
STIG User Guide

iDX Release 3.1

March 27, 2012


Copyright 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is
prohibited. Information contained herein is subject to change without notice. The specifications and information
regarding the products in this document are subject to change without notice. All statements, information, and
recommendations in this document are believed to be accurate, but are presented without warranty of any kind,
express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand
names and products mentioned in this document are the property of their respective owners. All such references
are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's
rightful owner.

Document Name: UG_STIG User Guide iDX 3.1 Rev A_03272012.pdf


Document Part Number: T0000435


Revision History

The following table shows all revisions for this document. If you do not have the revision that
applies to your release, or you are not sure, please contact iDirect.

Revision   Date Released   Reason for Change(s)               Who Updated?
A          03/27/2012      Revision A for iDX Release 3.1     JVespoli


Contents

About This Guide                                                  v
    Purpose                                                       v
    Intended Audience                                             v
    Contents Of This Guide                                        v
    Document Conventions                                          vi

Configuring Hub Servers for UNIX STIG Compliance                  1
    1. STIG Feature Overview                                      1
    2. Installing the STIG package                                2
    3. Executing the iDirect STIG Scripts                         3
    4. Logs Directory                                             3
    5. Backups of Files Replaced by the Patch Scripts             3
    6. Performing Manual Updates                                  4
        Procedure 1: GEN000400, GEN000420                         4
        Procedure 2: LNX00140                                     5
        Procedure 3: GEN001260                                    5
    7. STIG Exceptions                                            6
    8. PDIs Not Enforced by iDirect                               6
    9. Explanation of Specific Open Findings                      6
        9.1 CAT I Open Findings                                   6
        9.2 CAT II Open Findings                                  8
    10. Open Findings Fixed by the STIG Scripts                   10


About This Guide

Purpose
The STIG User Guide provides instructions for implementing compliance with the
recommendations specified in the UNIX Security Technical Implementation Guide (STIG) on
iDirect hub servers such as the NMS servers and protocol processor blades.
iDirect strives to produce documentation that is technically accurate, easy to use, and helpful
to our customers. Your feedback is welcomed! Send your comments to techpubs@idirect.net.

Intended Audience
The STIG User Guide is intended for UNIX system administrators responsible for implementing
the STIG feature on their iDirect UNIX servers.

Contents Of This Guide


This document contains the following major sections:

STIG Feature Overview
Installing the STIG package
Executing the iDirect STIG Scripts
Logs Directory
Backups of Files Replaced by the Patch Scripts
Performing Manual Updates
STIG Exceptions
PDIs Not Enforced by iDirect
Explanation of Specific Open Findings
Open Findings Fixed by the STIG Scripts

Document Conventions
This section illustrates and describes the conventions used throughout the user guide.

Convention: Blue Courier font
Description: Used when the user is required to enter a command at a command line prompt or
in a console.
Example: Enter the command:
service idirect_nms stop

Convention: Courier font
Description: Used when showing software code or output from a command that was entered at
a command line or on a console.
Example:
rpm -qa | grep sendmail
sendmail-devel-8.12.11-4.RHEL3.1
sendmail-8.12.11-4.RHEL3.1
sendmail-cf-8.12.11-4.RHEL3.1

Convention: Bold Trebuchet font
Description: Used when referring to text that appears on the screen on a windows-type
Graphical User Interface (GUI). Also used when specifying names of commands, menus,
folders, tabs, dialogs, list boxes, and options.
Example: Launch PuTTY using iMonitor by right-clicking the blade in the Network Tree and
selecting Connect.

Convention: Blue Trebuchet font
Description: Used to show all hyperlinked text within a document.
Example: See Open Findings Fixed by the STIG Scripts on page 17 for a list of the
modifications made by the iDirect scripts.

Convention: Bold italic Trebuchet font
Description: Used to emphasize information for the user, such as in notes.
Example: Note: This procedure applies only to NMS server machines.

Convention: Red italic Trebuchet font
Description: Used when the user needs to strictly follow the instructions or have additional
knowledge about a procedure or action.
Example: WARNING! The following procedure may cause a network outage.

Configuring Hub Servers for UNIX STIG Compliance

Security Technical Implementation Guides (STIGs) are checklists of recommended settings for
various computer platforms. They define configuration standards for DOD Information
Assurance (IA) and IA-enabled systems. The STIGs can be found at the Web site of the
Information Assurance Support Environment (IASE), http://iase.disa.mil/. This document
describes the iDirect STIG feature for compliance with the STIG recommendations applicable
to the Linux operating environment deployed on iDirect hub servers. It contains the following
major sections:

STIG Feature Overview on page 1
Installing the STIG package on page 2
Executing the iDirect STIG Scripts on page 3
Logs Directory on page 3
Backups of Files Replaced by the Patch Scripts on page 3
Performing Manual Updates on page 4
STIG Exceptions on page 6
PDIs Not Enforced by iDirect on page 6
Explanation of Specific Open Findings on page 6
Open Findings Fixed by the STIG Scripts on page 10

Note: This version of the STIG User Guide applies only to iDirect hub servers running
iDX Release 3.1.

1. STIG Feature Overview


iDirect provides a set of scripts that you can run to modify your hub servers to meet many of
the recommendations specified in the UNIX Security Checklist dated July, 2011. iDirect's
implementation addresses both general UNIX recommendations and Linux-specific
recommendations documented in the Security Technical Implementation Guide (STIG).
A STIG contains a list of security requirements for a specific operating environment. Each
security requirement is identified by a Potential Discrepancy Item (PDI). A PDI consists of a
Short Description Identifier (SDID) and a severity code.

Results of the STIG installation are written to log files, which you can then examine to verify
that the changes were properly applied to the system. The procedure for installing the
package on your hub servers is contained in Installing the STIG package on page 2. The
format of the log files is specified in Logs Directory on page 3.
In addition to the STIG recommendations that are automatically applied by the scripts, iDirect
supports a number of manual configuration changes to meet additional STIG
recommendations. Instructions for manually applying these additional changes are contained
in Performing Manual Updates on page 4.
Some STIG recommendations are either not applicable to the iDirect system or are the direct
responsibility of your Security Administrator (SA). These recommendations are listed in the
section PDIs Not Enforced by iDirect on page 6.

Note: Several UNIX STIG recommendations cannot be implemented on iDirect servers
because meeting those recommendations would interfere with iDirect system
operation. These recommendations are listed as exceptions in the STIG log. See
STIG Exceptions on page 6 for a list of PDIs not supported by iDirect systems.

Note: Since STIG recommendations are continually changing, there is a strong
possibility that you will discover issues not discussed in this document when
conducting evaluations against later versions of the UNIX STIG. Please report
all such findings to the iDirect TAC so that iDirect can determine whether or not
these issues can be addressed in future updates to the STIG feature.

2. Installing the STIG package


You can automatically install the STIG package and execute the iDirect STIG scripts when you
upgrade to, or perform a new installation of, this release.

If you installed your iDirect release using a security enhanced Kickstart option (for
example, SE-NMS or SE-Protocol Processor) then the STIG package was automatically
installed and the STIG scripts were automatically executed during the installation.

You can upgrade a non-STIG server to a STIG server by executing the idsUpdate script
with the --harden and --force options. For example:
mkdir -p /media/cdrom
mount /dev/cdrom /media/cdrom
/media/cdrom/iDirect/install/idsUpdate --harden --force
eject

You can upgrade a server with STIG already installed by executing the idsUpdate
script with the --harden option. The --force option is not required.

Note: When using the --force option, the --harden option is also required.

Note: In order to remain STIG compliant you should pass the --harden option to
idsUpdate whenever you upgrade to a new iDirect release.

Note: For more information, see the Network Upgrade Procedure or Software
Installation Guide for your iDX Release.

3. Executing the iDirect STIG Scripts


The procedure in this section executes the iDirect STIG scripts. You can run the iDirect scripts
at any time. For example, you may want to re-run the scripts after making changes to your
system.
Follow these steps to execute the iDirect STIG scripts:
1. Log on to the root account of the server on which you want to execute the STIG scripts.
2. On an NMS server, ensure that all NMS and mysql services are stopped by entering the
commands:
service idirect_nms stop
service mysql stop
3. From the command line of the root account, change to the STIG directory by entering the
command:
cd /opt/stig
4. Enter the following command to run the STIG scripts:
./idirect_stig
The results are displayed to the user.
When you run the iDirect scripts, the operating environment is updated to meet the STIG
recommendations.
Note: Once you have run the STIG scripts or performed the manual updates
documented on page 4, you must reboot the server.

4. Logs Directory
Results of the iDirect STIG scripts are written to the following directory:
/opt/stig/logs/
Each time you run the iDirect STIG scripts, the results are logged in a new file in that
directory with the name:
<Timestamp>.log
where <Timestamp> is the date and time that the STIG scripts were executed.
The STIG log files contain detailed output for each PDI fixed by the iDirect STIG scripts,
including all changes made to the system.

5. Backups of Files Replaced by the Patch Scripts


Whenever a file is replaced by the iDirect patch scripts, the original file is copied to the
following directory:
/opt/stig/bak
Each file is backed up to a subdirectory of /opt/stig/bak that includes the full path of the
original file and a timestamp indicating when the file was backed up.


For example, if a script modifies the file /etc/ssh/sshd_config, the backup of that file is
written to the following directory:
/opt/stig/bak/etc/ssh/sshd_config.<Timestamp>
where <Timestamp> represents the date and time that the file was backed up.
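The backup layout above is what makes a hardening run reviewable: every replaced file sits under /opt/stig/bak at its original path with a timestamp suffix, so the live file can be compared against the copy it replaced before the server is rebooted. The shell functions below are an added example, not part of the iDirect STIG package; they list every backed-up file whose live copy differs from its newest backup and print the corresponding diffs. They assume the <Timestamp> suffix contains no dots and sorts chronologically as a plain string, and that backed-up paths contain no "|" character. The optional LIVEROOT argument only exists so the functions can be tried against a scratch tree; on a hub server it is left empty.

```shell
#!/bin/sh
# Added example, not from the iDirect STIG package: review what the hardening
# scripts changed by comparing the /opt/stig/bak copies with the live files.
# Backups are laid out as <bakroot>/<original path>.<Timestamp>; the suffix is
# assumed to contain no dots and to sort chronologically as a plain string.

# stig_changed_files BAKROOT [LIVEROOT]
# For each backed-up path, compares the newest backup with the live copy and
# prints "changed|<path>|<backup>" or "missing|<path>|<backup>" (one per line).
# Paths whose live copy still matches the newest backup are not listed.
# LIVEROOT is prefixed to every live path (empty for the real system).
stig_changed_files() {
    bakroot=${1%/}; liveroot=${2:-}
    find "$bakroot" -type f | sort |
    awk -v root="$bakroot" '{
        rel = substr($0, length(root) + 1)       # /etc/ssh/sshd_config.<Timestamp>
        live = rel; sub("\\.[^./]*$", "", live)  # strip the ".<Timestamp>" suffix
        latest[live] = $0                        # sorted input: later line is newer
    } END { for (p in latest) print p "|" latest[p] }' |
    sort | while IFS='|' read -r live bak; do
        if [ ! -e "$liveroot$live" ]; then
            printf 'missing|%s|%s\n' "$live" "$bak"
        elif ! cmp -s "$bak" "$liveroot$live"; then
            printf 'changed|%s|%s\n' "$live" "$bak"
        fi
    done
}

# stig_backup_diff BAKROOT [LIVEROOT]
# Prints a unified diff (backup -> live) for every file reported as changed.
stig_backup_diff() {
    stig_changed_files "$1" "${2:-}" | while IFS='|' read -r state live bak; do
        [ "$state" = changed ] || continue
        diff -u "$bak" "${2:-}$live" || true      # diff exits 1 when files differ
    done
}

# On a hardened hub server, as root:  sh stig_review.sh review
if [ "${1:-}" = review ]; then
    stig_backup_diff /opt/stig/bak
fi
```

Run the diff before the reboot the guide requires, and keep the output with the /opt/stig/logs entry for the same run: together they document exactly which settings changed and why.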

6. Performing Manual Updates


This section describes manual configuration changes that you can make on your iDirect Linux
servers to comply with a number of PDIs not addressed by the iDirect scripts. These
procedures correct a number of open findings that remain outstanding after the iDirect scripts
have been executed.
Note: There are some open findings that cannot be addressed on iDirect servers. See
STIG Exceptions on page 6 for a list of PDIs associated with these findings.

Follow the procedures in this section to make your server compliant with the specified PDIs.
Each procedure consists of one or more PDIs and the steps required to modify the server
configuration to comply with those PDIs.
Note: After you have made these changes, be sure to reboot your server.

Procedure 1: GEN000400, GEN000420


(GEN000400: CAT II) (Previously G010) The SA will ensure a logon-warning banner is
displayed on all devices and sessions at the initial logon.
(GEN000420: CAT II) (Previously G011) The IAO will ensure the Legal Notice Logon
Warning Banner includes the five points outlined in the CJCSM 6510.01. All DOD AISs will
display, as a minimum, an electronic logon notice and consent banner that advises users
of the following principles:
- The system is a DOD system.
- The system is subject to monitoring.
- Monitoring is authorized in accordance with applicable laws and regulations and
conducted for purposes of systems management and protection, protection against
improper or unauthorized use or access, and verification of applicable security features
or procedures.
- Use of the system constitutes consent to monitoring.
- This system is for authorized US government use only.
Follow these steps to modify the login banner:
1. Edit the file /etc/motd.
2. Enter the content to comply with the PDI requirements.
3. Save the changes to /etc/motd.
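Two things a practitioner will want beyond the three steps above: a way to confirm that the banner actually states all five points (the SRR scripts test the banner text, not the fact that /etc/motd was edited), and an awareness that /etc/motd is printed only after a successful login, while the console getty shows /etc/issue before the prompt and sshd shows the file named by its Banner directive. The shell functions below are an added example, not part of the iDirect guide or scripts. SAMPLE_BANNER is constructed from the five points listed above purely for illustration; it is not the official CJCSM 6510.01 wording, so substitute the text your IAO has approved.

```shell
#!/bin/sh
# Added example, not from the iDirect guide: install a logon banner and verify
# that it states the five points GEN000420 requires. SAMPLE_BANNER is
# constructed from those five points for illustration; it is not the official
# CJCSM 6510.01 wording, so substitute the text your IAO has approved.

SAMPLE_BANNER='This is a Department of Defense (DoD) computer system.
This system is subject to monitoring at all times.
Monitoring is authorized in accordance with applicable laws and regulations and
is conducted for systems management and protection, protection against improper
or unauthorized use or access, and verification of applicable security features
or procedures.
Use of this system constitutes consent to monitoring.
This system is for authorized US government use only.'

# banner_install FILE...
# Writes SAMPLE_BANNER to each FILE, world-readable, because login programs read
# these files before any user has authenticated.
banner_install() {
    for f in "$@"; do
        printf '%s\n' "$SAMPLE_BANNER" > "$f" && chmod 644 "$f" || return 1
    done
}

# banner_check FILE
# Checks FILE for the five required points with case-insensitive phrase matches.
# Prints each point that is missing and returns 1 if any is; returns 0 when all
# five are present.
banner_check() {
    f=$1; rc=0; i=1
    for pat in \
        '(^|[^a-z])(DoD|Department of Defense)([^a-z]|$)' \
        'subject to monitoring' \
        'authorized in accordance with applicable laws and regulations' \
        'consent to monitoring' \
        'authorized US government use only'
    do
        grep -qiE "$pat" "$f" || { printf 'point %d missing: %s\n' "$i" "$pat"; rc=1; }
        i=$((i + 1))
    done
    return $rc
}

# On a hub server, as root:
#   banner_install /etc/motd /etc/issue /etc/issue.net
#   banner_check /etc/motd && echo "GEN000400/GEN000420: banner complete"
```

If you also want the banner before SSH authentication, point the Banner directive in /etc/ssh/sshd_config at /etc/issue.net; that file is among those the STIG scripts back up under /opt/stig/bak, so re-run the check after any later hardening run.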


Procedure 2: LNX00140
(LNX00140: CAT I) The GRUB boot-loader does not use an MD5 encrypted password.
Follow these steps to comply with the above PDI:
1. From the command line, enter the following command:
grub-md5-crypt
2. When prompted, enter the password to obtain the password hash. Sample output is shown
here:
Password: <passwd>
Retype password: <passwd>
$1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
3. Add the password hash to the global section of the grub configuration file
/boot/grub/grub.conf, before the first title entry, as shown in the example below:
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
title Red Hat Enterprise Linux Server (2.6.18-164.6.1.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/
initrd /initrd-2.6.18-164.6.1.el5.img
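The placement in the example matters: a password line in the global section (before the first title stanza) protects the whole menu, while one inside a stanza protects only that entry. The shell functions below are an added example, not part of the iDirect package; they insert or replace the directive idempotently and verify the result, so the procedure can be repeated on every blade without accumulating duplicate lines. The grub.conf path and the hash are parameters; the hash shown in the usage comment is the sample from step 2. The function refuses anything that does not begin with $1$, because a bare password directive would store the password in clear text.

```shell
#!/bin/sh
# Added example, not part of the iDirect STIG scripts: manage the GRUB legacy
# "password --md5" directive that LNX00140 requires. Hashes come from
# grub-md5-crypt (step 2 above); the grub.conf path is a parameter so the
# functions can be tried on a copy first.

# grub_set_password CONF HASH
# Leaves CONF with exactly one "password --md5 HASH" line, located after the
# other global directives and before the first "title" stanza. Any existing
# password line (md5 or clear text) is removed first, so re-running is safe.
grub_set_password() {
    conf=$1; hash=$2
    case $hash in
        '$1$'*) ;;
        *) echo "grub_set_password: '$hash' is not an MD5 crypt hash" >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    awk -v h="$hash" '
        /^[[:space:]]*password([[:space:]]|$)/ { next }         # drop any old line
        /^[[:space:]]*title/ && !placed { print "password --md5 " h; placed = 1 }
        { print }
        END { if (!placed) print "password --md5 " h }          # no stanzas yet
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf" && rm -f "$tmp"   # cat, not mv: keeps grub.conf owner/mode
}

# grub_password_ok CONF
# Returns 0 when CONF contains exactly one md5 password line and it precedes
# every title stanza; 1 otherwise.
grub_password_ok() {
    awk '
        /^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$/ { n++; if (seen_title) late = 1 }
        /^[[:space:]]*title/ { seen_title = 1 }
        END { exit !(n == 1 && !late) }
    ' "$1"
}

# On a hub server, as root, after obtaining the hash from grub-md5-crypt:
#   grub_set_password /boot/grub/grub.conf '$1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31'
#   grub_password_ok /boot/grub/grub.conf && echo "LNX00140: compliant"
```

The hash is single-quoted in the usage line so the shell does not expand the $1 and $H fragments; the same care applies when pasting it into the file by hand.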

Procedure 3: GEN001260
(GEN001260: CAT II) System log file permissions are more permissive than 640.
Follow the steps below to comply with the above PDI:
1. Find all files with permissions greater than 640 in the directory /var/log:
find /var/log -perm /137 -ls
2. For every log file found in Step 1 (after determining that the log file's permissions can be
safely changed) modify the file permissions using the following command:
chmod 640 <log file name>
Where <log file name> is the name of the log file.
Note: Due to the fact that log files can be created from many different processes that
are not under iDirect's control, iDirect cannot ensure 100% automated
compliance with GEN001260. Upon execution, to the extent possible, the
iDirect STIG hardening scripts set the permissions on existing log files properly
and change the configuration options for future log files to comply with this
PDI. However, there is no guarantee that new log files, rotated log files, or log
configuration options will have or maintain the proper permissions. See the
UNIX Security Checklist for more details.
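Because GEN001260 can regress whenever a rotated or newly created log appears, a repeatable audit is more useful than a one-off chmod. The shell functions below are an added example, not part of the iDirect scripts. The first applies the guide's own find test (-perm /137: any of owner execute, group write or execute, other read, write or execute set means the mode exceeds 640) to a directory and optionally fixes what it finds. The second checks the create directives of a logrotate configuration so that rotated files are not created more permissive than 640; that logrotate is what creates the rotated files on these servers is an assumption, since the guide does not say which configuration options its scripts adjust. The directory and configuration paths are parameters; /var/log and the logrotate configuration files are what you would pass on a hub server.

```shell
#!/bin/sh
# Added example, not from the iDirect STIG package: audit log file modes against
# the GEN001260 ceiling of 640 and check how rotated files will be created.
# "-perm /137" is the guide's own test: any of owner x (1), group wx (3) or
# other rwx (7) set means the mode exceeds rw-r-----.

# log_perm_audit DIR [apply]
# Prints "MODE PATH" for each regular file under DIR that is more permissive
# than 640. With "apply" as the second argument each one is also chmod'ed to
# 640. Only regular files are reported: symlinks and directories are untouched.
log_perm_audit() {
    dir=$1; action=${2:-report}
    find "$dir" -type f -perm /137 | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(stat -c %a "$f")" "$f"
        if [ "$action" = apply ]; then chmod 640 "$f"; fi
    done
}

# logrotate_create_check CONF...
# Prints "FILE:LINE: create ..." for every logrotate "create MODE owner group"
# directive whose MODE is more permissive than 640. Assumes rotated logs are
# created by logrotate (an assumption about the system); a create directive
# without a mode inherits the old file's mode and is not checked here.
logrotate_create_check() {
    awk '
        function permissive(m,    o, g, w) {
            m = substr(m, length(m) - 2)                  # last three octal digits
            o = substr(m, 1, 1) + 0; g = substr(m, 2, 1) + 0; w = substr(m, 3, 1) + 0
            return (o % 2) || (g % 4) || w                # owner x, group wx, other any
        }
        $1 == "create" && $2 ~ /^0?[0-7][0-7][0-7]$/ && permissive($2) {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
        }' "$@"
}

# On a hub server, as root:
#   log_perm_audit /var/log            # report only
#   log_perm_audit /var/log apply      # report and fix
#   logrotate_create_check /etc/logrotate.conf /etc/logrotate.d/*
```

Run the report form first and review the list, as step 2 of the procedure says: some files under /var/log are shared with other services and a blanket chmod can break them.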

7. STIG Exceptions
iDirect servers are not compliant with the PDIs listed in this section. Complying with the PDIs
in this list will interfere with the normal operations of iDirect networks. For complete
definitions of these PDIs, see the UNIX Security Technical Implementation Guide.
Note: iDirect does not support customer updates of any Operating System installed
software. For example, customer upgrades to openssl or any other software
package are not supported.

Table 1. List of UNIX STIG PDIs Not Supported on iDirect Servers

PDI Exceptions   Description
GEN000120        Vendor Recommended and Security Patches are not installed or are out-of-date.
GEN000760        An account is not locked after 35 days of inactivity.
GEN001560*       User directories contain undocumented non-startup files with access
                 permissions greater than 750.
GEN006640        An approved DoD virus scan program is not used and/or updated.

*GEN001560 is an exception only on the NMS server, not on the protocol processor
blades.

8. PDIs Not Enforced by iDirect


Not all PDIs are directly enforced on iDirect systems as part of the STIG feature. Some
unenforced PDIs are not applicable to iDirect servers. Others describe policies, periodic
procedures, or utilities (such as auditing tools) that are the responsibility of the Security
Administrator (SA) and are therefore outside of the scope of the iDirect STIG feature. You are
free to enforce these PDIs as required by your policies. For definitions of PDIs that are the
responsibility of the SA, see the UNIX Security Technical Implementation Guide.
The PDIs discussed here differ from the PDI exceptions listed in STIG Exceptions on page 6,
since compliance with the exceptions would interfere with normal operations of iDirect
systems.

9. Explanation of Specific Open Findings


This section provides an explanation of a number of open findings not fixed by the iDirect
scripts. These open findings may appear after running the STIG scripts. Only CAT I and CAT II
open findings are documented.

9.1 CAT I Open Findings

2001-A-0013: Ssh is vulnerable to a remote integer overflow.
Resolution: False Positive
Vulnerable Systems:
OpenSSH 1.2, 1.2.1 - 1.2.3
OpenSSH 2.1, 2.1.1, 2.2.0
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

2002-T-0011: There are vulnerabilities in the OpenSSH Challenge Response Handling routine.
Resolution: False Positive
Vulnerable Systems:
OpenSSH: Versions 2.3.1p1 through version 3.3 are vulnerable.
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

2003-A-0015: There are multiple vulnerabilities in OpenSSL.
Resolution: False Positive
Vulnerable Systems:
OpenSSL Project OpenSSL 0.9.6, 0.9.6a, 0.9.6b, 0.9.6c, 0.9.6d, 0.9.6e, 0.9.6g, 0.9.6h, 0.9.6i,
0.9.6j, 0.9.7, 0.9.7a, 0.9.7b, 0.9.7 beta1, 0.9.7 beta2, 0.9.7 beta3
The version of openssl we provide is greater than or equal to 0.9.8e-12.el5_4.6.

2009-T-0024: Multiple Vulnerabilities in Linux Kernel.
Resolution: False Positive
The Unix Checklist states:
Compliance Checking:
Red Hat Enterprise Linux 3 is vulnerable to CVE-2009-1265. RHEL4 and RHEL5 are not.
However, this IAVA does cover more than one CVE. A response from the Red Hat
Knowledge base indicates RHEL3 will not be patched and it will always be a finding on
the system. RHEL4 does not appear to have any fixes, so this will be a finding. Execute
uname -a to determine the kernel version. RHEL5 does have a kernel update for the CIFS
vulnerability. If the kernel version is less than 2.6.18-128.1.14.el5, this is a finding.
The kernel version we provide is greater than 2.6.18-128.1.14.el5.

2010-A-0041: Multiple Apache HTTP Server Vulnerabilities


Resolution: False Positive
CVE-2010-0408
Fixed by Red Hat in version 2.2.3-31.el5_4.4 or later. We provide a later release.
Source: https://rhn.redhat.com/errata/RHSA-2010-0168.html

2010-A-0050: OpenSSL Remote Denial of Service Vulnerability.


Resolution: False Positive
CVE-2010-0740
Official Statement from Red Hat (03/24/2010):
Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat
Enterprise Linux 3, 4, or 5.
Source: https://www.redhat.com/security/data/cve/CVE-2010-0740.html

2010-A-0099: Multiple Vulnerabilities in Apache httpd


Resolution: False Positive
iDirect servers currently run version 2.2.3-53 of the Apache httpd daemon. Based on the
problem description from the Apache Web site this issue was not introduced until version
2.2.9 and only affects the Windows, NetWare and OS/2 operating systems. Therefore this
finding is not applicable to servers supplied by iDirect.
Source: http://httpd.apache.org/security/vulnerabilities_22.html

9.2 CAT II Open Findings

2001-T-0017: The OpenSSH UseLogin feature has Multiple Vulnerabilities.
Resolution: False Positive
Vulnerable Systems:
OpenSSH versions prior to 2.1.1
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

2003-T-0020: OpenSSH buffer mismanagement and multiple portable OpenSSH PAM
vulnerabilities
Resolution: False Positive
Vulnerable Systems:
OpenSSH versions prior to 3.7.1
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.
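Every version-based finding above is closed by the same argument: the installed package is at or past the version in which the issue was fixed. An auditor will want that argument checked on the server rather than read off this page, and the comparison has to follow rpm's rules (numeric segments compared as numbers, alphabetic segments lexically, version before release), since a plain string or numeric comparison gets strings such as 4.3p2-41.el5 wrong. The shell functions below are an added example, not part of the iDirect guide or scripts: an rpm-style version comparison written in awk, a wrapper that queries rpm for the installed version-release, and a check of the running kernel for the 2009-T-0024 threshold. Epochs and the "~" pre-release marker are not handled, which is an assumption that holds for the version strings quoted in this section.

```shell
#!/bin/sh
# Added example, not part of the iDirect STIG package: confirm on the server
# that an installed package is at or past the version in which an IAVA finding
# was fixed, which is the evidence behind each "False Positive" above.
# rpm_vercmp reimplements rpm's label comparison for RHEL5-style strings:
# version and release are compared separately, numeric runs numerically,
# alphabetic runs lexically, and a numeric run outranks an alphabetic one.
# Epochs and the "~" pre-release marker are not handled (assumption).

# rpm_vercmp A B  -> prints -1, 0 or 1 as A is older than, equal to or newer than B
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
        # Split a label into alternating digit and letter runs; other characters
        # (".", "-", "_", "+") are separators only.
        function tokenize(s, out,    n) {
            n = 0
            while (length(s) > 0) {
                if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                    out[++n] = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
                } else {
                    s = substr(s, 2)
                }
            }
            return n
        }
        function segcmp(x, y,    xn, yn) {
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && yn) return (x + 0 > y + 0) - (x + 0 < y + 0)
            if (xn != yn) return xn ? 1 : -1      # numeric outranks alphabetic
            return (x > y) - (x < y)              # both alphabetic: lexical
        }
        function labelcmp(x, y,    tx, ty, nx, ny, i, r) {
            nx = tokenize(x, tx); ny = tokenize(y, ty)
            for (i = 1; i <= nx && i <= ny; i++) {
                r = segcmp(tx[i], ty[i]); if (r != 0) return r
            }
            return (nx > ny) - (nx < ny)          # segments left over: newer
        }
        # "VERSION-RELEASE" splits at the first "-"; rpm versions never contain one.
        function split_vr(s, vr,    p) {
            p = index(s, "-")
            if (p) { vr[1] = substr(s, 1, p - 1); vr[2] = substr(s, p + 1) }
            else   { vr[1] = s; vr[2] = "" }
        }
        BEGIN {
            split_vr(a, va); split_vr(b, vb)
            r = labelcmp(va[1], vb[1])
            if (r == 0) r = labelcmp(va[2], vb[2])
            print r
        }'
}

# installed_at_least PKG MINVER
# Prints the newest installed version-release of PKG and returns 0 if it is
# MINVER or newer, 1 if older, 2 if PKG is not installed.
installed_at_least() {
    rpm -q "$1" > /dev/null 2>&1 || return 2
    best=
    for v in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"); do   # several for kernels
        if [ -z "$best" ] || [ "$(rpm_vercmp "$v" "$best")" -gt 0 ]; then best=$v; fi
    done
    printf '%s %s\n' "$1" "$best"
    [ "$(rpm_vercmp "$best" "$2")" -ge 0 ]
}

# running_kernel_at_least MINVER -> 0 if the booted kernel (uname -r) is MINVER or newer
running_kernel_at_least() {
    [ "$(rpm_vercmp "$(uname -r)" "$1")" -ge 0 ]
}

# Thresholds quoted in this section, as run on a hub server:
#   installed_at_least openssh 4.3p2-41.el5      && echo "2001-A-0013, 2002-T-0011: false positive"
#   installed_at_least openssl 0.9.8e-12.el5_4.6 && echo "2003-A-0015: false positive"
#   installed_at_least httpd   2.2.3-31.el5_4.4  && echo "2010-A-0041: false positive"
#   running_kernel_at_least 2.6.18-128.1.14.el5  && echo "2009-T-0024: false positive"
```

The kernel check uses uname -r rather than the rpm database on purpose: a newer kernel package that has been installed but not booted does not close 2009-T-0024, and the guide requires a reboot after hardening for the same reason.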

GEN001020: The root account is logged onto directly.
Resolution: False Positive
This may show up as an open finding if the root account was logged onto directly before the
idirect_stig package was installed. The government-provided SRR script checks for
unauthorized log ons using the last command. This views historical data and doesn't reflect
the machine's current state.
To eliminate the false positive finding, you can empty the file /var/log/wtmp as
follows:
cp /var/log/wtmp /var/log/wtmp.bak
cat /dev/null > /var/log/wtmp

WARNING! This will reset the output of the last command.


GEN001060: Successful and unsuccessful accesses to the root account are not
logged.
Resolution: False Positive
This may show up as an open finding if no user ever executed the su - command.
To eliminate the false positive finding, you can do the following:
1. Log on as a user other than the root user.
2. Execute the following command to log on to the root account:
su -

2008-A-0011: SQL Injection in Cisco Unified Communications Manager


Resolution: False Positive
The Cisco Unified Communications Manager is not installed on iDirect server platforms. The
SRR script that generates this finding merely checks that the Operating System being run is
Linux. If so, it generates this open finding and marks it for manual review.

10. Open Findings Fixed by the STIG Scripts

Table 2 contains a list of the UNIX STIG recommendations addressed by the iDirect scripts.
When the scripts are executed on an iDirect server, the server is modified to comply with the
recommendations described in this table.

Table 2. Open Findings Fixed by iDirect Scripts

PDI         Description
GEN000020   The UNIX host is bootable in single user mode without a password.
GEN000040   The UNIX host is not configured to require a password when booted to single-user
            mode and is not documented.
GEN000060   The UNIX host cannot be configured to require a password when booted to
            single-user mode and is not located in a controlled access area.
GEN000460   After three consecutive unsuccessful login attempts the account is not disabled.
GEN000480   The login delay between login prompts after a failed login is set to less than four
            seconds.
GEN000540   Passwords can be changed more than once every 24 hours.
GEN000580   A password does not contain a minimum of 14 characters.
GEN000600   A password does not contain at least one upper case and one lower case character.
GEN000620   A password does not contain at least one numeric character.
GEN000640   A password does not contain at least one special character.
GEN000700   Passwords are not changed at least every 60 days.
GEN000800   Passwords are reused within the last five changes.
GEN000820   Global password configuration files are not configured per guidelines.
GEN000980   The root account can be directly logged into from other than the system console.
GEN001260   System log file permissions are more permissive than 640.
GEN001280   Manual page file permissions are more permissive than 644.
GEN001880   Local initialization files are more permissive than 740.
GEN002560   The system and user default umask is not 077.
GEN002680   System audit logs are readable by unauthorized users.
GEN002700   System audit logs are more permissive than 640.
GEN002720   The audit system is not configured to audit failed attempts to access files and
            programs.
GEN002740   The audit system is not configured to audit files and programs deleted by the user.
GEN002760   The audit system is not configured to audit all administrative, privileged, and
            security actions.
GEN002960   Access to the cron utility is not controlled via the cron.allow and/or cron.deny files.
GEN003080   Crontab files are more permissive than 600 (700 on some linux systems).
GEN003320   Default accounts are listed in the at.allow file.
GEN003600   Network parameters are not securely set.
GEN004000   The traceroute command is more permissive than 700.
GEN004540   The sendmail help command is not disabled.
GEN004560   The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask
            the version.
GEN004640   The sendmail decode command is not disabled.
GEN005320   The snmpd.conf file is more permissive than 700.
GEN005360   The snmpd.conf file is not owned by root and group owned by sys or the application.
GEN005400   The /etc/syslog.conf is not owned by root or is more permissive than 640.
GEN005540   Encrypted communications are not configured for IP filtering and logon warning
            banners.
GEN006620   The access control program is not configured to grant and deny system access to
            specific hosts.
LNX00320    Special privilege accounts, such as shutdown and halt have not been deleted.
LNX00440    The /etc/login.access or /etc/security/access.conf file is more permissive than 640.
LNX00520    The /etc/sysctl.conf file is more permissive than 600.
