STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AC-6 — Least Privilege

CCI-000225

Definition

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned organizational tasks.

Parent Control

AC-6Least PrivilegeAccess Control

Linked STIG Checks (200)

V-25386CAT IIAccess to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.IBM Hardware Management Console (HMC) STIG V-256872CAT IIAccess to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.IBM Hardware Management Console (HMC) Security Technical Implementation Guide V-223468CAT IIThe CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization.IBM z/OS ACF2 Security Technical Implementation Guide V-1025CAT IIThe /etc/access.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1027CAT IIThe /etc/smb.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1028CAT IIThe /etc/smb.conf file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1029CAT IIThe /etc/smbpasswd file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1030CAT IIThe smb.conf file must use the hosts option to restrict access to Samba.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1054CAT IIThe /etc/access.conf file must have a privileged group owner.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1055CAT IIThe /etc/security/access.conf file must have mode 0640 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1056CAT IIThe /etc/smb.conf file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1058CAT IIThe smbpasswd file must be group-owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-1059CAT IIThe smbpasswd file must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11981CAT IIAll global initialization files must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11982CAT IIAll global initialization files must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11983CAT IIAll global initialization files must be group-owned by root, sys, bin, other, system, or the system default.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11984CAT IIAll skeleton files and directories (typically in /etc/skel) must be owned by root or bin.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11990CAT IIAll public directories must be group-owned by root or an application group.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11994CAT IICrontabs must be owned by root or the crontab creator.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11995CAT IIDefault system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-11997CAT IIIThe kernel core dump data directory must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-12011CAT IIAll FTP users must have a default umask of 077.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-12019CAT IIThe snmpd.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-12038CAT IIThe /etc/securetty file must be group-owned by root, sys, or bin.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-12039CAT IIThe /etc/securetty file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-12040CAT IIThe /etc/securetty file must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22294CAT IIThe time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22295CAT IIThe time synchronization file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22296CAT IIThe time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22297CAT IIThe time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22309CAT IIThe root accounts home directory must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22313CAT IIAll network services daemon files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22316CAT IIIAll manual page files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22318CAT IINIS/NIS+/yp command files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22319CAT IIThe /etc/resolv.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22320CAT IIThe /etc/resolve.conf file must be group-owned by root, bin, sys or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22321CAT IIThe /etc/resolv.conf file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22322CAT IIThe /etc/resolv.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22323CAT IIThe /etc/hosts file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22324CAT IIThe /etc/hosts file must be group-owned by root, bin, sys or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22325CAT IIThe /etc/hosts file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22326CAT IIThe /etc/hosts file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22327CAT IIThe /etc/nsswitch.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22328CAT IIThe /etc/nsswitch.conf file must be group-owned by root, bin, sys or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22329CAT IIThe /etc/nsswitch.conf file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22330CAT IIThe /etc/nsswitch.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22332CAT IIThe /etc/passwd file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22333CAT IIThe /etc/passwd file must be group-owned by root, bin, sys or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22334CAT IIThe /etc/passwd file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22335CAT IIThe /etc/group file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22336CAT IIThe /etc/group file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22337CAT IIThe /etc/group file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22338CAT IIThe /etc/group file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22339CAT IIThe /etc/shadow file (or equivalent) must be group-owned by root, bin, sys, or shadow.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22340CAT IIThe /etc/shadow file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22348CAT IIThe /etc/group file must not contain any group password hashes.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22350CAT IIIUser home directories must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22351CAT IIAll files and directories contained in user home directories must be group-owned by a group of which the home directorys owner is a member.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22352CAT IIAll files and directories contained in user home directories must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22353CAT IIAll run control scripts must have no extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22356CAT IIAll global initialization files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22357CAT IISkeleton files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22358CAT IIAll skeleton files (typically in /etc/skel) must be group-owned by root, bin or sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22361CAT IILocal initialization files must be group-owned by the users primary group or root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22362CAT IILocal initialization files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22365CAT IIAll shell files must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22366CAT IIAll shell files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22384CAT IIThe cron.allow file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22385CAT IICrontab files must be group-owned by root, cron, or the crontab creators primary group.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22386CAT IICrontab files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22387CAT IICron and crontab directories must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22388CAT IIThe cron log files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22389CAT IIThe cron.deny file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22390CAT IIThe at.allow file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22391CAT IIThe cron.allow file must be group-owned by root, bin, sys, or cron.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22392CAT IIThe at.deny file must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22393CAT IIThe at.deny file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22394CAT IIThe cron.deny file must be group-owned by root, bin, sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22395CAT IIThe at directory must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22396CAT IIThe atjobs directory must be group-owned by root, bin, daemon, sys, or at.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22397CAT IIThe at.allow file must be group-owned by root, bin, sys, or cron.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22398CAT IIThe at.deny file must be group-owned by root, bin, sys, or cron.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22399CAT IIIThe system must be configured to store any process core dumps in a specific, centralized directory.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22400CAT IIIThe centralized process core dump data directory must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22401CAT IIIThe centralized process core dump data directory must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22402CAT IIIThe centralized process core dump data directory must have mode 0700 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22403CAT IIIThe centralized process core dump data directory must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22405CAT IIIThe kernel core dump data directory must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22406CAT IIIThe kernel core dump data directory must have mode 0700 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22407CAT IIIThe kernel core dump data directory must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22408CAT IINetwork interfaces must not be configured to allow user control.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22423CAT IIThe inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22424CAT IIThe inetd.conf and xinetd.conf files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22425CAT IIThe xinetd.d directory must have mode 0755 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22426CAT IIThe xinetd.d directory must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22427CAT IIThe services file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22428CAT IIThe services file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22435CAT IIThe hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22436CAT IIThe hosts.lpd (or equivalent) file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22437CAT IIThe traceroute file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22438CAT IIThe aliases file must be group-owned by root, sys, bin, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22439CAT IIThe alias file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22440CAT IIFiles executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22441CAT IIFiles executed through a mail aliases file must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22442CAT IIThe SMTP service log file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22444CAT IIThe ftpusers file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22445CAT IIThe ftpusers file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22446CAT IIThe .Xauthority files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22450CAT IIManagement Information Base (MIB) files must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22451CAT IIThe snmpd.conf file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22452CAT IIThe snmpd.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22453CAT IIThe /etc/syslog.conf file must have mode 0640 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22454CAT IIThe /etc/syslog.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22470CAT IIThe SSH daemon must restrict login ability to specific users and/or groups.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22471CAT IIThe SSH public host key files must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22472CAT IIThe SSH private host key files must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22485CAT IIThe SSH daemon must perform strict mode checking of home directory configuration files.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22486CAT IIThe SSH daemon must use privilege separation.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22492CAT IIThe Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22493CAT IIIThe Network File System (NFS) exports configuration file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22496CAT IIAll Network File System (NFS) exported system files and system directories must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22497CAT IIThe /etc/smb.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22498CAT IIThe /etc/smbpasswd file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22502CAT IIThe /etc/news/incoming.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22503CAT IIThe /etc/news/hosts.nntp.nolimit file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22504CAT IIThe /etc/news/nnrp.access file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22505CAT IIThe /etc/news/passwd.nntp file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22559CAT IIIf the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22560CAT IIIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22561CAT IIIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22562CAT IIIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22563CAT IIIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22564CAT IIIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22565CAT IIIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22566CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22567CAT IIFor systems using NSS LDAP, the TLS certificate file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22568CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22569CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22570CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22571CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22572CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, or sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22573CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22574CAT IIIf the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22585CAT IIThe systems boot loader configuration file(s) must not have extended ACLs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22586CAT IIThe systems boot loader configuration files must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22587CAT IIThe systems boot loader configuration file(s) must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22595CAT IIThe /etc/security/access.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-22596CAT IIThe /etc/sysctl.conf file must not have an extended ACL.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-29289CAT IIFiles in cron script directories must have mode 0700 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-35025CAT IIThe /etc/rsyslog.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-35026CAT IIThe /etc/rsyslog.conf file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4087CAT IIUser start-up files must not execute world-writable programs.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4089CAT IIAll system start-up files must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4090CAT IIAll system start-up files must be group-owned by root, sys, bin, other, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4091CAT IISystem start-up files must only execute programs owned by a privileged UID or an application.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4250CAT IIThe systems boot loader configuration file(s) must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4268CAT IThe system must not have special privilege accounts, such as shutdown and halt.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4273CAT IIThe /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4274CAT IIThe /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4275CAT IIThe /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4276CAT IIThe /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4277CAT IIFiles in /etc/news must be owned by root or news.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4278CAT IIThe files in /etc/news must be group-owned by root or news.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4334CAT IIThe /etc/sysctl.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4335CAT IIThe /etc/sysctl.conf file must be group-owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4336CAT IIThe /etc/sysctl.conf file must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4339CAT IThe Linux NFS Server must not have the insecure file locking option.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4346CAT IIThe Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4358CAT IIThe cron.deny file must have mode 0600 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4360CAT IIICron programs must not set the umask to a value less restrictive than 077.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4361CAT IIThe cron.allow file must be owned by root, bin, or sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4364CAT IIThe at directory must have mode 0755 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4365CAT IIThe atjobs directory must be owned by root, bin, daemon or at.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4366CAT IIAt jobs must not set the umask to a value less restrictive than 077.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4367CAT IIThe at.allow file must be owned by root, bin, or sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4368CAT IIThe at.deny file must be owned by root, bin, or sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4369CAT IIThe traceroute command owner must be root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4370CAT IIThe traceroute command must be group-owned by sys, bin, root, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4371CAT IIThe traceroute file must have mode 0700 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4382CAT IAdministrative accounts must not run a web browser, except as needed for local service administration.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4387CAT IAnonymous FTP accounts must not have a functional shell.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4393CAT IIThe /etc/rsyslog.conf file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4394CAT IIThe /etc/rsyslog.conf file must be group-owned by root, bin, sys, or system.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4428CAT IIAll .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4430CAT IIThe cron.deny file must be owned by root, bin, or sys.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4695CAT IAny active TFTP daemon must be authorized and approved in the system accreditation package.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-4697CAT IX displays must not be exported to the world.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-769CAT IIThe root user must not own the logon session for an application requiring a continuous display.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-775CAT IIThe root accounts home directory (other than /) must have mode 0700.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-784CAT IISystem files and directories must not have uneven access permissions.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-786CAT IIAll network services daemon files must have mode 0755 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-788CAT IIAll skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-789CAT IINIS/NIS+/yp files must be owned by root, sys, or bin.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-790CAT IINIS/NIS+/yp files must be group-owned by root, sys, or bin.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-791CAT IIThe NIS/NIS+/yp command files must have mode 0755 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-792CAT IIIManual page files must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-797CAT IIThe /etc/shadow (or equivalent) file must be owned by root.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-798CAT IIThe /etc/passwd file must have mode 0644 or less permissive.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-800CAT IIThe /etc/shadow (or equivalent) file must have mode 0400.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-805CAT IIRemovable media, remote file systems, and any file system not containing approved setuid files must be mounted with the nosuid option.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide