STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

  • Version: V1R12
  • Benchmark ID: SuSe_zLinux
  • Total Checks: 550
  • Tags: linux
  • Severity breakdown: CAT I: 24, CAT II: 460, CAT III: 66

The SUSE Linux Enterprise Server Ver 11 for System z Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil


Checks (550)

  • V-1010 [MEDIUM] Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
  • V-1011 [LOW] Inetd or xinetd logging/tracing must be enabled.
  • V-1023 [MEDIUM] The system must not run an Internet Network News (INN) server.
  • V-1025 [MEDIUM] The /etc/access.conf file must be owned by root.
  • V-1026 [MEDIUM] The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
  • V-1027 [MEDIUM] The /etc/smb.conf file must be owned by root.
  • V-1028 [MEDIUM] The /etc/smb.conf file must have mode 0644 or less permissive.
  • V-1029 [MEDIUM] The /etc/smbpasswd file must be owned by root.
  • V-1030 [MEDIUM] The smb.conf file must use the hosts option to restrict access to Samba.
  • V-1032 [MEDIUM] Users must not be able to change passwords more than once every 24 hours.
  • V-1046 [HIGH] Root passwords must never be passed over a network in clear text form.
  • V-1047 [MEDIUM] The system must not permit root logins using remote access programs such as ssh.
  • V-1054 [MEDIUM] The /etc/access.conf file must have a privileged group owner.
  • V-1055 [MEDIUM] The /etc/security/access.conf file must have mode 0640 or less permissive.
  • V-1056 [MEDIUM] The /etc/smb.conf file must be group-owned by root, bin, sys, or system.
  • V-1058 [MEDIUM] The smbpasswd file must be group-owned by root.
  • V-1059 [MEDIUM] The smbpasswd file must have mode 0600 or less permissive.
  • V-1062 [LOW] The root shell must be located in the / file system.
  • V-11940 [HIGH] The operating system must be a supported release.
  • V-11945 [MEDIUM] A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
  • V-11946 [MEDIUM] UIDs reserved for system accounts must not be assigned to non-system accounts.
  • V-11947 [MEDIUM] The system must require passwords contain a minimum of 15 characters.
  • V-11948 [MEDIUM] The system must require passwords contain at least one uppercase alphabetic character.
  • V-11972 [MEDIUM] The system must require passwords contain at least one numeric character.
  • V-11973 [MEDIUM] The system must require passwords contain at least one special character.
  • V-11975 [MEDIUM] The system must require passwords contain no more than three consecutive repeating characters.
  • V-11976 [MEDIUM] User passwords must be changed at least every 60 days.
  • V-11977 [MEDIUM] All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
  • V-11979 [MEDIUM] The root account must not be used for direct log in.
  • V-11980 [MEDIUM] The system must log successful and unsuccessful access to the root account.
  • V-11981 [MEDIUM] All global initialization files must have mode 0644 or less permissive.
  • V-11982 [MEDIUM] All global initialization files must be owned by root.
  • V-11983 [MEDIUM] All global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
  • V-11984 [MEDIUM] All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
  • V-11985 [MEDIUM] All global initialization files' executable search paths must contain only absolute paths.
  • V-11986 [MEDIUM] All local initialization files' executable search paths must contain only absolute paths.
  • V-11987 [MEDIUM] The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
  • V-11988 [HIGH] There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
  • V-11989 [MEDIUM] The .rhosts file must not be supported in PAM.
  • V-11990 [MEDIUM] All public directories must be group-owned by root or an application group.
  • V-11994 [MEDIUM] Crontabs must be owned by root or the crontab creator.
  • V-11995 [MEDIUM] Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
  • V-11996 [LOW] Process core dumps must be disabled unless needed.
  • V-11997 [LOW] The kernel core dump data directory must be owned by root.
  • V-11999 [MEDIUM] The system must implement non-executable program stacks.
  • V-12002 [MEDIUM] The system must not forward IPv4 source-routed packets.
  • V-12003 [LOW] A separate file system must be used for user home directories (such as /home or an equivalent).
  • V-12004 [MEDIUM] The system must log informational authentication data.
  • V-12005 [MEDIUM] Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
  • V-12006 [MEDIUM] The SMTP service HELP command must not be enabled.
  • V-12010 [MEDIUM] Unencrypted FTP must not be used on the system.
  • V-12011 [MEDIUM] All FTP users must have a default umask of 077.
  • V-12019 [MEDIUM] The snmpd.conf file must be owned by root.
  • V-12020 [MEDIUM] The system must not be used as a syslog server (loghost) for systems external to the enclave.
  • V-12021 [MEDIUM] The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
  • V-12022 [MEDIUM] The SSH daemon must be configured for IP filtering.
  • V-12023 [MEDIUM] IP forwarding for IPv4 must not be enabled, unless the system is a router.
  • V-12024 [MEDIUM] The system must not have a public Instant Messaging (IM) client installed.
  • V-12025 [MEDIUM] The system must not have any peer-to-peer file-sharing application installed.
  • V-12026 [MEDIUM] NIS maps must be protected through hard-to-guess domain names.
  • V-12028 [MEDIUM] The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
  • V-12030 [MEDIUM] The system's access control program must be configured to grant or deny system access to specific hosts.
  • V-12038 [MEDIUM] The /etc/securetty file must be group-owned by root, sys, or bin.
  • V-12039 [MEDIUM] The /etc/securetty file must be owned by root.
  • V-12040 [MEDIUM] The /etc/securetty file must have mode 0600 or less permissive.
  • V-12049 [MEDIUM] Network analysis tools must not be installed.
  • V-12765 [MEDIUM] The system must use and update a virus scan program.
  • V-22290 [MEDIUM] The system clock must be synchronized continuously, or at least daily.
  • V-22291 [MEDIUM] The system must use at least two time sources for clock synchronization.
  • V-22292 [LOW] The system must use time sources that are local to the enclave.
  • V-22294 [MEDIUM] The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
  • V-22295 [MEDIUM] The time synchronization file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
  • V-22296 [MEDIUM] The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
  • V-22297 [MEDIUM] The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
  • V-22298 [LOW] The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
  • V-22299 [LOW] The system must display the date and time of the last successful account login upon login.
  • V-22302 [MEDIUM] The system must enforce compliance of the entire password during authentification.
  • V-22303 [MEDIUM] The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
  • V-22304 [MEDIUM] The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
  • V-22305 [MEDIUM] The system must require passwords contain at least one lowercase alphabetic character.
  • V-22306 [MEDIUM] The system must require at least eight characters be changed between the old and new passwords during a password change.
  • V-22307 [MEDIUM] The system must prevent the use of dictionary words for passwords.
  • V-22308 [LOW] The system must restrict the ability to switch to the root user to members of a defined group.
  • V-22309 [MEDIUM] The root account's home directory must not have an extended ACL.
  • V-22310 [MEDIUM] The root account's library search path must be the system default and must contain only absolute paths.
  • V-22311 [MEDIUM] The root account's list of preloaded libraries must be empty.
  • V-22312 [MEDIUM] All files and directories must have a valid group-owner.
  • V-22313 [MEDIUM] All network services daemon files must not have extended ACLs.
  • V-22314 [MEDIUM] All system command files must not have extended ACLs.
  • V-22315 [MEDIUM] System log files must not have extended ACLs, except as needed to support authorized software.
  • V-22316 [LOW] All manual page files must not have extended ACLs.
  • V-22317 [MEDIUM] All library files must not have extended ACLs.
  • V-22318 [MEDIUM] NIS/NIS+/yp command files must not have extended ACLs.
  • V-22319 [MEDIUM] The /etc/resolv.conf file must be owned by root.
  • V-22320 [MEDIUM] The /etc/resolve.conf file must be group-owned by root, bin, sys or system.
  • V-22321 [MEDIUM] The /etc/resolv.conf file must have mode 0644 or less permissive.
  • V-22322 [MEDIUM] The /etc/resolv.conf file must not have an extended ACL.
  • V-22323 [MEDIUM] The /etc/hosts file must be owned by root.
  • V-22324 [MEDIUM] The /etc/hosts file must be group-owned by root, bin, sys or system.
  • V-22325 [MEDIUM] The /etc/hosts file must have mode 0644 or less permissive.
  • V-22326 [MEDIUM] The /etc/hosts file must not have an extended ACL.
  • V-22327 [MEDIUM] The /etc/nsswitch.conf file must be owned by root.
  • V-22328 [MEDIUM] The /etc/nsswitch.conf file must be group-owned by root, bin, sys or system.
  • V-22329 [MEDIUM] The /etc/nsswitch.conf file must have mode 0644 or less permissive.
  • V-22330 [MEDIUM] The /etc/nsswitch.conf file must not have an extended ACL.
  • V-22331 [LOW] For systems using DNS resolution, at least two name servers must be configured.
  • V-22332 [MEDIUM] The /etc/passwd file must be owned by root.
  • V-22333 [MEDIUM] The /etc/passwd file must be group-owned by root, bin, sys or system.
  • V-22334 [MEDIUM] The /etc/passwd file must not have an extended ACL.
  • V-22335 [MEDIUM] The /etc/group file must be owned by root.
  • V-22336 [MEDIUM] The /etc/group file must be group-owned by root, bin, sys, or system.
  • V-22337 [MEDIUM] The /etc/group file must have mode 0644 or less permissive.
  • V-22338 [MEDIUM] The /etc/group file must not have an extended ACL.
  • V-22339 [MEDIUM] The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys, or shadow.
  • V-22340 [MEDIUM] The /etc/shadow file must not have an extended ACL.
  • V-22347 [MEDIUM] The /etc/passwd file must not contain password hashes.
  • V-22348 [MEDIUM] The /etc/group file must not contain any group password hashes.
  • V-22350 [LOW] User home directories must not have extended ACLs.
  • V-22351 [MEDIUM] All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
  • V-22352 [MEDIUM] All files and directories contained in user home directories must not have extended ACLs.
  • V-22353 [MEDIUM] All run control scripts must have no extended ACLs.
  • V-22354 [MEDIUM] Run control scripts' library search paths must contain only absolute paths.
  • V-22355 [MEDIUM] Run control scripts' lists of preloaded libraries must contain only absolute paths.
  • V-22356 [MEDIUM] All global initialization files must not have extended ACLs.
  • V-22357 [MEDIUM] Skeleton files must not have extended ACLs.
  • V-22358 [MEDIUM] All skeleton files (typically in /etc/skel) must be group-owned by root, bin or sys.
  • V-22359 [MEDIUM] Global initialization files' library search paths must contain only absolute paths.
  • V-22360 [MEDIUM] Global initialization files' lists of preloaded libraries must contain only absolute paths.
  • V-22361 [MEDIUM] Local initialization files must be group-owned by the user's primary group or root.
  • V-22362 [MEDIUM] Local initialization files must not have extended ACLs.
  • V-22363 [MEDIUM] Local initialization files' library search paths must contain only absolute paths.
  • V-22364 [MEDIUM] Local initialization files' lists of preloaded libraries must contain only absolute paths.
  • V-22365 [MEDIUM] All shell files must be group-owned by root, bin, sys, or system.
  • V-22366 [MEDIUM] All shell files must not have extended ACLs.
  • V-22368 [MEDIUM] Removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.
  • V-22369 [MEDIUM] All system audit files must not have extended ACLs.
  • V-22370 [LOW] System audit tool executables must be owned by root.
  • V-22371 [LOW] System audit tool executables must be group-owned by root, bin, sys, or system.
  • V-22372 [LOW] System audit tool executables must have mode 0750 or less permissive.
  • V-22373 [LOW] System audit tool executables must not have extended ACLs.
  • V-22374 [LOW] The audit system must alert the SA in the event of an audit processing failure.
  • V-22375 [MEDIUM] The audit system must alert the SA when the audit storage volume approaches its capacity.
  • V-22376 [LOW] The audit system must be configured to audit account creation.
  • V-22377 [LOW] The audit system must be configured to audit account modification.
  • V-22378 [LOW] The audit system must be configured to audit account disabling.
  • V-22382 [LOW] The audit system must be configured to audit account termination.
  • V-22383 [MEDIUM] The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
  • V-22384 [MEDIUM] The cron.allow file must not have an extended ACL.
  • V-22385 [MEDIUM] Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
  • V-22386 [MEDIUM] Crontab files must not have extended ACLs.
  • V-22387 [MEDIUM] Cron and crontab directories must not have extended ACLs.
  • V-22388 [MEDIUM] The cron log files must not have extended ACLs.
  • V-22389 [MEDIUM] The cron.deny file must not have an extended ACL.
  • V-22390 [MEDIUM] The at.allow file must not have an extended ACL.
  • V-22391 [MEDIUM] The cron.allow file must be group-owned by root, bin, sys, or cron.
  • V-22392 [MEDIUM] The at.deny file must have mode 0600 or less permissive.
  • V-22393 [MEDIUM] The at.deny file must not have an extended ACL.
  • V-22394 [MEDIUM] The cron.deny file must be group-owned by root, bin, sys.
  • V-22395 [MEDIUM] The at directory must not have an extended ACL.
  • V-22396 [MEDIUM] The atjobs directory must be group-owned by root, bin, daemon, sys, or at.
  • V-22397 [MEDIUM] The at.allow file must be group-owned by root, bin, sys, or cron.
  • V-22398 [MEDIUM] The at.deny file must be group-owned by root, bin, sys, or cron.
  • V-22399 [LOW] The system must be configured to store any process core dumps in a specific, centralized directory.
  • V-22400 [LOW] The centralized process core dump data directory must be owned by root.
  • V-22401 [LOW] The centralized process core dump data directory must be group-owned by root, bin, sys, or system.
  • V-22402 [LOW] The centralized process core dump data directory must have mode 0700 or less permissive.
  • V-22403 [LOW] The centralized process core dump data directory must not have an extended ACL.
  • V-22404 [MEDIUM] Kernel core dumps must be disabled unless needed.
  • V-22405 [LOW] The kernel core dump data directory must be group-owned by root, bin, sys, or system.
  • V-22406 [LOW] The kernel core dump data directory must have mode 0700 or less permissive.
  • V-22407 [LOW] The kernel core dump data directory must not have an extended ACL.
  • V-22408 [MEDIUM] Network interfaces must not be configured to allow user control.
  • V-22409 [LOW] The system must not process Internet Control Message Protocol (ICMP) timestamp requests.
  • V-22410 [MEDIUM] The system must not respond to Internet Control Message Protocol v4 (ICMPv4) echoes sent to a broadcast address.
  • V-22411 [MEDIUM] The system must not respond to Internet Control Message Protocol (ICMP) timestamp requests sent to a broadcast address.
  • V-22412 [MEDIUM] The system must not apply reversed source routing to TCP responses.
  • V-22413 [MEDIUM] The system must prevent local applications from generating source-routed packets.
  • V-22414 [MEDIUM] The system must not accept source-routed IPv4 packets.
  • V-22415 [MEDIUM] Proxy Address Resolution Protocol (Proxy ARP) must not be enabled on the system.
  • V-22416 [MEDIUM] The system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
  • V-22417 [MEDIUM] The system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
  • V-22418 [LOW] The system must log martian packets.
  • V-22419 [MEDIUM] The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
  • V-22421 [MEDIUM] The system must not be configured for network bridging.
  • V-22422 [LOW] All local file systems must employ journaling or another mechanism ensuring file system consistency.
  • V-22423 [MEDIUM] The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
  • V-22424 [MEDIUM] The inetd.conf and xinetd.conf files must not have extended ACLs.
  • V-22425 [MEDIUM] The xinetd.d directory must have mode 0755 or less permissive.
  • V-22426 [MEDIUM] The xinetd.d directory must not have an extended ACL.
  • V-22427 [MEDIUM] The services file must be group-owned by root, bin, sys, or system.
  • V-22428 [MEDIUM] The services file must not have an extended ACL.
  • V-22429 [MEDIUM] The portmap or rpcbind service must not be running unless needed.
  • V-22430 [MEDIUM] The portmap or rpcbind service must not be installed unless needed.
  • V-22431 [MEDIUM] The rshd service must not be installed.
  • V-22432 [MEDIUM] The rlogind service must not be running.
  • V-22433 [MEDIUM] The rlogind service must not be installed.
  • V-22434 [MEDIUM] The rexecd service must not be installed.
  • V-22435 [MEDIUM] The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
  • V-22436 [MEDIUM] The hosts.lpd (or equivalent) file must not have an extended ACL.
  • V-22437 [MEDIUM] The traceroute file must not have an extended ACL.
  • V-22438 [MEDIUM] The aliases file must be group-owned by root, sys, bin, or system.
  • V-22439 [MEDIUM] The alias file must not have an extended ACL.
  • V-22440 [MEDIUM] Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
  • V-22441 [MEDIUM] Files executed through a mail aliases file must not have extended ACLs.
  • V-22442 [MEDIUM] The SMTP service log file must not have an extended ACL.
  • V-22444 [MEDIUM] The ftpusers file must be group-owned by root, bin, sys, or system.
  • V-22445 [MEDIUM] The ftpusers file must not have an extended ACL.
  • V-22446 [MEDIUM] The .Xauthority files must not have extended ACLs.
  • V-22447 [MEDIUM] The SNMP service must use only SNMPv3 or its successors.
  • V-22448 [MEDIUM] The SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
  • V-22449 [MEDIUM] The SNMP service must require the use of a FIPS 140-2 approved encryption algorithm for protecting the privacy of SNMP messages.
  • V-22450 [MEDIUM] Management Information Base (MIB) files must not have extended ACLs.
  • V-22451 [MEDIUM] The snmpd.conf file must be group-owned by root, bin, sys, or system.
  • V-22452 [MEDIUM] The snmpd.conf file must not have an extended ACL.
  • V-22453 [MEDIUM] The /etc/syslog.conf file must have mode 0640 or less permissive.
  • V-22454 [MEDIUM] The /etc/syslog.conf file must not have an extended ACL.
  • V-22455 [MEDIUM] The system must use a remote syslog server (loghost).
  • V-22456 [MEDIUM] The SSH client must be configured to only use the SSHv2 protocol.
  • V-22457 [MEDIUM] The SSH daemon must only listen on management network addresses unless authorized for uses other than management.
  • V-22458 [MEDIUM] The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
  • V-22459 [MEDIUM] The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
  • V-22460 [MEDIUM] The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
  • V-22461 [MEDIUM] The SSH client must be configured to only use FIPS 140-2 approved ciphers.
  • V-22462 [MEDIUM] The SSH client must be configured to not use Cipher-Block Chaining (CBC)-based ciphers.
  • V-22463 [MEDIUM] The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
  • V-22470 [MEDIUM] The SSH daemon must restrict login ability to specific users and/or groups.
  • V-22471 [MEDIUM] The SSH public host key files must have mode 0644 or less permissive.
  • V-22472 [MEDIUM] The SSH private host key files must have mode 0600 or less permissive.
  • V-22473 [LOW] The SSH daemon must not permit GSSAPI authentication unless needed.
  • V-22474 [LOW] The SSH client must not permit GSSAPI authentication unless needed.
  • V-22475 [LOW] The SSH daemon must not permit Kerberos authentication unless needed.
  • V-22482 [LOW] The SSH daemon must limit connections to a single session.
  • V-22485 [MEDIUM] The SSH daemon must perform strict mode checking of home directory configuration files.
  • V-22486 [MEDIUM] The SSH daemon must use privilege separation.
  • V-22487 [MEDIUM] The SSH daemon must not allow rhosts RSA authentication.
  • V-22488 [MEDIUM] The SSH daemon must not allow compression or must only allow compression after successful authentication.
  • V-22489 [MEDIUM] The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
  • V-22490 [MEDIUM] The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
  • V-22491 [MEDIUM] The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
  • V-22492 [MEDIUM] The Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system.
  • V-22493 [LOW] The Network File System (NFS) exports configuration file must not have an extended ACL.
  • V-22496 [MEDIUM] All Network File System (NFS) exported system files and system directories must be group-owned by root, bin, sys, or system.
  • V-22497 [MEDIUM] The /etc/smb.conf file must not have an extended ACL.
  • V-22498 [MEDIUM] The /etc/smbpasswd file must not have an extended ACL.
  • V-22499 [MEDIUM] Samba must be configured to use an authentication mechanism other than share.
  • V-22500 [MEDIUM] Samba must be configured to use encrypted passwords.
  • V-22501 [MEDIUM] Samba must be configured to not allow guest access to shares.
  • V-22502 [MEDIUM] The /etc/news/incoming.conf file must not have an extended ACL.
  • V-22503 [MEDIUM] The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
  • V-22504 [MEDIUM] The /etc/news/nnrp.access file must not have an extended ACL.
  • V-22505 [MEDIUM] The /etc/news/passwd.nntp file must not have an extended ACL.
  • V-22506 [MEDIUM] The system package management tool must be used to verify system software periodically.
  • V-22507 [LOW] The file integrity tool must be configured to verify ACLs.
  • V-22508 [LOW] The file integrity tool must be configured to verify extended attributes.
  • V-22509 [LOW] The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
  • V-22511 [MEDIUM] The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
  • V-22514 [MEDIUM] The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
  • V-22517 [MEDIUM] The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
  • V-22520 [MEDIUM] The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
  • V-22524 [MEDIUM] The AppleTalk protocol must be disabled or not installed.
  • V-22530 [MEDIUM] The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
  • V-22533 [MEDIUM] The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
  • V-22539 [MEDIUM] The Bluetooth protocol handler must be disabled or not installed.
  • V-22541 [MEDIUM] The IPv6 protocol handler must not be bound to the network stack unless needed.
  • V-22542 [MEDIUM] The IPv6 protocol handler must be prevented from dynamic loading unless needed.
  • V-22545 [MEDIUM] The system must not have 6to4 enabled.
  • V-22546 [MEDIUM] The system must not have Teredo enabled.
  • V-22547 [MEDIUM] The system must not have IP tunnels configured.
  • V-22548 [MEDIUM] The DHCP client must be disabled if not needed.
  • V-22549 [MEDIUM] The DHCP client must not send dynamic DNS updates.
  • V-22550 [MEDIUM] The system must ignore IPv6 ICMP redirect messages.
  • V-22552 [MEDIUM] The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
  • V-22553 [MEDIUM] The system must not forward IPv6 source-routed packets.
  • V-22554 [MEDIUM] The system must not accept source-routed IPv6 packets.
  • V-22555 [MEDIUM] If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
  • V-22556 [MEDIUM] If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI.
  • V-22557 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA.
  • V-22558 [MEDIUM] If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked.
  • V-22559 [MEDIUM] If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
  • V-22560 [MEDIUM] If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
  • V-22561 [MEDIUM] If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
  • V-22562 [MEDIUM] If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
  • V-22563 [MEDIUM] If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
  • V-22564 [MEDIUM] If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.
  • V-22565 [MEDIUM] If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
  • V-22566 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
  • V-22567 [MEDIUM] For systems using NSS LDAP, the TLS certificate file must be owned by root.
  • V-22568 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.
  • V-22569 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
  • V-22570 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL.
  • V-22571 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
  • V-22572 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, or sys.
  • V-22573 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.
  • V-22574 [MEDIUM] If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.
  • V-22577 [LOW] Automated file system mounting tools must not be enabled unless needed.
  • V-22582 [MEDIUM] The system must employ a local firewall.
  • V-22583 [MEDIUM] The system's local firewall must implement a deny-all, allow-by-exception policy.
  • V-22585 [MEDIUM] The system's boot loader configuration file(s) must not have extended ACLs.
  • V-22586 [MEDIUM] The system's boot loader configuration files must be owned by root.
  • V-22587 [MEDIUM] The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
  • V-22588 [LOW] The system package management tool must cryptographically verify the authenticity of software packages during installation.
  • V-22589 [LOW] The system package management tool must not automatically obtain updates.
  • V-22595 [MEDIUM] The /etc/security/access.conf file must not have an extended ACL.
  • V-22596 [MEDIUM] The /etc/sysctl.conf file must not have an extended ACL.
  • V-22665 [MEDIUM] The system must not be running any routing protocol daemons, unless the system is a router.
  • V-22702 [MEDIUM] System audit logs must be group-owned by root, bin, sys, or system.
  • V-23732 [MEDIUM] The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
  • V-23736 [LOW] The system must use a separate file system for /var.
  • V-23738 [LOW] The system must use a separate file system for the system audit data path.
  • V-23739 [LOW] The system must use a separate file system for /tmp (or equivalent).
  • V-23741 [MEDIUM] TCP backlog queue sizes must be set appropriately.
  • V-23952 [MEDIUM] Mail relaying must be restricted.
  • V-23953 [MEDIUM] The ldd command must be disabled unless it protects against the execution of untrusted files.
  • V-23972 [MEDIUM] The system must not respond to ICMPv6 echo requests sent to a broadcast address.
  • V-24357 [LOW] The system must be configured to send audit records to a remote audit server.
  • V-24384 [MEDIUM] If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
  • V-24386 [HIGH] The telnet daemon must not be running.
  • V-27250 [MEDIUM] A file integrity baseline including cryptographic hashes must be created.
  • V-27251 [MEDIUM] A file integrity baseline including cryptographic hashes must be maintained.
  • V-27275 [MEDIUM] The system must not have the unnecessary news account.
  • V-27276 [MEDIUM] The system must not have the unnecessary gopher account.
  • V-27279 [MEDIUM] The system must not have the unnecessary ftp account.
  • V-29236 [MEDIUM] The audit system must be configured to audit failed attempts to access files and programs.
  • V-29237 [MEDIUM] The audit system must be configured to audit failed attempts to access files and programs.
  • V-29238 [MEDIUM] The audit system must be configured to audit failed attempts to access files and programs.
  • V-29239 [MEDIUM] The audit system must be configured to audit failed attempts to access files and programs.
  • V-29240 [MEDIUM] The audit system must be configured to audit file deletions.
  • V-29241 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29242 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29243 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29245 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29246 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29247 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29248 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29249 [MEDIUM] The audit system must be configured to audit all administrative, privileged, and security actions.
  • V-29250 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29251 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29252 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29253 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29255 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29257 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29259 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29261 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29272 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29274 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29275 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29279 [MEDIUM] The audit system must be configured to audit all discretionary access control permission modifications.
  • V-29281 [MEDIUM] The audit system must be configured to audit the loading and unloading of dynamic kernel modules - delete_module.
  • V-29284 [MEDIUM] The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/insmod.
  • V-29286 [MEDIUM] The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/modprobe.
  • V-29288 [MEDIUM] The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/rmmod.
  • V-29289 [MEDIUM] Files in cron script directories must have mode 0700 or less permissive.
  • V-29376 [MEDIUM] The system must not have the unnecessary games account.
  • V-34936 [MEDIUM] Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.
  • V-35025 [MEDIUM] The /etc/rsyslog.conf file must be owned by root.
  • V-35026 [MEDIUM] The /etc/rsyslog.conf file must be group-owned by root, bin, sys, or system.
  • V-4084 [MEDIUM] The system must prohibit the reuse of passwords within five iterations.
  • V-4087 [MEDIUM] User start-up files must not execute world-writable programs.
  • V-4089 [MEDIUM] All system start-up files must be owned by root.
  • V-4090 [MEDIUM] All system start-up files must be group-owned by root, sys, bin, other, or system.
  • V-4091 [MEDIUM] System start-up files must only execute programs owned by a privileged UID or an application.
  • V-4250 [MEDIUM] The system's boot loader configuration file(s) must have mode 0600 or less permissive.
  • V-4268 [HIGH] The system must not have special privilege accounts, such as shutdown and halt.
  • V-4269 [MEDIUM] The system must not have unnecessary accounts.
  • V-4273 [MEDIUM] The /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive.
  • V-4274 [MEDIUM] The /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.
  • V-4275 [MEDIUM] The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive.
  • V-4276 [MEDIUM] The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
  • V-4277 [MEDIUM] Files in /etc/news must be owned by root or news.
  • V-4278 [MEDIUM] The files in /etc/news must be group-owned by
root or news.V-4295HIGHThe SSH daemon must be configured to only use the SSHv2 protocol.V-4298MEDIUMRemote consoles must be disabled or protected from unauthorized access.V-4301MEDIUMThe system clock must be synchronized to an authoritative DoD time source.V-4304MEDIUMThe root file system must employ journaling or another mechanism ensuring file system consistency.V-4321MEDIUMThe system must not run Samba unless needed.V-4334MEDIUMThe /etc/sysctl.conf file must be owned by root.V-4335MEDIUMThe /etc/sysctl.conf file must be group-owned by root.V-4336MEDIUMThe /etc/sysctl.conf file must have mode 0600 or less permissive.V-4339HIGHThe Linux NFS Server must not have the insecure file locking option.V-4346MEDIUMThe Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.V-4357MEDIUMAudit logs must be rotated daily.V-4358MEDIUMThe cron.deny file must have mode 0600 or less permissive.V-4360LOWCron programs must not set the umask to a value less restrictive than 077.V-4361MEDIUMThe cron.allow file must be owned by root, bin, or sys.V-4364MEDIUMThe at directory must have mode 0755 or less permissive.V-4365MEDIUMThe atjobs directory must be owned by root, bin, daemon or at.V-4366MEDIUMAt jobs must not set the umask to a value less restrictive than 077.V-4367MEDIUMThe at.allow file must be owned by root, bin, or sys.V-4368MEDIUMThe at.deny file must be owned by root, bin, or sys.V-4369MEDIUMThe traceroute command owner must be root.V-4370MEDIUMThe traceroute command must be group-owned by sys, bin, root, or system.V-4371MEDIUMThe traceroute file must have mode 0700 or less permissive.V-4382HIGHAdministrative accounts must not run a web browser, except as needed for local service administration.V-4384LOWThe SMTP services SMTP greeting must not provide version information.V-4385MEDIUMThe system must not use .forward files.V-4387HIGHAnonymous FTP accounts must not have a functional shell.V-4388MEDIUMThe anonymous FTP account 
must be configured to use chroot or a similarly isolated environment.V-4392MEDIUMIf the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.V-4393MEDIUMThe /etc/rsyslog.conf file must be owned by root.V-4394MEDIUMThe /etc/rsyslog.conf file must be group-owned by root, bin, sys, or system.V-4395MEDIUMThe system must only use remote syslog servers (log hosts) that is justified and documented using site-defined procedures.V-4397MEDIUMThe system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.V-4398MEDIUMA system used for routing must not run other network services or applications.V-4399HIGHThe system must not use UDP for NIS/NIS+.V-4427MEDIUMAll .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.V-4428MEDIUMAll .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.V-4430MEDIUMThe cron.deny file must be owned by root, bin, or sys.V-4687HIGHThe rsh daemon must not be running.V-4688HIGHThe rexec daemon must not be running.V-4689HIGHThe SMTP service must be an up-to-date version.V-4690HIGHThe sendmail server must have the debug feature disabled.V-4691HIGHThe SMTP service must not have a uudecode alias active.V-4692LOWThe SMTP service must not have the EXPN feature active.V-4693LOWThe SMTP service must not have the Verify (VRFY) feature active.V-4694LOWThe sendmail service must not have the wizard backdoor active.V-4695HIGHAny active TFTP daemon must be authorized and approved in the system accreditation package.V-4696MEDIUMThe system must not have the UUCP service active.V-4697HIGHX displays must not be exported to the world.V-4701LOWThe system must not have the finger service active.V-4702MEDIUMIf the system is an anonymous FTP server, it must be isolated to the DMZ network.V-72825MEDIUMWireless network adapters must be disabled.V-756MEDIUMThe system must require authentication upon 
booting into single-user and maintenance modes.V-760MEDIUMDirect logins must not be permitted to shared, default, application, or utility accounts.V-761MEDIUMAll accounts on the system must have unique user or account names.V-762MEDIUMAll accounts must be assigned unique User Identification Numbers (UIDs).V-763MEDIUMThe Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.V-765MEDIUMSuccessful and unsuccessful logins and logouts must be logged.V-766MEDIUMThe system must disable accounts after three consecutive unsuccessful login attempts.V-768MEDIUMThe delay between login prompts following a failed login attempt must be at least 4 seconds.V-769MEDIUMThe root user must not own the logon session for an application requiring a continuous display.V-770HIGHThe system must not have accounts configured with blank or null passwords.V-773MEDIUMThe root account must be the only account having a UID of 0.V-774LOWThe root users home directory must not be the root directory (/).V-775MEDIUMThe root accounts home directory (other than /) must have mode 0700.V-776MEDIUMThe root accounts executable search path must be the vendor default and must contain only absolute paths.V-777MEDIUMThe root account must not have world-writable directories in its executable search path.V-778MEDIUMThe system must prevent the root account from directly logging in except from the system console.V-780MEDIUMGIDs reserved for system accounts must not be assigned to non-system groups.V-781LOWAll GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.V-782MEDIUMThe system must have a host-based intrusion detection tool installed.V-783MEDIUMSystem security patches and updates must be installed and up-to-date.V-784MEDIUMSystem files and directories must not have uneven access permissions.V-785MEDIUMAll files and directories must have a valid owner.V-786MEDIUMAll network services daemon files must have mode 0755 or less 
permissive.V-787MEDIUMSystem log files must have mode 0640 or less permissive.V-788MEDIUMAll skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.V-789MEDIUMNIS/NIS+/yp files must be owned by root, sys, or bin.V-790MEDIUMNIS/NIS+/yp files must be group-owned by root, sys, or bin.V-791MEDIUMThe NIS/NIS+/yp command files must have mode 0755 or less permissive.V-792LOWManual page files must have mode 0644 or less permissive.V-793MEDIUMLibrary files must have mode 0755 or less permissive.V-794MEDIUMAll system command files must have mode 0755 or less permissive.V-795MEDIUMAll system files, programs, and directories must be owned by a system account.V-796MEDIUMSystem files, programs, and directories must be group-owned by a system group.V-797MEDIUMThe /etc/shadow (or equivalent) file must be owned by root.V-798MEDIUMThe /etc/passwd file must have mode 0644 or less permissive.V-800MEDIUMThe /etc/shadow (or equivalent) file must have mode 0400.V-801MEDIUMThe owner, group-owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.V-802MEDIUMThe owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures.V-803MEDIUMThe system must be checked weekly for unauthorized setuid files as well as unauthorized modification to authorized setuid files.V-804MEDIUMThe system must be checked weekly for unauthorized setgid files as well as unauthorized modification to authorized setgid files.V-805MEDIUMRemovable media, remote file systems, and any file system not containing approved setuid files must be mounted with the nosuid option.V-806LOWThe sticky bit must be set on all public directories.V-807MEDIUMAll public directories must be owned by root or an application account.V-808MEDIUMThe system and user default umask must be 077.V-810MEDIUMDefault system accounts must be disabled or removed.V-811MEDIUMAuditing must be 
implemented.V-812MEDIUMSystem audit logs must be owned by root.V-813MEDIUMSystem audit logs must have mode 0640 or less permissive.V-814MEDIUMThe audit system must be configured to audit failed attempts to access files and programs.V-815MEDIUMThe audit system must be configured to audit file deletions.V-816MEDIUMThe audit system must be configured to audit all administrative, privileged, and security actions.V-818MEDIUMThe audit system must be configured to audit login, logout, and session initiation.V-819MEDIUMThe audit system must be configured to audit all discretionary access control permission modifications.V-821MEDIUMThe inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.V-822MEDIUMThe xinetd.conf files must have mode 0640 or less permissive.V-823MEDIUMThe services file must be owned by root or bin.V-824MEDIUMThe services file must have mode 0644 or less permissive.V-825LOWGlobal initialization files must contain the mesg -n or mesg n commands.V-827MEDIUMThe hosts.lpd file (or equivalent) must not contain a + character.V-828MEDIUMThe hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.V-829MEDIUMThe hosts.lpd (or equivalent) must have mode 0644 or less permissive.V-831MEDIUMThe alias file must be owned by root.V-832MEDIUMThe alias file must have mode 0644 or less permissive.V-833HIGHFiles executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.V-834MEDIUMFiles executed through a mail aliases file must have mode 0755 or less permissive.V-835LOWSendmail logging must not be set to less than nine in the sendmail.cf file.V-836MEDIUMThe system syslog service must log informational and more severe SMTP service messages.V-837MEDIUMThe SMTP service log file must be owned by root.V-838MEDIUMThe SMTP service log file must have mode 0644 or less permissive.V-840MEDIUMThe ftpusers file must exist.V-841MEDIUMThe ftpusers file must contain account 
names not allowed to use FTP.V-842MEDIUMThe ftpusers file must be owned by root.V-843MEDIUMThe ftpusers file must have mode 0640 or less permissive.V-845LOWThe FTP daemon must be configured for logging or verbose mode.V-846MEDIUMAnonymous FTP must not be active on the system unless authorized.V-847HIGHThe TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.V-848HIGHThe TFTP daemon must have mode 0755 or less permissive.V-849MEDIUMThe TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell such as /bin/false, and a home directory owned by the TFTP user.V-850MEDIUMAny X Windows host must write .Xauthority files.V-867MEDIUMThe Network Information System (NIS) protocol must not be used.V-899LOWAll interactive users must be assigned a home directory in the /etc/passwd file.V-900LOWAll interactive user home directories defined in the /etc/passwd file must exist.V-901MEDIUMAll user home directories must have mode 0750 or less permissive.V-902MEDIUMAll interactive user home directories must be owned by their respective users.V-903MEDIUMAll interactive user home directories must be group-owned by the home directory owners primary group.V-904MEDIUMAll local initialization files must be owned by the home directorys user or root.V-905MEDIUMAll local initialization files must have mode 0740 or less permissive.V-906MEDIUMAll run control scripts must have mode 0755 or less permissive.V-907MEDIUMRun control scripts executable search paths must contain only absolute paths.V-910HIGHRun control scripts must not execute world-writable programs or scripts.V-913MEDIUMThere must be no .netrc files on the system.V-914LOWAll files and directories contained in interactive user home directories must be owned by the home directorys owner.V-915LOWAll files and directories contained in user home directories must have mode 0750 or less permissive.V-916MEDIUMThe /etc/shells (or 
equivalent) file must exist.V-917MEDIUMAll shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.V-918MEDIUMAccounts must be locked upon 35 days of inactivity.V-921MEDIUMAll shell files must be owned by root or bin.V-922HIGHAll shell files must have mode 0755 or less permissive.V-923LOWThe system must be checked for extraneous device files at least weekly.V-924MEDIUMDevice files and directories must only be writable by users with a system account or as configured by the vendor.V-925MEDIUMDevice files used for backup must only be readable and/or writable by root or the backup user.V-928MEDIUMThe Network File System (NFS) export configuration file must be owned by root.V-929LOWThe Network File System (NFS) export configuration file must have mode 0644 or less permissive.V-931MEDIUMAll Network File System (NFS) exported system files and system directories must be owned by root.V-932MEDIUMThe Network File System (NFS) anonymous UID and GID must be configured to values without permissions.V-933MEDIUMThe Network File System (NFS) server must be configured to restrict file system access to local hosts.V-935MEDIUMThe Network File System (NFS) server must not allow remote root access.V-936MEDIUMThe nosuid option must be enabled on all Network File System (NFS) client mounts.V-940MEDIUMThe system must use an access control program.V-941MEDIUMThe systems access control program must log each system access attempt.V-974MEDIUMAccess to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).V-975MEDIUMThe cron.allow file must have mode 0600 or less permissive.V-976MEDIUMCron must not execute group-writable or world-writable programs.V-977MEDIUMCron must not execute programs in, or subordinate to, world-writable directories.V-978MEDIUMCrontab files must have mode 0600 or less permissive.V-979MEDIUMCron and crontab directories must have mode 0755 or less 
permissive.V-980MEDIUMCron and crontab directories must be owned by root or bin.V-981MEDIUMCron and crontab directories must be group-owned by root, sys, bin or cron.V-982MEDIUMCron logging must be implemented.V-983MEDIUMThe cronlog file must have mode 0600 or less permissive.V-984MEDIUMAccess to the at utility must be controlled via the at.allow and/or at.deny file(s).V-985MEDIUMThe at.deny file must not be empty if it exists.V-986MEDIUMDefault system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.V-987MEDIUMThe at.allow file must have mode 0600 or less permissive.V-988MEDIUMThe at daemon must not execute group-writable or world-writable programs.V-989MEDIUMThe at daemon must not execute programs in, or subordinate to, world-writable directories.V-993HIGHSNMP communities, users, and passphrases must be changed from the default.V-994MEDIUMThe snmpd.conf file must have mode 0600 or less permissive.V-995MEDIUMManagement Information Base (MIB) files must have mode 0640 or less permissive.