)
# ls -lL /etc/cron.monthly/        (Permissions of 700)
# ls -lL /etc/cron.weekly/         (Permissions of 700)
If crontab files are more permissive than 600 (700 for some Linux files), then this is a finding.
PDI: GEN003080   V0000978   Category: II
Previously: G205
PDI Description: Crontab files are more permissive than 600 (700 for some Linux files).
Reference:
Solaris
# ls -ld /var/spool/cron/crontabs
HP-UX
# ls -ld /var/spool/cron/crontabs
AIX
# ls -ld /var/spool/cron/crontabs
IRIX
# ls -ld /var/spool/cron/crontabs
Linux
# ls -ld /var/spool/cron
# ls -ld /etc/cron.d
# ls -ld /etc/cron.daily
# ls -ld /etc/cron.hourly
# ls -ld /etc/cron.monthly
# ls -ld /etc/cron.weekly
If the cron or crontab directories are more permissive than 755, then this is a finding.
PDI: GEN003100   V0000979   Category: II
Previously: G206
PDI Description:
Reference:
Solaris
# ls -ld /var/spool/cron/crontabs
HP-UX
# ls -ld /var/spool/cron/crontabs
AIX
# ls -ld /var/spool/cron/crontabs
IRIX
# ls -ld /var/spool/cron/crontabs
Linux
# ls -ld /var/spool/cron
# ls -ld /etc/cron.d
# ls -ld /etc/cron.daily
# ls -ld /etc/cron.hourly
# ls -ld /etc/cron.monthly
# ls -ld /etc/cron.weekly
If the cron or crontab directories are not owned by root or bin, then this is a finding.
PDI: GEN003120   V0000980   Category: II
Previously: G207
PDI Description:
Reference:
Solaris
# ls -ld /var/spool/cron/crontabs
HP-UX
# ls -ld /var/spool/cron/crontabs
AIX
# ls -ld /var/spool/cron/crontabs
IRIX
# ls -ld /var/spool/cron/crontabs
Linux
# ls -ld /var/spool/cron
# ls -ld /etc/cron.d
# ls -ld /etc/cron.daily
# ls -ld /etc/cron.hourly
# ls -ld /etc/cron.monthly
# ls -ld /etc/cron.weekly
If the cron or crontab directories are not group owned by root, sys, or bin, then this is a finding.
PDI: GEN003140   V0000981   Category: II
Previously: G208
IA Controls: ECLP-1
PDI Description: The cron or crontab directories are not group owned by root, sys, or bin.
Reference:
Solaris
# ls -lL /var/cron/log
# more /etc/default/cron
CRONLOG=YES
If this line does not exist, this is a finding.
HP-UX
# ls -lL /var/adm/cron/log
Cron is logged by default.
AIX
# ls -lL /var/adm/cron/log
Cron is logged by default.
IRIX
# ls -lL /var/cron/log
Linux
Cron logging is controlled by the syslog on Linux:
#
Red Hat
# ls -lL /var/log/cron
SuSE
# ls -lL /var/log/messages
If an entry for cron is not found, then this is a finding.
PDI: GEN003160   V0000982   Category: II
Previously: G209
PDI Description:
Reference:
Solaris
# ls -lL /var/cron/log
HP-UX
# ls -lL /var/adm/cron/log
AIX
# ls -lL /var/adm/cron/log
IRIX
# ls -lL /var/cron/log
Linux
Red Hat
# ls -lL /var/log/cron
SuSE
# ls -lL /var/log/messages
If the cron log file is more permissive than 600, then this is a finding.
PDI: GEN003180   V0000983   Category: II
Previously: G210
PDI Description:
Reference:
Solaris
# ls -lL /etc/cron.d/cron.deny
HP-UX
# ls -lL /var/adm/cron/cron.deny
AIX
# ls -lL /var/adm/cron/cron.deny
IRIX
# ls -lL /etc/cron.d/cron.deny
Linux
Red Hat
# ls -lL /etc/cron.deny
Or
SuSE
# ls -lL /var/spool/cron/deny
If the cron.deny file is more permissive than 600, then this is a finding.
PDI: GEN003200   V0004358   Category: II
Previously: G620
PDI Description:
Reference:
Solaris
# ls -lL /var/spool/cron/crontabs
HP-UX
# ls -lL /var/spool/cron/crontabs
AIX
# ls -lL /var/spool/cron/crontabs
IRIX
# ls -lL /var/spool/cron/crontabs
Linux
# ls -lL /var/spool/cron
# ls -lL /etc/cron.d
# ls -lL /etc/cron.daily
# ls -lL /etc/cron.hourly
# ls -lL /etc/cron.monthly
# ls -lL /etc/cron.weekly
Determine if there are any cron jobs by viewing a long listing of the directory. If there are cron jobs, perform the following to check for any programs that may have a umask more permissive than 077:
#
If there are any, this is a finding unless the IAO has justifying documentation. If there are no cron jobs present, this vulnerability is Not Applicable.
PDI: GEN003220   V0004360   Category: III
Previously: G621
MAC/Confidentiality Levels: MAC I CSP, MAC II CSP, MAC III CSP
IA Controls: DCSW-1, DCSD-1
PDI Description: Cron programs set the umask more permissive than 077 and these are not justified and documented with the IAO.
Reference:
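The cron checks GEN003000 and GEN003020 above tell the reviewer to list each program named in a crontab, and GEN003220 here to look inside those programs for a permissive umask; the same three checks recur for at jobs as GEN003360, GEN003380 and GEN003440. The script below is an added example, not STIG code: it pulls program paths out of crontab text, tests the file and its parent directory for the others-write bit, and reports any `umask` statement that leaves group or other bits unmasked. Treating every token that begins with `/` in the command part of a crontab line as a program path is this example's heuristic, and the fixture built by `make_sample_tree` and `sample_crontab` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the UNIX STIG or its scripts): the per-program
# checks behind GEN003000 (program file world writeable), GEN003020 (parent
# directory world writeable) and GEN003220 (program sets a umask more
# permissive than 077), driven from crontab text. The same checks apply to
# the programs named in at jobs (GEN003360, GEN003380, GEN003440).

# Print the absolute paths referenced by the command part of each crontab line
# in the text given as $1. Handles the 5-field user crontab, @reboot-style
# shortcuts and the system crontab (whose user field never begins with /).
# Every token beginning with / is taken as a path: this example's heuristic.
cron_program_paths() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }            # SHELL=, PATH=, MAILTO=
        {
            start = ($1 ~ /^@/) ? 2 : 6                # @reboot cmd | m h dom mon dow cmd
            for (i = start; i <= NF; i++) {
                t = $i
                sub(/[;&|>)]+$/, "", t)                # strip trailing shell punctuation
                if (t ~ /^\//) print t
            }
        }'
}

# True when the others-write bit is set on $1 (symbolic links are followed,
# as with the STIG's ls -lL). Column 9 of the mode string is "w" for o+w.
world_writable() {
    mode=$(ls -ldL "$1" 2>/dev/null | awk '{ print $1 }')
    case $mode in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print "FILE:LINE: umask VALUE" for every umask statement in script $1 whose
# value leaves a group or other bit unmasked, i.e. whose last two octal digits
# are not both 7 (077 and 0077 pass; 022 and 027 fail). Symbolic umasks skip.
weak_umask_lines() {
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ {
            p = "00" $2; n = length(p)
            if (substr(p, n - 1, 1) != "7" || substr(p, n, 1) != "7")
                print FILENAME ":" NR ": umask " $2
         }' "$1"
}

# Run the three checks over every regular file referenced by crontab text $1.
# Prints one finding per line, PDI first; always returns 0.
check_cron_programs() {
    cron_program_paths "$1" | sort -u | while IFS= read -r prog; do
        [ -f "$prog" ] || continue                     # skip /dev/null, directories, missing
        if world_writable "$prog"; then
            printf 'GEN003000 %s is world writeable\n' "$prog"
        fi
        if world_writable "$(dirname "$prog")"; then
            printf 'GEN003020 %s: parent directory is world writeable\n' "$prog"
        fi
        weak_umask_lines "$prog" | sed 's/^/GEN003220 /'
    done
    return 0
}

# Build a constructed fixture under directory $1 (not taken from a real host):
# a world-writeable script with a weak umask, a compliant script, and a
# compliant script inside a world-writeable directory.
make_sample_tree() {
    mkdir -p "$1/open"
    printf '#!/bin/sh\numask 022\nexec /usr/bin/true\n' > "$1/weak.sh"
    printf '#!/bin/sh\numask 077\nexec /usr/bin/true\n' > "$1/ok.sh"
    printf '#!/bin/sh\nexec /usr/bin/true\n' > "$1/open/inside.sh"
    chmod 777 "$1/weak.sh" "$1/open"
    chmod 755 "$1/ok.sh" "$1/open/inside.sh"
}

# Constructed crontab text that refers to the fixture under directory $1.
sample_crontab() {
    printf 'SHELL=/bin/sh\n# constructed crontab\n'
    printf '0 2 * * * %s/weak.sh > /dev/null 2>&1\n' "$1"
    printf '*/5 * * * * %s/ok.sh\n' "$1"
    printf '@reboot %s/open/inside.sh\n' "$1"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
check_cron_programs "$(sample_crontab "$demo_dir")"
rm -rf "$demo_dir"
# On a live host, per crontab file: check_cron_programs "$(cat /var/spool/cron/crontabs/root)"
```

The finding lines carry the PDI as their first word so the output can be sorted or grepped per check. For at jobs, feed `check_cron_programs` the spool file contents after stripping the at header, or call `world_writable` and `weak_umask_lines` on the paths directly.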
Solaris
# ls -lL /etc/cron.d/cron.allow
HP-UX
# ls -lL /var/adm/cron/cron.allow
AIX
# ls -lL /var/adm/cron/cron.allow
IRIX
# ls -lL /etc/cron.d/cron.allow
Linux
Red Hat
# ls -lL /etc/cron.allow
Or
SuSE
# ls -lL /var/spool/cron/allow
If the cron.allow file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI: GEN003240   V0004361   Category: II
Previously: G622
IA Controls: DCSW-1
PDI Description: The cron.allow file is not owned and group owned by root, sys, or bin.
Reference:
Solaris
# ls -lL /etc/cron.d/cron.deny
HP-UX
# ls -lL /var/adm/cron/cron.deny
AIX
# ls -lL /var/adm/cron/cron.deny
IRIX
# ls -lL /etc/cron.d/cron.deny
Linux
Red Hat
# ls -lL /etc/cron.deny
Or
SuSE
# ls -lL /var/spool/cron/deny
If the cron.deny file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI: GEN003260   V0004430   Category: II
Previously: G623
IA Controls: DCSW-1
PDI Description: The cron.deny file is not owned and group owned by root, sys, or bin.
Reference:
27. At Restrictions
Solaris
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny
HP-UX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny
AIX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny
IRIX
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny
Linux
# ls -lL /etc/at.allow
# ls -lL /etc/at.deny
Ensure at least one of the above files exists.
PDI: GEN003280   V0000984   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G211
IA Controls: ECPA-1
PDI Description:
Reference:
Solaris
# more /etc/cron.d/at.deny
HP-UX
# more /var/adm/cron/at.deny
AIX
# more /var/adm/cron/at.deny
IRIX
# more /etc/cron.d/at.deny
Linux
# more /etc/at.deny
PDI: GEN003300   V0000985   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G212
IA Controls: ECPA-1
PDI Description:
Reference:
Solaris
# more /etc/cron.d/at.allow
HP-UX
# more /var/adm/cron/at.allow
AIX
# more /var/adm/cron/at.allow
IRIX
# more /etc/cron.d/at.allow
Linux
# more /etc/at.allow
Default accounts (such as bin, sys, adm, and others) will not be listed in the at.allow file or this will be a finding.
PDI: GEN003320   V0000986   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G213
IA Controls: ECPA-1
PDI Description:
Reference:
Solaris
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny
HP-UX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny
AIX
# ls -lL /var/adm/cron/at.allow
# ls -lL /var/adm/cron/at.deny
IRIX
# ls -lL /etc/cron.d/at.allow
# ls -lL /etc/cron.d/at.deny
Linux
# ls -lL /etc/at.allow
# ls -lL /etc/at.deny
If the at.allow or at.deny file(s) is more permissive than 600, then this is a finding.
PDI: GEN003340   V0000987   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G214
IA Controls:
PDI Description:
Reference:
Perform a long listing of each program file in the at job file to determine if the file is world writeable.
#
PDI: GEN003360   V0000988   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G215
IA Controls: DCSL-1
PDI Description:
Reference:
Perform a long listing of each program file's parent directory found in the at job file to determine if the directory is world writeable.
#
PDI: GEN003380   V0000989   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G216
IA Controls: DCSL-1
PDI Description:
Reference:
# ls -ld /var/spool/atjobs
If the directory permissions are greater than 755, then this is a finding.
PDI: GEN003400   V0004364   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G625
IA Controls:
PDI Description:
Reference:
# ls -ld /var/spool/atjobs
If the directory is not owned by root, sys, bin, or daemon, then this is a finding.
PDI: GEN003420   V0004365   Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G626
IA Controls: DCSW-1
PDI Description:
Reference:
# cd /var/spool/cron/atjobs
Or
# cd /var/spool/atjobs
Determine if there are any at jobs by viewing a long listing of the directory. If there are at jobs, perform the following to check for any programs that may have a umask more permissive than 077:
#
If there are any, this is a finding unless the IAO has justifying documentation. If there are no at jobs present, this vulnerability is Not Applicable.
PDI: GEN003440   V0004366   Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G627
IA Controls: DCSW-1, DCSD-1
PDI Description: At programs set the umask more permissive than 077 and these are not justified and documented with the IAO.
Reference:
Solaris
# ls -lL /etc/cron.d/at.allow
HP-UX
# ls -lL /var/adm/cron/at.allow
AIX
# ls -lL /var/adm/cron/at.allow
IRIX
# ls -lL /etc/cron.d/at.allow
Linux
# ls -lL /etc/at.allow
If the at.allow file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI: GEN003460   V0004367   Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G629
IA Controls: DCSW-1
PDI Description: The at.allow file is not owned and group owned by root, sys, or bin.
Reference:
Solaris
# ls -lL /etc/cron.d/at.deny
HP-UX
# ls -lL /var/adm/cron/at.deny
AIX
# ls -lL /var/adm/cron/at.deny
IRIX
# ls -lL /etc/cron.d/at.deny
Linux
# ls -lL /etc/at.deny
If the at.deny file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI: GEN003480   V0004368   Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G630
IA Controls: DCSW-1
PDI Description: The at.deny file is not owned and group owned by root, sys, or bin.
Reference:
Check for the disabling of core dumps with the following commands:
Solaris
# coreadm | grep enabled
If any lines are returned, then this is a finding.
HP-UX
# grep ulimit /etc/profile
If the -c argument with a value of 0 is not present, then this is a finding.
AIX
# ulimit -c
IRIX
# systune rlimit_core_max
0
PDI:
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
Perform the following to check the permissions of the core dump directory:
Solaris
# ls -ld /var/crash
HP-UX
# ls -ld /var/adm/crash
AIX
# ls -ld /var/adm/ras
IRIX
# ls -ld /var/adm/crash
Linux
# ls -ld /var/crash
If the directory permissions are greater than 700, then this is a finding. If GEN003500 is Not a Finding, then this check is Not Applicable.
PDI:
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description: The core dump data directory is not owned and group owned by root and/or is more permissive than 700.
Reference:
To check that the executable stack has been disabled, perform the following:
Solaris and Irix
#
HP-UX
# kmtune -q executable_stack
Linux
Linux kernels must support the NX feature. Red Hat Enterprise 4 and SuSE 9.1 and later do support this feature. This will be a finding on systems prior to the above releases. This is a manual review.
AIX
Stack execution is disabled by default. Mark this check Not a Finding.
PDI: GEN003540   V0011999   Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description:
Reference:
Check the following to determine if TCP sequence numbers are not easily guessed:
Solaris
#
Linux
All kernels after 1996 are not vulnerable to this. This check should be marked as Not Applicable for Linux.
AIX
#
IRIX
# systune tcpiss_md5
1
If any of the above settings are not configured, then this is a finding.
PDI: GEN003580   V0012001   Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
Perform the following to ensure the network security settings are enabled for each operating system. The command is listed with the expected response below it.
Solaris
#
HP-UX
#
0
#
AIX
# /usr/sbin/no -o ipsrcroutesend
0
# /usr/sbin/no -o directed_broadcast
0
# /usr/sbin/no -o bcastping
0
# /usr/sbin/no -o ipsrcrouteforward
0
Linux
# sysctl -a | grep net.ipv4.ip_forward
0
#
Irix
# systune ipforward
2
# systune allow_brdaddr_scraddr
0
If any of the above settings are not applied, then this is a finding.
PDI: GEN003600   V0012002   Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
Perform the following to determine if the /var, /home, and /export/home file systems are on separate disk partitions:
# more /etc/fstab
Or
# more /etc/vfstab
Examine the first column for the disk device and ensure the device for /var, /home, or /export/home is not the same as the root file system's. If they are the same, ask the SA if this is justified and documented with the IAO. If it is not, then this is a finding.
PDI:
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
Logging should be enabled for those types of file systems that do not turn logging on by default. JFS, VxFS, HFS, and ext3 all turn logging on by default and are not a finding. For those that do not turn logging on by default, perform the following:
#
Ensure the root file system shows logging, or this is a finding.
PDI:
GEN003640 V0004304 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G690
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
Check /etc/syslog.conf and verify the auth facility is logging both notice and info level messages:
# grep auth.notice /etc/syslog.conf
# grep auth.info /etc/syslog.conf
If either of the above two entries is not found, then this is a finding.
PDI:
GEN003660 V0012004 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
3. Network Services
1. Network Services
# grep -v ^# /etc/inetd.conf
Or
#
MAC/Confidentiality Levels:
Previously:
A028
IA Controls:
DCSD-1, DCPP-1
PDI Description:
Reference:
UNIX STIG: 4
# ps -ef | grep inetd
Or
# ps -ef | grep xinetd
Or
# svcs -a
If inetd is not running, then this check is not a finding. Otherwise continue:
# grep -v ^# /etc/inetd.conf
Or
# grep -v ^# /etc/xinetd.conf
Or
GEN003700 V0012005 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
PDI Description:
All inetd/xinetd services are disabled and inetd (xinetd for Linux)
is not disabled.
Reference:
UNIX STIG: 4
# ls -lL /etc/inetd.conf
# ls -lL /etc/xinetd.conf
# ls -lL /etc/xinetd.d
This is a finding if any of the above files or directories is not owned by root or bin.
PDI:
GEN003720 V0000821 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G107
IA Controls:
ECLP-1
PDI Description:
The inetd.conf file (xinetd.conf file and the xinetd.d directory for
Linux) is not owned by root or bin.
Reference:
UNIX STIG: 4
# ls -lL /etc/inetd.conf
# ls -lL /etc/xinetd.conf
# ls -lL /etc/xinetd.d
This is a finding if the permissions of the inetd.conf or xinetd.conf file are more permissive than 440. In addition, on Linux systems the /etc/xinetd.d directory permissions must not be more permissive than 755.
PDI:
GEN003740 V0000822 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G108
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Reference:
UNIX STIG: 4
# ls -lL /etc/services
If the services file is not owned by root or bin, then this is a finding.
PDI:
GEN003760 V0000823 Category: II
MAC/Confidentiality Levels:
Status Code:PART
Previously:
G109
IA Controls:
ECLP-1
PDI Description:
Reference:
UNIX STIG: 4
# ls -lL /etc/services
If the services file is more permissive than 644, then this is a finding.
PDI:
GEN003780 V0000824 Category: II
MAC/Confidentiality Levels:
Status Code:PART
Previously:
G110
IA Controls:
PDI Description:
Reference:
UNIX STIG: 4
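The ownership and permission checks above (inetd.conf and xinetd.conf at 440, /etc/services at 644, and the later traceroute, ftpusers, hosts.lpd and .Xauthority checks) all reduce to the same two questions about one line of ls -lL output. Note that "more permissive than 440" means a permission bit is set that 0440 does not allow, not a numeric comparison: 0400 passes, 0444 fails, and a setuid bit always counts. The following is an added example written for this page, not script code from the checklist; it assumes a POSIX shell with awk and ls, and the file names, limits and owner lists passed to it are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the checklist: evaluate "more permissive than NNN"
# and "owned by one of ..." from the output of ls -lL, the way the checks above
# phrase them. Assumptions: POSIX shell with awk and ls; file names without spaces.

# Convert an ls -l permission string such as -rwsr-x--- to an octal mode,
# special bits included (prints 4750 for that string).
mode_from_ls() {
    printf '%s\n' "$1" | awk '{
        p = $1; m = 0
        for (i = 0; i < 3; i++) {                 # user, group, other triplets
            v = 0
            if (substr(p, 2 + i*3, 1) == "r") v += 4
            if (substr(p, 3 + i*3, 1) == "w") v += 2
            c = substr(p, 4 + i*3, 1)
            if (c == "x" || c == "s" || c == "t") v += 1
            if (c == "s" || c == "S") { if (i == 0) m += 4000; if (i == 1) m += 2000 }
            if (c == "t" || c == "T") { if (i == 2) m += 1000 }
            m += v * (i == 0 ? 100 : (i == 1 ? 10 : 1))
        }
        printf "%d\n", m
    }'
}

# "More permissive than" means some bit is set that the maximum does not allow
# (0400 is not more permissive than 0440, 0444 is). Prints yes or no.
more_permissive_than() {
    if [ $(( 0$1 & ~0$2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Is the owner one of the allowed names? Prints yes or no.
owner_allowed() {
    for name in $2; do
        if [ "$1" = "$name" ]; then echo yes; return 0; fi
    done
    echo no
}

# Apply a check to a real file: prints OK, or one FINDING line with the reason.
# Usage: check_file /etc/inetd.conf 440 "root bin"
check_file() {
    f=$1; max=$2; owners=$3
    if [ ! -e "$f" ]; then echo "MISSING: $f"; return 0; fi
    set -- $(ls -lL "$f")                     # perms links owner group size ...
    mode=$(mode_from_ls "$1")
    if [ "$(more_permissive_than "$mode" "$max")" = yes ]; then
        echo "FINDING: $f mode $mode is more permissive than $max"
    elif [ "$(owner_allowed "$3" "$owners")" = no ]; then
        echo "FINDING: $f is owned by $3, not one of: $owners"
    else
        echo OK
    fi
}
```

Typical use on a reviewed host would be `check_file /etc/inetd.conf 440 "root bin"` followed by `check_file /etc/services 644 "root bin"`; the mode is derived from the ls permission string rather than from stat so that the same code runs on every UNIX flavour in this checklist.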
Solaris 10
#
If the tcp_trace option is not found in the exported configuration file, then this is a finding.
HP-UX
#
Linux
Each file in the /etc/xinetd.d directory and the /etc/inetd.conf file should be examined for the following:
log_type = SYSLOG authpriv
log_on_success
log_on_failure = HOST USERID
MAC/Confidentiality Levels:
Status Code:PART
Previously:
G198
IA Controls:
PDI Description:
Reference:
UNIX STIG: 4
# svcs rlogin
Linux
#
GEN003820 V0004687 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V042
IA Controls:
DCSW-1
PDI Description:
Reference:
3. Rexec
Linux
#
PDI:
GEN003840 V0004688 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V102
IA Controls:
DCSW-1
PDI Description:
Reference:
4. Finger
# svcs finger
Linux
#
GEN003860 V0004701 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V046
IA Controls:
DCSW-1
PDI Description:
Reference:
Perform the following to determine whether any network analysis tools are installed:
# find / -name ethereal
# find / -name tcpdump
# find / -name snoop
If any of the above network analysis tools are found, then this is a finding.
PDI:
GEN003865 V0012049 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSW-1
PDI Description:
Reference:
Ask the SA whether the system is a print server or a client of another print server. If it is either, ask the SA whether this is documented with the IAO. If the printer configuration is not documented with the IAO, then this is a finding.
PDI:
GEN003880 V0000826 Category: II
MAC/Confidentiality Levels:
IA Controls:
Status Code:MAN
Previously:
G120
PDI Description:
Reference:
Look for the presence of a print service configuration file by using the command:
#
If neither file is found, then this check should be marked Not Applicable.
Otherwise perform:
#
and search for entries that contain a + or - character. If any are found, then this is a finding.
PDI:
GEN003900 V0000827 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G121
IA Controls:
DCSL-1
PDI Description:
Reference:
Look for the presence of a print service configuration file by using the command:
#
If neither file is found, then this check should be marked Not Applicable. Otherwise perform:
#
If the owner of the file is not root, sys, bin, or lp, then this is a finding.
PDI:
GEN003920 V0000828 Category: II
MAC/Confidentiality Levels:
Previously:
G122
IA Controls:
ECLP-1
PDI Description:
The hosts.lpd (or equivalent) file is not owned by root, sys, bin, or lp.
Reference:
Look for the presence of a print service configuration file by using the command:
#
If neither file is found, then this check should be marked Not Applicable. Otherwise perform:
#
and verify the permissions are not more permissive than 664. If the permissions are more permissive than 664, then this is a finding.
PDI:
GEN003940 V0000829 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G123
IA Controls:
PDI Description:
Reference:
6. Traceroute
1. GEN003960 The traceroute Command Ownership
Solaris
# ls -lL /usr/sbin/traceroute
HP-UX
# ls -lL /usr/sbin/traceroute
AIX
# ls -lL /usr/bin/traceroute
IRIX
# ls -lL /usr/etc/traceroute
Linux
# ls -lL /usr/sbin/traceroute
If the traceroute command is not owned by root, then this is a finding.
PDI:
GEN003960 V0004369 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G631
IA Controls:
DCSW-1
PDI Description:
Reference:
Solaris
# ls -lL /usr/sbin/traceroute
HP-UX
# ls -lL /usr/sbin/traceroute
AIX
# ls -lL /usr/bin/traceroute
IRIX
# ls -lL /usr/etc/traceroute
Linux
# ls -lL /usr/sbin/traceroute
If the traceroute command is not group-owned by root, sys, or bin, then this is a finding.
PDI:
GEN003980 V0004370 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G632
IA Controls:
DCSW-1
PDI Description:
Reference:
Solaris
# ls -lL /usr/sbin/traceroute
HP-UX
# ls -lL /usr/sbin/traceroute
AIX
# ls -lL /usr/bin/traceroute
IRIX
# ls -lL /usr/etc/traceroute
Linux
# ls -lL /usr/sbin/traceroute
If the traceroute command is more permissive than 700, then this is a finding.
PDI:
GEN004000 V0004371 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G633
IA Controls:
PDI Description:
Reference:
This check only applies to Netscape web browsers. All versions of Mozilla and Mozilla Firefox support 128-bit encryption. Select Help from the browser menu, and then select About Navigator. The Netscape information page will display. The line "This version supports U.S. security" indicates 128-bit encryption. If it says "This version supports International security", the browser has 40-bit encryption and this is a finding.
PDI:
MAC/Confidentiality Levels:
IA Controls:
Status Code:MAN
Previously:
G634
PDI Description:
Reference:
This check only applies to Netscape web browsers. All versions of Mozilla and Mozilla Firefox can check for a new browser version but will not install it automatically. Verify that automatic software installation is not enabled: select Edit >> Preferences >> Advanced from the web browser toolbar and open the Advanced sub-menu, which contains the Software Installation settings. Verify the "Enable software installation" setting is not checked. If it is checked, then this is a finding.
PDI:
GEN004040 V0004373 Category: II
MAC/Confidentiality Levels:
Status Code:MAN
Previously:
G635
IA Controls:
DCSW-1
PDI Description:
Reference:
This check pertains to passwords and other sensitive data that the browser may store. Ensure the following setting is enabled: select Edit >> Preferences >> Privacy & Security from the web browser toolbar, select the Passwords sub-category, and verify that "Use encryption when storing sensitive data" under Encrypting versus Obscuring is checked. If it is not, then this is a finding.
PDI:
GEN004060 V0004374 Category: II
MAC/Confidentiality Levels:
Status Code:MAN
Previously:
G636
IA Controls:
DCSW-1
PDI Description:
Reference:
To check whether Java is enabled in the Netscape or Mozilla browser, select Edit >> Preferences from the browser toolbar, and then select the Advanced menu item. If the "Enable Java" option is checked, this is a finding.
To determine whether the browser has JavaScript enabled, select Edit >> Preferences >> Advanced from the browser toolbar and select the Scripts and Plug-ins tab. Ensure that Navigator is not selected under the "Enable JavaScript" heading.
If either Java or JavaScript is enabled, then this is a finding.
PDI:
MAC/Confidentiality Levels:
Status Code:MAN
Previously:
G638
IA Controls:
DCSW-1
PDI Description:
Reference:
GEN004120 V0004377 Category: II
MAC/Confidentiality Levels:
IA Controls:
Status Code:MAN
Previously:
G639
PDI Description:
Reference:
To check whether the browser validates certificates with OCSP, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security (Advanced in Mozilla) menu item. Select the Validation tab and verify that "Use OCSP to validate only certificates that specify an OCSP service URL" is selected under OCSP. If it is not selected, then this is a finding.
PDI:
MAC/Confidentiality Levels:
Status Code:MAN
Previously:
G641
IA Controls:
DCSW-1
PDI Description:
Reference:
Select Edit >> Preferences >> Navigator, and verify that the Blank Page button under "Navigator starts with" is selected or, if Home Page is selected, verify that the pathname in the Home Page box points to a local web server. For Firefox, select Edit >> Preferences in the browser toolbar, and then select the General item.
PDI:
GEN004180 V0004380 Category: II
MAC/Confidentiality Levels:
IA Controls:
Status Code:MAN
Previously:
G642
PDI Description:
Reference:
To check whether browsers are configured for SSL, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Enable SSL version 2" and "Enable SSL version 3" are checked under SSL Protocol Versions. If they are not, then this is a finding. The tables below show the encryption algorithms associated with each version of SSL. Note that SSL version 2 has known protocol weaknesses and Firefox 2 and later ship with it disabled by default; confirm local policy before reporting that particular setting.
PDI:
GEN004200 V0004381 Category: II
MAC/Confidentiality Levels:
Status Code:MAN
Previously:
G643
IA Controls:
DCSW-1
PDI Description:
Reference:
SSL v2 Enable    X
SSL v3 Enable    X
Look in the root account home directory for a .netscape or a .mozilla directory. If none exists, mark this check as Not a Finding. If one exists, verify with the root user and the IAO what the intent of the browsing is. Some evidence may be obtained by using the browser to view cached pages under the .netscape directory.
PDI:
GEN004220 V0004382 Category: I
MAC/Confidentiality Levels:
Previously:
G644
IA Controls:
ECMT-1, ECMT-2
PDI Description:
The root account uses the browser for reasons other than to
control local applications.
Reference:
To view the version number, click Help and then About from the browser toolbar. If the browser version is not Netscape 4.79 or greater, or Firefox 1.5 or greater, then this is a finding.
PDI:
GEN004240 V0001038 Category: II
MAC/Confidentiality Levels:
Previously:
W01
IA Controls:
DCSQ-1
PDI Description:
Reference:
To check whether the browser displays a warning before accepting cookies, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the Cookies tab and verify that "Ask for each cookie" is checked under Cookie Lifetime Policy. If it is not, then this is a finding.
PDI:
GEN004260 V0001039 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
W03
IA Controls:
ECWM-1
PDI Description:
Reference:
To check whether the browser issues a warning when submitting unencrypted form data, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Sending form data from an unencrypted page to an unencrypted page" is checked. If it is not, then this is a finding.
Note: This is a core setting in Firefox and should be marked as Not a Finding.
PDI:
GEN004280 V0001041 Category: III
MAC/Confidentiality Levels:
IA Controls:
Status Code:AUTO
Previously:
W09
PDI Description:
Reference:
To check whether the browser warns when viewing a page with mixed encrypted and unencrypted content, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Viewing a page with an encrypted/unencrypted mix" is checked. If it is not, then this is a finding.
Note: This is a core setting in Firefox and should be marked as Not a Finding.
PDI:
GEN004300 V0001042 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
W11
IA Controls:
ECWM-1
PDI Description:
Reference:
To check whether the browser warns when leaving an encrypted site, select Edit >> Preferences in the browser toolbar, and then select the Privacy and Security menu item. Select the SSL tab and verify that "Leaving a page that supports encryption" is checked. If it is not, then this is a finding.
Note: This is a core setting in Firefox and should be marked as Not a Finding.
PDI:
GEN004320 V0001043 Category: III
MAC/Confidentiality Levels:
IA Controls:
Status Code:AUTO
Previously:
W13
PDI Description:
Reference:
8. Sendmail or Equivalent
# ls -lL <alias location>
GEN004360 V0000831 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G127
IA Controls:
ECLP-1
PDI Description:
Reference:
# ls -lL <alias location>
PDI:
GEN004380 V0000832 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G128
IA Controls:
ECLP-1
PDI Description:
Reference:
GEN004400 V0000833 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G131
IA Controls:
ECLP-1
PDI Description:
Files executed through an aliases file are not owned by root and
do not reside within a directory owned and writable only by root.
Reference:
GEN004420 V0000834 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G132
IA Controls:
PDI Description:
Reference:
Or
#
MAC/Confidentiality Levels:
Previously:
G133
IA Controls:
PDI Description:
Reference:
# more /etc/syslog.conf
Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit. If the system is not logging critical sendmail messages, then this is a finding.
PDI:
GEN004460 V0000836 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G134
IA Controls:
PDI Description:
Reference:
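Both the auth-facility check (GEN003640) and the mail-facility check above test syslog.conf with a grep for a literal selector. That misses configurations that cover the facility through auth.*, *.info, auth,authpriv.debug or similar, and it passes configurations that name the selector but drop the facility again with auth.none later on the same line; a syslog level selector also means "this level and everything more severe", so auth.notice does not cover auth.info but auth.info does cover auth.notice. The following added example, not part of the checklist, evaluates selectors the way syslogd does. It assumes classic syslog.conf syntax (selector, whitespace, action) plus the =level and !level forms, and the two sample configurations in it are constructed, not taken from any host.

```sh
#!/bin/sh
# Added example, not part of the checklist: decide whether syslog.conf logs a
# given facility at a given priority by evaluating the selectors as syslogd
# does, instead of grepping for the literal string.
# Usage: syslog_covers "$conf_text" auth info   -> prints yes or no
syslog_covers() {
    printf '%s\n' "$1" | awk -v tfac="$2" -v tlev="$3" '
    BEGIN {
        split("debug info notice warning err crit alert emerg", L, " ")
        for (i = 1; i <= 8; i++) pri[L[i]] = i
        pri["warn"] = pri["warning"]; pri["error"] = pri["err"]; pri["panic"] = pri["emerg"]
        covered = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        hit = 0
        n = split($1, sel, ";")                 # selectors on a line are ;-separated
        for (s = 1; s <= n; s++) {
            if (split(sel[s], fl, "[.]") != 2) continue
            fm = split(fl[1], facs, ",")        # facility list before the dot
            ok = 0
            for (f = 1; f <= fm; f++) if (facs[f] == "*" || facs[f] == tfac) ok = 1
            if (!ok) continue
            lev = fl[2]
            if (lev == "none") { hit = 0; continue }   # none removes the facility again
            if (lev == "*")    { hit = 1; continue }
            eq = 0; neg = 0
            while (substr(lev, 1, 1) == "=" || substr(lev, 1, 1) == "!") {
                if (substr(lev, 1, 1) == "=") eq = 1; else neg = 1
                lev = substr(lev, 2)
            }
            if (!(lev in pri)) continue
            m = eq ? (pri[tlev] == pri[lev]) : (pri[tlev] >= pri[lev])
            if (neg) { if (m) hit = 0 } else if (m) hit = 1
        }
        if (hit) covered = 1
    }
    END { print (covered ? "yes" : "no") }'
}

# The two checklist items, using the selector logic above: GEN003640 wants the
# auth facility at notice and at info, GEN004440 wants mail at crit.
# Prints the selectors that are NOT covered, or "none".
syslog_findings() {
    out=""
    for want in auth.notice auth.info mail.crit; do
        fac=${want%.*}; lev=${want#*.}
        if [ "$(syslog_covers "$1" "$fac" "$lev")" = no ]; then
            out="$out${out:+ }$want"
        fi
    done
    echo "${out:-none}"
}

# Constructed sample configurations (not from any real host).
# conf_a: a grep for "auth.info" finds nothing, yet auth.info IS logged via
# auth,authpriv.*; mail is only logged at crit and above.
conf_a='*.info;auth.none;mail.none      /var/log/messages
auth,authpriv.*                 /var/log/secure
mail.crit                       /var/log/maillog'

# conf_b: a grep for "auth.notice" succeeds, yet auth.info is NOT logged:
# auth.notice excludes info, and the *.info line drops auth again.
conf_b='*.err;kern.debug;auth.notice    /var/adm/messages
*.info;auth.none                /var/log/syslog
*.emerg                         *'
```

On a reviewed host, `syslog_findings "$(cat /etc/syslog.conf)"` reports which of the three required selectors are not covered; a single line selector such as `auth.=info` is handled as an exact level match, which is why it satisfies auth.info but not auth.notice.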
Perform:
# more /etc/syslog.conf
Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file.
Perform:
#
GEN004480 V0000837 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G135
IA Controls:
ECLP-1, ECTP-1
PDI Description:
Reference:
Perform:
# more /etc/syslog.conf
Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file.
Perform:
If the log file permissions are more permissive than 644, then this is a finding.
PDI:
GEN004500 V0000838 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G136
IA Controls:
PDI Description:
Reference:
# telnet <host> 25
help
The help feature can be disabled by creating an empty help file.
If the help command returns any sendmail version information, then this is a finding.
PDI:
GEN004540 V0012006 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# telnet localhost 25
If a version number is displayed in the greeting, then the following line should be added to the sendmail.cf file to correct the problem:
O SmtpGreetingMessage=Mail Server Ready; $b
If the above entry is not in the sendmail.cf file, then this is a finding.
PDI:
GEN004560 V0004384 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G646
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Reference:
This is considered a finding if any .forward files are found on the system.
PDI:
GEN004580 V0004385 Category: I
MAC/Confidentiality Levels:
IA Controls:
Status Code:AUTO
Previously:
G647
PDI Description:
Reference:
Perform:
#
or
or
# sendmail -d0
to determine the sendmail daemon version. Version 8.13.8 is the latest required version.
If the sendmail version is not at least 8.13.8, then this is a finding.
PDI:
GEN004600 V0004689 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V124
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# telnet localhost 25
debug
If the command does not return a 500 (command unrecognized) error code, then this is a finding.
PDI:
GEN004620 V0004690 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V125
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# telnet localhost 25
decode
If the command does not return a 500 (command unrecognized) error code, then this is a finding.
PDI:
GEN004640 V0004691 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V126
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# telnet localhost 25
expn root
If the command does not return a 500 (command unrecognized) error code, then this is a finding.
Or
Locate the sendmail.cf configuration file by:
#
GEN004660 V0004692 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V128
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# telnet localhost 25
vrfy root
If the command does not return a 500 (command unrecognized) error code, then this is a finding.
Or
Locate the sendmail.cf configuration file by:
#
Ensure the vrfy command is disabled with an entry in the sendmail.cf file. The entry could be any one of Opnovrfy, novrfy, or goaway (the value of the PrivacyOptions setting). The goaway option encompasses several restrictions, including novrfy and noexpn.
PDI:
GEN004680 V0004693 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V130
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# telnet localhost 25
wiz
wizard
If the commands do not return a 500 (command unrecognized) error code, then this is a finding.
Or
Locate the sendmail.cf configuration file by:
#
PDI:
GEN004700 V0004694 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
V131
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
Perform the following to check for FTP or Telnet connections from within the enclave:
# last | more
If any FTP or Telnet connections are found, examine the third field (the originating host) and ask the SA whether the initiating client is inside the enclave. Ask the SA whether the network connection is behind the premise router and protected by a firewall or router access control list. If it is not, then this is a finding. Note that FTP sessions appear in last output only when the FTP daemon writes wtmp records.
PDI:
GEN004720 V0012007 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
Perform the following to check for FTP or Telnet connections from outside the enclave:
# last | more
If any FTP or Telnet connections are found, examine the third field (the originating host) and ask the SA whether the initiating client is outside the enclave. If it is, then this is a finding.
PDI:
GEN004760 V0012008 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
# more /etc/passwd
Make a note of any user accounts with administrative privileges (the third field, the UID, is 0), then perform the following:
# more /etc/ftpd/ftpusers
Ensure that every root-privileged user, and every user holding a root role, is listed in the ftpusers file.
In addition, perform the following to check for both ftp and telnet logins as root:
# last | more
Verify that root has not logged in with telnet or ftp. If it has, then this is a finding.
PDI:
GEN004780 V0012009 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
Perform the following to determine whether unencrypted ftp or telnet is enabled (most systems):
#
Solaris 10
# svcs ftp
# svcs telnet
Linux
# chkconfig --list telnet
# chkconfig --list vsftpd
(A bare "chkconfig telnet" only returns an exit status; --list prints the state.)
If any of the above are found to be active, ask the SA whether any type of encryption is being used with these services. If the service is not encrypted and an Acceptance of Risk Letter is not present, then this is a finding.
PDI:
GEN004800 V0012010 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
ECNK-1
PDI Description:
Reference:
# ps -ef | grep ftpd
PDI:
GEN004820 V0000846 Category: II
MAC/Confidentiality Levels:
Status Code:PART
Previously:
G147
IA Controls:
DCSD-1
PDI Description:
Reference:
# ps -ef | grep ftpd
PDI:
GEN004840 V0004702 Category: II
MAC/Confidentiality Levels:
Status Code:PART
Previously:
V052
IA Controls:
IAIA-1
PDI Description:
Reference:
# ls -la <ftpusers file>
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
/etc/vsftpd.ftpusers
IRIX
/etc/ftpd/ftpusers
GEN004880 V0000840 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G140
IA Controls:
DCSL-1
PDI Description:
Reference:
Check that the system accounts that should not be allowed to use ftp are listed in the ftpusers file:
# more /etc/ftpusers
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
/etc/vsftpd.ftpusers
IRIX
/etc/ftpd/ftpusers
If system accounts are not listed in the ftpusers file, then this is a finding.
PDI:
GEN004900 V0000841 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G141
IA Controls:
DCSL-1
PDI Description:
The ftpusers file does not contain account names not allowed to
use FTP.
Reference:
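The root check (GEN004780) and the system-account check (GEN004880) above both come down to comparing /etc/passwd against the ftpusers file for the platform. The following added example, not from the checklist, does that comparison in one pass. It assumes the classic deny-list meaning of ftpusers (for vsftpd the file is /etc/vsftpd.ftpusers, as in the path table above), and it treats "system account" as UID below 100, which is an assumption because the checklist does not define the term; the passwd and ftpusers contents in it are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the checklist: report the accounts that the two
# ftpusers checks above require but that the file does not list. Input is the
# text of /etc/passwd and of the platform's ftpusers file.
# Rule 1 (GEN004780): every UID 0 account must be listed.
# Rule 2 (GEN004880): every "system account" must be listed; the term is not
# defined by the checklist, so this assumes UID below 100, adjustable through
# the third argument (0 restricts the report to UID 0 accounts only).
# Prints one missing account name per line, in /etc/passwd order.
ftpusers_missing() {
    printf '%s\n' "$1" | awk -F: -v list="$2" -v sysmax="${3:-100}" '
    BEGIN {
        n = split(list, lines, "\n")
        for (i = 1; i <= n; i++) {
            sub(/#.*/, "", lines[i])                      # strip comments
            gsub(/^[ \t]+|[ \t]+$/, "", lines[i])         # and surrounding blanks
            if (lines[i] != "") listed[lines[i]] = 1
        }
    }
    /^[ \t]*#/ || NF < 3 { next }                        # skip comments and junk
    {
        uid = $3 + 0
        if ((uid == 0 || uid < sysmax) && !($1 in listed)) print $1
    }'
}

# Constructed sample data (not from a real host). "toor" is a second UID 0
# account and "sys" is a system account; neither is in the ftpusers file.
passwd_sample='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
sys:x:3:3:sys:/dev:/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh'

ftpusers_sample='# constructed sample ftpusers
root
daemon
bin   '
```

On a reviewed host the call is `ftpusers_missing "$(cat /etc/passwd)" "$(cat /etc/ftpd/ftpusers)"` with the path taken from the table for the operating system; any output is a finding under GEN004880, and any output from the same call with a third argument of 0 is a finding under GEN004780.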
Perform the following on the ftpusers file associated with the applicable operating system:
# ls -la <file location>
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
/etc/vsftpd.ftpusers
IRIX
/etc/ftpd/ftpusers
GEN004920 V0000842 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G142
IA Controls:
ECLP-1
PDI Description:
Reference:
Perform the following on the ftpusers file associated with the applicable operating system:
# ls -la <file location>
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
/etc/vsftpd.ftpusers
IRIX
/etc/ftpd/ftpusers
If the file permissions are more permissive than 640, then this is a finding.
PDI:
GEN004940 V0000843 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G143
IA Controls:
PDI Description:
Reference:
Perform:
# grep ftpd /etc/inetd.conf
and check the ftpd line for the -l (HP-UX, Solaris, AIX, and Digital) or -v (HP-UX) logging option. If neither is present, then this is a finding.
Solaris 10:
# svccfg
svc:> export ftp
svc:> quit
On Linux systems:
#
If either log_on_success or log_on_failure is commented out, then this is a finding.
PDI:
GEN004980 V0000845 Category: III
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G145
IA Controls:
DCSL-1
PDI Description:
Reference:
PDI:
GEN005000 V0004387 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G649
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
The ftp account's home directory should be writable by no one (555). The following directories must exist in the account: /etc and /bin, with permissions of 111. The /<ftp home directory>/etc directory will contain only passwd, group and netgroup files, but may be empty. The /<ftp home directory>/bin directory should be a symbolic link to the /<ftp home directory>/usr/bin directory in the ftp account and contain only a copy of the ls command. There must be a /<ftp home directory>/usr/lib directory owned by root with permissions of 555. The /<ftp home directory>/usr/lib directory should contain the following libraries with permissions of 555: ld.so.1, libc.so.1, libdl.so.1, libmp.so.2, libnsl.so.1, libsocket.so.1, nss_compat.so.1, nss_dns.so.1, nss_files.so.1, nss_nis.so.1, nss_nisplus.so.1, and nss_xfn.so.1. Other requirements include:
~ftp/etc will be owned by the superuser and not writable by anyone. It will contain copies of the passwd, group, and netconfig files, with permissions of 444.
~ftp/pub will be owned by root with permissions of 755. Users may place files that are to be accessible via the anonymous account in this directory.
~ftp/dev will be owned by root and not writable by anyone. It will contain the following device files: /dev/zero, /dev/tcp, /dev/udp and /dev/ticotsord. The permissions for these files should be 666.
~ftp/usr/share/lib/zoneinfo will be owned by root with permissions of 555. It should have the same contents as /usr/share/lib/zoneinfo.
Security: For Linux, and for Solaris 8 and newer, in.ftpd uses PAM (pam(3PAM)) for authentication, account and session management. Here is a partial pam.conf file with the required entries for the in.ftpd command using the UNIX authentication, account management, and session management modules:
ftp   auth      required   /usr/lib/security/pam_unix.so.1
ftp   account   required   /usr/lib/security/pam_unix.so.1
ftp   session   required   /usr/lib/security/pam_unix.so.1
PDI:
GEN005020 V0004388 Category: I
MAC/Confidentiality Levels:
Previously:
G650
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Reference:
GEN005040 V0012011 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Reference:
GEN005060 V0012013 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSW-1
PDI Description:
FSP is enabled.
Reference:
Perform the following to determine whether tftp is running in secure mode:
Solaris
#
HP-UX tftpd runs in secure mode by default; therefore this is not applicable.
AIX
# more /etc/tftpaccess.ctl
If the file does not exist, then this is a finding. Ensure the only entry is one allowing access to the tftp user's home directory.
Linux
#
IRIX
#
PDI:
GEN005080 V0000847 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G149
IA Controls:
DCSL-1
PDI Description:
Reference:
to locate the file. Once the file is located, use the command:
# ls -la <file location>
to check whether the suid or sgid bit is set. If either bit is set, then this is a finding.
PDI:
GEN005100 V0000848 Category: I
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G150
IA Controls:
ECLP-1
PDI Description:
Reference:
If a tftp user account does not exist and TFTP is active, then this is a finding.
Ensure the user's shell is /bin/false or equivalent. If it is not, then this is a finding.
Ensure the TFTP user is assigned a home directory. If not, then this is a finding.
PDI:
GEN005120 V0000849 Category: II
MAC/Confidentiality Levels:
Status Code:AUTO
Previously:
G151
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Reference:
Solaris 10
# svcs tftp
Linux
#
Or
# chkconfig --list tftp
If TFTP is found to be enabled, ask the SA whether it is documented with the IAO. This is a finding if it is not documented.
PDI: GEN005140 V0004695 Category: I
MAC/Confidentiality Levels:
Previously: V141
IA Controls: ECCD-1, ECCD-2
PDI Description:
Reference:
To check for .Xauthority files being utilized, change directory to a user's home directory and perform:
# ls -la .Xauthority
If the file does not exist, ask the SA if the user is using Xwindows. If the user is utilizing Xwindows and the .Xauthority file does not exist and host based access control is not being used, then this is a finding.
PDI: GEN005160 V0000850 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G152
IA Controls:
PDI Description:
Reference:
# ls -lL .Xauthority
If the file permissions are more permissive than 600, then this is a finding.
PDI: GEN005180 V0012014 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-2
PDI Description:
Reference:
Perform the following to determine if access to the X window system is limited to authorized clients:
# xhost
PDI: GEN005200 V0004697 Category: I
MAC/Confidentiality Levels:
Status Code: PART+
Previously: V155
IA Controls: ECIC-1
PDI Description:
Reference:
# xauth
xauth> list
If the above command sequence does not show any host other than the localhost, then xauth is not being used. Search the system for X*.hosts files, where * is a display number that may be used to limit X window connections. If none are found and user based access control is not being used, then this is a finding.
PDI: GEN005220 V0012016 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECIC-1
PDI Description:
Reference:
Perform the following to determine if access to the X window system is limited to authorized clients:
# xauth
xauth> list
Ask the SA if the clients listed are authorized. If they are not, then this is a finding.
PDI: GEN005240 V0012017 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECIC-1
PDI Description:
Reference:
PDI: GEN005260 V0012018 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECIC-1
PDI Description:
Reference:
PDI: GEN005280 V0004696 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: V145
IA Controls: ECIC-1
PDI Description:
Reference:
PDI: GEN005300 V0000993 Category: I
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G224
IA Controls:
PDI Description:
Reference:
Perform:
# find / -name snmpd.conf
# ls -lL <snmpd.conf>
If the snmpd.conf file is more permissive than 700, then this is a finding.
PDI: GEN005320 V0000994 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G225
IA Controls:
PDI Description:
Reference:
Perform the following to find all the Management Information Base (MIB) files on the system:
# find / -name '*.mib' -print
# ls -lL <mib file>
Any file returned with permissions more permissive than 640 is a finding.
PDI: GEN005340 V0000995 Category: II
MAC/Confidentiality Levels:
Previously: G226
IA Controls:
PDI Description:
Reference:
Perform:
# find / -name snmpd.conf
# ls -lL <snmpd.conf>
# find / -name '*.mib'
If the snmpd.conf file is not owned by root and group owned by sys or the application, then this is a finding.
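The "more permissive than NNN" and "owned by root, group owned by sys or the application" tests applied to snmpd.conf and the .mib files here recur for many other files later in this section (exports, smb.conf, securetty, userlist), and the suid/sgid test above is applied to the tftp daemon. As an added example (not part of the checklist), the following Python parses ls -lL output into a numeric mode and evaluates those tests; the sample listing and the snmp user/group are constructed.

```python
"""Parse 'ls -lL' output and apply the file tests this section repeats:
'more permissive than NNN', 'owned by root and group owned by sys or the
application', and the suid/sgid test used on the tftp daemon.
Added example; the listing and the 'snmp' user/group are constructed."""
import re
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "mode owner group name")

# Constructed sample of 'ls -lL' output, not taken from a real host.
SAMPLE_LS = """\
-rwxr-x---   1 root     sys        2048 Jun  3 09:12 /etc/snmp/conf/snmpd.conf
-rw-r--r--   1 root     sys        9310 Jun  3 09:12 /etc/snmp/mibs/SNMPv2-MIB.mib
-rw-rw-r--   1 snmp     snmp        812 Jun  3 09:12 /etc/snmp/mibs/HOST-RESOURCES.mib
-rwsr-xr-x   1 root     bin       41200 Jan 10  2007 /usr/sbin/in.tftpd
"""

# type, 9 permission chars, link count, owner, group, size, 3 date words, name
_LS_RE = re.compile(r"^([-dlbcps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
                    r"\S+\s+\S+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Turn one 'ls -l' line into a FileInfo with a numeric mode; setuid,
    setgid and sticky are recovered from the s/S and t/T characters.
    ACL/SELinux markers ('+', '.') after the permission string are not handled."""
    m = _LS_RE.match(line.rstrip())
    if not m:
        raise ValueError("unrecognised ls -l line: " + line)
    perms, owner, group, name = m.group(2), m.group(3), m.group(4), m.group(5)
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":              # lowercase s/t also mean execute is set
            mode |= 1 << (8 - i)
        if i == 2 and ch in "sS":
            mode |= 0o4000             # setuid
        elif i == 5 and ch in "sS":
            mode |= 0o2000             # setgid
        elif i == 8 and ch in "tT":
            mode |= 0o1000             # sticky
    return FileInfo(mode, owner, group, name)

def more_permissive_than(mode, limit):
    """The STIG reading: a finding if the file grants any bit the limit does not.
    0o600 is not more permissive than 0o640; 0o604 is (other-read is extra)."""
    return bool((mode & 0o7777) & ~limit)

def has_suid_or_sgid(mode):
    """The GEN005080 test on the tftp daemon binary."""
    return bool(mode & 0o6000)

def ownership_ok(info, owner="root", groups=("sys",), application_group=None):
    """Owner must be root; group must be sys or the application's own group."""
    allowed = set(groups)
    if application_group:
        allowed.add(application_group)
    return info.owner == owner and info.group in allowed

def audit_listing(text, limit, application_group=None):
    """Return one finding string per test that fails on each listed file."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        info = parse_ls_line(line)
        if more_permissive_than(info.mode, limit):
            findings.append(f"{info.name}: mode {info.mode & 0o7777:04o} "
                            f"is more permissive than {limit:04o}")
        if not ownership_ok(info, application_group=application_group):
            findings.append(f"{info.name}: owned by {info.owner}:{info.group}, "
                            "not root with group sys or the application group")
    return findings
```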
PDI: GEN005360 V0012019 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description: The snmpd.conf and .mib files are not owned by root and group owned by sys or the application.
Reference:
#
#
If there is any output, then ask the SA if this is an snmp server. If it is an snmp server, then ask what other applications run on it. If there is anything other than network management software and DBMS software that is used only for the storage and inquiry of snmp data, this is a finding.
PDI: GEN005380 V0004392 Category: II
MAC/Confidentiality Levels:
Status Code: MAN
Previously: G655
IA Controls: DCSW-1
PDI Description:
Reference:
PDI: GEN005400 V0004393 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G656
IA Controls:
PDI Description:
Reference:
PDI: GEN005420 V0004394 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G657
IA Controls: DCSW-1
PDI Description:
Reference:
Ask the SA if a remote loghost server exists. If it does not, mark this as Not A Finding.
Ask the SA if the loghost server is collecting data for hosts outside the enclave. If it is, then this is a finding.
PDI: GEN005440 V0012020 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description: Local hosts are used as loghosts for systems outside the local network.
Reference:
PDI: GEN005460 V0004395 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G658
IA Controls:
PDI Description:
Reference:
# ps -ef | grep syslogd
PDI: GEN005480 V0012021 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
Examine the file. If the variables Protocol 2,1 or Protocol 1 are defined on a line without a leading comment, this is a finding.
If the SSH server is F-Secure, the variable name for SSH 1 compatibility is Ssh1Compatibility, not Protocol. If the variable Ssh1Compatibility is set to yes, then this is a finding.
PDI: GEN005500 V0004295 Category: I
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G701
IA Controls:
PDI Description:
Reference:
To determine if ssh is configured with tcp wrappers support, perform the following:
#
For example:
sshd1: ALL
sshd2: ALL
sshdfwd-X11 : ALL
If the above lines or similar are not in /etc/hosts.deny, then this is a finding.
Perform the following to determine if banners are configured:
#
If the above command does not return any lines, then this is a finding.
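As an added example (not part of the checklist), the following Python evaluates the tcp wrappers and banner checks above, and the Protocol 2,1 / Ssh1Compatibility check for the SSH protocol 1 item, offline against constructed sshd_config, F-Secure and /etc/hosts.deny samples. It follows the page's rule that only an active Protocol line listing 1 is a finding, so a missing Protocol line is not flagged; the hosts.deny test looks for a client list of exactly ALL, as in the page's example lines.

```python
"""Offline evaluation of the sshd checks in this section: tcp wrappers deny
entries for sshd, a configured Banner, and SSH protocol 1 enabled via an
active 'Protocol' line (OpenSSH) or 'Ssh1Compatibility yes' (F-Secure).
Added example; all sample inputs below are constructed."""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
#Protocol 2,1
Protocol 2,1
Banner /etc/issue
"""

SAMPLE_FSECURE_CONFIG = "Ssh1Compatibility   yes\n"   # F-Secure sshd2_config style

SAMPLE_HOSTS_DENY = """\
# constructed sample /etc/hosts.deny
sshd1: ALL
sshd2: ALL
sshdfwd-X11 : ALL
"""

def effective_settings(text):
    """Map lower-cased keyword -> value for the first active occurrence of each
    keyword (the occurrence sshd honours); '#' lines and blanks are skipped and
    the 'keyword = value' spelling is accepted as well."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def ssh1_enabled(config_text):
    """Finding test from the page: an uncommented 'Protocol' line that lists 1
    (e.g. '2,1' or '1'), or Ssh1Compatibility set to yes.  A missing Protocol
    line is not flagged, matching the page's wording."""
    s = effective_settings(config_text)
    versions = {v.strip() for v in s.get("protocol", "").split(",")}
    if "1" in versions:
        return True
    return s.get("ssh1compatibility", "no").lower() == "yes"

def banner_configured(config_text):
    """True if an active Banner line names a file (OpenSSH treats 'none' as off)."""
    banner = effective_settings(config_text).get("banner", "")
    return bool(banner) and banner.lower() != "none"

def sshd_denied_by_wrappers(hosts_deny_text):
    """True if /etc/hosts.deny carries a default deny (client list exactly ALL)
    for the sshd daemons, or for ALL daemons."""
    denied = set()
    for raw in hosts_deny_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if clients.strip().upper() == "ALL":
            denied |= {d.strip().lower() for d in daemons.split(",")}
    return bool(denied & {"all", "sshd", "sshd1", "sshd2"})
```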
PDI: GEN005540 V0012022 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
PDI: GEN005560 V0004397 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G661
IA Controls: DCSW-1
PDI Description:
Reference:
Ask the SA if the system is used for any other services such as web servers, file servers, DNS servers, or application servers. If it is used for another service, then this is a finding.
PDI: GEN005580 V0004398 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G662
IA Controls: DCSW-1
PDI Description:
Reference:
# ls -l /etc/notrouter
PDI: GEN005600 V0012023 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
# /opt/lotus/bin/server -v
The version should be 5.0.6a or higher for Linux, and the transition components for AIX and Solaris should be version 2.1.1. If the version is not one of the above, then this is a finding.
PDI:
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: V5899
IA Controls: DSCQ-1
PDI Description:
Reference:
Perform the following to determine if the squid web proxy is a vulnerable version:
#
PDI:
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: V9478
IA Controls: DSCQ-1
PDI Description:
Reference:
Perform the following to determine if the squid web proxy is a vulnerable version:
#
PDI: GEN005660 V0004707 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: V9482
IA Controls: DSCQ-1
PDI Description:
Reference:
Perform the following to determine if the squid web proxy is a vulnerable version:
#
If the version number is not at least 2.7STABLE7 or later, then this is a finding.
PDI:
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: V9730
IA Controls:
PDI Description:
Reference:
# ./ns-httpd -v
Ask the SA for documentation showing the installation of either service pack 3 for iPlanet Web Server 6, or service pack 10 for iPlanet Web Server 4.1.
PDI:
MAC/Confidentiality Levels:
Status Code: PART
Previously: V9517
IA Controls: DSCQ-1
PDI Description: An iPlanet Web Server was found with the search engine NSquery-pat file viewing vulnerability.
Reference:
Perform the following for each operating system to determine if NFS port monitoring is set to 1:
Solaris
#
HP-UX
# kctune nfs_portmon
AIX
# nfso -o nfs_portmon
Or
# nfso -o portcheck
IRIX
Linux does not use nfs_portmon. By default, it exports with the secure option, which is the same as nfs_portmon. Perform the following to determine if the default has been overridden:
#
If any of the file systems are exported with the insecure option, then this is a finding.
PDI: GEN005720 V0000927 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G177
IA Controls: DCSL-1
PDI Description:
Reference:
Solaris
# ls -lL /etc/dfs/dfstab
HP-UX
# ls -lL /etc/exports
AIX
# ls -lL /etc/exports
IRIX
# ls -lL /etc/exports
Linux
# ls -lL /etc/exports
If the export configuration file is not owned by root, then this is a finding.
PDI: GEN005740 V0000928 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G178
IA Controls: ECLP-1
PDI Description:
Reference:
Solaris
# ls -lL /etc/dfs/dfstab
HP-UX
# ls -lL /etc/exports
AIX
# ls -lL /etc/exports
IRIX
# ls -lL /etc/exports
Linux
# ls -lL /etc/exports
If the export configuration file is more permissive than 644, then this is a finding.
PDI:
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G179
IA Controls: ECLP-1
PDI Description:
Reference:
# exportfs -v | grep rw
If any entries are returned, ask the SA if the file systems have been approved and documented with the IAO for export as writable.
PDI: GEN005780 V0000930 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G180
IA Controls: DCSD-1
PDI Description:
Reference:
# exportfs -v
This will display all of the exported file systems. For each file system displayed, check the ownership:
# ls -lL <filesystem>
If the files and directories are not owned by root, then this is a finding.
PDI: GEN005800 V0000931 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G181
IA Controls: ECLP-1
PDI Description: NFS exported system files and system directories are not owned by root.
Reference:
Perform the following to determine if the anon option is set correctly for exported file systems:
#
Each of the exported file systems should include an entry to check for the anon= option being set to -1 or an equivalent (60001, 65534, or 65535). Linux systems use the anonuid option instead of anon.
Note: If the anon flag is found to have a UID of 0, this finding is elevated to a Severity Code I.
PDI: GEN005820 V0000932 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G182
IA Controls: IAIA-1, IAIA-2
PDI Description:
Reference:
# exportfs -v
If the exported filesystems do not contain the rw or ro options, then this is a finding.
PDI: GEN005840 V0000933 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G183
IA Controls:
PDI Description:
Reference:
This check only applies to Solaris. Perform the following on NFS servers:
#
Check to ensure the second column does not equal 0. This would indicate the default is set to none. Perform the following to check currently exported file systems:
# more /etc/exports
Or
# more /etc/dfs/dfstab
If the option sec=none is set on any of the exported file systems, then this is a finding.
PDI: GEN005860 V0000934 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G184
IA Controls:
PDI Description:
Reference:
Perform the following to determine if the NFS server is exporting with the root access option:
#
If the option is found on an exported file system, ask the SA if the access is justified and documented with the IAO. If it is not, then this is a finding.
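The anon, rw/ro, root access and (for Linux) insecure export-option checks above all read the same export list. As an added example (not part of the checklist), the following Python audits a constructed Linux /etc/exports file against them. It assumes exports(5) spellings: anonuid= for the page's anon= option and no_root_squash for the root access option; Solaris share/dfstab syntax and the sec=none check, which the page scopes to Solaris, are not handled.

```python
"""Audit a Linux /etc/exports file against the NFS export-option checks in
this section.  Added example; the sample below is constructed.  Assumes
exports(5) syntax: 'anonuid=' (the page's anon= equivalent) and
'no_root_squash' as the root access option; Solaris share/dfstab syntax and
the Solaris-only sec=none check are not handled."""
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports, not a real host configuration
/export/home   192.168.1.0/24(rw,sync,anonuid=65534)
/export/pub    *(ro,insecure)
/export/build  buildhost(rw,no_root_squash,anonuid=0)
/export/data   192.168.1.5
"""

# The page lists -1 and these equivalents as acceptable anonymous UIDs.
SAFE_ANON_UIDS = {-1, 60001, 65534, 65535}
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) once per client spec on each export line.
    Line continuations and quoted paths are not handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]   # no client list = everyone
        for spec in specs:
            m = _CLIENT_RE.match(spec)
            if not m:
                raise ValueError("malformed client spec: " + spec)
            client = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            yield path, client, options

def audit_exports(text):
    """Return (severity, path, client, message) tuples; empty means no findings."""
    findings = []
    for path, client, options in parse_exports(text):
        opts = set(options)
        if not opts & {"rw", "ro"}:
            findings.append(("CAT II", path, client,
                             "neither rw nor ro is specified"))
        if "insecure" in opts:
            findings.append(("CAT II", path, client,
                             "insecure overrides the default secure-port check (nfs_portmon)"))
        if "no_root_squash" in opts:
            findings.append(("CAT II", path, client,
                             "root access option present; must be justified and documented with the IAO"))
        for o in options:
            if o.startswith(("anonuid=", "anon=")):
                uid = int(o.split("=", 1)[1])
                if uid == 0:          # the page elevates this case to Severity Code I
                    findings.append(("CAT I", path, client, "anonymous UID maps to 0 (root)"))
                elif uid not in SAFE_ANON_UIDS:
                    findings.append(("CAT II", path, client,
                                     f"anonymous UID {uid} is not -1 or an equivalent"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```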
PDI: GEN005880 V0000935 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G185
IA Controls: DCSD-1
PDI Description: The root access option for NFS has not been justified and documented with the IAO.
Reference:
Perform the following to determine if nfs clients are mounting file systems with the nosuid and nosgid options:
#
If the mounted file systems do not have the above two options, then this is a finding and it must be justified and documented with the IAO.
PDI: GEN005900 V0000936 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G186
IA Controls: ECLP-1
PDI Description: The nosuid and nosgid options are not enabled on a NFS Client.
Reference:
If an IM client is installed, ask the SA if it is configured to communicate only with .mil IM servers. If it has access to servers on the internet, then this is a finding.
PDI: GEN006000 V0012024 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECIC-1
PDI Description:
Reference:
Ask the SA if any peer-to-peer file-sharing applications are installed. Some examples of these applications include:
Napster
Kazaa
ARES
Limewire
IRC Chat Relay
BitTorrent
If any of these applications are installed without an Acceptance of Risk Letter from the DAA, then this is a finding.
PDI: GEN006040 V0012025 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECIC-1
PDI Description:
Reference:
27. Samba
# ps -ef | grep smbd
If a process is returned as running, ask the SA if the Samba server is operationally required. If it is not, then this is a finding.
PDI: GEN006060 V0004321 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: L170
IA Controls: DCPR-1
PDI Description:
Reference:
SWAT must be utilized with ssh to ensure a secure connection between the client and the server. The ssh daemon on the server must be configured to allow port forwarding. If SWAT is being utilized to administer Samba on the server, perform the following:
#
If the line is commented out or set to no and SWAT is in use, then this is a finding.
PDI: GEN006080 V0001026 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: L048
IA Controls: DCPR-1
PDI Description: The Samba Web Administration tool is not used with SSH port forwarding.
Reference:
# ls -lL /etc/samba/smb.conf
If /etc/samba/smb.conf is not owned by root, then this is a finding.
PDI: GEN006100 V0001027 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L050
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: GEN006120 V0001056 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L051
IA Controls: DCPR-1
PDI Description:
Reference:
If /etc/samba/smb.conf is more permissive than 644, then this is a finding.
PDI: GEN006140 V0001028 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L052
IA Controls:
PDI Description:
Reference:
PDI: GEN006160 V0001029 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L054
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: GEN006180 V0001058 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L055
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: GEN006200 V0001059 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L057
IA Controls:
PDI Description:
Reference:
Perform:
# more /etc/samba/smb.conf
1. Confirm the hosts allow restricts connections to the local network subnet mask(s) and the loopback address. For example:
hosts allow = 192.168.1. 192.168.2. 127.
3. The encrypt passwords option will be set to yes. In addition, the smb password file option will contain the path to the smbpasswd file. For example:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
4. All guest entries in the shares definition section of the smb.conf file will be set to no. For example:
guest ok = no
If the smb.conf file is not configured per guidance, then this is a finding.
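As an added example (not part of the checklist), the following Python applies the smb.conf items above (hosts allow limited to the local subnets and loopback, encrypt passwords = yes, smb passwd file set, guest ok = no in every share section) to a constructed smb.conf; the local subnet prefixes are a constructed stand-in for what the reviewer would learn from the SA.

```python
"""Check the smb.conf settings listed for GEN006200 (hosts allow, encrypt
passwords, smb passwd file, guest ok).  Added example; the sample file and
the local network prefixes are constructed."""

SAMPLE_SMB_CONF = """\
; constructed sample smb.conf
[global]
   workgroup = EXAMPLE
   hosts allow = 192.168.1. 192.168.2. 127.
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
[homes]
   browseable = no
   guest ok = no
[public]
   path = /srv/public
   guest ok = yes
"""

# The site's local subnets, as the reviewer would learn them from the SA (constructed).
LOCAL_NETWORKS = ("192.168.1.", "192.168.2.")
LOOPBACK = {"127.", "localhost"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with inner
    whitespace collapsed ('hosts allow'); ';' and '#' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_smb_conf(text, local_networks):
    """Return a list of finding strings; empty means configured per guidance."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    allowed = set(g.get("hosts allow", "").replace(",", " ").split())
    permitted = set(local_networks) | LOOPBACK
    if not allowed:
        findings.append("global: hosts allow is not set, so connections are not restricted")
    elif not allowed <= permitted:
        findings.append(f"global: hosts allow permits non-local entries {sorted(allowed - permitted)}")
    elif not allowed & LOOPBACK:
        findings.append("global: hosts allow does not include the loopback address")
    if g.get("encrypt passwords", "").lower() != "yes":
        findings.append("global: encrypt passwords is not set to yes")
    if not g.get("smb passwd file"):
        findings.append("global: smb passwd file is not set")
    for name, opts in conf.items():          # every share definition section
        if name != "global" and opts.get("guest ok", "no").lower() != "no":
            findings.append(f"[{name}]: guest ok is not set to no")
    return findings
```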
PDI: GEN006220 V0001030 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: L056
IA Controls:
PDI Description:
Reference:
Perform:
# ps -e | egrep 'innd|nntpd'
If an Internet Network News server is running and not justified and documented by the IAO, then this is a finding.
PDI: GEN006240 V0001023 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: L040
IA Controls: DCSW-1, DCSD-1
PDI Description:
Reference:
PDI: GEN006260 V0004273 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L154
IA Controls:
PDI Description:
Reference:
PDI: GEN006280 V0004274 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L156
IA Controls:
PDI Description:
Reference:
PDI: GEN006300 V0004275 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L158
IA Controls:
PDI Description:
Reference:
PDI: GEN006320 V0004276 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L160
IA Controls:
PDI Description:
Reference:
PDI: GEN006340 V0004277 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L162
IA Controls: ECLP-1
PDI Description:
Reference:
# ls -al /etc/news
If /etc/news files are not group owned by root or news, then this is a finding.
PDI: GEN006360 V0004278 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: L164
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: GEN006380 V0004399 Category: I
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G663
IA Controls: DCSW-1
PDI Description:
Reference:
# ps -ef | grep ypbind
If NIS is found active on the system, ask the SA if its use is documented with the IAO. If NIS use is not documented, this is a finding.
PDI: GEN006400 V0000867 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G174
IA Controls: DCSD-1
PDI Description: The NIS protocol is in use and not justified and documented with the IAO.
Reference:
To view the domainname the NIS maps are stored under, perform the following:
# domainname
If the name returned is simple to guess, such as the organization name, building or room name, etc., then this is a finding.
PDI: GEN006420 V0012026 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
PDI: GEN006440 V0000866 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G173
IA Controls: ECCD-1, ECCD-2
PDI Description:
Reference:
PDI: GEN006460 V0000926 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G176
IA Controls: DCSL-1
PDI Description:
Reference:
Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. Use the command:
#
(where <daemon name> is the name of the primary application daemon) to determine if the application is loaded on the system. Use the command:
#
PDI: GEN006480 V0000782 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G031
IA Controls: ECID-1
PDI Description:
Reference: UNIX STIG: 6
# crontab -l
Check for the existence of a vulnerability assessment tool being scheduled and run monthly. If no entries exist in the crontab, ask the SA if a vulnerability tool is run monthly. In addition, if the tool is run monthly, ask to see any reports that may have been generated from the tool. If a tool is not run monthly, then this is a finding.
PDI: GEN006540 V0000939 Category: II
MAC/Confidentiality Levels:
Status Code: PART
Previously: G190
IA Controls: VIVM-1
PDI Description:
Reference: UNIX STIG: 6
Perform:
# find / -name (program name) -print
to check for the existence of security tools on the system. Ask the SA if the program is configured to notify the IAO and SA if a breach is detected. This check must be justified and documented with the IAO.
PDI: GEN006560 V0012028 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECAT-1, ECAT-2
PDI Description:
Reference: UNIX STIG: 6
PDI: GEN006580 V0000940 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G196
IA Controls:
PDI Description:
Reference:
# more /etc/syslog.conf
Look for entries similar to the following:
mail.debug      /var/adm/maillog
mail.none       /var/adm/maillog
mail.*          /var/log/mail
auth.info       /var/log/messages
daemon.*        /var/log/messages
The above entries would indicate mail alerts are being logged. If no entries for mail exist, then tcpd is not logging and this is a finding.
PDI: GEN006600 V0000941 Category: II
MAC/Confidentiality Levels:
Status Code: AUTO
Previously: G197
IA Controls:
PDI Description: The access control program does not log each system access attempt.
Reference:
# ls -la /etc/hosts.allow
# ls -la /etc/hosts.deny
PDI: GEN006620 V0012030 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description:
Reference:
Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file. The Mcafee command line scanner is available for most Unix/Linux operating systems. Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed. In addition, the definitions file should not be older than 14 days. Anti-Virus software can be obtained from https://www.cert.mil.
Check if uvscan is scheduled to run:
Solaris
# grep uvscan /var/spool/cron/crontabs/*
HP-UX
# grep uvscan /var/spool/cron/crontabs/*
AIX
# grep uvscan /var/spool/cron/crontabs/*
IRIX
# grep uvscan /var/spool/cron/crontabs/*
Linux
# grep uvscan /var/spool/cron/*
# grep uvscan /etc/cron.d/*
# grep uvscan /etc/cron.daily/*
# grep uvscan /etc/cron.hourly/*
# grep uvscan /etc/cron.monthly/*
PDI: GEN006640 V0012765 Category: I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECVP-1
PDI Description:
Reference: CTO 06-12
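The crontab check earlier in this section (a vulnerability assessment tool run at least monthly) and the uvscan check above (run weekly, definitions no older than 14 days) both turn on how often a cron entry fires. As an added example (not part of the checklist), the following Python classifies five-field crontab entries and applies both requirements to a constructed crontab; the tool paths, the vulnerability tool name and the definitions-file timestamps are constructed.

```python
"""Classify crontab entries by how often they fire, for the two scheduling
checks in this section: a vulnerability assessment tool run at least monthly
and the antivirus scanner (uvscan) run at least weekly, with definitions no
older than 14 days.  Added example; the crontab below is constructed."""
import re

SAMPLE_CRONTAB = """\
# constructed sample of 'crontab -l' output for root (paths are hypothetical)
0 2 * * 0 /opt/NAI/uvscan/uvscan -r / > /var/log/uvscan.log 2>&1
30 3 1 * * /usr/local/bin/vulnscan --report /var/adm/vulnscan
15 4 * * * /usr/lib/sa/sa1
"""

FREQ_RANK = {"daily": 0, "weekly": 1, "monthly": 2, "less than monthly": 3}

def schedule_frequency(entry):
    """Return 'daily', 'weekly', 'monthly' or 'less than monthly' for a
    five-field crontab entry.  Only '*' versus a fixed value is interpreted:
    cron fires when day-of-month OR day-of-week matches, so a fixed weekday
    means weekly and a fixed day-of-month alone means monthly.  Ranges, lists
    and '/' steps are treated as fixed values (a conservative reading), and
    '@weekly'-style aliases are not supported."""
    fields = entry.split(None, 5)
    if len(fields) < 6:
        raise ValueError("not a five-field crontab entry: " + entry)
    minute, hour, dom, month, dow = fields[:5]
    if month != "*":
        return "less than monthly"
    if dom == "*" and dow == "*":
        return "daily"
    if dow != "*":
        return "weekly"
    return "monthly"

def job_runs_at_least(crontab_text, command_pattern, required):
    """True if some active entry whose command matches command_pattern fires
    at least as often as `required` ('daily', 'weekly' or 'monthly')."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6 or not re.search(command_pattern, fields[5]):
            continue
        if FREQ_RANK[schedule_frequency(line)] <= FREQ_RANK[required]:
            return True
    return False

def definitions_current(definitions_mtime, now, max_age_days=14):
    """True if the antivirus definitions file (mtime in epoch seconds) was
    updated within max_age_days of `now`."""
    return now - definitions_mtime <= max_age_days * 86400

def audit_scheduling(crontab_text, vuln_tool_pattern, definitions_mtime, now):
    """Apply the uvscan, definitions-age and vulnerability-tool requirements;
    returns a list of finding strings (empty means no findings)."""
    findings = []
    if not job_runs_at_least(crontab_text, r"uvscan", "weekly"):
        findings.append("uvscan is not scheduled at least weekly")
    if not definitions_current(definitions_mtime, now):
        findings.append("antivirus definitions are older than 14 days")
    if not job_runs_at_least(crontab_text, vuln_tool_pattern, "monthly"):
        findings.append("no vulnerability assessment tool is scheduled at least monthly")
    return findings
```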
6. SUN SOLARIS
1. Removable Media
1. SOL00020 /etc/rmmount.conf Configuration
PDI: SOL00020 V0012031 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description:
Reference:
Perform:
# more /etc/security/audit_user
If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the same flags as all users as defined in the /etc/security/audit_control file.
PDI: SOL00040 V0004353 Category: II
MAC/Confidentiality Levels:
Previously: G677
IA Controls: DCSW-1
PDI Description: The audit_user file has a different auditing level for specific users.
Reference:
PDI: SOL00060 V0004352 Category: II
MAC/Confidentiality Levels:
Previously: G678
IA Controls: ECTP-1
PDI Description:
Reference:
PDI: SOL00080 V0004351 Category: II
MAC/Confidentiality Levels:
Previously: G679
IA Controls: ECTP-1
PDI Description:
Reference:
PDI: SOL00100 V0004245 Category: II
MAC/Confidentiality Levels:
Previously: G680
IA Controls: ECTP-1
PDI Description:
Reference:
If there is any output, then check to make sure that the files in question are in the /usr/aset/masters directory by performing:
# ls -l /usr/aset/masters
The following files should be in the listing: tune.high, tune.low, tune.med, and uid_aliases. If all of the files are not in the directory listing, then this is a finding.
PDI: SOL00120 V0004313 Category: II
MAC/Confidentiality Levels:
Previously: G681
IA Controls: DCSW-1
PDI Description:
Reference:
# more /usr/aset/masters/uid_aliases
If the /usr/aset/masters/uid_aliases file is not empty or all contents are not commented out, then this is a finding.
PDI: SOL00140 V0004312 Category: II
MAC/Confidentiality Levels:
Previously: G682
IA Controls: DCSW-1
PDI Description:
Reference:
A returned entry would indicate ASET is being utilized. Determine if ASET is configured to check firewall settings by:
#
PDI: SOL00160 V0004309 Category: II
MAC/Confidentiality Levels:
Previously: G685
IA Controls: DCSW-1
PDI Description:
Reference:
# more /usr/aset/asetenv
If there are any changes below the following two lines that are not comments, this is a finding:
# Don't change from here on down ...
PDI: SOL00180 V0000953 Category: II
MAC/Confidentiality Levels:
Previously: SO05
IA Controls: DCSW-1
PDI Description:
Reference:
6. Running ASET
If NIS+ is running and the YPCHECK variable is set to false, then this is a finding.
PDI: SOL00200 V0000954 Category: II
MAC/Confidentiality Levels:
Previously: SO06
IA Controls: DCSW-1
PDI Description:
Reference:
The default user list is /usr/aset/userlist. If the -u option is specified in the crontab entry, then the userlist file is the argument supplied to the -u option. Perform:
# more /usr/aset/userlist
If the file does not exist or if the file does not contain a list of the system usernames, then this is a finding.
PDI: SOL00220 V0000955 Category: II
MAC/Confidentiality Levels:
Previously: SO07
IA Controls: DCSW-1
PDI Description: The /usr/aset/userlist file does not contain a list of all system users.
Reference:
# ls -lL /usr/aset/userlist
If /usr/aset/userlist is not owned by root, then this is a finding.
PDI: SOL00240 V0000956 Category: II
MAC/Confidentiality Levels:
Previously: SO08
IA Controls: ECLP-1
PDI Description:
Reference:
# ls -lL /usr/aset/userlist
If /usr/aset/userlist is more permissive than 600, then this is a finding.
PDI: SOL00260 V0000957 Category: II
MAC/Confidentiality Levels:
Previously: SO09
IA Controls:
PDI Description:
Reference:
PDI: SOL00300 V0000958 Category: II
MAC/Confidentiality Levels:
Previously: SO10
IA Controls:
PDI Description:
Reference:
8. Sun Answerbook2
1. SOL00360 Sun Answerbook2 Script Access
110532-01
Solaris 5.5.1_x86   110538-01
Solaris 5.6         110532-01
Solaris 5.6_x86     110538-01
Solaris 5.7         110532-01
Solaris 5.7_x86     110538-01
Solaris 5.8         110532-01
Solaris 5.8_x86     110538-01
Apply the applicable patch or remove the binary/application to remediate this finding. Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding; for example, a CAT II finding may be downgraded to a CAT III.
PDI:
MAC/Confidentiality Levels:
Previously: V9756
IA Controls: DSCQ-1
PDI Description:
Reference:
Solaris 5.5.1       110531-01
Solaris 5.5.1_x86   110537-01
Solaris 5.6         110531-01
Solaris 5.6_x86     110537-01
Solaris 5.7         110531-01
Solaris 5.7_x86     110537-01
Solaris 5.8         110531-01
Solaris 5.8_x86     110537-01
Apply the applicable patch or remove the binary/application to remediate this finding. Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding; for example, a CAT II finding may be downgraded to a CAT III.
PDI: SOL00380 V0004711 Category: II
MAC/Confidentiality Levels:
Previously: V9758
IA Controls: DCSQ-1
PDI Description:
Reference:
To enable NFS server logging, the log option must be applied to all exported file systems in /etc/dfs/dfstab. Perform the following to verify NFS logging is enabled:
# share
The preceding command will display all exported filesystems. Each line should contain a log entry to indicate logging is enabled. If the log entry is not present, then this is a finding. If the share command does not return anything, then this is not an NFS server and this is considered Not Applicable.
PDI: SOL00400 V0004300 Category: II
MAC/Confidentiality Levels:
Previously: G696
IA Controls: DCHW-1
PDI Description:
Reference:
PDI: SOL00420 V0012032 Category: II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
PDI: SOL00440 V0012033 Category: I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCS-2
PDI Description:
Reference:
1. Trusted Mode
1. HPUX0020 Operating in Trusted Mode
To check if the system is in Trusted Mode, the following file structure should exist:
# ls -la /tcb/files/auth/r/root
If the file does not exist, this is a finding.
http://s3.amazonaws.com/0706/819143.html
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI: HPUX0020 V0000960 Category II
MAC/Confidentiality Levels:
Previously: HP02
IA Controls: DCSW-1
PDI Description:
Reference:
PDI: HPUX0040 V0004290 Category II
MAC/Confidentiality Levels:
Previously: HP14
IA Controls: ECAT-1, ECAR-1
PDI Description:
Reference:
# ls -lL /etc/securetty
If /etc/securetty is not owned by root, then this is a finding.
PDI: HPUX0060 V0000966 Category II
MAC/Confidentiality Levels:
Previously: HP08
IA Controls: ECLP-1
PDI Description:
Reference:
# ls -lL /etc/securetty
If /etc/securetty is not group owned by root, sys, or bin, then this is a finding.
PDI: HPUX0080 V0000965 Category II
MAC/Confidentiality Levels:
Previously: HP07
IA Controls: ECLP-1
PDI Description:
Reference:
# ls -lL /etc/securetty
If /etc/securetty is more permissive than 640, then this is a finding.
PDI: HPUX0100 V0000967 Category II
MAC/Confidentiality Levels:
Previously: HP09
IA Controls: ECLP-1
PDI Description:
Reference:
Perform:
# /bin/tcbck
If TCB is not installed, the output will show an error code of 3001-101 and/or a text message that indicates TCB
is not installed. This will result in a finding.
PDI: AIX00020 V0000969 Category II
MAC/Confidentiality Levels:
Previously: AIX02
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
2. Network Security
1. AIX00040 securetcpip Command
is not there, then this is a finding. The stanza indicates the securetcpip command, which disables all the unsafe tcpip commands (e.g., rsh, rlogin, tftp), has been executed.
PDI: AIX00040 V0004284 Category II
Previously: AIX07
IA Controls: DCSW-1
PDI Description:
Reference:
3. System Commands
1. AIX00060 System Baseline for Files with TCB Bit Set
Perform the following command with no parameters to ensure the system is in trusted mode:
# /bin/tcbck
If TCB is not installed, the output will show an error code of 3001-101 and/or a text message that indicates TCB
is not installed. If the output from the command indicates that it is not in trusted mode, mark this item Not
Reviewed. Otherwise, check the root crontab to verify tcbck is executed weekly. If it is not in the crontab,
ask the SA if the check is run manually and to see the results of the check.
PDI: AIX00060 V0004287 Category II
Previously: AIX10
IA Controls: DCPR-1, VIVM-1
PDI Description: A baseline of AIX files with the TCB bit set is not checked weekly.
Reference:
4. Authentication
1. AIX00080 SYSTEM Attribute
PDI: AIX00080 V0012035 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description:
Reference:
10. Xfsmd
# more /etc/inetd.conf
root /usr/etc/xfsmd xfsmd
PDI: IRIX0020 V0004705 Category I
Previously: V9402
IA Controls: DSCQ-1
PDI Description:
Reference:
11. LINUX
If the CMOS is not configured to disable the capability to boot from removable media (e.g., diskette), then this is a finding.
PDI: LNX00040 V0001013 Category I
MAC/Confidentiality Levels:
Previously: L007
IA Controls: ECSC-1
PDI Description:
Reference:
On x86 systems enter the system BIOS and confirm that a supervisor password is enabled. Some systems will
have only one password setting, while others may have both user and supervisor settings. On those with two
settings, ensure the supervisor password is enabled and set. If the system cannot be rebooted to confirm the
settings, ask the system administrator if a BIOS password is enabled. If it is not, then this is a finding.
PDI: LNX00060 V0004246 Category II
MAC/Confidentiality Levels:
Previously: L064
IA Controls: DCPR-1
PDI Description:
Reference:
3. Boot Loaders
Confirm /etc/lilo.conf or /boot/grub/grub.conf exists; if neither exists, ask the SA if they are using a boot diskette as the boot loader.
If a boot diskette is implemented as the boot loader, then this is a finding.
PDI: LNX00080 V0004247 Category I
MAC/Confidentiality Levels:
Previously: L066
IA Controls: DCCB-1, DCCB-2
PDI Description:
Reference:
# test -f /etc/grub.conf
# echo $?
# test -f /etc/lilo.conf
# echo $?
If either of the echo statements returns 1, the preceding file is not on the system. Grub is the preferred boot loader for the system. If LILO is being used, check for the presence of /etc/lilo.conf.crc, which should contain a hashed password. If it does not contain a hashed password, or another third-party boot loader is used, then this is a finding.
PDI: LNX00100 V0004248 Category I
MAC/Confidentiality Levels:
Previously: L068
IA Controls: DCCB-1, DCCB-2
PDI Description: The default boot loader does not support journaling and the password cannot be encrypted and the host is not located in a controlled access area accessible only by SAs and justified and documented with the IAO.
Reference:
Ask the SA if the Linux /boot partition resides on removable media (e.g., cdrom, diskette). If so, ask the SA to
verify if it is stored securely under the direction of the security officer and is only used in emergencies. This is a
finding if the media is not stored in a secure location.
PDI: LNX00120 V0004255 Category I
MAC/Confidentiality Levels:
Previously: L084
IA Controls: PESS-1
PDI Description:
Reference:
PDI: LNX00140 V0004249 Category I
MAC/Confidentiality Levels:
Previously: L072
IA Controls: DCCB-1, DCCB-2
PDI Description:
Reference:
PDI: LNX00160 V0004250 Category II
MAC/Confidentiality Levels:
Previously: L074
IA Controls:
PDI Description:
Reference:
Check for the password to precede the first image stanza in /etc/lilo.conf:
# more /etc/lilo.conf
password=
image=/boot/vmlinuz-2.4.20-6smp
PDI: LNX00180 V0004252 Category I
MAC/Confidentiality Levels:
Previously: L078
IA Controls:
PDI Description:
Reference:
PDI: LNX00200 V0012036 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCCB-1, DCCB-2
PDI Description:
Reference:
PDI: LNX00220 V0004253 Category I
MAC/Confidentiality Levels:
Previously: L080
IA Controls:
PDI Description:
Reference:
6. Filesystems
1. LNX00240 Journaling
PDI: LNX00240 V0001015 Category II
MAC/Confidentiality Levels:
Previously: L017
IA Controls: DCCS-1, DCCS-2
PDI Description:
Reference:
On SuSE systems tftp must be running for AutoYaST to work properly. Check for tftp by:
#
# more /etc/bootptab
and ask the SA if any of the exported file systems contain Kickstart images to be installed on a client.
PDI: LNX00260 V0004256 Category I
MAC/Confidentiality Levels:
Previously: L088
IA Controls: ECSD-1, ECSD-2
PDI Description:
Reference:
8. Dual Boot
Review the applicable boot loader configuration file to ensure it is capable of booting only one operating system. For the grub boot loader, /etc/grub.conf should be reviewed. For the lilo boot loader, /etc/lilo.conf should be reviewed. Locations for these files may differ on older versions of Linux.
PDI: LNX00280 V0001016 Category II
MAC/Confidentiality Levels:
Previously: L022
IA Controls: DCPR-1
PDI Description:
Reference:
Or
# ps -ef | grep -i ugidd
If the daemon is running or installed this is a finding.
PDI: LNX00300 V0004262 Category II
MAC/Confidentiality Levels:
Previously: L128
IA Controls: DCPR-1
PDI Description:
Reference:
PDI: LNX00320 V0004268 Category I
MAC/Confidentiality Levels:
Previously: L140
IA Controls: IAAC-1, ECPA-1
PDI Description:
Reference:
PDI: LNX00340 V0004269 Category II
MAC/Confidentiality Levels:
Previously: L142
IA Controls: IAAC-1
PDI Description:
Reference:
11. X Windows
X servers get started several ways, such as xdm, gdm or xinit. Perform:
# ps -ef | grep X
PDI: LNX00360 V0001021 Category II
MAC/Confidentiality Levels:
Previously: L032
IA Controls: DCPR-1
PDI Description:
Reference:
X servers get started several ways, such as xdm, gdm or xinit. Perform:
# ps -ef | grep X
PDI: LNX00380 V0001022 Category II
MAC/Confidentiality Levels:
Previously: L034
IA Controls: DCPR-1
PDI Description: The X server has one of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
Reference:
# ls -lL /etc/security/access.conf
If /etc/login.access or /etc/security/access.conf is not owned by root, then this is a finding.
PDI: LNX00400 V0001025 Category II
MAC/Confidentiality Levels:
Previously: L044
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: LNX00420 V0001054 Category II
MAC/Confidentiality Levels:
Previously: L045
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: LNX00440 V0001055 Category II
MAC/Confidentiality Levels:
Previously: L046
IA Controls:
PDI Description:
Reference:
PDI: LNX00480 V0004334 Category II
MAC/Confidentiality Levels:
Previously: L204
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: LNX00500 V0004335 Category II
MAC/Confidentiality Levels:
Previously: L206
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: LNX00520 V0004336 Category II
MAC/Confidentiality Levels:
Previously: L208
IA Controls:
PDI Description:
Reference:
# ps -ef | grep nfsd
If an NFS server is running, confirm that it is not configured with the insecure option by:
# exportfs -v
speedy.redhat.com(rw,insecure)
PDI: LNX00540 V0012037 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCPR-1
PDI Description:
Reference:
# ps -ef | grep nfsd
If an NFS server is running, confirm that it is not configured with the insecure_locks option by:
# exportfs -v
speedy.redhat.com(rw,insecure_locks)
PDI: LNX00560 V0004339 Category I
MAC/Confidentiality Levels:
Previously: L214
IA Controls: DCPR-1
PDI Description:
Reference:
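An added example, not from the checklist, that applies the two exportfs -v checks above (LNX00540 for insecure, LNX00560 for insecure_locks) as one shell function over constructed sample output; it also handles the line wrapping exportfs -v applies to export paths longer than 14 characters. The host names, paths and option sets in the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the checklist: audit `exportfs -v` output for the
# insecure and insecure_locks options named by LNX00540 and LNX00560.
# The export lists below are constructed samples; in real use, save the
# command's output to a file and pass that file to the function.

# nfs_export_findings FILE
# Prints "FINDING: <export> <client> <option>" for every flagged option and
# returns 1 if anything was flagged, 0 if the export list is clean.
nfs_export_findings() {
    found=0
    pending=""
    while read -r first rest; do
        [ -n "$first" ] || continue
        case $first in
            *\(*)
                # exportfs -v prints a path longer than 14 characters on its
                # own line and the client spec indented on the next line;
                # stitch the two lines back together.
                path=$pending
                client_spec=$first ;;
            *)
                if [ -z "$rest" ]; then
                    pending=$first
                    continue
                fi
                path=$first
                client_spec=$rest ;;
        esac
        pending=""
        client=${client_spec%%\(*}
        opts=${client_spec#*\(}
        opts=${opts%\)}
        # Compare whole option words so "secure" is not mistaken for
        # "insecure" and "insecure" does not match inside "insecure_locks".
        old_ifs=$IFS
        IFS=,
        for opt in $opts; do
            case $opt in
                insecure|insecure_locks)
                    printf 'FINDING: %s %s %s\n' "$path" "$client" "$opt"
                    found=1 ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
    return $found
}

# Constructed sample in the layout exportfs -v uses (the second export has a
# long path, so its client spec wraps onto the following line).
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
/export         speedy.redhat.com(rw,insecure)
/export/home/projects
                speedy.redhat.com(rw,insecure_locks,no_root_squash)
/srv/iso        *.example.com(ro,sync,secure)
EOF

# Constructed sample that only carries the secure default.
SAMPLE_OK=$(mktemp)
printf '/srv/iso        *.example.com(ro,sync,secure)\n' > "$SAMPLE_OK"

nfs_export_findings "$SAMPLE_BAD"
echo "exit status for the flawed export list: $?"
nfs_export_findings "$SAMPLE_OK" && echo "clean export list: no finding"
```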
Verify that Linux systems have disabled the <CTRL><ALT><DELETE> key sequence by performing:
# grep ctrlaltdel /etc/inittab
If the line returned is not commented out then this is a finding.
PDI: LNX00580 V0004342 Category I
MAC/Confidentiality Levels:
Previously: L222
IA Controls: DCPR-1
PDI Description:
Reference:
Ensure the pam_console.so module is not configured in any files in /etc/pam.d by:
# cd /etc/pam.d
# grep pam_console.so *
Or
# ls -la /etc/security/console.perms
If either the pam_console.so entry or the file /etc/security/console.perms is found, then this is a finding.
PDI: LNX00600 V0004346 Category II
MAC/Confidentiality Levels:
Previously: L230
IA Controls: DCCS-1, DCCS-2
PDI Description: PAM grants sole access to admin privileges to the first user who logs into the console.
Reference:
PDI: LNX00620 V0012038 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: LNX00640 V0012039 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECLP-1
PDI Description:
Reference:
PDI: LNX00660 V0012040 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECLP-1
PDI Description:
Reference:
18. RealPlayer
# rpm -q RealPlayer
# rpm -e RealPlayer
PDI: LNX00680 V0012041 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1
PDI Description:
Reference:
Vulnerable Systems:
HP HP-UX 10.10
HP HP-UX 10.20
HP HP-UX 10.24
HP HP-UX 11.00
HP HP-UX 11.04
HP HP-UX 11.11
IBM AIX 4.3
IBM AIX 5.1
SGI IRIX 5.2-6.4
Compaq Tru64 DIGITAL UNIX v4.0f
Compaq Tru64 DIGITAL UNIX v4.0g
Compaq Tru64 DIGITAL UNIX v5.0a
Compaq Tru64 DIGITAL UNIX v5.1
Compaq Tru64 DIGITAL UNIX v5.1a
Sun Solaris 1.1-1.2
Sun Solaris 2.0-2.7
Sun Solaris 7
Sun Solaris 8
Open Group
Caldera (SCO)
Xi Graphics
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
Solaris 2.5.1       104489-15
Solaris 2.5.1_x86   105496-12
Solaris 2.6         105802-19
Solaris 2.6x86      105803-21
Solaris 2.7         107893-21
Solaris 2.7x86      107894-20
Solaris 2.8         110286-14
Solaris 2.8x86      110287-14
HP-UX 10.10         PHSS_26488
HP-UX 10.20         PHSS_29201
HP-UX 10.24         PHSS_29201
HP-UX 10.30         PHSS_16151
HP-UX 11.00         PHSS_32539
HP-UX 11.11         PHSS_33325
IRIX                SG0004416
AIX 4.3             IY24387
AIX 5.1             IY23846
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0005 V0000998 Category I
MAC/Confidentiality Levels:
Previously: G345
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-A-0011
Vulnerable Systems:
Any system with a recent installation of TCP Wrappers
(primarily UNIX systems)
Compliance Checking:
Look in the TCP Wrappers source code for the following added line:
#
Or
Review the binary code for the following signature
#
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0010 V0001002 Category I
MAC/Confidentiality Levels:
Previously: G357
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 1999-0002
Vulnerable Systems:
Any OS running a POP server based on QUALCOMM's Qpopper
Compliance Checking:
To determine if a system is vulnerable, first telnet to port 110 on
that host. If it is running a POP server, the banner will show the
version. For example:
# telnet yourmailhost.your.domain.com 110
Trying 123.123.123.123
Connected to mailhost
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting
In the above example, the POP server is QUALCOMM's Qpopper version 2.4, which is known to be a
vulnerable version.
IRIX
Check to see if the vulnerable subsystem is installed.
Versions 2.41 and prior of fw_BSDqpopper are vulnerable.
# versions -b fw_BSDqpopper
Name                 Date        Description
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0015 V0001005 Category II
MAC/Confidentiality Levels:
Previously: G361
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 98-06
Vulnerable Systems:
All platforms running IMAP or POP servers.
Compliance Checking:
Perform the following to check if the mail servers are running:
# netstat -a | grep LISTEN | egrep 'imap|pop|pop3|\.143|\.110'
Likewise the following command can be used to check for POP-3 Servers:
#
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris Internet Mail Server 3.2       105935-09
Solaris Internet Mail Server 3.2_x86   105936-09
Solaris Internet Mail Server 2.0       105346-07
Solaris Internet Mail Server 2.0_x86   105347-07
AIX 4.2.x                              IX80446
AIX 4.3.x                              IX80447
Red Hat                                imap-4.1.final-1.i386.rpm
IRIX
Check to see if the vulnerable subsystem is installed.
4.1-BETA and prior of fw_imap are vulnerable.
# versions -b fw_imap
I fw_imap
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0020 V0001006 Category II
MAC/Confidentiality Levels:
Previously: G363
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 1998-A-0011
Vulnerable Systems:
Any OS running a vulnerable mail or news client, including
Netscape Messenger.
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to determine the following:
SOLARIS 2.5.1       104178-04
SOLARIS 2.5.1_x86   104185-04
SOLARIS 2.6         105338-27
SOLARIS 2.6x86      105339-25
SOLARIS 2.7         107200-16
SOLARIS 2.7x86      107201-16
HP-UX 10.10         PHSS_26488
HP-UX 10.20         PHSS_29202
HP-UX 10.24         PHSS_28173
HP-UX 10.30         PHSS_16151
HP-UX 11.00         PHSS_32539
HP-UX 11.04         PHSS_30807
HP-UX 11.11         PHSS_33325
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0025 V0001007 Category II
MAC/Confidentiality Levels:
Previously: G365
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 98-07
Vulnerable Systems:
Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5
WebShield 300 series E-ppliance
WebShield For Solaris 4.0
WebShield 100 series E-ppliance
Compliance Checking:
Ask the SA or IAO if they are running Gauntlet software, and which version. If the system is running less
than version 5.5 patch level 14 or version 6.0 patch level 4, this is a finding.
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris   cyber.patch
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0030 V0001008 Category I
MAC/Confidentiality Levels:
Previously: G371
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2000-A-0003
Vulnerable Systems:
MySQLd 3.23.32 and all previous versions
Compliance Checking:
Perform the following to determine the version:
# mysql -V
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0035 V0001064 Category II
MAC/Confidentiality Levels:
Previously: G373
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-T-0004
Vulnerable Systems:
IPlanet
Compliance Checking:
Use the following steps to determine the version number:
1. Navigate to the following directory:
server-root/bin/https/bin
2. Run the ns-httpd program with the "-v" parameter:
# ./ns-httpd -v
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0040 V0001067 Category I
MAC/Confidentiality Levels:
Previously: G505
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-A-0007
Vulnerable Systems:
All current versions of BSD/OS are vulnerable.
OpenLinux 2.3
FreeBSD, Inc.
HP-UX 10.20
IBM AIX
Solaris
SuSE
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.6         106049-05
Solaris 2.6x86      106050-05
Solaris 2.7         107475-05
Solaris 2.7x86      107476-05
Solaris 2.8         110668-05
Solaris 2.8x86      110669-05
HP-UX 10.01         PHNE_24820
HP-UX 10.10         PHNE_24820
HP-UX 10.20         PHNE_24821
HP-UX SIS 10.20     PHNE_24822
HP-UX 10.24         PHNE_25217
AIX 4.3.3           IY22029
AIX 5.1             IY22021
IRIX 6.5            SG0004354
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0045 V0001069 Category I
MAC/Confidentiality Levels:
Previously: G507
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-T-0008
Vulnerable Systems:
SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier
on the following platforms:
Solaris
Linux
Compliance Checking:
To determine the version of Java on a system, the following command can be run:
# java -fullversion
Or
# java -version
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0050 V0005016 Category II
MAC/Confidentiality Levels:
Previously: G508
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-B-0015
Vulnerable Systems:
HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
HP-UX releases 10.20 and 11.00 (only).
Sun Microsystems SOLARIS releases 2.X
Tivoli NetView Versions 5.x and 6.x on the following platforms:
IBM AIX
Sun Microsystems SOLARIS
Compaq Tru64 Unix
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded for
OpenView:
HP-UX 10.20   PHSS_24797
HP-UX 11.00   PHSS_24798
Solaris       PSOV_02988
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0055 V0002366 Category I
MAC/Confidentiality Levels:
Previously: G509
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-B-0002
Vulnerable Systems:
# ./ns-httpd -v
To determine the version of Sun Java System Application Server, the following command can be run:
# <AS_INSTALL>/bin/asadmin version --verbose
(Where <AS_INSTALL> is the installation directory of the Application Server)
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously: G510
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0038
Vulnerable Systems:
SSH1.5: 1.2.24 - 1.2.31
SSH1.5: 1.3.6 - 1.3.10
OpenSSH 1.2, 1.2.1 - 1.2.3
OpenSSH 2.1, 2.1.1, 2.2.0
SSH Communications Security SSH 1.2.23 through 1.2.31
SSH Communications Security SSH 2.x and 3.x (Version 1 fallback is enabled)
F-Secure SSH versions prior to 1.3.11-2
OSSH 1.5.7
Debian
FreeBSD
Compliance Checking:
To get the version, perform:
# telnet localhost 22
Or
#
Or
# ssh -V
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0065 V0002391 Category I
MAC/Confidentiality Levels:
Previously: G513
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-A-0013
Vulnerable Systems:
Gauntlet for Unix versions 5.x
PGP e-ppliance 300 series version 1.0
McAfee e-ppliance 100 and 120 series
Gauntlet for Unix version 6.0
PGP e-ppliance 300 series versions 1.5, 2.0
PGP e-ppliance 1000 series versions 1.5, 2.0
McAfee WebShield for Solaris v4.1
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris   cyber.patch
HP-UX     PHCO_16723 or later
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0075 V0002392 Category I
MAC/Confidentiality Levels:
Previously: G515
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-A-0009
Vulnerable Systems:
OpenSSH versions prior to 2.1.1
OpenBSD
OpenSSH
FreeBSD
IBM
Compliance Checking:
To get the version, perform:
# telnet localhost 22
Or
# ssh -V
Upgrade to OpenSSH 3.0.2 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0080 V0002393 Category I
MAC/Confidentiality Levels:
Previously: G517
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-T-0017
Vulnerable Systems:
Oracle E-Business Suite 11.0.0
Oracle E-Business Suite 11i 11.5.0
Oracle E-Business Suite 11i 11.5.0.10
Oracle E-Business Suite 11i 11.5.1
Oracle E-Business Suite 11i 11.5.2
Oracle E-Business Suite 11i 11.5.3
Oracle E-Business Suite 11i 11.5.4
Oracle E-Business Suite 11i 11.5.5
Oracle E-Business Suite 11i 11.5.6
Oracle E-Business Suite 11i 11.5.7
Oracle E-Business Suite 11i 11.5.8
Oracle E-Business Suite 11i 11.5.9
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
# $ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand each Oracle Home. If Oracle Collaboration Suite is listed, expand it to view any installed patches.
Please ensure one of the patches listed below is installed:
4135540
4193286
4193293
4193299
4193301
4193307
4193312
4201702
4217570
4266635
4312525
Note: Repeat for each Oracle installation.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0085 V0007017 Category I
MAC/Confidentiality Levels:
Previously: G518
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2005-A-0014
Vulnerable Systems:
All Unix operating systems running CDE.
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.5.1       108363-02
Solaris 2.5.1_x86   108364-02
Solaris 2.6         105669-11
Solaris 2.6_x86     105670-10
Solaris 2.7         106934-04
Solaris 2.7_x86     106935-04
Solaris 2.8         108949-07
Solaris 2.8_x86     108950-07
HP-UX 10.10         PHSS_25785
HP-UX 10.20         PHSS_25786
HP-UX 10.24         PHSS_26029
HP-UX 11.0          PHSS_25787
HP-UX 11.04         PHSS_26030
HP-UX 11.11         PHSS_25788
IRIX 5.3            SG0004416
AIX 4.3             IY06694
AIX 5.1             IX89419
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0090 V0002394 Category I
MAC/Confidentiality Levels:
Previously: G519
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2002-A-0001
Vulnerable Systems:
BSDi BSD/OS Version 4.1 and earlier
Debian GNU/Linux 2.1 and 2.1r4
All released versions of FreeBSD 3.x and 4.x prior to 4.4-RELEASE; FreeBSD 4.3-STABLE and 3.5.1-
106235-10
106236-10
107115-10
107116-10
109320-05
109321-05
HP-UX 10.01   PHCO_25107
HP-UX 10.10   PHCO_25108
HP-UX 10.20   PHCO_25109
HP-UX 11.00   PHCO_25110
HP-UX 11.11   PHCO_25111
HP-UX 11.20   PHCO_24868
IRIX 6.5.3.1.1
AIX 4.3       IY23037
AIX 5.1       IY23041
Linux ALL
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0095 V0002395 Category II
MAC/Confidentiality Levels:
Previously: G521
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2001-T-0015
Vulnerable Systems:
Mozilla Firefox 1.0.3 and earlier.
Compliance Checking:
# find / -name firefox
If Firefox is found, confirm the version is 1.0.4 or later.
# /<firefox_binary> -v
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0100 V0007019 Category II
MAC/Confidentiality Levels:
Previously:
G522
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0014
Vulnerable Systems:
Sun Solaris 8/SunOS 5.8 and earlier
IBM 4.3 and 5.1
SCO OpenServer 5.0.6a and earlier
SGI 3.x
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.5.1 106160-02
Solaris 2.5.1_x86 106161-02
Solaris 2.6 105665-04
Solaris 2.6_x86 105666-04
Solaris 2.7 112300-01
Solaris 2.7_x86 112301-01
Solaris 2.8 111085-02 Obsoleted by 108993-02
Solaris 2.8_x86 111086-02 Obsoleted by 108994-02
IRIX 3.x
AIX 4.3 IY26443
AIX 5.1 IY26221
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0105 V0002396 Category I
MAC/Confidentiality Levels:
Previously:
G523
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-A-0014
Vulnerable Systems:
FreeBSD prior to 5.4.0
OpenBSD 3.0.0
OpenBSD 3.1.0
OpenBSD 3.2.0
OpenBSD 3.3.0
OpenBSD 3.4.0
OpenBSD 3.5.0
OpenBSD 3.6.0
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.64
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0110 V0007020 Category II
MAC/Confidentiality Levels:
Previously:
G524
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-B-0012
Vulnerable Systems:
CacheOS 3.1.22, 4.0.15, 4.1.02
Compaq
NonStop Himalaya Servers
TCP/IP Services for OpenVMS
Tru64 Unix
Insight Management Suite
Deskpro
Professional Workstation (Armada)
SANworks
Hewlett-Packard Company
HP 9000 Series 700 and Series 800 running HP-UX releases 10.X,11.X
HP Procurve switches
JetDirect Firmware (older versions only)
MC/ServiceGuard, EMS HA Monitors
iPlanet
Netscape Directory Server V4.12-V4.16 for Unix
iPlanet Directory Server V5.0SP1 & 5.1 for Unix
iPlanet Web Proxy Server V3.6 for Unix
Oracle
Oracle7 Database, Release 7.3.x
Oracle8 Database, Releases 8.0.x
Oracle8i Database, Releases 8.1.x
Oracle9i Database, Release 9.0.1.x
Sun Microsystems, Inc.
Solstice Enterprise Agents (SEA)
Concord Communications
eHealth Console version 5.0.2 P1
eHealth Console version 4.8 P8
eHealth TrapEXPLODER 1.3
Netscreen
ScreenOS - all versions
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 2.6 106787-18
Solaris 2.6_x86 106872-18
Solaris 2.7 107709-19
Solaris 2.7_x86 107710-19
Solaris 2.8 108869-16
Solaris 2.8_x86 108870-16
HP-UX 10.20 PHSS_26137
HP-UX 11.00 PHSS_26138
AIX 4.3 IY17630
AIX 5.1 IY20943
Initially, this is a CAT I if the IAVA has not been applied. Additional requirements have been added:
If the SNMP version is 3 or greater, this is not a finding.
If the SNMP version is 1 or 2, or does not have all the patches, or has open IAVAs for SNMP, it is a CAT I.
If it is version 1 or 2, fully patched, with no SNMP IAVAs open, but there is no formally documented plan to
migrate to version 3, it is a CAT II.
If it is version 1 or 2, fully patched, with all IAVAs applied, and there is a formally documented plan to
migrate to version 3, this is a CAT III.
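The four rules above form a severity ladder that is easy to apply inconsistently across many hosts. The following function is an added example, not part of the checklist; it applies the rules in the order the page gives them and also encodes the one-category downgrade that the Remediation Guidelines throughout this section allow when the vulnerable binary is renamed and set to mode 000 (that a CAT IV is not downgraded further is an assumption of the example).

```python
# Added example encoding the SNMP severity rules stated on this page.

def snmp_finding_category(snmp_version, fully_patched, open_snmp_iavas,
                          migration_plan_documented):
    """Return None when SNMP is not a finding, otherwise the category string.

    snmp_version              -- 1, 2 or 3: the SNMP protocol version in use
    fully_patched             -- True when every patch in the table above is applied
    open_snmp_iavas           -- True when any SNMP IAVA is still open for the host
    migration_plan_documented -- True when a formal plan to move to SNMPv3 exists
    """
    if snmp_version >= 3:
        return None                      # version 3 or greater: not a finding
    if snmp_version not in (1, 2):
        raise ValueError("unrecognised SNMP version: %r" % (snmp_version,))
    if not fully_patched or open_snmp_iavas:
        return "CAT I"                   # v1/v2 missing patches or with open IAVAs
    if not migration_plan_documented:
        return "CAT II"                  # patched, but no documented path to v3
    return "CAT III"                     # patched and migration formally planned


def downgraded_category(category):
    """Remediation Guidelines rule used in this section: a vulnerable binary
    that is renamed and set to mode 000 lowers the finding one category
    (CAT I -> CAT II, CAT II -> CAT III, CAT III -> CAT IV).  Assumption of
    this example: a CAT IV stays a CAT IV."""
    order = ["CAT I", "CAT II", "CAT III", "CAT IV"]
    idx = order.index(category)
    return order[min(idx + 1, len(order) - 1)]
```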
Solaris
/usr/lib/snmp/snmpdx
HP-UX
/usr/sbin/snmpd
Linux
/usr/sbin/snmpd
AIX
/usr/sbin/snmpdm
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0115 V0002655 Category I
MAC/Confidentiality Levels:
Previously:
G525
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
Vulnerable Systems:
Compliance Checking:
To examine the version number of named, perform:
# named -v
# named -d0
BIND 8.4.4, 8.4.5, and 9.3.0 are vulnerable. If any of these versions of BIND is installed and/or running, this
is a finding.
Upgrade to BIND 8.4.6 or later, or BIND 9.3.1 or later.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0120 V0007517 Category I
MAC/Confidentiality Levels:
Previously:
G526
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-A-0005
Vulnerable Systems:
SSH Communications Security 3.0.0
SSH Communications Security 2.3 and 2.4, for HPUX 10.20 and 11.00 in (TCB)
Red Hat 6.2 Linux 6.1 thru 7.1
Solaris 2.6 thru 2.8
Caldera Linux 2.4
SuSE Linux 6.4 thru 7.0
Compliance Checking:
This check only applies to SSH by SSH Communications Security.
To get the version, perform:
# telnet localhost 22
Or
#
Or
# ssh -V
Upgrade to SSH Secure Shell 3.0.1 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0125 V0002656 Category II
MAC/Confidentiality Levels:
IA Controls:
Previously:
G527
PDI Description:
Reference:
IAVA 2001-T-0018
Vulnerable Systems:
Caldera thru 3.1
Cobalt QUBE 1.0
Connectiva thru 7.0
Debian thru 2.2
Mandrake thru 8.1
Red Hat thru 7.2
SuSE thru 7.3
immunix thru 7.0
and any other system using WU-FTPD or derivatives of it.
Compliance Checking:
To determine the version of ftpd, issue the following command:
# strings /usr/sbin/in.ftpd | grep -i version
The version must be 2.6.2, or later, or this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0135 V0002657 Category I
MAC/Confidentiality Levels:
Previously:
G529
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-B-0004
Vulnerable Systems:
All Linux and Solaris operating systems with Ethereal prior to 0.10.10 are vulnerable.
Compliance Checking:
To determine the version of Ethereal, issue one of the following commands:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0140 V0007519 Category I
MAC/Confidentiality Levels:
Previously:
G530
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-A-0008
Vulnerable Systems:
KTH Kerberos Development Team
BSDi
OpenBSD
FreeBSD
NetBSD
Compliance Checking:
This check is only applicable to KTH Kerberos version IV and V. MIT Kerberos is not vulnerable to this
condition. Patches are not available from the vendor at this time. Strictly enforce the client's preferences and
abort the connection if authentication or encryption cannot be negotiated. Reference OpenBSD and FreeBSD
man pages for telnet syntax to abort the connection if authentication or encryption cannot be negotiated.
Patches distributed by third parties other than KTH Kerberos are not recommended solutions due to the potential
for unreliability/interoperability issues and insecure or malicious coding.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G531
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0004
Vulnerable Systems:
Sybase Adaptive Server Enterprise 12.5.3 and prior.
Compliance Checking:
To determine the version of Sybase, perform the following:
# /usr/sybase/ASE-12_5/bin/dataserver -v
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0150 V0007520 Category II
MAC/Confidentiality Levels:
Previously:
G532
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0010
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
Solaris 5.9_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1 104849-09
Solaris 5.5.1_x86 104848-09
Solaris 5.6 105693-13
Solaris 5.6_x86 105694-13
Solaris 5.7 108800-02
Solaris 5.7_x86 108801-02
Solaris 5.8 110896-02
Solaris 5.8_x86 110897-02
Solaris 5.9 114008-01
Solaris 5.9_x86 114009-01
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0155 V0002849 Category I
MAC/Confidentiality Levels:
Previously:
G533
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0008
Vulnerable Systems:
IBM Websphere Application Server 5.0.2
IBM Websphere Application Server 5.0.2.1
IBM Websphere Application Server 5.0.2.2
IBM Websphere Application Server 5.0.2.3
IBM Websphere Application Server 5.0.2.4
IBM Websphere Application Server 5.0.2.5
IBM Websphere Application Server 5.0.2.6
IBM Websphere Application Server 5.0.2.7
IBM Websphere Application Server 5.0.2.8
IBM Websphere Application Server 5.0.2.9
IBM Websphere Application Server 5.0.2.10
Compliance Checking:
To determine the version of IBM Websphere Application Server, perform one of the following:
# versionInfo
Or
# genVersionReport
Generates the versionReport.html report file in the bin directory on Linux and UNIX-based platforms, or on
Windows platforms. The report includes the list of components, fixes, and fix packs.
Upgrade to version 5.0.2.11 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0160 V0007521 Category II
MAC/Confidentiality Levels:
Previously:
G534
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0017
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1
112891-01
Solaris 5.5.1_x86
112892-01
Solaris 5.6
112893-01
Solaris 5.6_x86
112894-01
Solaris 5.7
112899-01
Solaris 5.7_x86
112900-01
Solaris 5.8
112846-01
Solaris 5.8_x86
112847-01
Solaris 5.9
112875-01
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0165 V0002853 Category I
MAC/Confidentiality Levels:
Previously:
G535
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0009
Vulnerable Systems:
# java -version
The version for 1.5 systems should be at least 1.5.0_02. The version for 1.4.2 systems should be at least 1.4.2_08.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0170 V0007522 Category II
MAC/Confidentiality Levels:
Previously:
G536
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0024
Vulnerable Systems:
OpenSSH: Versions 2.3.1p1 through version 3.3 are vulnerable.
OpenLinux 3.1.1 Server prior to and including openssh-3.2.3p1-2
OpenLinux 3.1.1 Workstation prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Server prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Workstation prior to and including openssh-3.2.3p1-2
CONECTIVA LINUX
Debian
6.0, 7.0, 8
FreeBSD
HP-UX Secure Shell A.03.10
HP-UX 11.11
HP-UX 11.0
Mandrake 7.1, 7.2, 8.0, 8.1, 8.2
Mandrake Corporate Server 1.0.1, Single Network Firewall 7.2
NetBSD-1.6_BETAx
NetBSD-1.5.2
NetBSD-1.5.1
NetBSD-1.5
OpenBSD
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
SuSE
Trustix Secure Linux 1.1, 1.2, 1.5
Compliance Checking:
OpenSSH versions 2.9.9 through 3.3 are vulnerable if the challenge response handling mechanism is
enabled. 2.3.1p1 through version 3.3 are susceptible to the vulnerability involving the PAM module using
interactive keyboard authentication.
To determine the version:
# ssh -V
If the version of OpenSSH is less than 3.4, find and view the sshd_config file to make sure the
KbdInteractiveAuthentication and ChallengeResponseAuthentication options are set to no. If either one is yes,
or if the options are not in the sshd_config file, then this is a finding.
For SUN SSH distributed with Solaris 9:
The version of OpenSSH that is in Solaris 9 is not believed to be vulnerable if the default configuration is used. If
sshd_config (4) has been updated so that BOTH of the following entries are present then it is vulnerable.
PAMAuthenticationViaKBDInt yes
KbdInteractiveAuthentication yes
Use the procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
Solaris 5.9
113273-01
Solaris 5.9x86
114858-01
RedHat
openssh-3.1p1-5.src.rpm
SuSE
openssh-3.3p1-6.src.rpm
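The sshd_config examination above is easy to get wrong by hand: sshd honours the first occurrence of a keyword, keywords are case-insensitive, and a commented-out line is the same as an absent one, which the page counts as a finding. The following Python is an added example, not code from the STIG or from OpenSSH; the config bodies in it are constructed samples, the release number is taken from the `ssh -V` banner, and the Solaris 9 rule is implemented exactly as the page states it (both options must be yes).

```python
import re

# Constructed sample sshd_config bodies; not taken from any real host.
# The first has KbdInteractiveAuthentication only as a comment, which the
# page treats as "option not present" and therefore a finding.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
Protocol 2
ChallengeResponseAuthentication no
#KbdInteractiveAuthentication no
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Protocol 2
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} for the effective settings in an
    sshd_config body.  Like sshd, the first occurrence of a keyword wins,
    keywords are case-insensitive, and '#' starts a comment.  Match blocks
    are not handled (they did not exist in the OpenSSH 3.x this item covers)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def openssh_release(banner):
    """(major, minor) from an `ssh -V` banner such as 'OpenSSH_3.3p1, ...'
    or from a bare '3.3'."""
    nums = re.findall(r"\d+", banner)
    if not nums:
        raise ValueError("no version number in %r" % (banner,))
    return (int(nums[0]), int(nums[1]) if len(nums) > 1 else 0)


def openssh_kbdint_finding(banner, config_text):
    """Rule on this page for OpenSSH under IAVA 2002-T-0011: a release below
    3.4 is a finding unless BOTH KbdInteractiveAuthentication and
    ChallengeResponseAuthentication are explicitly 'no'.  An option that is
    absent (or present only as a comment) counts as a finding."""
    if openssh_release(banner) >= (3, 4):
        return False
    cfg = parse_sshd_config(config_text)
    wanted = ("kbdinteractiveauthentication", "challengeresponseauthentication")
    return any(cfg.get(key, "").lower() != "no" for key in wanted)


def sunssh_solaris9_vulnerable(config_text):
    """Rule on this page for the Sun SSH shipped with Solaris 9: vulnerable
    only when BOTH PAMAuthenticationViaKBDInt and KbdInteractiveAuthentication
    are 'yes'; the default configuration is not considered vulnerable."""
    cfg = parse_sshd_config(config_text)
    return (cfg.get("pamauthenticationviakbdint", "").lower() == "yes"
            and cfg.get("kbdinteractiveauthentication", "").lower() == "yes")
```

A reviewer would run `openssh_kbdint_finding` with the banner from `ssh -V` and the contents of the sshd_config found on the host; the function returns True when the item is a finding.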
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0175 V0002926 Category I
MAC/Confidentiality Levels:
Previously:
G537
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0011
Vulnerable Systems:
Adobe Acrobat Reader (UNIX) 5.0.9
Adobe Acrobat Reader (UNIX) 5.0.10
Linux (all versions)
Solaris (all versions)
HP-UX (all versions)
IBM-AIX (all versions)
Compliance Checking:
To determine the version perform the following:
1. Launch Acrobat Reader by executing /bin/acroread
2. Select "help" menu option, and
3. Select "about Acrobat Reader."
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0180 V0007525 Category II
MAC/Confidentiality Levels:
IA Controls:
Previously:
G538
PDI Description:
Reference:
IAVA 2005-T-0025
Vulnerable Systems:
All MIT Kerberos 5 releases up to and including krb5-1.4.1 are vulnerable. Third party application servers
employing Kerberos 5 may be vulnerable as well.
Compliance Checking:
To determine the Kerberos version:
#
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.8 112237-13
Solaris 5.8_x86 112240-10
Solaris 5.9 112908-20
Solaris 5.9_x86 115168-08
Solaris 5.10 120469-01
Solaris 5.10_x86 120470-01
RedHat krb5-workstation-1.4.1-5.i386.rpm
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0185 V0007523 Category II
MAC/Confidentiality Levels:
Previously:
G539
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0027
Vulnerable Systems:
Adobe Acrobat
Adobe Acrobat 5.0.0
Adobe Acrobat 5.0.5
Adobe Acrobat 6.0.0
Adobe Acrobat 6.0.1
Adobe Acrobat 6.0.2
Adobe Acrobat 6.0.3
Adobe Acrobat 7.0.0
Adobe Acrobat 7.0.1
Adobe Acrobat 7.0.2
Adobe Acrobat Reader
Adobe Acrobat Reader 5.1.0
Adobe Acrobat Reader 6.0.0
Adobe Acrobat Reader 6.0.1
Adobe Acrobat Reader 6.0.2
Adobe Acrobat Reader 6.0.3
Adobe Acrobat Reader 7.0.0
Adobe Acrobat Reader 7.0.1
Adobe Acrobat Reader 7.0.2
Adobe Acrobat Reader (UNIX) 7.0.0
Compliance Checking:
To determine the version perform the following:
1. Launch Acrobat Reader by executing /bin/acroread
2. Select "help" menu option, and
3. Select "about Acrobat Reader."
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0190 V0007524 Category II
MAC/Confidentiality Levels:
Previously:
G540
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0033
Vulnerable Systems:
All Unix operating systems running CDE ToolTalk
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
SOLARIS
Solaris 2.5.1 104489-15
Solaris 2.5.1_x86 105496-13
Solaris 2.6 105802-19
Solaris 2.6x86 105803-21
Solaris 2.7 107893-20
Solaris 2.7x86 107894-19
Solaris 2.8 110286-10
Solaris 2.8x86 110287-10
Solaris 2.9 112808-03
HP-UX
HP-UX 10.10 Replace daemon
HP-UX 10.20 PHSS_27426
HP-UX 11.00 PHSS_27427
HP-UX 11.11 Replace daemon
IRIX
IRIX 6.2 6.5.2 Patch 4799
IRIX 6.5.3.1.1 Patch 4799
AIX
AIX 4.3.3 IY32368
AIX 5.1.1 IY32370
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0195 V0002972 Category II
MAC/Confidentiality Levels:
Previously:
G541
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0012
Vulnerable Systems:
SPARC Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch
119169-01 or (SVR4) patch 119166-06
x86 Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch
119170-01 or (SVR4) patch 119167-06
Linux Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch
119171-01 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-05
Compliance Checking:
To determine the version of Sun Java System Application server, the following command can be run:
# <AS_INSTALL>/bin/asadmin version --verbose
(Where <AS_INSTALL> is the installation directory of the Application Server)
Perform procedures in Appendix F, Patch Control, to check for one of the patches:
SPARC Platform 119169-01 or 119166-06
x86 Platform 119170-01 or 119167-06
Linux 119171-01 or 119168-05
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0210 V0007527 Category II
MAC/Confidentiality Levels:
Previously:
G544
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0038
Vulnerable Systems:
Any product using one of the following:
OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
SSLeay library
Compliance Checking:
Locate the binary openssl:
# find / -name openssl
# ./openssl version
The required version must be 0.9.6e or 0.9.7-beta3 or higher.
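The BIND (8.4.6 or later, or 9.3.1 or later), Java (1.5.0_02 and 1.4.2_08) and OpenSSL items in this section all come down to comparing a version string printed by the binary against a floor, and those strings carry letter suffixes (0.9.6e), pre-release tags (0.9.7-beta2), update numbers (1.4.2_08) and portable-release markers (3.3p1) that plain string or float comparison mis-orders. The following Python is an added example, not the STIG's script; the floors are the ones the page states, and the helper that pulls the version out of an `openssl version` or `java -version` line assumes the first digit-led token on the line is the version.

```python
import re

# Pre-release labels rank below the bare release number (0.9.7-beta3 < 0.9.7).
_PRERELEASE_RANK = {"alpha": -3, "beta": -2, "rc": -1}
_END = (1, 0, "")   # terminator so that 0.9.6 < 0.9.6e and 1.5.0 < 1.5.0_02


def version_key(version):
    """Comparable tuple for strings such as '0.9.6e', '0.9.7-beta2', '1.4.2_08',
    '2.3.1p1' or '8.2.2P6': numbers compare numerically, a letter suffix sorts
    after the bare number (0.9.6 < 0.9.6d < 0.9.6e) and alpha/beta/rc sort
    before the final release (0.9.7-beta3 < 0.9.7)."""
    key = []
    for token in re.findall(r"\d+|[a-z]+", version.strip().lower()):
        if token.isdigit():
            key.append((1, int(token), ""))
        elif token in _PRERELEASE_RANK:
            key.append((0, _PRERELEASE_RANK[token], ""))
        else:
            key.append((1, 0, token))      # letter suffix such as 'e' or 'p'
    key.append(_END)
    return tuple(key)


def is_at_least(found, required):
    return version_key(found) >= version_key(required)


def reported_version(output):
    """First digit-led token of a line such as 'OpenSSL 0.9.6e 30 Jul 2002' or
    'java version "1.4.2_08"' (assumption: that token is the version)."""
    m = re.search(r"\d[\w.+-]*", output)
    if not m:
        raise ValueError("no version in %r" % (output,))
    return m.group(0)


def _numeric_parts(version):
    return [int(t) for t in re.findall(r"\d+", version)]


def meets_branch_floor(found, floors):
    """floors maps a release branch ('1.5', '1.4.2', '8', '9') to the lowest
    acceptable version on it; the most specific matching branch wins.
    Returns True/False, or None when the version is on no listed branch and the
    reviewer has to decide by hand."""
    parts = _numeric_parts(found)
    best = None
    for branch, floor in floors.items():
        bparts = _numeric_parts(branch)
        if parts[:len(bparts)] == bparts and (best is None or len(bparts) > len(best[0])):
            best = (bparts, floor)
    return None if best is None else is_at_least(found, best[1])


# Floors exactly as this page states them.
JAVA_FLOORS = {"1.5": "1.5.0_02", "1.4.2": "1.4.2_08"}
BIND_FLOORS = {"8": "8.4.6", "9": "9.3.1"}


def openssl_compliant(found):
    """IAVA 2002-A-0004 as stated above: vulnerable before 0.9.6e and through
    0.9.7-beta2, so compliant at 0.9.6e or later on the 0.9.6 branch, or at
    0.9.7-beta3 or later."""
    if _numeric_parts(found)[:3] == [0, 9, 6]:
        return is_at_least(found, "0.9.6e")
    return is_at_least(found, "0.9.7-beta3")
```

`meets_branch_floor(reported_version(output), JAVA_FLOORS)` is the Java check; the same call with `BIND_FLOORS` is the BIND check, and `openssl_compliant(reported_version(output))` the OpenSSL one. A None result is deliberately not a pass: it means the version is on a branch the page says nothing about.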
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0215 V0003246 Category II
MAC/Confidentiality Levels:
Previously:
G545
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-A-0004
Vulnerable Systems:
PHP 3.0.10-3.0.18
PHP 4.0.1-4.0.3pl1
PHP 4.0.2-4.0.5
PHP 4.0.6-4.0.7RC2
PHP 4.0.7RC3-4.1.1
PHP 4.2.0 and 4.2.1
Compliance Checking:
Locate the directory where the web server html documents are stored. Create a file by:
#
Direct a web browser to http://localhost/fso.php and examine the screen for the version. Under the HTTP
Response Headers, the X-Powered-By row will show the PHP version.
Or
# php -v
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0225 V0003247 Category II
MAC/Confidentiality Levels:
Previously:
G547
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-B-0003
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
HP-UX 10.01
HP-UX 10.10
HP-UX 10.20
HP-UX 11.00
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
103640-42
103641-42
105401-39
105402-39
PLUS
PLUS
106639-07
106640-07
Solaris 5.7
106942-22
PLUS
108451-06
Solaris 5.7_x86
106943-22
PLUS
108452-06
Solaris 5.8
PLUS
PLUS
113319-01
PLUS
112233-02
HP-UX 10.10
HP-UX 10.20
PHNE_25234
HP-UX 11.00
PHNE_26387
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0235 V0003248 Category I
MAC/Confidentiality Levels:
Previously:
G549
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0015
Vulnerable Systems:
Conectiva Linux 8.0 running MIT Kerberos 5 1.2.3
Debian GNU/Linux 3.0
FreeBSD 4.4
FreeBSD 4.5
FreeBSD 4.6
FreeBSD 4.7
Kerberos 4 Release 1.2
Kerberos 5
MandrakeSoft 8.1
MandrakeSoft 8.2
MandrakeSoft 9.0
MIT Kerberos 5, up to and including krb5-1.2.6.
All Kerberos 4 implementations derived from MIT Kerberos 4
OpenBSD 3.0
OpenBSD 3.1
OpenBSD 3.2
Red Hat 6.2
Red Hat 7.0
Red Hat 7.1
Red Hat 7.2
Red Hat 7.3
Red Hat 8.0
Compliance Checking:
The version for Kerberos can be checked either with:
# krb5-config --version
Or
#
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0245 V0003329 Category I
MAC/Confidentiality Levels:
Previously:
G551
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0016
Vulnerable Systems:
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Workflow, versions 11.5.1 through 11.5.9.5
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle Database Server, Oracle Application Server, or Oracle HTTP Server is/are listed,
then expand the Oneoffs selection and view the installed patches.
Please ensure one of the below mentioned patches is installed:
3966175
4074867
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0250 V0007534 Category I
MAC/Confidentiality Levels:
Previously:
G552
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-A-0019
Vulnerable Systems:
Solaris 5.6
Solaris 5.6x86
Solaris 5.7
Solaris 5.7x86
Solaris 5.8
Solaris 5.8x86
Solaris 5.9
HP-UX 10.20
HP-UX 11.0
HP-UX 11.11
HP-UX 11.12
AIX 4.3.3
AIX 5.1.0
AIX 5.2.0
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check for these patches or versions:
Solaris 5.6 108129-05
Solaris 5.6x86 108130-05
Solaris 5.7 108117-06
Solaris 5.7x86 108118-06
Solaris 5.8 109862-03
Solaris 5.8x86 109863-03
Solaris 5.9 113923-02
HP-UX 10.20 PHSS_28468
HP-UX 11.0 PHSS_28469
HP-UX 11.11 PHSS_28470
HP-UX 11.12 PHSS_28471
AIX 4.3.3 IY37888
AIX 5.1.0 IY37886
AIX 5.2.0 IY37889
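Every "Perform procedures in Appendix F, Patch Control" item in this section resolves to the same question on Solaris: is the required patch installed at the required revision or higher, allowing for a patch the table marks as "Obsoleted by" another (as in the IAVA 2001-A-0014 table earlier on this page)? The following Python is an added example, not Appendix F and not the STIG's script; it parses the `showrev -p` line format, and the sample output is constructed (the package names are invented, the patch numbers are taken from the tables on this page).

```python
import re

# Constructed `showrev -p` output for the example; not a claim about any host.
# 108117 is deliberately one revision short of the 108117-06 the page requires,
# and 108993-02 is the patch the page says obsoletes 111085-02.
SAMPLE_SHOWREV_P = """\
Patch: 108129-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 108117-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 108993-02 Obsoletes: 111085-02 Requires:  Incompatibles:  Packages: SUNWexample
Patch: 109862-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
"""

# Rows in the form (platform label, required patch, replacements listed as
# "Obsoleted by"), taken from tables on this page.
REQUIRED_PATCHES = [
    ("Solaris 5.6", "108129-05", []),
    ("Solaris 5.7", "108117-06", []),
    ("Solaris 2.8", "111085-02", ["108993-02"]),
    ("Solaris 5.8", "109862-03", []),
]

PATCH_ID = re.compile(r"(\d{6})-(\d{2})")
SHOWREV_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\s+Obsoletes:\s*(.*?)\s*Requires:")


def parse_showrev_p(output):
    """Map patch base -> (highest installed revision, {obsoleted base: rev})."""
    installed = {}
    for line in output.splitlines():
        m = SHOWREV_LINE.match(line)
        if not m:
            continue
        base, rev = m.group(1), int(m.group(2))
        obsoletes = {b: int(r) for b, r in PATCH_ID.findall(m.group(3))}
        if base not in installed or rev > installed[base][0]:
            installed[base] = (rev, obsoletes)
    return installed


def patch_satisfied(installed, required, obsoleted_by=()):
    """True when `required` ('111085-02') is met: the same base at that
    revision or higher, an installed patch whose Obsoletes list covers it at
    that revision or higher, or any listed replacement at its own revision."""
    base, rev = PATCH_ID.fullmatch(required).groups()
    rev = int(rev)
    if base in installed and installed[base][0] >= rev:
        return True
    for _irev, obsoletes in installed.values():
        if base in obsoletes and obsoletes[base] >= rev:
            return True
    return any(patch_satisfied(installed, alt) for alt in obsoleted_by)


def missing_patches(output, table):
    """Rows of `table` not satisfied by the `showrev -p` output: the findings."""
    installed = parse_showrev_p(output)
    return [(label, req) for label, req, alts in table
            if not patch_satisfied(installed, req, alts)]
```

Run `missing_patches` over the real `showrev -p` output with the table for the platform under review; each returned row is a patch to write up as a finding.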
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G553
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0017
Vulnerable Systems:
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Workflow, versions 11.5.1 through 11.5.9.5
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle Database Server, Oracle Application Server, or Oracle HTTP Server is/are listed,
then expand the Oneoffs selection and view the installed patches.
Please ensure one of the below mentioned patches is installed:
3904641
4613714
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0260 V0007535 Category I
MAC/Confidentiality Levels:
Previously:
G554
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-A-0034
Vulnerable Systems:
Caldera OpenLinux Desktop 2.3
Caldera UnixWare 7.1.1
Conectiva Linux 6.0
#
#
BIND 8.2.2 through 8.2.2-P6 is vulnerable (BIND 8.2.2-P7 and 8.2.3 are not vulnerable).
Upgrade to BIND 8.2.3 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0270 V0007528 Category I
MAC/Confidentiality Levels:
Previously:
G556
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-B-0008
Vulnerable Systems:
BIND 8.2.2
BIND 4.9.5 - 4.9.7
BIND 4.9.3 - 4.9.5-P1
Compliance Checking:
To examine the version number of named perform:
# named -v
# named -d0
Users of BIND 4.9.x or 8.2.2 must upgrade to BIND 8.2.3 or later, or to BIND 9.1 or later. BIND 4 is no longer actively maintained, so a BIND 4 installation must be upgraded to one of those releases.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0275 V0007529 Category I
MAC/Confidentiality Levels:
Previously:
G557
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-A-0001
Vulnerable Systems:
BIND versions 4.9.2 to 4.9.10
BIND versions 8.1
BIND versions 8.2 to 8.2.6
BIND versions 8.3.0 to 8.3.3
Conectiva Linux 6.0
Debian Linux 3.0
Debian Linux 2.2
Secure Linux 1.0.1
FreeBSD 4.4, 4.5, 4.6, 4.7
Mandrake Linux 7.2
Compliance Checking:
# named -v
# named -d0
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0280 V0007530 Category I
MAC/Confidentiality Levels:
Previously:
G558
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-A-0006
Vulnerable Systems:
Caldera
Compaq
Conectiva
Debian
Engarde
FreeBSD
GNU
Hewlett-Packard (HP)
IBM AIX
Internet Software Consortium (ISC) BIND
Mandrake
NetBSD
OpenBSD
Red Hat
SCO
Sun Microsystems
Trustix
Compliance Checking:
To examine the version number of named perform:
# named -v
# named -d0
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris
Solaris 2.5.1: 103663-19
Solaris 2.5.1_x86: 103664-19
Solaris 2.6: 105755-12
Solaris 2.6_x86: 105756-12
Solaris 7: 106938-06
Solaris 7_x86: 106939-06
Solaris 8: 109326-09
Solaris 8_x86: 109327-09
Solaris 9: 112970-02
HP-UX
HP-UX 10.10: PHNE_27792
HP-UX 10.20: PHNE_27792
HP-UX 11.0: PHNE_27793
HP-UX 11.04: PHNE_28415
HP-UX 11.11: PHNE_27794
AIX
AIX 4.3, 4.3.1, 4.3.2, 4.3.3, 5.1
glibc 2.1.1-2.1.6
Red Hat
glibc-2.1.3-24.rpm
bind-9.2.1-0.6x.3.rpm
Remediation Guidelines:
Apply the applicable patch, upgrade to, at the least, the required software release, or remove the
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0285 V0003609 Category I
MAC/Confidentiality Levels:
Previously:
G559
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-B-0001
Vulnerable Systems:
F-Secure SSH versions 3.1.0 build 11 and earlier
Pragma SecureShell 2.0
Compliance Checking:
To determine the ssh version:
# ssh -V
Pragma SecureShell: upgrade to 3.0.
F-Secure SSH: upgrade to a release later than 3.1.0 build 11.
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G561
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0001
Vulnerable Systems:
Solaris 8
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.8: 111570-04
Solaris 5.8_x86: 111571-04
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G563
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0002
Vulnerable Systems:
Solaris 10.0_x86
Solaris 10.0
Solaris 9.0_x86
Solaris 9.0
Solaris 8.0_x86
Solaris 8.0
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris 5.8: 111313-03
Solaris 5.8_x86: 111314-03
Solaris 5.9: 116807-02
Solaris 5.9_x86: 116808-02
Solaris 5.10: 121308-01
Solaris 5.10_x86: 121309-01
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0310 V0007544 Category II
MAC/Confidentiality Levels:
Previously:
G564
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-T-0043
Vulnerable Systems:
Oracle 9i Release 9.0.2 and 9.0.3
Compliance Checking:
Switch user to an account used for Oracle installations. This ensures the environment variables are set correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home to find the version.
Note: Repeat for each Oracle installation.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G567
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0004
Vulnerable Systems:
1.0.1
FreeBSD
GNU
HP-UX with Kerberos - 9000/700 and 9000/800 series 10.20, 11.00, 11.04, 11.11, and 11.22
NetBSD 1.4 - 1.5.3
Red Hat Linux 6.2 - i386, 7.0 - i386 i686, 7.1 - i386 i686, 7.2 - i386 i686 ia64, 7.3 - i386 i686, 8.0 - i386 i686
Sun Solaris
Compliance Checking:
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris
Solaris 5.6: 105401-44
Solaris 5.6_x86: 105402-44
Solaris 5.7: 106942-27
Solaris 5.7_x86: 106943-27
Solaris 5.8: 108993-18
Solaris 5.8_x86: 108994-18
Solaris 5.9: 113319-11
Solaris 5.9_x86: 113719-04
HP-UX
B.10.20: PHCO_26158 or PHCO_31920
B.10.24
B.11.00P
B.11.11
Red Hat
6.2: glibc-2.1.3-29.i386.rpm
7.0: glibc-2.2.4-18.7.0.9.i386.rpm
7.1: glibc-2.2.4-32.i386.rpm
7.2: glibc-2.2.4-32.i386.rpm
7.3: glibc-2.2.5-43.i386.rpm
8.0: glibc-2.3.2-4.80.i386.rpm
9: krb5-libs-1.2.7-14.i386.rpm
SuSE
1. glibc-2.2-26.i386.rpm
2. glibc-2.2.2-68.i386.rpm
3. glibc-2.2.4-78.i386.rpm
8.0, 8.1: glibc-2.2.5-177.i386.rpm, glibc-2.2.5-177.i686.rpm
IRIX
6.5.15m: 4986
6.5.15f: 4987
6.5.16m: 4988
6.5.16f: 4989
6.5.17m: 4990
6.5.17f: 4991
6.5.18m: 5014
6.5.18f: 5015
6.5.19m: 4992
6.5.19f: 4993
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0320 V0003615 Category II
MAC/Confidentiality Levels:
Previously:
G569
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0007
Vulnerable Systems:
Sendmail Versions 8.12.8 and earlier
Conectiva Linux 9.0
Conectiva Linux 8.0
Conectiva Linux 7.0
Conectiva Linux 6.0
IRIX 6.5.18
IRIX 6.5.19
Solaris 2.6
Solaris 7
Solaris 8
Solaris 9
SuSE Linux 7.1, 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Slackware 8.0
Slackware 8.1
Slackware 9.0
Compliance Checking:
To determine the version of sendmail, use the following command:
# sendmail -d0 -bt < /dev/null | grep -i Version
Systems running sendmail below version 8.12.9 that have not been patched are affected.
Upgrade to 8.12.9 or check for the following patches using Appendix F:
Solaris
Solaris 2.6: 105395-09
Solaris 2.6_x86: 105396-09
Solaris 7: 107684-09
Solaris 7_x86: 107685-09
Solaris 8: 110615-09
Solaris 8_x86: 110616-09
Solaris 9: 113575-04
Solaris 9_x86: 114137-03
HP-UX
If a fix has been installed, the following command will list a "version.c" line:
#
Red Hat
sendmail-8.11.6-1.62.3.i386.rpm
sendmail-8.11.6-25.70.i386.rpm
sendmail-8.11.6-25.71.i386.rpm
sendmail-8.11.6-25.72.i386.rpm
sendmail-8.11.6-25.73.i386.rpm
sendmail-8.12.8-5.80.i386.rpm
sendmail-8.12.8-5.90.i386.rpm
AIX
AIX 4.3.3: IY42629
AIX 5.1.0: IY42630
AIX 5.2.0: IY42631
SuSE
SuSE-7.1: sendmail-8.11.2-45.i386.rpm
SuSE-7.2: sendmail-8.11.3-108.i386.rpm
SuSE-7.3: sendmail-8.11.6-164.i386.rpm
SuSE-8.0: sendmail-8.12.3-75.i386.rpm
SuSE-8.1: sendmail-8.12.6-109.i586.rpm
IRIX
All versions: patch #5045
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0330 V0003681 Category II
MAC/Confidentiality Levels:
Previously:
G575
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-B-0003
Vulnerable Systems:
Adobe Acrobat Reader (UNIX) 5.0.0 6
Xpdf Xpdf 1.0.0 1
MandrakeSoft Linux Mandrake 7.2.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.2.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9
Sun Linux 5.0 (LX50) with xpdf-0.92-9 or earlier
Compliance Checking:
For both Red Hat and Sun Linux systems:
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0335 V0003739 Category II
MAC/Confidentiality Levels:
Previously:
G577
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0015
Vulnerable Systems:
Helix Universal Server 9
Real Server 5
Real Server 6
Real Server 7
Real Server 9
Real Server G2
Compliance Checking:
Use the following command to verify if the Real Server plug-in is installed:
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G579
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0018
Vulnerable Systems:
Systems running versions of OpenSSH prior to 3.7.1
Systems that use or derive code from vulnerable versions of OpenSSH
Compliance Checking:
If Secure Shell is running, verify it is OpenSSH. If it is OpenSSH, check the version by locating the ssh
command and performing:
# ./ssh -V
The command will return the version. If it is less than 3.7.1, this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G580
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0020
Vulnerable Systems:
This vulnerability applies only to Sun systems running the Solstice AdminSuite with sadmind implemented.
Compliance Checking:
The patches listed apply only to version 2.3 and later. If a version earlier than 2.3 is running, the site must upgrade to 2.3 before installing any of the patches. To upgrade to Solstice 2.3 install the following patches:
Solstice AdminSuite patches to upgrade to Solstice 2.3:
Solaris 2.3: 104468-20
Solaris 2.3_x86: 104469-20
To resolve the vulnerability on the following and on systems with older AdminSuite installations, install the patches listed below immediately. Systems with versions prior to 2.3 must upgrade to 2.3 before installing patches, as noted above.
Solaris 5.9: 116453-01
Solaris 5.9_x86: 116454-01
Solaris 5.8: 116455-01
Solaris 5.8_x86: 116442-01
Trusted_Solaris_8: 116455-01
Solaris 7: 108662-01
Solaris 7_x86: 108663-01
Solaris 2.6: 108660-01
Solaris 2.6_x86: 108661-01
Solaris 2.5.1: 108658-02
Solaris 2.5.1_x86: 108659-02
Solaris 2.5: 108656-02
Solaris 2.5_x86: 108657-02
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
Vulnerable Systems:
Any product using one of the following:
OpenSSL Project OpenSSL 0.9.6, 0.9.6a, 0.9.6b, 0.9.6c, 0.9.6d, 0.9.6e, 0.9.6g, 0.9.6h, 0.9.6i, 0.9.6j, 0.9.7
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
Vulnerable Systems:
SDK and JRE 1.4.1_03 and earlier
SDK and JRE 1.3.1_08 and earlier
SDK and JRE 1.2.2_015 and earlier
Compliance Checking:
To tell what version of Java you are running, from the directory Java is loaded, run:
# ./java -version
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G583
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0022
Vulnerable Systems:
EnGarde
EnGarde Secure Linux 1.0.1
RedHat Linux 6.2.0
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G584
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-T-0024
Vulnerable Systems:
Check Point Software Firewall-1 4.1.0
Check Point Software Firewall-1 4.1.0 SP1
Check Point Software Firewall-1 4.1.0 SP2
Check Point Software Firewall-1 4.1.0 SP3
Check Point Software Firewall-1 4.1.0 SP4
Check Point Software Firewall-1 4.1.0 SP5
Check Point Software Firewall-1 4.1.0 SP6
Check Point Software Next Generation
Check Point Software Next Generation FP1
Check Point Software Next Generation FP2
Check Point Software Next Generation FP3
Check Point Software Next Generation FP3 HF1
Check Point Software Next Generation FP3 HF2
Check Point Software NG-AI
Check Point Software NG-AI R54
Check Point Software NG-AI R55
Check Point Software Firewall-1 4.1.0 SP5a
Check Point Software FireWall-1 Next Generation FP0
Check Point Software FireWall-1 Next Generation FP1
Check Point Software VPN-1 4.1.0
Check Point Software VPN-1 4.1.0 SP1
Check Point Software VPN-1 4.1.0 SP2
Check Point Software VPN-1 4.1.0 SP3
Check Point Software VPN-1 4.1.0 SP4
Check Point Software VPN-1 4.1.0 SP5
Check Point Software VPN-1 4.1.0 SP5a
Check Point Software VPN-1 Next Generation FP0
Check Point Software VPN-1 Next Generation FP1
Compliance Checking:
To determine the version number of the Check Point software you are running, use the following command:
# $FWDIR/bin/fw ver
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0375 V0004546 Category I
MAC/Confidentiality Levels:
Previously:
G585
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-A-0002
Vulnerable Systems:
Debian GNU/Linux 3.0
Red Hat Linux 9
Check Point Software Firewall-1 4.0.0 SP1
Check Point Software Firewall-1 4.0.0 SP2
Check Point Software Firewall-1 4.0.0 SP3
Check Point Software Firewall-1 4.0.0 SP4
Check Point Software Firewall-1 4.0.0 SP5
Check Point Software Firewall-1 4.0.0 SP6
Check Point Software Firewall-1 4.0.0 SP7
Check Point Software Firewall-1 4.0.0 SP8
Check Point Software Firewall-1 4.1.0
Check Point Software Firewall-1 4.1.0 SP1
Check Point Software Firewall-1 4.1.0 SP2
Check Point Software Firewall-1 4.1.0 SP3
Check Point Software Firewall-1 4.1.0 SP4
Check Point Software Firewall-1 4.1.0 SP5
Check Point Software Firewall-1 4.1.0 SP6
Check Point Software Firewall-1 [VPN+DES+STRONG] 4.1.0 Build 41439
Check Point Software Firewall-1 [VPN+DES+STRONG] 4.1.0 SP2 Build 41716
Check Point Software Firewall-1 [VPN+DES] 4.1.0
Check Point Software Next Generation
Check Point Software Next Generation FP1
Check Point Software Next Generation FP2
Check Point Software Next Generation FP3
Check Point Software Next Generation FP3 HF1
Check Point Software Next Generation FP3 HF2
Check Point Software Next Generation with Application Intelligence
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Debian: pwlib 1.2.5-5woody1
Red Hat: pwlib-1.4.7-4.1
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0380 V0004547 Category II
MAC/Confidentiality Levels:
Previously:
G586
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-B-0002
Vulnerable Systems:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
Running on the following Operating Systems:
Solaris 8
Solaris 9
RedHat Linux Professional
RedHat Enterprise
IBM AIX
Hewlett-Packard HP-UX
Compliance Checking:
Locate the issDaemon binary and run it with the version flag:
# ./issDaemon -v
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0385 V0004554 Category I
MAC/Confidentiality Levels:
Previously:
G587
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-A-0004
Vulnerable Systems:
Apache-SSL 1.3.28+1.52 and earlier versions.
Compliance Checking:
To check the version:
# httpd -v
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0390 V0004567 Category II
MAC/Confidentiality Levels:
Previously:
G588
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0003
Vulnerable Systems:
tcpdump
Apple
Caldera
Debian
EnGarde
FreeBSD
Mandrake
Redhat
SCO
SGI
SuSE
Trustix
Turbolinux
Compliance Checking:
To check the version of tcpdump on most systems:
# tcpdump --version
The version should be at least 3.8.3. If it is not, upgrade tcpdump to at least 3.8.3 and libpcap to at least 0.8.3. Check the IAVA for specific vendor patches or upgrades.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0395 V0004568 Category II
MAC/Confidentiality Levels:
Previously:
G589
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0008
Vulnerable Systems:
FreeBSD 4.6.2
FreeBSD 4.7.0
FreeBSD 4.8.0
FreeBSD 4.9.0
FreeBSD 5.0.0
FreeBSD 5.1.0
FreeBSD 5.2.0
OpenBSD 3.3
OpenBSD 3.4
Compliance Checking:
Upgrade to the FreeBSD stable branch (4-STABLE) or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch, or apply the applicable patch:
FreeBSD 4.8: tcp47.patch
FreeBSD 4.9: tcp47.patch
FreeBSD 5.2: tcp52.patch
OpenBSD 3.3: 018_tcp.patch
OpenBSD 3.4: 013_tcp.patch
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G590
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-B-0005
Vulnerable Systems:
Solaris 8.0
Solaris 8.0_x86
Solaris 9.0
Solaris 9.0_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 8.0: 108993-32 or later
Solaris 8.0_x86: 108994-32 or later
Solaris 9.0: 113476-11 or later
Solaris 9.0_x86: 114242-07 or later
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
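The Appendix F, Patch Control checks throughout this section (the table above, "108993-32 or later", is typical) require comparing the revision of an installed Solaris patch against a minimum. The script below is an added example; it is not part of this checklist or of Appendix F. It is a POSIX shell script that evaluates such requirements against the output of `showrev -p`, and it also handles a case the checklist does not spell out: a required patch that never appears as its own `Patch:` line because a later patch lists it in its `Obsoletes:` field. The sample `showrev -p` output is constructed for the example, and the function names `patch_ok` and `check_patches` are the author's own.

```shell
#!/bin/sh
# Added example (not part of the checklist): evaluate "ID-REV or later" Solaris
# patch requirements against the output of `showrev -p`.
# A requirement is met when either
#   - a "Patch: ID-rev" line exists with rev >= REV, or
#   - an installed patch lists ID-rev (rev >= REV) in its Obsoletes: field,
#     i.e. the fix was folded into a newer jumbo patch.

# patch_ok SHOWREV_OUTPUT REQUIRED   (REQUIRED looks like 108993-32)
# Returns 0 when the requirement is satisfied, 1 otherwise.
patch_ok() {
    printf '%s\n' "$1" | awk -v req="$2" '
    BEGIN { split(req, r, "-"); rid = r[1]; rrev = r[2] + 0; ok = 0 }

    # covers("108993-32") is true when the token names the required patch at
    # the required revision or higher (a trailing comma from the Obsoletes:
    # list is stripped first)
    function covers(tok,   p) {
        sub(/,$/, "", tok)
        split(tok, p, "-")
        return (p[1] == rid && p[2] + 0 >= rrev)
    }

    $1 == "Patch:" {
        if (covers($2)) ok = 1
        # Obsoletes: entries run until the next "Keyword:" token
        inobs = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "Obsoletes:") { inobs = 1; continue }
            if ($i ~ /:$/) inobs = 0
            if (inobs && covers($i)) ok = 1
        }
    }
    END { exit (ok ? 0 : 1) }'
}

# check_patches SHOWREV_OUTPUT "ID-REV ID-REV ..."
# Prints one line per requirement; returns the number of unmet requirements
# (0 means every listed patch, or a successor that obsoletes it, is present).
check_patches() {
    unmet=0
    for p in $2; do
        if patch_ok "$1" "$p"; then
            echo "OK       $p"
        else
            echo "MISSING  $p"
            unmet=$((unmet + 1))
        fi
    done
    return $unmet
}

# Constructed sample of `showrev -p` output (not captured from a real host):
#  - 108993 is installed at rev 32 (meets "108993-32 or later")
#  - 108994 is installed only at rev 20 (fails "108994-32 or later")
#  - 114242-07 is not installed itself but is obsoleted by 113476-15
SAMPLE_SHOWREV='Patch: 108993-32 Obsoletes: 108528-13 Requires: 108987-01 Incompatibles:  Packages: SUNWcsu
Patch: 108994-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 113476-15 Obsoletes: 114242-07, 113477-03 Requires:  Incompatibles:  Packages: SUNWcsl'

# On a live Solaris host replace the sample with the real output:  showrev -p
check_patches "$SAMPLE_SHOWREV" "108993-32 108994-32 113476-11 114242-07" \
    || echo "unmet requirements: $?"
```

Run against the constructed sample, the script reports 108994-32 as MISSING and the other three requirements as OK, including 114242-07, which is satisfied only through the Obsoletes: entry on 113476-15. A reviewer who grepped `showrev -p` for "114242" alone would have recorded a false finding there.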
PDI:
MAC/Confidentiality Levels:
Previously:
G591
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0006
Vulnerable Systems:
Apple
Avaya
Check Point
Cisco
Citrix
FreeBSD
Hewlett Packard
NetScreen
Novell
OpenBSD
OpenSSL
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6c
Conectiva Linux 8.0.0
Debian Linux 3.0.0
MandrakeSoft Linux Mandrake 8.2.0
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386
FreeBSD 5.0.0
Redhat Linux
RSA
SCO
SGI
Stonesoft
Tarantella
Compliance Checking:
All versions from 0.9.6c to 0.9.6l and versions 0.9.7a to 0.9.7c are affected. This vulnerability requires multiple updates. Ensure the OpenSSL libraries are at least 0.9.7d or 0.9.6m. Check the version of the OpenSSL libraries with either of these commands:
# openssl version -v
# ls -lLd /usr/lib/*ssl*
or
# ls -lLd /usr/local/lib/*ssl*
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
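Most of the version checks in this section compare a reported version against a minimum release: the OpenSSH check above ("if it is less than 3.7.1, this is a finding"), the OpenSSL check ("at least 0.9.7d or 0.9.6m"), the BIND and sendmail checks. The script below is an added example, not part of the checklist. It is a POSIX shell script that pulls the version token out of a command's output and compares it field by field, so that 3.10.1 is not mistaken for an older release than 3.7.1 (a plain string comparison gets this wrong) and the suffix styles used by the products in this section (BIND 8.2.2-P7, OpenSSH 3.7.1p2, OpenSSL 0.9.6m) are ordered correctly. The sample command outputs are constructed, and the function names `first_version`, `normalise_version`, `version_lt` and `check_version` are the author's own.

```shell
#!/bin/sh
# Added example (not part of the checklist): compare a product's reported
# version against the minimum fixed release named in a check.

# first_version LINE -> first token containing "<digits>.<digit>", with any
# trailing comma or semicolon removed ("OpenSSH_3.7.1p2," -> "OpenSSH_3.7.1p2")
first_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = $i
            gsub(/[,;]+$/, "", t)
            if (t ~ /[0-9]+\.[0-9]/) { print t; exit }
        }
    }'
}

# normalise_version VERSION -> "major minor patch extra" as four integers
#   - leading text such as "OpenSSH_" is dropped
#   - "-P7" / "p2" patch-level suffixes become the 4th field (7 / 2)
#   - a single trailing letter (OpenSSL 0.9.6m) becomes the 4th field as its
#     position in the alphabet (a=1 ... m=13), so 0.9.6l < 0.9.6m < 0.9.7
#   - missing numeric fields count as 0
normalise_version() {
    printf '%s\n' "$1" | awk '{
        v = $1
        sub(/^[^0-9]*/, "", v)
        extra = 0
        if (match(v, /[-_]?[pP][0-9]+$/)) {
            extra = substr(v, RSTART, RLENGTH)
            sub(/^[-_]?[pP]/, "", extra)
            v = substr(v, 1, RSTART - 1)
        } else if (match(v, /[a-z]$/)) {
            extra = index("abcdefghijklmnopqrstuvwxyz", substr(v, RSTART, 1))
            v = substr(v, 1, RSTART - 1)
        }
        split(v, f, ".")
        for (i = 1; i <= 3; i++) if (f[i] == "") f[i] = 0
        printf "%d %d %d %d\n", f[1], f[2], f[3], extra
    }'
}

# version_lt HAVE NEED -> returns 0 when HAVE is older than NEED, 1 otherwise
version_lt() {
    have=$(normalise_version "$1")
    need=$(normalise_version "$2")
    printf '%s %s\n' "$have" "$need" | awk '{
        for (i = 1; i <= 4; i++) {
            if ($i + 0 < $(i + 4) + 0) exit 0
            if ($i + 0 > $(i + 4) + 0) exit 1
        }
        exit 1
    }'
}

# check_version PRODUCT COMMAND_OUTPUT MINIMUM
# Prints a verdict line; returns 1 on a finding (or unparseable output), 0 otherwise.
check_version() {
    v=$(first_version "$2")
    if [ -z "$v" ]; then
        echo "UNKNOWN  $1: no version found in: $2"
        return 1
    fi
    if version_lt "$v" "$3"; then
        echo "FINDING  $1 $v is older than $3"
        return 1
    fi
    echo "OK       $1 $v"
    return 0
}

# Constructed sample outputs (not captured from real hosts). On a live system
# feed in the real output of:  ssh -V 2>&1 ,  openssl version ,  named -v ,
#                              sendmail -d0 -bt < /dev/null | grep -i Version
SSH_OUT='OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f'
SSL_OUT='OpenSSL 0.9.6m 17 Mar 2004'
BIND_OUT='named 8.2.2-P5 Mon Apr 10 12:00:00 EDT 2000'
SENDMAIL_OUT='Version 8.12.8'

findings=0
check_version OpenSSH  "$SSH_OUT"      3.7.1    || findings=$((findings + 1))
check_version OpenSSL  "$SSL_OUT"      0.9.6m   || findings=$((findings + 1))
check_version BIND     "$BIND_OUT"     8.2.2-P7 || findings=$((findings + 1))
check_version sendmail "$SENDMAIL_OUT" 8.12.9   || findings=$((findings + 1))
echo "$findings finding(s)"
```

Note that `ssh -V` writes its banner to standard error, hence the `2>&1` when capturing it. The OpenSSL letter-suffix rule only applies to the 0.9.x naming used in this section; it is not a general version grammar.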
PDI: IAVA0410 V0004571 Category II
MAC/Confidentiality Levels:
Previously:
G592
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-B-0006
Vulnerable Systems:
Linux systems with:
HP Web Jetadmin 6.5.0 and prior
HP Web Jetadmin 7.0.0
Compliance Checking:
# ./jetadmin
If the version is less than 7.5, this is a finding. If it is 7.5 or higher, this is not a finding.
Remediation Guidelines:
PDI: IAVA0415 V0004621 Category I
MAC/Confidentiality Levels:
Previously:
G593
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-B-0007
72. IAVA0420 2004-T-0014 CDE Remote Login
Vulnerable Systems:
HP HP-UX 11.0.0
HP HP-UX 11.0.0 4
HP HP-UX 11.11.0
HP HP-UX 11.22.0
HP HP-UX 11.23.0
IBM AIX 4.3.3
IBM AIX 5.1.0
IBM AIX 5.2.0
SCO Unixware 7.1.1
SGI (see http://www.sgi.com/support/security/advisories.html)
Solaris 7.0.0
Solaris 7.0.0 _x86
Sun Solaris 8.0.0
Sun Solaris 8.0.0 _x86
Sun Solaris 9.0.0
Sun Solaris 9.0.0 _x86
Sun Solaris 9.0.0 _x86 Update 2
Open Group CDE Common Desktop Environment 2.1.0 Sun Solaris 9
Sun Solaris 9 _x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Sun 7.0 107180-31
Sun 7.0_x86 107171-31
Sun 8.0 108919-21
Sun 8.0_x86 108920-21
Sun 9.0 112807-09
Sun 9.0_x86 114210-08
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G594
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0014
Vulnerable Systems:
All systems with Sendmail.
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 7.0: 107684-11 or later
Solaris 7.0_x86: 107685-11 or later
Solaris 8.0: 110615-11 or later
Solaris 8.0_x86: 110616-11 or later
Solaris 9.0: 113575-05 or later
Solaris 9.0_x86: 114137-04 or later
HP-UX:
HP-UX B.11.00:
SMAIL-811.INETSVCS-SMAIL
InternetSrvcs.INETSVCS-RUN
HP-UX B.11.04:
InternetSrvcs.INETSVCS-RUN
HP-UX B.11.11:
SMAIL-811.INETSVCS-SMAIL
InternetSrvcs.INETSVCS-RUN
HP-UX B.11.22:
Install sendmail.811.11.22.r5 file
AIX 4.3.3
IY48659
AIX 5.1.0
IY48658
AIX 5.2.0
IY48657
Linux
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-27.71.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-27.72.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-27.73.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-9.80.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/sendmail-8.12.8-9.90.i386.rpm
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI: IAVA0425 V0004716 Category II
MAC/Confidentiality Levels:
Previously:
G595
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2003-B-0005
Vulnerable Systems:
Sun Solaris 8
Sun Solaris 8 _x86
Sun Solaris 9
Sun Solaris 9 _x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Sun Solaris 8: 111313-02 or later
Sun Solaris 8_x86: 111314-02 or later
Sun Solaris 9: 116807-01 or later
Sun Solaris 9_x86: 116808-01 or later
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G596
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0016
Vulnerable Systems:
All releases of MIT Kerberos 5, up to and including krb5-1.3.3.
Conectiva Linux 8.0.0
Debian Linux 3.0.0
Debian Linux 3.0.0 alpha
Debian Linux 3.0.0 arm
Debian Linux 3.0.0 hppa
Debian Linux 3.0.0 ia-32
Debian Linux 3.0.0 ia-64
Debian Linux 3.0.0 m68k
Debian Linux 3.0.0 mips
Debian Linux 3.0.0 mipsel
Debian Linux 3.0.0 ppc
Debian Linux 3.0.0 s/390
Debian Linux 3.0.0 sparc
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Linux Mandrake 8.2.0
MandrakeSoft Linux Mandrake 8.2.0 ppc
MandrakeSoft Multi Network Firewall 8.2.0
MandrakeSoft Corporate Server 2.1.0
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.1.0
MandrakeSoft Linux Mandrake 9.1.0 ppc
OpenBSD OpenBSD 3.1.0
OpenBSD OpenBSD 3.2.0
Solaris 5.7: 112536-05
Solaris 5.7_x86: 112537-05
Solaris 5.8:
Solaris 5.8_x86:
Solaris 5.9: 112908-15
Solaris 5.9_x86: 115168-05
Redhat
# rpm -qa | grep krb5-workstation
The version in the second field should be at least 1.3.3-7.
Debian
Mandrake
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G597
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0017
Vulnerable Systems:
Solaris
The dhcpd binary should be:
/usr/lib/inet/in.dhcpd
HP-UX
The dhcpd binary should be: /usr/lbin/dhcpserverd
# strings <dhcpd_binary> | grep "Internet Software Consortium"
AIX
The dhcpd binary should be: /usr/sbin/dhcpsd
# strings <dhcpd_binary> | grep "Internet Software Consortium"
IRIX
The dhcpd binary should be: /usr/sbin/dhcpd
Linux
The dhcpd binary should be: /usr/sbin/dhcpd
# strings <dhcpd_binary> | grep "Internet Software Consortium"
If the string "Internet Software Consortium" is found, confirm the version is 3.0.1 rc14 or later.
# <dhcpd_binary> | more
Remediation Guidelines:
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
MAC/Confidentiality Levels:
Previously:
G598
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0018
Vulnerable Systems:
Apache 2.0.51 and prior versions
Apache 1.3.31 and prior versions
Compliance Checking:
Or
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.8: 116973-01
Solaris 5.8_x86: 116974-01
Solaris 5.9: 113146-05
Solaris 5.9_x86: 114145-04
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0445 V0005014 Category: I
MAC/Confidentiality Levels:
Previously:
G599
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2004-T-0032
Vulnerable Systems:
Debian 2.2
Redhat 6.x
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Debian
nfs-common_0.1.9.1-1.deb
Redhat
nfs-utils-0.1.9.1-1.i386.rpm
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0455 V0001004 Category: I
MAC/Confidentiality Levels:
L010
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-B-0005
Vulnerable Systems:
IRIX versions 3.x through 6.5.9
Compliance Checking:
To check the version:
# uname -R
Or
Perform procedures in Appendix F, Patch Control, to check for the following patches:
IRIX 3.x through 6.4 (except 6.2) Upgrade to IRIX 6.5.10 or higher
IRIX 6.2 apply patch #4050 or upgrade to 6.5.10
IRIX 6.5 through 6.5.9 apply patch #4060 or upgrade to 6.5.10
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0460 V0000999 Category: II
MAC/Confidentiality Levels:
Previously:
SG01
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-A-0002
Vulnerable Systems:
IRIX
Compliance Checking:
# grep AUTHENTICATION /usr/lib/array/arrayd.auth
Confirm AUTHENTICATION NONE is commented out.
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
IAVA0465 V0001000 Category: II
MAC/Confidentiality Levels:
Previously:
SG03
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1999-B-0002
Vulnerable Systems:
IRIX 3.x
IRIX 4.x
IRIX 5.0.x
IRIX 5.1.x
IRIX 5.2
IRIX 5.3
IRIX 6.0.x
IRIX 6.1
IRIX 6.2
IRIX 6.3
IRIX 6.4
IRIX 6.5
Compliance Checking:
Patch
IRIX 5.3: 2090
IRIX 6.2: 2090
IRIX 6.3: 2090
IRIX 6.4: 2091
IRIX 5.3: 3463
IRIX 6.2: 3289
For df:
IRIX 6.3: 3722
IRIX 6.4: 3883
For pset:
IRIX 5.3: 2176
IRIX 6.2: 3704
IRIX 6.3: 2792
For eject:
IRIX 5.3: 3191
IRIX 6.2: 3722
IRIX 6.4: 3883
For login:
IRIX 5.3: 2216
IRIX 6.1: 1010
IRIX 6.2: 2181
IRIX 6.3: 3183
For ordist:
IRIX 5.3: 2212
IRIX 6.2-6.4: 2213
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0470 V0001001 Category: I
MAC/Confidentiality Levels:
Previously:
SG05
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1998-A-0010
Vulnerable Systems:
For rpc.statd:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
For automountd:
Solaris 5.5.1
Solaris 5.5.1_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
For rpc.statd:
Solaris 5.5.1: 104166-05
Solaris 5.5.1_x86: 104167-05
Solaris 5.6: 106592-04
Solaris 5.6_x86: 106593-04
For automountd:
Solaris 5.5.1: 104654-05
Solaris 5.5.1_x86: 104655-05
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0475 V0001003 Category: I
MAC/Confidentiality Levels:
Previously:
SO25
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1999-A-0006
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.5.1: 109721-01
Solaris 5.5.1_x86: 109722-01
Solaris 5.6: 109719-01
Solaris 5.6_x86: 109720-01
Solaris 5.7: 109709-01
Solaris 5.7_x86: 109710-01
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0485 V0001065 Category: I
MAC/Confidentiality Levels:
Previously:
SO27
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-T-0002
Vulnerable Systems:
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.7: 107709-19
Solaris 5.7_x86: 107710-19
Solaris 5.8: 108869-17
Solaris 5.8_x86: 108870-17
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0490 V0001066 Category: I
MAC/Confidentiality Levels:
Previously:
SO28
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-A-0003
Vulnerable Systems:
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.6: 106235-10
Solaris 5.6_x86: 106236-10
Solaris 5.7: 107115-10
Solaris 5.7_x86: 107116-10
Solaris 5.8: 109320-05
Solaris 5.8_x86: 109321-05
Remediation Guidelines:
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0495 V0001068 Category: I
MAC/Confidentiality Levels:
Previously:
SO29
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-T-0007
Vulnerable Systems:
MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
MIT Kerberos 4 patch 10, and likely earlier releases as well
to look for the presence of a Kerberos 5 configuration file on the system. If the file is found, look for the
presence of the default_domain and v4_instance_convert configuration variables in the [realms]
section of the file. If these two variables are present and configured, this is a finding, as Kerberos is working
in Version IV compatibility mode. If /etc/krb4.conf exists, this is also a finding unless the patches have been
applied. Upgrade to version 5-1.0.X and apply the patch provided by MIT. Only the patches for the krb_rd_req()
vulnerability need to be applied to version 4 to address the issues described in this advisory.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0500 V0004704 Category: II
MAC/Confidentiality Levels:
Previously:
V064
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-B-0003
Vulnerable Systems:
ProFTPD 1.2.0pre1
wu-ftpd, all versions prior to 2.4.2
Compliance Checking:
Confirm the version is 1.2.0pre2 or later, or 2.4.2 or later, respectively.
# /usr/ccs/bin/what <ftp_daemon>
Or
# strings <ftp_daemon>
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0510 V0004699 Category: I
MAC/Confidentiality Levels:
Previously:
V324
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1999-A-0003
Vulnerable Systems:
wu-ftpd
2.6.0 or earlier
Compliance Checking:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0515 V0004700 Category: I
MAC/Confidentiality Levels:
Previously:
V3375
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
Vulnerable Systems:
Sendmail prior to 8.13.6
Compliance Checking:
Within certain operating system architectures, a remote attacker may be able to force certain timing conditions
that would allow execution of arbitrary code or commands on a vulnerable system. Systems running an MTA are
typically deployed in the DMZ as a gateway for delivering inbound and outbound email, though they may also be
used for internal email delivery between systems or applications. A system is vulnerable to this IAVA if the
sendmail version is less than 8.13.6 or does not contain up-to-date patches. To check for the vulnerability, check
the version of sendmail the system is running. There are two easy methods:
1. Perform the following command: telnet hostname 25. That connects to the sendmail server port and the server
usually tells its version. Since we tell everybody to hide the version, though, the alternative is the second method.
2. cd to the sendmail binary directory, usually /usr/lib, and execute echo \$Z | sendmail -bt -d0. Sendmail will
return some extraneous information including the version number, i.e., Version 8.13.6.
Obtain the latest version of sendmail. The acceptable version to answer this IAVA is 8.13.6 or higher, or a
version patched to fix the vulnerability.
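As an added example (not part of the checklist): a POSIX sh helper that compares dotted version strings field by field, so 8.13.6 is correctly judged newer than 8.12.11 where a plain string comparison would not, and applies it to the banner that echo \$Z | sendmail -bt -d0 prints. The same version_ge comparator serves the other "at least version X" checks in this section (BIND, ISC dhcpd, wu-ftpd); the two banners embedded below are constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the checklist. Compares a dotted version string
# against the minimum a PDI requires and applies it to the sendmail -d0 banner.

# version_ge A B: succeeds (exit 0) when dotted version A >= B. Each field is
# compared numerically; missing trailing fields count as 0, non-numeric
# suffixes (e.g. "rc14") count as 0 in that field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i in x) ? x[i] + 0 : 0
            bi = (i in y) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# sendmail_version: read the "sendmail -bt -d0" banner on stdin and print the
# number that follows "Version " on its first line (e.g. 8.13.6).
sendmail_version() {
    sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_sendmail_output: read the banner on stdin and print "compliant" when
# the version is at least 8.13.6 (the level this PDI requires), "finding"
# when it is lower, and "unknown" when no version line was recognised so the
# reviewer falls back to a manual check.
check_sendmail_output() {
    v=$(sendmail_version)
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" 8.13.6; then
        echo "compliant"
    else
        echo "finding"
    fi
}

# Constructed sample banners for a stand-alone run (the real banner comes from
# "cd /usr/lib && echo \$Z | ./sendmail -bt -d0").
OLD_BANNER='Version 8.12.11
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND'
NEW_BANNER='Version 8.13.6
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND'

printf '%s\n' "$OLD_BANNER" | check_sendmail_output   # finding
printf '%s\n' "$NEW_BANNER" | check_sendmail_output   # compliant
```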
Solaris
5.8_x86: 110616-14
5.8: 110615-14
5.9_x86: 114137-05
5.9: 113575-06
5.10_x86: 122857-01
5.10: 122856-01
HPUX
B.11.00: sendmail-811_01.006.depot
B.11.11: sendmail-8.13_1111.depot
B.11.23: sendmail-8.13_1123.depot
AIX
5.1.0: IY82992
5.2.0: IY82993
5.3.0: IY82994
IRIX
6.5: patch 7082
Linux
Redhat: sendmail-8.12.11-4
SuSe: sendmail-8.13.3-5.3
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0520 V0011737 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-A-0013
Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
# $ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle E-Business Suite is listed, then expand it to view any installed patches.
Please ensure all of the patches listed for the installed version are installed;
11.5.10 CU2: 4865928, 4756429
11.5.10: 4333555, 4756429
11.5.9: 4666822, 4710802, 3453273, 3428504, 4756429, 4690594
11.5.8 through 11.5.4: 4746210, 3453273, 4756429, 4690594
11.5.3 and 11.5.2: 4746210, 4756429, 4690594
11.5.1: 4746210, 4690594
11.5.0: none
Note: Repeat for each Oracle installation.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0530 V0007587 Category: I
MAC/Confidentiality Levels:
Previously:
G566
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-A-0007
Vulnerable Systems:
Solaris 5.9
Solaris 5.9_x86
Solaris 10
Solaris 10_x86
HP-UX B.11.00 IPSec.IPSEC2-KRN
HP-UX B.11.11 IPSec.IPSEC2-KRN
HP-UX B.11.11 IPSec.IPSEC2-KRN,revision=A.02.00
HP-UX B.11.23 IPSec.IPSEC2-KRN
Compliance Checking:
Solaris
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris 5.9
113451-10
Solaris 5.9_x86
114435-09
Solaris 10
118371-06
Solaris 10_x86
118372-06
HPUX
To determine if an HP-UX system has an affected version, search the command output for one of the filesets
listed below.
# swlist -a revision -l fileset
B.11.00 IPSec.IPSEC2-KRN
install revision A.01.05.01 or subsequent
B.11.11 IPSec.IPSEC2-KRN
install revision A.01.07.02 or subsequent
B.11.11 IPSec.IPSEC2-KRN,revision=A.02.00
install revision A.02.01 or subsequent
B.11.23 IPSec.IPSEC2-KRN
install revision A.02.01 or subsequent
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0545 V0007590 Category: I
MAC/Confidentiality Levels:
Previously:
G571
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2005-B-0019
Vulnerable Systems:
Oracle Diagnostics, versions 2.3 and lower *
* Available only on:
Oracle E-Business Suite Release 11i, versions 11.5.4 and higher
Compliance Checking:
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
$ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle E-Business Suite is listed, then expand it to discover any entry for Oracle
Diagnostics. If listed, search for any entry indicating the Oracle Diagnostics 2.3 Rollup Patch (RUP) A is
installed.
Note: Repeat for each Oracle Diagnostics installation.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0550 V0007591 Category: I
MAC/Confidentiality Levels:
Previously:
G572
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-A-0011
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0555 V0011748 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-A-0020
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0570 V0012321 Category: I
Previously:
N/A
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-A-0032
Vulnerable Systems:
Firefox versions prior to 1.5.0.6
Thunderbird versions prior to 1.5.0.5
SeaMonkey versions prior to 1.0.4
Compliance Checking:
Perform the following to check the Firefox version:
# ./firefox -v
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0590 V0012497 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-T-0020
Vulnerable Systems:
SPARC Platform
Sun ONE Application Server 7 without Update 9
Sun Java System Application Server 7 2004Q2 without Update 5
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-08
or (SVR4) patch 119166-16
x86 Platform
Compliance Checking:
To determine the version of Sun Java System Application server on a system, the following command can be run:
# <AS_INSTALL>/bin/asadmin version --verbose
If the version is one of those listed in the vulnerable systems, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0595 V0012055 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2006-T-0016
97. IAVA0600 1998-0011 General Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) Vulnerabilities
Vulnerable Systems:
All platforms running IMAP or POP servers
Compliance Checking:
Perform the following to determine if the IMAP or POP is installed and listening:
# netstat -a | grep LISTEN
If port 110 or port 143 are shown, then the mail servers are enabled. If the mail servers are enabled and are not
a required service, then this is a finding. If the service is required and SSL is not being utilized, then this is also
a finding. Ask the SA if SSL is being utilized with the mail server connections.
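As an added example (not part of the checklist): a POSIX sh filter that reads netstat -a output and reports which of the POP (110) and IMAP (143) ports are in LISTEN state, handling both the Linux address form (0.0.0.0:110, :::143, or pop3/imap when service names are shown) and the Solaris/HP-UX/AIX form (*.110). The netstat lines embedded in it are constructed samples; whether a listener is a finding still depends on the SA's answers about need and SSL, as described above.

```shell
#!/bin/sh
# Added example, not from the checklist. Reports POP3/IMAP listeners found in
# "netstat -a" output so the reviewer can raise the required-service and SSL
# questions with the SA.

# mail_ports_listening: read netstat output on stdin and print each of ports
# 110 and 143 that appears on a LISTEN line, one per line, ascending. The
# local-address field is the first field ending in ".<port>" or ":<port>";
# foreign addresses on LISTEN lines end in "*", so they never match. Linux
# service names (pop3, imap, imap2) are mapped back to their port numbers.
mail_ports_listening() {
    awk '/LISTEN/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /[.:][A-Za-z0-9]+$/) {
                port = $i
                sub(/.*[.:]/, "", port)
                if (port == "pop3") port = "110"
                if (port == "imap" || port == "imap2") port = "143"
                if ((port == "110" || port == "143") && !(port in seen)) {
                    seen[port] = 1
                    print port
                }
                break
            }
        }
    }' | sort -n
}

# mail_listener_status: "listening" when port 110 or 143 is open, else "none".
# "listening" becomes a finding only if the SA confirms the service is not
# required, or is required but is not protected with SSL.
mail_listener_status() {
    if [ -n "$(mail_ports_listening)" ]; then
        echo "listening"
    else
        echo "none"
    fi
}

# Constructed samples: Linux-style and Solaris-style "netstat -a" output.
LINUX_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:143            10.0.0.9:51001          ESTABLISHED
tcp6       0      0 :::143                  :::*                    LISTEN'

SOLARIS_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.110                *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN'

printf '%s\n' "$LINUX_NETSTAT" | mail_ports_listening     # 110 and 143
printf '%s\n' "$SOLARIS_NETSTAT" | mail_listener_status   # listening
```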
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0600 V0005748 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1998-0011
Vulnerable Systems:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0605 V0005749 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1999-0001
Vulnerable Systems:
UNIX systems running the WU-FTPD daemon or its derivatives.
Compliance Checking:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0610 V0005751 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 1999-0003
100. IAVA0615 2000-T-0015 BMC Best/1 Version 6.3 Performance Management System Vulnerability
Vulnerable Systems:
BMC Best/1 Version 6.3 Performance Management System
Compliance Checking:
Ask the system administrator if the BMC Best/1 product is installed on the system. If the product is installed and
less than version 6.5, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0615 V0005798 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-T-0015
Vulnerable Systems:
BIND v8.2.1
Compliance Checking:
Perform the following to determine the version of BIND.
# named -v
Or
# what /usr/sbin/named -v
If the version of BIND is not greater than 8.2.1, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0620 V0005780 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-B-0001
Vulnerable Systems:
Netscape Navigator prior to version 4.72
Compliance Checking:
If a Netscape browser is installed, check the browser version by opening the browser application and selecting
Help/About Netscape to obtain the version. If the version is not at least 4.73, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0625 V0005781 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-B-0002
Vulnerable Systems:
All web servers and browsers
Compliance Checking:
If a web browser is installed, view the advanced options and ensure that any scripting, such as JavaScript, is disabled.
Web server software such as Apache and the Sun Java web server and associated web pages should be reviewed
for dynamic content that may become vulnerable to malicious scripting by the web server administrator and web
site developers.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0630 V0005777 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-A-0001
Vulnerable Systems:
Snort prior to 1.8.1
Compliance Checking:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0635 V0005811 Category: I
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-B-0003
Vulnerable Systems:
Oracle9i Database Server
Oracle8i Database Server
Oracle8 Database Server
Compliance Checking:
Check that the Oracle9i Database Server has had the patches applied. To check for patches, execute the
following: %ORACLE_HOME%\bin\setup.exe. On the Welcome screen, click on the Installed Products button at
the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view the installed
patches. If the patches listed are not there or the Oneoffs selection is not there, then this is a Finding.
Version 9.2.0.3: patch 3056404; Version 9.2.0.3: patch 2973634.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0640 V0005852 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0005
Vulnerable Systems:
Oracle9i Application Server
Compliance Checking:
Check that the Oracle9i Application Server has had the patches applied. To check for patches, execute the
following: %ORACLE_HOME%\bin\setup.exe. On the Welcome screen, click on the Installed Products button at
the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view the installed
patches. If the patches listed are not there or the Oneoffs selection is not there, then this is a Finding.
Version 1.2.0.x: patches 2128936, 2209455
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0645 V0005853 Category: II
MAC/Confidentiality Levels:
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-T-0006
Vulnerable Systems:
ISC BIND 9.0 through 9.2
Compliance Checking:
Execute the following command to check the version of BIND.
# /usr/sbin/named -v
If the version output of the preceding command is not at least 9.2.1, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0650V0005857 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2002-T-0010
Vulnerable Systems:
Ncipher Nfast800 NET-SNMP for Linux/Solaris
Compliance Checking:
Ask the systems administrator if the nCipher product is installed. If it is, ask the systems administrator to
verify that the patches have been downloaded and installed from
http://www.ncipher.com/members/download.php?resource_id=55. If the systems administrator does not have a
login to that website, this is a good indication that the product has not been patched. If the product is
installed and patched properly, then this is not a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0655V0005867 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2002-T-SNMP-003
Vulnerable Systems:
DNCP-HPUX
Compliance Checking:
DNCP (Distributed Network Control Platform) manufactures edge devices that run the HP-UX operating
system. Check this device for the following patch using the procedures listed in Appendix F:
PHSS_26138
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0660V0005838 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference:
Vulnerable Systems:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0665V0005839 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2002-A-SNMP-005
Vulnerable Systems:
IRIX versions 5.3 to 6.4
Tivoli v7.1 NetView for UNIX
Compliance Checking:
Irix
If the Irix operating system version is not at least 6.5, then this is a finding. Perform the following to
determine the operating system version:
# uname -a
Tivoli
If Tivoli NetView 7.1 is installed, ask the SA if they have applied all vendor patches for SNMP
vulnerabilities. If the patches have not been installed, then this is a finding. The IAVA and vendor do not list
specific patches to install.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0670V0005840 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2002-A-SNMP-006
Vulnerable Systems:
Oracle 8 8.0.6
Oracle 8i 8.0.x
Oracle 8i 8.1.7
Oracle 8i 8.1.x
Oracle 9i 9.0.2
Oracle 9i 9.0.1.3
Oracle 9i 9.0.1.2
Oracle 9i 9.0.1
Oracle 9i 9.0
Oracle 9i Release 1, 9.0.x
Oracle 9i Release 2, 9.2.2
Oracle 9i Release 2, 9.2.x
Oracle 9i Release 2, 9.2.1
Compliance Checking:
To check for patches, execute %ORACLE_HOME%\bin\setup.exe. On the Welcome screen, click the Installed
Products button at the bottom of the screen, expand each Oracle Home, then expand the Oneoffs selection and
view the installed patches. If the listed patches are not there or the Oneoffs selection is not there, then this is
a finding.
Ensure the following patches are installed:
2642117 Oracle Database Server DIRECTORY Buffer Overflow Vulnerability
2642267 Oracle Database Server TZ_OFFSET Buffer Overflow Vulnerability
2642439 Oracle Database Server TO_TIMESTAMP_TZ Buffer Overflow Vulnerability
2620726 Oracle Database Server ORACLE.EXE Buffer Overflow Vulnerability
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0675V0005873 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2003-A-0006
Vulnerable Systems:
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle9i Application Server Release 2, version 9.0.2.1 and earlier versions
Oracle9i Application Server Release 2, version 9.0.3.0 and 9.0.3.1
Oracle9i Database Server Release 2, version 9.2.0.2
Oracle9i Database Server Release 1, version 9.0.1.4
Compliance Checking:
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory -detail command. The
required patches are 2701372 or 2701717.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0680V0005924 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0002
Vulnerable Systems:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0685V0005928 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0005
115. IAVA0690 2004-T-0011 Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
Vulnerable Systems:
Oracle Application Server Web Cache 10g 9.0.4.0
Oracle Application Server 10g 9.0.4.0
Oracle Oracle9i Application Server Web Cache 2.0.0.0.4
Oracle Oracle9i Application Server 1.0.2.2
Oracle Oracle9i Application Server Web Cache 9.0.2.2
Oracle iStore 11i 11i.IBE.O
Oracle Oracle9i Application Server Web Cache 9.0.2.3
Oracle Oracle9i Application Server Web Cache 9.0.3.1
Compliance Checking:
Use the Oracle opatch utility (opatch lsinventory) to list the installed patches. At least one of the following
patches must be present: 3319824 (10g), 3621435 (9iAS WC 9.0.3.1.0), 3573405 (9iAS WC 9.0.2.3.0),
3611297 (9iAS WC 2.0.0.4.0).
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0690V0005940 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0011
116. IAVA0695 2004-T-0022 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability
Vulnerable Systems:
Linux and Solaris running Checkpoint Firewall products
Compliance Checking:
Each specific firewall product provided by Checkpoint contains a different patch to be applied. Due to the
large number of patches to be applied for each product, it is best to refer to https://www.jtfgno.mil/bulletins/
dodcert2004/2004-t-0022.htm to check for compliance.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0695V0005964 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0022
117. IAVA0700 2004-T-0026 Mozilla Network Security Services Library Remote Heap Overflow Vulnerability
Vulnerable Systems:
HP-UX B.11.23 and prior
Mozilla Network Security Services (NSS) 3.9.0 and prior
Mozilla Browser 1.4.0-1.5.0
Sun ONE Application Server 7.0.0 and prior
Sun ONE Directory Server 5.2.0 and prior
Sun ONE Web Server 6.1.0 and prior
Sun Java Enterprise System
Compliance Checking:
HP-UX
To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an
affected fileset. The following filesets should be checked for:
NetscapeDirSvr6.NDS-SLAPD
NetscapeDirSvr6.NDS-ADM
No patches exist for this vulnerability, but the IAVA does list specific workaround procedures. If the
workaround has not been applied, then this is a finding.
For Solaris 8 sparc check for the following patches with procedures in Appendix F:
114045-12 or later
115924-09 or later
For Solaris 9 sparc check for the following patches with procedures in Appendix F:
114049-12 or later
115926-10 or later
For Solaris 9 x86 check for the following patches with procedures in Appendix F:
114050-12 or later
115927-10 or later
Check the version of the Mozilla NSS. If the version is not at least 3.9.2, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0700V0005969 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0026
Vulnerable Systems:
Kerberos V
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux WS 3
Sun SEAM 1.0.2
Sun Solaris 9.0.0
Sun Solaris 9.0.0_x86
Compliance Checking:
Redhat
# rpm -qa | grep krb5
If any of the Kerberos packages are installed, either the workstation or server package with its version
number should be returned by the preceding command. If the package version is not at least 1.3.4-5, then
this is a finding.
Solaris 9
# grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___
If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for
Kerberos and this check is not applicable. Otherwise, perform procedures in Appendix F, Patch Control, to check
for the following patches:
Sparc- 112908-16 or later
x86- 115168-05 or later
If the patches are not found on the system and Kerberos is utilized, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0705V0005970 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-T-0027
119. IAVA0710 2004-B-0009 Oracle E-Business Suite Multiple SQL Injection
Vulnerable Systems:
Oracle Applications 11.0 (all releases)
Oracle E-Business Suite Release 11i, 11.5.1 through 11.5.8
Compliance Checking:
To check for patches, open the Oracle Universal Installer. On the Welcome screen, click the Installed Products
button at the bottom of the screen, expand each Oracle Home, then expand the Oneoffs selection and view the
installed patches. If the listed patches are not there or the Oneoffs selection is not there, then this is a finding.
At least one of the patches should be listed for each occurrence of an installed component: E-Business Suite
patch 3644626, Applications suite patch 3648066.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0710V0005954 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2004-B-0009
Vulnerable Systems:
Computer Associates Advantage Data Transport 3.0.0
Computer Associates AdviseIT 2.4.0
Computer Associates BrightStor Portal 11.1.0
Computer Associates BrightStor SAN Manager 1.1.0
Computer Associates BrightStor SAN Manager 1.1.0 SP1
Computer Associates BrightStor SAN Manager 1.1.0 SP2
Computer Associates BrightStor SAN Manager 11.1.0
Computer Associates CAM 1.5.0
Computer Associates CAM 1.7.0
Computer Associates CAM 1.11.0
Compliance Checking:
Running camstat returns the version information in the top line of the output on any platform. The camstat
command is located in the bin subdirectory of the installation directory; the text file /etc/catngcampath holds
the CAM install location.
The version should be at least CAM 1.07 Build 220_13 or CAM 1.11 Build 29_13, depending on the major
release number of the installation.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0715V0011680 Category II
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2005-T-0031
Vulnerable Systems:
Symantec AntiVirus Corporate Edition 8.0.0 1
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 9.0.0
Symantec AntiVirus for Caching
Symantec AntiVirus for Network Attached Storage
Symantec AntiVirus for SMTP 3.1.0
Symantec AntiVirus Scan Engine 4.0.0
Symantec AntiVirus Scan Engine 4.3.0
Symantec AntiVirus Scan Engine for Bluecoat 4.0.0
Symantec AntiVirus Scan Engine for Bluecoat 4.3.0
Symantec AntiVirus Scan Engine for Caching 4.3.0
Symantec AntiVirus Scan Engine for Filers 4.3.0
Symantec AntiVirus Scan Engine for ISA 4.0.0
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0720V0006015 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: DCSQ-1, VIVM-1
PDI Description:
Reference: IAVA 2005-B-0007
122. IAVA0725 2005-B-0008 Trend Micro VSAPI ARJ Handling Heap Overflow
Vulnerable Systems:
Trend Micro InterScan Messaging Security Suite for Linux
Trend Micro InterScan Messaging Security Suite for Solaris
Trend Micro InterScan VirusWall for Linux
Trend Micro InterScan VirusWall for HP-UX
Trend Micro InterScan VirusWall for AIX
Trend Micro InterScan VirusWall for Solaris
Trend Micro InterScan Web Security Suite for Linux
Trend Micro InterScan Web Security Suite for Solaris
Trend Micro ServerProtect for Linux
Compliance Checking:
Ask the system administrator if any of the above products are installed on the machine. If any of them are
installed, ask the system administrator whether the appropriate vendor patch has been installed from
https://www.jtfgno.mil. If the specific patch listed in the IAVA has not been installed, then this is a finding.
Patched scan engine files listed in the IAVA, by product (the product headings for the last groups were not
preserved in this copy):

Control Manager
File                               Platform   Engine Version   Size      Release Date
vsapi-solaris-7.510-1002.tar.z     Solaris    7.510            992.0KB   Feb 24, 2005
vsapi-x86-linux-7.510-1002.tar.z   Linux      7.510            892.0KB   Feb 24, 2005

InterScan VirusWall
File                               Platform   Program Version   Engine Version   Size      Release Date
vsapi-x86-linux-7.510-1002.tar.z   Linux      3.01 and above    7.510            892.0KB   Feb 24, 2005
vsapi-solaris-7.510-1002.tar.z     Solaris                      7.510            992.0KB   Feb 24, 2005
vsapi-hpux-7.510-1002.tar.z        HP-UX                        7.510
vsapi-aix-7.510-1002.tar.z         AIX        3.6               7.510

Remaining products (headings not preserved)
File                               Platform   Engine Version   Size      Release Date
vsapi-x86-linux-7.510-1002.tar.z   Linux      7.510            892.0KB   Feb 24, 2005
vsapi-solaris-7.510-1002.tar.z     Solaris    7.510            992.0KB   Feb 24, 2005
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
123. IAVA0730 2005-A-0043 Symantec AntiVirus Library RAR Decompression
Vulnerable Systems:
Symantec AntiVirus/Filtering for Domino (AIX, Linux, Solaris) 3.0.11
Symantec Scan Engine 5.0
Symantec AntiVirus Scan Engine 4.1.8 - 4.3.12
Symantec AntiVirus for Messaging 4.3.12
Symantec AntiVirus for NAS 4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer 4.0 - 4.3
Symantec AntiVirus Scan Engine for NetApp NetCache 4.0 - 4.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0 - 4.3
Symantec AntiVirus for Clearswift 4.3.12
Symantec AntiVirus Scan Engine for Caching 4.3.12
Symantec AntiVirus for SMTP 3.1 - 4.1.9
Symantec Client Security 3.X
Symantec Web Security 3.0.1
Symantec Gateway Security 5000 Series 3.0
Symantec Gateway Security 5400 Series 2.0
Symantec Gateway Security 1.0
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
124. IAVA0735 2006-T-0002 Multiple Vulnerabilities within BEA WebLogic Software
Vulnerable Systems:
BEA Systems WebLogic Express 6.1.0
BEA Systems WebLogic Express 6.1.0 SP 1-8
BEA Systems WebLogic Express 7.0.0
BEA Systems Weblogic Server 6.1.0 SP 1-7
BEA Systems Weblogic Server 7.0.0
BEA Systems Weblogic Server 7.0.0 SP 1-6
BEA Systems Weblogic Server 7.0.0.0.1
BEA Systems Weblogic Server 7.0.0.0.1 SP 1-4
BEA Systems Weblogic Server 8.1.0
BEA Systems Weblogic Server 8.1.0 SP 1-5
BEA Systems Weblogic Server 9.0
Compliance Checking:
To determine the version number, run the setEnv.sh script for the domain, which is located under:
# $WL_HOME/config/{your-domain}/setEnv.sh
Then run java weblogic.version, which should produce the version string output.
This can also be checked directly from the WebLogic console: go to Mydomain > Servers > myserver and select
the Monitoring/Versions tab.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
125. IAVA0740 2006-T-0005 Multiple Vulnerabilities in Mozilla Products
Vulnerable Systems:
Firefox and Thunderbird prior to version 1.5.0.1
Seamonkey prior to version 1.0.
Compliance Checking:
Check that Firefox and Thunderbird have been updated to version 1.5.0.1 or higher; SeaMonkey should be at
version 1.0 or higher. The versions can usually be checked from the Help|About menu within the graphical menu
toolbar.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
126. IAVA0745 2006-T-0007 Veritas NetBackup Multiple Remote Buffer Overflow
Vulnerable Systems:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
127. IAVA0755 2006-T-0009 Multiple Vulnerabilities in Symantec AntiVirus Engine
Vulnerable Systems:
Symantec Anti-virus scan engine prior to 5.1
Compliance Checking:
To determine which version of Symantec AntiVirus is installed, start the application and select Help|About.
This should display the scan engine version. Some instances display the engine version on the main application
window.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
128. IAVA0760 2006-T-0013 RealVNC Remote Authentication Bypass
Vulnerable Systems:
Real VNC 4.1.1
Compliance Checking:
To determine if the VNC software is installed on a UNIX machine, perform the following:
# find / -name vncserver -print
If the software is found, perform the following to retrieve the version information:
# vncserver -help
This displays the version on the first line returned. If the version is not at least 4.2.3, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
129. IAVA0765 2006-T-0023 Multiple Vulnerabilities in Wireshark
Vulnerable Systems:
Wireshark 0.99.2 or Ethereal 0.99.0 or earlier
Compliance Checking:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
130. IAVA0770 2006-T-0035 Sun Java System/iPlanet Messaging Server
Vulnerable Systems:
iPlanet Messaging Server 5.2 (for Solaris 8 and 9) without patch 5.2hf2.13
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 8, 9, and 10) without patch 118207-56
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 9 and 10) without patch 118208-56
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for RHEL 2.1 and 3.0) without patch 118209-56
Compliance Checking:
To determine if Sun Java System Messaging Server is installed on a system, the following command can be run:
# pkginfo SUNWmsgco
application SUNWmsgco Sun Java System Messaging Server Core Libraries
To determine the version of iPlanet Messaging Server on a system, the following command can be run:
# cat /etc/msgregistry.inf
A list of instances and installs will be displayed (if any) if this file exists.
To determine the version of Sun Java Messaging Server on a system, the following command can be run:
# /opt/SUNWmsgsr/sbin/imsimta version
If the software is installed without the patches mentioned in the vulnerable systems section, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
131. IAVA0775 2006-B-0016 Multiple Remote Denial of Service Vulnerabilities within ISC BIND
Vulnerable Systems:
BIND 9.3.0, BIND 9.3.1, BIND 9.3.2, BIND 9.3.3b1 and BIND 9.3.3rc1
BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6 and 9.4.0b1
Compliance Checking:
Perform the following to determine the version of BIND:
# named -v
Or
# what /usr/sbin/named -v
If the version is not one of the following: BIND 9.3.2-P1, BIND 9.2.7 or BIND 9.2.6-P1, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
Vulnerable Systems:
Flash Player 8.0.24.0 and prior
Flash Professional 8
Flash Basic
Flash MX 2004
Adobe Flex 1.5
Compliance Checking:
To verify the Flash Player version number, access the About Flash Player page, or right-click on Flash
content and select About Macromedia Flash Player from the menu. If multiple browsers are in use, perform the
check and the installation for each browser. If the version is Adobe Flash Player 8.0.24 or earlier, then this is a
finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
133. IAVA0785 2006-A-0008 Computer Associates (CA) iTechnology iGateway Service Vulnerability
Vulnerable Systems:
Computer Associates: CA iTechnology iGateway 4.0
Compliance Checking:
Check the installed iGateway version. If the version is not at least 4.0.051230, then this is a finding. Patches
can be obtained from
ftp://ftp.ca.com/pub/iTech/downloads
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0785V0011724 Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls:
PDI Description:
Reference: IAVA 2006-A-0008
Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle9i Application Server Release 1, version 1.0.2.2
Compliance Checking:
To check for patches, open the Oracle Universal Installer: On the Welcome screen, click on the Installed
Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view
the installed patches. If patches listed are not there or the Oneoffs selection is not there, then this is a Finding.
Apply all patches listed for the installed E-Business version:
11.5.10 CU2: 5447522, 5486407, 5479643, 5500118, 5335967, 5483388
11.5.10 and CU1: 5447522, 5486407, 5479643, 5500118, 5335967, 4580011
11.5.9: 5447522, 5486408, 5479643, 5500118, 4665644, 5483382, 5534762
11.5.8: 5447522, 5479643, 5500118, 5549711, 5483377, 5534752
11.5.7: 5447522, 5479643, 5500118, 5534742
For Oracle Mobile Field Service (MFS) customers: 5483388, 5483382, 5483377
For Oracle Trading Community Architecture customers: if your instance is at 11i.HZ.G or 11i.HZ.H, apply
patch 5521537; if it is at 11i.HZ.I to 11i.HZ.L, apply patch 3748842; if it is at 11i.HZ.M, apply patch
5521476; if it is at 11i.HZ.N, apply patch 5526897.
Versions earlier than 11.5.7 are no longer supported.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
135. IAVA0810 2007-T-0001 MIT Kerberos 5 RPC Library Remote Code Execution Vulnerability
Vulnerable Systems:
MIT Kerberos 5 1.5.1 and earlier
Compliance Checking:
#
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
136. IAVA0815 2007-T-0002 MIT Kerberos 5 Administration Daemon Remote Code Execution Vulnerability
Vulnerable Systems:
MIT Kerberos 5 1.5 and Kerberos 5.1.5.1
Compliance Checking:
#
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
137. IAVA0820 2007-T-0003 Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability
Vulnerable Systems:
JDK and JRE 5.0 Update 9 and earlier
SDK and JRE 1.4.2_12 and earlier
SDK and JRE 1.3.1_18 and earlier
Compliance Checking:
To determine the version of Java on a system, run one of the following commands (the version string is
written to standard error, not standard output):
# java -fullversion
Or
# java -version
If the reported version is not at least one of the following, then this is a finding:
JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
PDI: IAVA0825V0013577    Category I
MAC/Confidentiality Levels:
Previously: N/A
IA Controls: ECMT-1, ECMT-2, VIVM-1
PDI Description:
Reference: IAVA 2007-A-0001
139. IAVA0830 2007-A-0002 Snort GRE Packet Decoding Integer Underflow Vulnerability
Vulnerable Systems:
Snort 1.3.1 or later built with the special developer option that enables the experimental pre-processor.
Compliance Checking:
To determine the version of Snort, issue the following command:
# snort -V
If the version is 2.6.1.2, ask the SA whether the executable binary was compiled from source with the
developer option enabled. If it was, then this is a finding.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
140. IAVA0835 2007-A-0006 Multiple Vulnerabilities in Adobe Acrobat
Vulnerable Systems:
Adobe Acrobat versions 6.0.5 and prior and versions 7.0.8 and prior.
Compliance Checking:
If the version is not at least one of the following, then this is a finding:
Acrobat 6.0.6 or later OR 7.0.9 or later OR 8.0 or later.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
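The version comparisons in the Java (IAVA0820) and Acrobat (IAVA0835) checks above can be scripted so the reviewer is not comparing update numbers by eye; the same field-by-field comparison serves the single version boundaries given for the Kerberos and Snort items. The following is an added example, not a script from this checklist: the thresholds are the ones the items state, while the parsing of java -version and java -fullversion output, the constructed sample output, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the checklist's script). Thresholds are those stated in
# the checklist; the parsing of "java -version" output, the sample strings
# and the function names are assumptions.

# Pull the quoted version (e.g. 1.5.0_09) out of `java -version` or
# `java -fullversion` output. Both write to stderr, so capture with 2>&1.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^java \(full \)*version "\([^"]*\)".*/\2/p' | head -n 1
}

# java_finding VERSION: returns 0 if compliant, 1 if this is a finding.
# Required update levels per family (IAVA0820):
#   1.5.0 (JDK/JRE 5.0) -> Update 10;  1.4.2 -> _13;  1.3.1 -> _19
# Families the item does not list (e.g. 1.6.0) are treated as not affected.
java_finding() {
    ver=${1%%-*}               # drop a build suffix such as -b03 (-fullversion output)
    family=${ver%%_*}          # 1.5.0
    update=${ver#*_}           # 09, or the whole string if there is no "_"
    [ "$update" = "$ver" ] && update=0
    update=$(printf '%s' "$update" | sed 's/^0*//')   # 09 -> 9 so the -ge test is numeric
    [ -z "$update" ] && update=0
    case "$family" in
        1.5.0) required=10 ;;
        1.4.2) required=13 ;;
        1.3.1) required=19 ;;
        *)     return 0 ;;
    esac
    [ "$update" -ge "$required" ]
}

# ver_ge A B: returns 0 if dotted version A >= B, comparing field by field
# numerically (so 7.0.10 > 7.0.9, which a plain string compare gets wrong).
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# acrobat_finding VERSION: 0 if compliant (6.0.6+, 7.0.9+ or 8.0+), 1 if a finding.
acrobat_finding() {
    case "$1" in
        6.*) ver_ge "$1" 6.0.6 ;;
        7.*) ver_ge "$1" 7.0.9 ;;
        *)   ver_ge "$1" 8.0 ;;
    esac
}

# Constructed sample of `java -version 2>&1` output from a vulnerable JRE.
SAMPLE_JAVA_OUTPUT='java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode, sharing)'

# Live use:  v=$(java_version_string "$(java -version 2>&1)")
if [ "${1:-}" = "--demo" ]; then
    v=$(java_version_string "$SAMPLE_JAVA_OUTPUT")
    if java_finding "$v"; then echo "java $v: compliant"; else echo "java $v: FINDING"; fi
fi
```

Run the script with --demo to see the constructed sample evaluated; in a live check, feed java_version_string the output of java -version 2>&1 and pass the result to java_finding. The field-by-field comparison in ver_ge matters because a string comparison (sort, or a shell "<" test) ranks 7.0.10 below 7.0.9.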
141. IAVA0840 2007-A-0007 Multiple Vulnerabilities in Oracle Database Server
Vulnerable Systems:
Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2, 10.2.0.3
Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
Compliance Checking:
To check for patches, execute the Oracle Universal Installer, runInstaller (runInstaller.exe on Windows).
On the Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle
Home. Expand the Oneoffs selection and view the installed patches. If the patch listed below for the installed
version is not there, or the Oneoffs selection is not there, then this is a Finding.
Version     Patch
9.2.0.5     2/5/2007
9.2.0.6     2/5/2007
9.2.0.7     5689875
9.2.0.8     5490859
10.1.0.3    2/5/2007
10.1.0.4    5689894
10.1.0.5    5689908
10.2.0.1    5689937
10.2.0.2    5689957
10.2.0.3    NA
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
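Where OPatch is present in the Oracle home, the same one-off patch list can be read from the command line instead of the installer GUI, which makes the check above repeatable across many homes. The following is an added example and not part of this checklist: the version-to-patch mapping is the table above; reading the inventory with $ORACLE_HOME/OPatch/opatch lsinventory, the sample inventory text, the "Patch  NNNNNNN :" line shape it is matched against, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the checklist): check an Oracle home's one-off
# patch inventory against the IAVA0840 patch table. The version-to-patch
# mapping is the checklist's; reading the inventory with
# "$ORACLE_HOME/OPatch/opatch lsinventory", the "Patch  NNNNNNN :" line
# shape and the sample output below are assumptions.

# Required one-off patch per database version (from the checklist table).
# Versions the table marks with a date rather than a patch number, and
# 10.2.0.3 (NA), have no patch number to look for and are reported as such.
required_patch() {
    case "$1" in
        9.2.0.7)  echo 5689875 ;;
        9.2.0.8)  echo 5490859 ;;
        10.1.0.4) echo 5689894 ;;
        10.1.0.5) echo 5689908 ;;
        10.2.0.1) echo 5689937 ;;
        10.2.0.2) echo 5689957 ;;
        *)        return 1 ;;
    esac
}

# oracle_patch_status VERSION INVENTORY_TEXT
# Prints "compliant", "finding" or "no-patch-listed" and returns 0, 1 or 2.
# The match is anchored on "Patch <number> :" so a patch number that merely
# appears in another patch's "Bugs fixed" list does not count as applied.
oracle_patch_status() {
    patch=$(required_patch "$1") || { echo no-patch-listed; return 2; }
    if printf '%s\n' "$2" | grep -Eq "^Patch[[:space:]]+$patch[[:space:]]*:"; then
        echo compliant
        return 0
    fi
    echo finding
    return 1
}

# Constructed sample in the shape of an opatch lsinventory "Interim patches" list.
SAMPLE_INVENTORY='Interim patches (2) :

Patch  5689937      : applied on Wed Feb 07 10:12:33 EST 2007
   Created on 5 Jan 2007, 03:22:11 hrs PST8PDT
   Bugs fixed:
     5689937
Patch  4923768      : applied on Thu Nov 02 08:01:55 EST 2006'

# Live use (assumption: OPatch lives in $ORACLE_HOME/OPatch):
#   oracle_patch_status 10.2.0.1 "$("$ORACLE_HOME"/OPatch/opatch lsinventory)"
if [ "${1:-}" = "--demo" ]; then
    oracle_patch_status 10.2.0.1 "$SAMPLE_INVENTORY" || true
    oracle_patch_status 10.2.0.2 "$SAMPLE_INVENTORY" || true
    oracle_patch_status 10.2.0.3 "$SAMPLE_INVENTORY" || true
fi
```

The database version itself comes from the same inventory (or from sqlplus) and must be matched exactly: the table gives a different patch number for each patch-set level, so a 10.2.0.2 home with only the 10.2.0.1 patch applied is still a finding.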
142. IAVA0845 2007-A-0008 Multiple Vulnerabilities in Oracle Application Server
Vulnerable Systems:
Oracle Application Server 10g Release 3, versions 10.1.3.0.0, 10.1.3.1.0
Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
Oracle Application Server 10g (9.0.4), versions 9.0.4.2, 9.0.4.3
Compliance Checking:
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
143. IAVA0850 2007-A-0009 Multiple Vulnerabilities in Oracle Collaboration Suite
Vulnerable Systems:
Oracle9i Database Release 1, version 9.0.1.4
Oracle9i Application Server Release 2, version 9.0.2.3
Compliance Checking:
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.
145. IAVA0860 2007-A-0011 Multiple Vulnerabilities in Oracle Enterprise Manager
Vulnerable Systems:
Oracle Enterprise Manager 10g Grid Control Release 2, version 10.2.0.1
Oracle Enterprise Manager 10g Grid Control Release 1, versions 10.1.0.4, 10.1.0.5
Compliance Checking:
Remediation Guidelines:
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT I finding may be downgraded to a CAT II.