  • 8/20/2019 STIG User Guide

    1/18

    STIG User Guide  i

    STIG User Guide 

    iDX Release 3.1

    March 27, 2012


    Copyright © 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited. Information contained herein is subject to change without notice. The specifications and information regarding the products in this document are subject to change without notice. All statements, information, and recommendations in this document are believed to be accurate, but are presented without warranty of any kind, express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand names and products mentioned in this document are the property of their respective owners. All such references are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's rightful owner.

    Document Name: UG_STIG User Guide iDX 3.1 Rev A_03272012.pdf 

    Document Part Number: T0000435


    Revision History

    The following table shows all revisions for this document. If you do not have the revision that applies to your release, or you are not sure, please contact iDirect.

    Revision   Date Released   Reason for Change(s)             Who Updated?
    A          03/27/2012      Revision A for iDX Release 3.1   JVespoli


    Contents

    About This Guide  v
      Purpose  v
      Intended Audience  v
      Contents Of This Guide  v
      Document Conventions  vi
    Configuring Hub Servers for UNIX STIG Compliance  1
      1. STIG Feature Overview  1
      2. Installing the STIG package  2
      3. Executing the iDirect STIG Scripts  3
      4. Logs Directory  3
      5. Backups of Files Replaced by the Patch Scripts  3
      6. Performing Manual Updates  4
        Procedure 1: GEN000400, GEN000420  4
        Procedure 2: LNX00140  5
        Procedure 3: GEN001260  5
      7. STIG Exceptions  6
      8. PDIs Not Enforced by iDirect  6
      9. Explanation of Specific Open Findings  6
        9.1 CAT I Open Findings  6
        9.2 CAT II Open Findings  8
      10. Open Findings Fixed by the STIG Scripts  10


    About This Guide

    Purpose

    The STIG User Guide provides instructions for implementing compliance with the recommendations specified in the UNIX Security Technical Implementation Guide (STIG) on iDirect hub servers such as the NMS servers and protocol processor blades.

    iDirect strives to produce documentation that is technically accurate, easy to use, and helpful to our customers. Your feedback is welcomed! Send your comments to [email protected].

    Intended Audience

    The STIG User Guide is intended for UNIX system administrators responsible for implementing the STIG feature on their iDirect UNIX servers.

    Contents Of This Guide

    This document contains the following major sections:

    • STIG Feature Overview
    • Installing the STIG package
    • Executing the iDirect STIG Scripts
    • Logs Directory
    • Backups of Files Replaced by the Patch Scripts
    • Performing Manual Updates
    • STIG Exceptions
    • PDIs Not Enforced by iDirect
    • Open Findings Fixed by the STIG Scripts


    Document Conventions

    This section illustrates and describes the conventions used throughout the user guide.

    Convention: Blue Courier font
      Description: Used when the user is required to enter a command at a command line prompt or in a console.
      Example: Enter the command:
               service idirect_nms stop

    Convention: Courier font
      Description: Used when showing software code or output from a command that was entered at a command line or on a console.
      Example:
               rpm -qa | grep sendmail
               sendmail-devel-8.12.11-4.RHEL3.1
               sendmail-8.12.11-4.RHEL3.1
               sendmail-cf-8.12.11-4.RHEL3.1

    Convention: Bold Trebuchet font
      Description: Used when referring to text that appears on the screen on a Windows-type Graphical User Interface (GUI). Used when specifying names of commands, menus, folders, tabs, dialogs, list boxes, and options.
      Example: Launch PuTTY using iMonitor by right-clicking the blade in the Network Tree and selecting Connect.

    Convention: Blue Trebuchet font
      Description: Used to show all hyperlinked text within a document.
      Example: See “Open Findings Fixed by the STIG Scripts” on page 17 for a list of the modifications made by the iDirect scripts.

    Convention: Bold italic Trebuchet font
      Description: Used to emphasize information for the user, such as in notes.
      Example: Note: This procedure applies only to NMS server machines.

    Convention: Red italic Trebuchet font
      Description: Used when the user needs to strictly follow the instructions or have additional knowledge about a procedure or action.
      Example: WARNING! The following procedure may cause a network outage.


    Configuring Hub Servers for UNIX STIG Compliance

    Security Technical Implementation Guides (STIGs) are checklists of recommended settings for various computer platforms. They define configuration standards for DOD Information Assurance (IA) and IA-enabled systems. The STIGs can be found at the Web site of the Information Assurance Support Environment (IASE), http://iase.disa.mil/. This document describes the iDirect STIG feature for compliance with the STIG recommendations applicable to the Linux operating environment deployed on iDirect hub servers. It contains the following major sections:

    • “STIG Feature Overview” on page 1
    • “Installing the STIG package” on page 2
    • “Executing the iDirect STIG Scripts” on page 3
    • “Logs Directory” on page 3
    • “Backups of Files Replaced by the Patch Scripts” on page 3
    • “Performing Manual Updates” on page 4
    • “STIG Exceptions” on page 6
    • “PDIs Not Enforced by iDirect” on page 6
    • “Explanation of Specific Open Findings” on page 6
    • “Open Findings Fixed by the STIG Scripts” on page 10

    Note: This version of the STIG User Guide applies only to iDirect hub servers running iDX Release 3.1.

    1. STIG Feature Overview

    iDirect provides a set of scripts that you can run to modify your hub servers to meet many of the recommendations specified in the UNIX Security Checklist dated July, 2011. iDirect’s implementation addresses both general UNIX recommendations and Linux-specific recommendations documented in the Security Technical Implementation Guide (STIG).

    A STIG contains a list of security requirements for a specific operating environment. Each security requirement is identified by a Potential Discrepancy Item (PDI). A PDI consists of a Short Description Identifier (SDID) and a severity code.


    Results of the STIG installation are written to log files, which you can then examine to verify that the changes were properly applied to the system. The procedure for installing the package on your hub servers is contained in “Installing the STIG package” on page 2. The format of the log files is specified in “Logs Directory” on page 3.

    In addition to the STIG recommendations that are automatically applied by the scripts, iDirect supports a number of manual configuration changes to meet additional STIG recommendations. Instructions for manually applying these additional changes are contained in “Performing Manual Updates” on page 4.

    Some STIG recommendations are either not applicable to the iDirect system or are the direct responsibility of your Security Administrator (SA). These recommendations are listed in the section “PDIs Not Enforced by iDirect” on page 6.

    Note: Several UNIX STIG recommendations cannot be implemented on iDirect servers because meeting those recommendations would interfere with iDirect system operation. These recommendations are listed as exceptions in the STIG log. See “STIG Exceptions” on page 6 for a list of PDIs not supported by iDirect systems.

    Note: Since STIG recommendations are continually changing, there is a strong possibility that you will discover issues not discussed in this document when conducting evaluations against later versions of the UNIX STIG. Please report all such findings to the iDirect TAC so that iDirect can determine whether or not these issues can be addressed in future updates to the STIG feature.

    2. Installing the STIG package

    You can automatically install the STIG package and execute the iDirect STIG scripts when you upgrade to, or perform a new installation of, this release.

    • If you installed your iDirect release using a security enhanced Kickstart option (for example, SE-NMS or SE-Protocol Processor) then the STIG package was automatically installed and the STIG scripts were automatically executed during the installation.

    • You can upgrade a non-STIG server to a STIG server by executing the idsUpdate script with the --harden and --force options. For example:

      mkdir -p /media/cdrom
      mount /dev/cdrom /media/cdrom
      /media/cdrom/iDirect/install/idsUpdate --harden --force
      eject

    • You can upgrade a server with STIG already installed by executing the idsUpdate script with the --harden option. The --force option is not required.

    Note: When using the --force option, the --harden option is also required.

    Note: In order to remain STIG compliant you should pass the --harden option to idsUpdate whenever you upgrade to a new iDirect release.

    Note: For more information, see the Network Upgrade Procedure or Software Installation Guide for your iDX Release.


    3. Executing the iDirect STIG Scripts

    The procedure in this section executes the iDirect STIG scripts. You can run the iDirect scripts at any time. For example, you may want to re-run the scripts after making changes to your system.

    Follow these steps to execute the iDirect STIG scripts:

    1. Log on to the root account of the server on which you want to execute the STIG scripts.

    2. On an NMS server, ensure that all NMS and mysql services are stopped by entering the commands:

       service idirect_nms stop
       service mysql stop

    3. From the command line of the root account, change to the STIG directory by entering the command:

       cd /opt/stig

    4. Enter the following command to run the STIG scripts:

       ./idirect_stig

       The results are displayed to the user.

    When you run the iDirect scripts, the operating environment is updated to meet the STIG recommendations.

    Note: Once you have run the STIG scripts or performed the manual updates documented on page 4, you must reboot the server.

    4. Logs Directory

    Results of the iDirect STIG scripts are written to the following directory:

    /opt/stig/logs/

    Each time you run the iDirect STIG scripts, the results are logged in a new file in that directory with the name:

    <timestamp>.log

    where <timestamp> is the date and time that the STIG scripts were executed.

    The STIG log files contain detailed output for each PDI fixed by the iDirect STIG scripts, including all changes made to the system. Keep these logs together with the backups described in the next section; between them they record exactly what the hardening changed, which is what an evaluator will ask for and what you will need if something stops working after the reboot.

    5. Backups of Files Replaced by the Patch Scripts

    Whenever a file is replaced by the iDirect patch scripts, the original file is copied to the following directory:

    /opt/stig/bak

    Each file is backed up to a subdirectory of /opt/stig/bak that includes the full path of the original file and a timestamp indicating when the file was backed up.


    For example, if a script modifies the file /etc/ssh/sshd_config, the backup of that file is written to the following location:

    /opt/stig/bak/etc/ssh/sshd_config.<timestamp>

    where <timestamp> represents the date and time that the file was backed up.
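    The following shell script is an added example, not part of the iDirect guide or its scripts. It locates the backups the scripts kept for a given original file under /opt/stig/bak, picks the newest, and diffs it against the live file, so that what the hardening changed in that file is visible before the reboot. It assumes the layout the guide's own example shows (<bak_root>/<original path>.<timestamp>) and that the timestamp format sorts chronologically as a string; the exact format is not specified on the page, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the iDirect STIG package: show what the
# hardening scripts changed in a file by diffing the newest backup under
# /opt/stig/bak against the live copy.
# Assumed layout (from the guide's own example):
#   <bak_root>/etc/ssh/sshd_config.<timestamp>
# The timestamp format is not given on the page; the code only needs it
# to sort chronologically as a string, which date-first formats do.

BAK_ROOT=${BAK_ROOT:-/opt/stig/bak}

# stig_backups <bak_root> </original/path>: all backups, oldest first.
stig_backups() {
    dir="$1$(dirname "$2")"; base=$(basename "$2")
    [ -d "$dir" ] || return 1
    ls "$dir" | grep "^$base\." | sed "s|^|$dir/|" | sort
}

# stig_latest_backup <bak_root> </original/path>: newest backup, or failure.
stig_latest_backup() {
    stig_backups "$1" "$2" | tail -n 1 | grep .
}

# stig_diff <bak_root> </original/path> [<live_root>]: unified diff with the
# backup on the left and the live file on the right, so `-` lines are what
# the scripts removed and `+` lines what they added. <live_root> lets the
# live file be read from a staged tree instead of /. Exit status is diff's
# (0 same, 1 differs); 2 when no backup exists.
stig_diff() {
    latest=$(stig_latest_backup "$1" "$2") || { echo "no backup of $2 under $1" >&2; return 2; }
    diff -u "$latest" "${3:-}$2"
}

# Usage: sh stig_diff.sh /etc/ssh/sshd_config /etc/sysctl.conf
for f in "$@"; do
    stig_diff "$BAK_ROOT" "$f"
done
```

    Run it for each file you care about after ./idirect_stig and before rebooting; a non-empty diff with only the expected lines (for example a PermitRootLogin change in sshd_config) is the confirmation that the log entry for that PDI matches what actually landed on disk.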

    6. Performing Manual Updates

    This section describes manual configuration changes that you can make on your iDirect Linux servers to comply with a number of PDIs not addressed by the iDirect scripts. These procedures correct a number of open findings that remain outstanding after the iDirect scripts have been executed.

    Note: There are some open findings that cannot be addressed on iDirect servers. See “STIG Exceptions” on page 6 for a list of PDIs associated with these findings.

    Follow the procedures in this section to make your server compliant with the specified PDIs. Each procedure consists of one or more PDIs and the steps required to modify the server configuration to comply with those PDIs.

    Note: After you have made these changes, be sure to reboot your server.

    Procedure 1: GEN000400, GEN000420

    (GEN000400: CAT II) (Previously – G010) The SA will ensure a logon-warning banner is displayed on all devices and sessions at the initial logon.

    (GEN000420: CAT II) (Previously – G011) The IAO will ensure the Legal Notice Logon Warning Banner includes the five points outlined in the CJCSM 6510.01. All DOD AISs will display, as a minimum, an electronic logon notice and consent banner that advises users of the following principles:

    - The system is a DOD system.
    - The system is subject to monitoring.
    - Monitoring is authorized in accordance with applicable laws and regulations and conducted for purposes of systems management and protection, protection against improper or unauthorized use or access, and verification of applicable security features or procedures.
    - Use of the system constitutes consent to monitoring.
    - This system is for authorized US government use only.

    Follow the below steps to modify the login banner:

    1. Edit the file /etc/motd.

    2. Enter the content to comply with the PDI requirements.

    3. Save the changes to /etc/motd.

    Note: /etc/motd is printed after a user has authenticated, not before the login prompt. If your evaluation also expects a pre-authentication banner, the usual places are /etc/issue (console logins) and the Banner directive in /etc/ssh/sshd_config (SSH logins); GEN005540, which covers the logon banner for encrypted sessions, is among the PDIs the iDirect scripts address (see Table 2). Keep the wording identical in every banner file so that the five points above are met wherever a session starts.


    Procedure 2: LNX00140

    (LNX00140: CAT I) The GRUB boot-loader does not use an MD5 encrypted password.

    Follow these steps to comply with the above PDI:

    1. From the command line, enter the following command:

       grub-md5-crypt

    2. When prompted, enter the password to obtain the password hash. Sample output is shown here:

       Password:
       Retype password:
       $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31

    3. Add the password hash to the grub configuration file /boot/grub/grub.conf as shown in the example below. The password line belongs in the global section, before the first title entry, so that it locks the interactive editing controls and every entry:

       default=0
       timeout=5
       splashimage=(hd0,0)/grub/splash.xpm.gz
       hiddenmenu
       password --md5 $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
       title Red Hat Enterprise Linux Server (2.6.18-164.6.1.el5)
               root (hd0,0)
               kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/
               initrd /initrd-2.6.18-164.6.1.el5.img

    Note: Use the hash that grub-md5-crypt prints for your own password; the value above is only the sample from this guide. Use the --md5 form, not a plaintext password line, and keep grub.conf readable by root only so that the hash is not exposed to other users.
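    The following shell script is an added example, not part of the iDirect guide or its scripts. It inserts the password --md5 line into a GRUB Legacy grub.conf in the right place (the global section, before the first title), replaces any existing password line instead of adding a second one, and checks the result. The hash in the usage comment is the sample value printed above and the helper names are the author's own. It applies to GRUB Legacy as shipped with RHEL 5; GRUB 2 uses a different mechanism (grub-mkpasswd-pbkdf2 and a superusers entry) that this script does not handle.

```shell
#!/bin/sh
# Added example, not part of the iDirect STIG package: set the GRUB Legacy
# menu password (LNX00140) idempotently. The `password --md5` line must sit
# in the global section, i.e. before the first `title`, where it locks the
# interactive editing controls and every entry; a second copy would be a
# leftover to clean up, so any existing password line is replaced instead.
# Assumes the hash came from grub-md5-crypt, as in the procedure above.

# grub_set_password <grub.conf> <md5-hash>: rewrite the file in place.
grub_set_password() {
    conf=$1; hash=$2
    tmp=$(mktemp) || return 1
    awk -v line="password --md5 $hash" '
        $1 == "password" { next }                       # drop any old password line
        $1 == "title" && !done { print line; done = 1 } # global section ends here
        { print }
        END { if (!done) print line }                   # no title at all: append
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"          # cat keeps owner and mode of conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# grub_get_md5_password <grub.conf>: print the configured hash, if any.
grub_get_md5_password() {
    awk '$1 == "password" && $2 == "--md5" { print $3; exit }' "$1"
}

# grub_password_ok <grub.conf>: exactly one password line, it uses --md5
# (a plaintext `password secret` line does not satisfy the PDI) and it
# precedes the first title.
grub_password_ok() {
    awk '
        $1 == "title"    { seen_title = 1 }
        $1 == "password" { n++; if ($2 != "--md5" || seen_title) bad = 1 }
        END { exit !(n == 1 && !bad) }
    ' "$1"
}

# Usage: sh grub_password.sh /boot/grub/grub.conf '$1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31'
# (single-quote the hash: it contains $ characters)
if [ $# -eq 2 ]; then
    grub_set_password "$1" "$2" && grub_password_ok "$1" && echo "password set in $1"
fi
```

    Because the file is rewritten through cat rather than mv, the owner and mode of grub.conf are preserved; run grub_password_ok again after any later kernel update, since tools that regenerate grub.conf can drop the line.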

    Procedure 3: GEN001260

    (GEN001260: CAT II) System log file permissions are more permissive than 640.

    Follow the steps below to comply with the above PDI:

    1. Find all files with permissions greater than 640 in the directory /var/log:

       find /var/log -perm /137 -ls

       Octal 137 is the complement of 640 within 777 (owner execute, group write and execute, all bits for other), so -perm /137 matches any file that has at least one permission bit that 640 does not allow. Directories match too, because they need the execute bit to be traversable; add -type f if you only want to see regular files.

    2. For every log file found in Step 1 (after determining that the log file's permissions can be safely changed) modify the file permissions using the following command:

       chmod 640 <log_file>

       Where <log_file> is the name of the log file. Do not apply chmod 640 to a directory reported by the find command; removing its execute bit makes the directory unusable.

    Note: Due to the fact that log files can be created from many different processes that are not under iDirect’s control, iDirect cannot ensure 100% automated compliance with GEN001260. Upon execution, to the extent possible, the iDirect STIG hardening scripts set the permissions on existing log files properly and change the configuration options for future log files to comply with this PDI. However, there is no guarantee that new log files, rotated log files, or log configuration options will have or maintain the proper permissions. See the UNIX Security Checklist for more details.
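    The following shell script is an added example, not part of the iDirect guide or its hardening scripts. It wraps the find command above so that it reports only regular files, applies chmod 640 to those files, and re-checks, so it can be re-run after log rotation to catch the cases the note above warns about. The function names are the author's own; it assumes GNU find.

```shell
#!/bin/sh
# Added example, not part of the iDirect STIG package: find and fix log
# files whose mode has any bit that 640 (rw-r-----) does not allow.
# 0137 is the complement of 0640 within 0777, so `-perm /137` matches a
# file with at least one of: owner x, group w or x, any bit for other.
# Assumes GNU find (RHEL 5 ships findutils 4.2, which accepts -perm /mode).

LOG_DIR=${LOG_DIR:-/var/log}

# Regular files under $1 with permission bits outside 0640, one per line.
# Directories are excluded on purpose: they need the execute bit to be
# traversable, so without -type f every directory would be listed and
# a blind `chmod 640` on it would make it unusable.
find_lax_logs() {
    find "$1" -type f -perm /137 -print 2>/dev/null | sort
}

# Number of such files; handy for a compliance summary line.
count_lax_logs() {
    find_lax_logs "$1" | wc -l | tr -d ' '
}

# chmod 640 every regular file that is too open, then re-check.
# Returns 0 when nothing lax remains, 1 otherwise.
fix_lax_logs() {
    find "$1" -type f -perm /137 -exec chmod 640 {} + 2>/dev/null
    [ "$(count_lax_logs "$1")" -eq 0 ]
}

# Command-line use: `sh lax_logs.sh` lists, `sh lax_logs.sh --fix` repairs.
case ${1:-} in
    --fix) fix_lax_logs "$LOG_DIR" ;;
    *)     find_lax_logs "$LOG_DIR" ;;
esac
```

    Files that are already tighter than 640 (for example 600) are left alone, since they set no bit outside 640. Ownership is not touched; a log file that must stay group-readable by a non-root service account still needs its group set correctly by hand.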


    7. STIG Exceptions

    iDirect servers are not compliant with the PDIs listed in this section. Complying with the PDIs in this list will interfere with the normal operations of iDirect networks. For complete definitions of these PDIs, see the UNIX Security Technical Implementation Guide.

    Note: iDirect does not support customer updates of any Operating System installed software. For example, customer upgrades to openssl or any other software package are not supported.

    Table 1. List of UNIX STIG PDIs Not Supported on iDirect Servers

    PDI Exception   Description
    GEN000120       Vendor Recommended and Security Patches are not installed or are out-of-date.
    GEN000760       An account is not locked after 35 days of inactivity.
    GEN001560*      User directories contain undocumented non-startup files with access permissions greater than 750.
    GEN006640       An approved DoD virus scan program is not used and/or updated.

    *GEN001560 is an exception only on the NMS server, not on the protocol processor blades.

    8. PDIs Not Enforced by iDirect

    Not all PDIs are directly enforced on iDirect systems as part of the STIG feature. Some unenforced PDIs are not applicable to iDirect servers. Others describe policies, periodic procedures, or utilities (such as auditing tools) that are the responsibility of the Security Administrator (SA) and are therefore outside of the scope of the iDirect STIG feature. You are free to enforce these PDIs as required by your policies. For definitions of PDIs that are the responsibility of the SA, see the UNIX Security Technical Implementation Guide.

    The PDIs discussed here differ from the PDI exceptions listed in “STIG Exceptions” on page 6, since compliance with the exceptions would interfere with normal operations of iDirect systems.

    9. Explanation of Specific Open Findings

    This section provides an explanation of a number of open findings not fixed by the iDirect scripts. These open findings may appear after running the STIG scripts. Only CAT I and CAT II open findings are documented.

    9.1 CAT I Open Findings

    2001-A-0013: Ssh is vulnerable to a remote integer overflow.

    Resolution: False Positive


    Vulnerable Systems:

    • OpenSSH 1.2, 1.2.1 - 1.2.3
    • OpenSSH 2.1, 2.1.1, 2.2.0

    The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

    2002-T-0011: There are vulnerabilities in the OpenSSH Challenge Response Handling routine.

    Resolution: False Positive

    Vulnerable Systems:

    • OpenSSH: Versions 2.3.1p1 through version 3.3 are vulnerable.

    The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

    2003-A-0015: There are multiple vulnerabilities in OpenSSL.

    Resolution: False Positive

    Vulnerable Systems:

    • OpenSSL Project OpenSSL 0.9.6
    • OpenSSL Project OpenSSL 0.9.6 a
    • OpenSSL Project OpenSSL 0.9.6 b
    • OpenSSL Project OpenSSL 0.9.6 c
    • OpenSSL Project OpenSSL 0.9.6 d
    • OpenSSL Project OpenSSL 0.9.6 e
    • OpenSSL Project OpenSSL 0.9.6 g
    • OpenSSL Project OpenSSL 0.9.6 h
    • OpenSSL Project OpenSSL 0.9.6 i
    • OpenSSL Project OpenSSL 0.9.6 j
    • OpenSSL Project OpenSSL 0.9.7
    • OpenSSL Project OpenSSL 0.9.7 a
    • OpenSSL Project OpenSSL 0.9.7 b
    • OpenSSL Project OpenSSL 0.9.7 beta1
    • OpenSSL Project OpenSSL 0.9.7 beta2
    • OpenSSL Project OpenSSL 0.9.7 beta3

    The version of openssl we provide is greater than or equal to 0.9.8e-12.el5_4.6.

    2009-T-0024: Multiple Vulnerabilities in Linux Kernel.

    Resolution: False Positive

    The Unix Checklist states:

    Compliance Checking: Red Hat Enterprise Linux 3 is vulnerable to CVE-2009-1265. RHEL4 and RHEL5 are not. However, this IAVA does cover more than one CVE. A response from the Red Hat Knowledge base indicates RHEL3 will not be patched and it will always be a finding on the system. RHEL4 does not appear to have any fixes, so this will be a finding. Execute uname -a to determine the kernel version. RHEL5 does have a kernel update for the CIFS vulnerability. If the kernel version is less than 2.6.18-128.1.14.el5, this is a finding.

    The kernel version we provide is greater than 2.6.18-128.1.14.el5.

    2010-A-0041: Multiple Apache HTTP Server Vulnerabilities

    Resolution: False Positive

    CVE-2010-0408: Fixed by Red Hat in version 2.2.3-31.el5_4.4 or later. We provide a later release.

    Source: https://rhn.redhat.com/errata/RHSA-2010-0168.html

    2010-A-0050: OpenSSL Remote Denial of Service Vulnerability.

    Resolution: False Positive

    CVE-2010-0740: Official Statement from Red Hat (03/24/2010): Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5.

    Source: https://www.redhat.com/security/data/cve/CVE-2010-0740.html

    2010-A-0099: Multiple Vulnerabilities in Apache httpd

    Resolution: False Positive

    iDirect servers currently run version 2.2.3-53 of the Apache httpd daemon. Based on the problem description from the Apache Web site, this issue was not introduced until version 2.2.9 and only affects the Windows, Netware and OS/2 builds. Therefore this finding is not applicable to servers supplied by iDirect.

    Source: http://httpd.apache.org/security/vulnerabilities_22.html

    9.2 CAT II Open Findings

    2001-T-0017: The OpenSSH UseLogin feature has Multiple Vulnerabilities.

    Resolution: False Positive

    Vulnerable Systems:

    • OpenSSH versions prior to 2.1.1

    The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

    2003-T-0020: OpenSSH buffer mismanagement and multiple portable OpenSSH PAM vulnerabilities

    Resolution: False Positive

    Vulnerable Systems:

    • OpenSSH versions prior to 3.7.1

    The version of openssh we provide is greater than or equal to 4.3p2-41.el5.

    GEN001020: The root account is logged onto directly.

    Resolution: False Positive

    This may show up as an open finding if the root account was logged onto directly before the idirect_stig package was installed. The government-provided SRR script checks for unauthorized logons using the last command. This views historical data and doesn't reflect the machine's current state.

    To eliminate the false positive finding, you can empty the file /var/log/wtmp as follows:

    cp /var/log/wtmp /var/log/wtmp.bak
    cat /dev/null > /var/log/wtmp

    WARNING! This will reset the output of the last command. The wtmp history is itself login audit evidence: keep the wtmp.bak copy, readable by root only, for as long as your retention policy requires, and record in your evaluation notes that the file was truncated and why. Truncate rather than delete the file; the login programs append to an existing wtmp and do not recreate a missing one. Because the scripts limit direct root logins to the system console (GEN000980 in Table 2), new direct logons from elsewhere should not appear once the history has been reset.

    GEN001060: Successful and unsuccessful accesses to the root account are not logged.

    Resolution: False Positive

    This may show up as an open finding if no user ever executed the su - command.

    To eliminate the false positive finding, you can do the following:

    1. Log on as a user other than the root user.

    2. Execute the following command to log on to the root account:

       su -

    2008-A-0011: SQL Injection in Cisco Unified Communications Manager

    Resolution: False Positive

    The Cisco Unified Communications Manager is not installed on iDirect server platforms. The SRR script that generates this finding merely checks that the Operating System being run is Linux. If so, it generates this open finding and marks it for manual review.


    10. Open Findings Fixed by the STIG Scripts

    Table 2 contains a list of the UNIX STIG recommendations addressed by the iDirect scripts. When the scripts are executed on an iDirect server, the server is modified to comply with the recommendations described in this table.

    Table 2. Open Findings Fixed by iDirect Scripts

    PDI         Description
    GEN000020   The UNIX host is bootable in single user mode without a password.
    GEN000040   The UNIX host is not configured to require a password when booted to single-user mode and is not documented.
    GEN000060   The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area.
    GEN000460   After three consecutive unsuccessful login attempts the account is not disabled.
    GEN000480   The login delay between login prompts after a failed login is set to less than four seconds.
    GEN000540   Passwords can be changed more than once every 24 hours.
    GEN000580   A password does not contain a minimum of 14 characters.
    GEN000600   A password does not contain at least one upper case and one lower case character.
    GEN000620   A password does not contain at least one numeric character.
    GEN000640   A password does not contain at least one special character.
    GEN000700   Passwords are not changed at least every 60 days.
    GEN000800   Passwords are reused within the last five changes.
    GEN000820   Global password configuration files are not configured per guidelines.
    GEN000980   The root account can be directly logged into from other than the system console.
    GEN001260   System log file permissions are more permissive than 640.
    GEN001280   Manual page file permissions are more permissive than 644.
    GEN001880   Local initialization files are more permissive than 740.
    GEN002560   The system and user default umask is not 077.
    GEN002680   System audit logs are readable by unauthorized users.
    GEN002700   System audit logs are more permissive than 640.
    GEN002720   The audit system is not configured to audit failed attempts to access files and programs.
    GEN002740   The audit system is not configured to audit files and programs deleted by the user.
    GEN002760   The audit system is not configured to audit all administrative, privileged, and security actions.
    GEN002960   Access to the cron utility is not controlled via the cron.allow and/or cron.deny files.
    GEN003080   Crontab files are more permissive than 600 (700 on some linux systems).
    GEN003320   Default accounts are listed in the at.allow file.
    GEN003600   Network parameters are not securely set.
    GEN004000   The traceroute command is more permissive than 700.
    GEN004540   The sendmail help command is not disabled.
    GEN004560   The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask the version.
    GEN004640   The sendmail decode command is not disabled.
    GEN005320   The snmpd.conf file is more permissive than 700.
    GEN005360   The snmpd.conf file is not owned by root and group owned by sys or the application.
    GEN005400   The /etc/syslog.conf is not owned by root or is more permissive than 640.
    GEN005540   Encrypted communications are not configured for IP filtering and logon warning banners.
    GEN006620   The access control program is not configured to grant and deny system access to specific hosts.
    LNX00320    Special privilege accounts, such as shutdown and halt have not been deleted.
    LNX00440    The /etc/login.access or /etc/security/access.conf file is more permissive than 640.
    LNX00520    The /etc/sysctl.conf file is more permissive than 600.
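    The following shell script is an added example, not part of the iDirect guide or its scripts. It spot-checks a handful of the Table 2 settings on the live system (or on a staged copy of the tree via ROOT) independently of the script's log, which is the kind of check an evaluator will repeat with the SRR scripts. The mapping from each PDI to a file and value is the author's assumption about where RHEL 5 enforces the setting, not something the guide states, and the GEN005400 check covers only the mode, not the owner.

```shell
#!/bin/sh
# Added example, not part of the iDirect STIG package: spot-check a few of
# the Table 2 settings after ./idirect_stig has run, without trusting the
# script's own log. Where each PDI is enforced is an assumption about
# RHEL 5, not something the guide states:
#   GEN000540/GEN000700/GEN000580 -> PASS_MIN_DAYS / PASS_MAX_DAYS /
#                                    PASS_MIN_LEN in /etc/login.defs
#   GEN002560                     -> a "umask 077" line in /etc/profile
#   GEN005400                     -> /etc/syslog.conf mode 640 or tighter
#                                    (owner must also be root; not checked here)
#   LNX00520                      -> /etc/sysctl.conf mode 600 or tighter
# ROOT prefixes every path, so a staged copy of the tree can be checked.

ROOT=${ROOT:-}

# login_def <root> <KEY>: value of KEY in /etc/login.defs (last one wins).
login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1/etc/login.defs" 2>/dev/null
}

# mode_within <file> <maxmode>: true if no permission bit outside <maxmode> is set.
mode_within() {
    m=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ $(( 0$m & (0777 & ~0$2) )) -eq 0 ]
}

# check_stig <root>: one PASS/FAIL line per PDI; returns the number of FAILs.
check_stig() {
    r=$1; fails=0
    pass() { echo "PASS $1"; }
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }

    v=$(login_def "$r" PASS_MIN_DAYS)
    [ "${v:-0}" -ge 1 ]      && pass GEN000540 || fail "GEN000540 PASS_MIN_DAYS=${v:-unset}"
    v=$(login_def "$r" PASS_MAX_DAYS)
    [ "${v:-99999}" -le 60 ] && pass GEN000700 || fail "GEN000700 PASS_MAX_DAYS=${v:-unset}"
    v=$(login_def "$r" PASS_MIN_LEN)
    [ "${v:-0}" -ge 14 ]     && pass GEN000580 || fail "GEN000580 PASS_MIN_LEN=${v:-unset}"
    grep -Eq '^[[:space:]]*umask[[:space:]]+077' "$r/etc/profile" 2>/dev/null \
        && pass GEN002560 || fail "GEN002560 no 'umask 077' in /etc/profile"
    mode_within "$r/etc/syslog.conf" 640 \
        && pass GEN005400 || fail "GEN005400 /etc/syslog.conf looser than 640"
    mode_within "$r/etc/sysctl.conf" 600 \
        && pass LNX00520  || fail "LNX00520 /etc/sysctl.conf looser than 600"
    return $fails
}

# Usage: sh check_stig.sh --run            (as root, on the live system)
#        ROOT=/mnt/staged sh check_stig.sh --run
if [ "${1:-}" = "--run" ]; then
    check_stig "$ROOT"
fi
```

    The exit status is the number of failed checks, so the script can gate a change window: a non-zero result after the reboot means either the scripts did not apply a change or something regenerated a file afterwards, and the backups under /opt/stig/bak show which.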
