8/20/2019 STIG User Guide
1/18
STIG User Guide i
STIG User Guide
iDX Release 3.1
March 27, 2012
Copyright © 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited. Information contained herein is subject to change without notice. The specifications and information regarding the products in this document are subject to change without notice. All statements, information, and recommendations in this document are believed to be accurate, but are presented without warranty of any kind, express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand names and products mentioned in this document are the property of their respective owners. All such references are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's rightful owner.
Document Name: UG_STIG User Guide iDX 3.1 Rev A_03272012.pdf
Document Part Number: T0000435
Revision History
The following table shows all revisions for this document. If you do not have the revision that
applies to your release, or you are not sure, please contact iDirect.
Revision   Date Released   Reason for Change(s)              Who Updated?
A          03/27/2012      Revision A for iDX Release 3.1    JVespoli
Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Contents Of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Configuring Hub Servers for UNIX STIG Compliance. . . . . . . . . . . . . 1
1. STIG Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Installing the STIG package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Executing the iDirect STIG Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Logs Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Backups of Files Replaced by the Patch Scripts . . . . . . . . . . . . . . . . . . . . . . . 3
6. Performing Manual Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Procedure 1: GEN000400, GEN000420 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Procedure 2: LNX00140 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Procedure 3: GEN001260 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. STIG Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
8. PDIs Not Enforced by iDirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9. Explanation of Specific Open Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.1 CAT I Open Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.2 CAT II Open Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
10. Open Findings Fixed by the STIG Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . 10
About This Guide
Purpose

The STIG User Guide provides instructions for implementing compliance with the
recommendations specified in the UNIX Security Technical Implementation Guide (STIG) on
iDirect hub servers such as the NMS servers and protocol processor blades.
iDirect strives to produce documentation that is technically accurate, easy to use, and helpful
to our customers. Your feedback is welcomed! Send your comments to [email protected].

Intended Audience

The STIG User Guide is intended for UNIX system administrators responsible for implementing
the STIG feature on their iDirect UNIX servers.

Contents Of This Guide

This document contains the following major sections:
• STIG Feature Overview
• Installing the STIG package
• Executing the iDirect STIG Scripts
• Logs Directory
• Backups of Files Replaced by the Patch Scripts
• Performing Manual Updates
• STIG Exceptions
• PDIs Not Enforced by iDirect
• Open Findings Fixed by the STIG Scripts
Document Conventions

This section illustrates and describes the conventions used throughout the user guide.

Convention: Blue Courier font
Description: Used when the user is required to enter a command at a command line prompt or
in a console.
Example: Enter the command:
    service idirect_nms stop

Convention: Courier font
Description: Used when showing software code or output from a command that was entered at
a command line or on a console.
Example:
    rpm -qa | grep sendmail
    sendmail-devel-8.12.11-4.RHEL3.1
    sendmail-8.12.11-4.RHEL3.1
    sendmail-cf-8.12.11-4.RHEL3.1

Convention: Bold Trebuchet font
Description: Used when referring to text that appears on the screen on a windows-type
Graphical User Interface (GUI). Used when specifying names of commands, menus, folders,
tabs, dialogs, list boxes, and options.
Example: Launch PuTTY using iMonitor by right-clicking the blade in the Network Tree and
selecting Connect.

Convention: Blue Trebuchet font
Description: Used to show all hyperlinked text within a document.
Example: See “Open Findings Fixed by the STIG Scripts” on page 17 for a list of the
modifications made by the iDirect scripts.

Convention: Bold italic Trebuchet font
Description: Used to emphasize information for the user, such as in notes.
Example: Note: This procedure applies only to NMS server machines.

Convention: Red italic Trebuchet font
Description: Used when the user needs to strictly follow the instructions or have additional
knowledge about a procedure or action.
Example: WARNING! The following procedure may cause a network outage.
Configuring Hub Servers for UNIX STIG Compliance

Security Technical Implementation Guides (STIGs) are checklists of recommended settings for
various computer platforms. They define configuration standards for DOD Information
Assurance (IA) and IA-enabled systems. The STIGs can be found at the Web site of the
Information Assurance Support Environment (IASE), http://iase.disa.mil/. This document
describes the iDirect STIG feature for compliance with the STIG recommendations applicable
to the Linux operating environment deployed on iDirect hub servers. It contains the following
major sections:
• “STIG Feature Overview” on page 1
• “Installing the STIG package” on page 2
• “Executing the iDirect STIG Scripts” on page 3
• “Logs Directory” on page 3
• “Backups of Files Replaced by the Patch Scripts” on page 3
• “Performing Manual Updates” on page 4
• “STIG Exceptions” on page 6
• “PDIs Not Enforced by iDirect” on page 6
• “Explanation of Specific Open Findings” on page 6
• “Open Findings Fixed by the STIG Scripts” on page 10
Note: This version of the STIG User Guide applies only to iDirect hub servers running iDX Release 3.1.

1. STIG Feature Overview

iDirect provides a set of scripts that you can run to modify your hub servers to meet many of
the recommendations specified in the UNIX Security Checklist dated July, 2011. iDirect’s
implementation addresses both general UNIX recommendations and Linux-specific
recommendations documented in the Security Technical Implementation Guide (STIG).
A STIG contains a list of security requirements for a specific operating environment. Each
security requirement is identified by a Potential Discrepancy Item (PDI). A PDI consists of a
Short Description Identifier (SDID) and a severity code.
Results of the STIG installation are written to log files, which you can then examine to verify
that the changes were properly applied to the system. The procedure for installing the
package on your hub servers is contained in “Installing the STIG package” on page 2. The
format of the log files is specified in “Logs Directory” on page 3.
In addition to the STIG recommendations that are automatically applied by the scripts, iDirect
supports a number of manual configuration changes to meet additional STIG
recommendations. Instructions for manually applying these additional changes are contained
in “Performing Manual Updates” on page 4.
Some STIG recommendations are either not applicable to the iDirect system or are the direct
responsibility of your Security Administrator (SA). These recommendations are listed in the
section “PDIs Not Enforced by iDirect” on page 6.
Note: Several UNIX STIG recommendations cannot be implemented on iDirect servers because meeting those recommendations would interfere with iDirect system operation. These recommendations are listed as exceptions in the STIG log. See “STIG Exceptions” on page 6 for a list of PDIs not supported by iDirect systems.
Note: Since STIG recommendations are continually changing, there is a strong possibility that you will discover issues not discussed in this document when conducting evaluations against later versions of the UNIX STIG. Please report all such findings to the iDirect TAC so that iDirect can determine whether or not these issues can be addressed in future updates to the STIG feature.
2. Installing the STIG package

You can automatically install the STIG package and execute the iDirect STIG scripts when you
upgrade to, or perform a new installation of, this release.
• If you installed your iDirect release using a security enhanced Kickstart option (for
example, SE-NMS or SE-Protocol Processor) then the STIG package was automatically
installed and the STIG scripts were automatically executed during the installation.
• You can upgrade a non-STIG server to a STIG server by executing the idsUpdate script
with the --harden and --force options. For example:
    mkdir -p /media/cdrom
    mount /dev/cdrom /media/cdrom
    /media/cdrom/iDirect/install/idsUpdate --harden --force
    eject
• You can upgrade a server with STIG already installed by executing the idsUpdate script
with the --harden option. The --force option is not required.
Note: When using the --force option, the --harden option is also required.
Note: In order to remain STIG compliant you should pass the --harden option to idsUpdate whenever you upgrade to a new iDirect release.
Note: For more information, see the Network Upgrade Procedure or Software Installation Guide for your iDX Release.
3. Executing the iDirect STIG Scripts

The procedure in this section executes the iDirect STIG scripts. You can run the iDirect scripts
at any time. For example, you may want to re-run the scripts after making changes to your
system.
Follow these steps to execute the iDirect STIG scripts:
1. Log on to the root account of the server on which you want to execute the STIG scripts.
2. On an NMS server, ensure that all NMS and mysql services are stopped by entering the
   commands:
    service idirect_nms stop
    service mysql stop
3. From the command line of the root account, change to the STIG directory by entering the
   command:
    cd /opt/stig
4. Enter the following command to run the STIG scripts:
    ./idirect_stig
   The results are displayed to the user.
When you run the iDirect scripts, the operating environment is updated to meet the STIG
recommendations.
Note: Once you have run the STIG scripts or performed the manual updates documented on page 4, you must reboot the server.
4. Logs Directory

Results of the iDirect STIG scripts are written to the following directory:
    /opt/stig/logs/
Each time you run the iDirect STIG scripts, the results are logged in a new file in that
directory with the name:
    <timestamp>.log
where <timestamp> is the date and time that the STIG scripts were executed.
The STIG log files contain detailed output for each PDI fixed by the iDirect STIG scripts,
including all changes made to the system.

5. Backups of Files Replaced by the Patch Scripts

Whenever a file is replaced by the iDirect patch scripts, the original file is copied to the
following directory:
    /opt/stig/bak
Each file is backed up to a subdirectory of /opt/stig/bak that includes the full path of the
original file and a timestamp indicating when the file was backed up.
For example, if a script modifies the file /etc/ssh/sshd_config, the backup of that file is
written to the following location:
    /opt/stig/bak/etc/ssh/sshd_config.<timestamp>
where <timestamp> represents the date and time that the file was backed up.
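The backup layout described above can be reproduced with a small shell routine. The following is an added example, not the iDirect patch scripts themselves: the backup root is a parameter so the routine can be exercised on a scratch directory instead of /opt/stig/bak, and the YYYYMMDDHHMMSS timestamp format is an assumption (the guide only says the name carries the date and time of the backup).

```shell
#!/bin/sh
# Added example: back up a file under <bak_root><full path>.<timestamp>
# before it is replaced, mirroring the /opt/stig/bak layout in the guide.
# Not iDirect's own code; the timestamp format is an assumption.

# stig_backup_file SRC [BAK_ROOT] [STAMP]
# Copies SRC (an absolute path) to BAK_ROOT/SRC.STAMP, creating the
# intermediate directories, and prints the backup path. Returns 1 if SRC
# does not exist, so callers never replace a file without a backup.
stig_backup_file() {
    src=$1
    bak_root=${2:-/opt/stig/bak}
    stamp=${3:-$(date +%Y%m%d%H%M%S)}   # assumed format, e.g. 20120327120000
    [ -f "$src" ] || { echo "stig_backup_file: no such file: $src" >&2; return 1; }
    dest="$bak_root$src.$stamp"          # /opt/stig/bak/etc/ssh/sshd_config.<stamp>
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"                 # -p keeps mode, owner and mtime for a faithful restore
    printf '%s\n' "$dest"
}

# stig_latest_backup SRC [BAK_ROOT]
# Prints the newest backup of SRC. Because the stamp is fixed-width and
# sorts lexically, plain sort yields chronological order. Returns 1 if none.
stig_latest_backup() {
    src=$1
    bak_root=${2:-/opt/stig/bak}
    ls -1 "$bak_root$src".* 2>/dev/null | sort | tail -n 1 | grep .
}

# Demonstration on constructed scratch paths rather than /etc and /opt/stig/bak.
demo_root=$(mktemp -d)
demo_dir=$(mktemp -d)
demo_src="$demo_dir/sshd_config"         # stands in for /etc/ssh/sshd_config
printf 'PermitRootLogin no\n' > "$demo_src"
echo "backup written to: $(stig_backup_file "$demo_src" "$demo_root")"
echo "latest backup:     $(stig_latest_backup "$demo_src" "$demo_root")"
rm -rf "$demo_root" "$demo_dir"
```

To roll a change back, copy the path printed by stig_latest_backup over the original with cp -p; because the backup keeps the original's mode, the restored file does not silently inherit a more permissive mode from the copy.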
6. Performing Manual Updates

This section describes manual configuration changes that you can make on your iDirect Linux
servers to comply with a number of PDIs not addressed by the iDirect scripts. These
procedures correct a number of open findings that remain outstanding after the iDirect scripts
have been executed.
Note: There are some open findings that cannot be addressed on iDirect servers. See “STIG Exceptions” on page 6 for a list of PDIs associated with these findings.
Follow the procedures in this section to make your server compliant with the specified PDIs.
Each procedure consists of one or more PDIs and the steps required to modify the server
configuration to comply with those PDIs.
Note: After you have made these changes, be sure to reboot your server.
Procedure 1: GEN000400, GEN000420
(GEN000400: CAT II) (Previously – G010) The SA will ensure a logon-warning banner is displayed on all devices and sessions at the initial logon.
(GEN000420: CAT II) (Previously – G011) The IAO will ensure the Legal Notice Logon Warning Banner includes the five points outlined in the CJCSM 6510.01. All DOD AISs will display, as a minimum, an electronic logon notice and consent banner that advises users of the following principles:
- The system is a DOD system.
- The system is subject to monitoring.
- Monitoring is authorized in accordance with applicable laws and regulations and conducted for purposes of systems management and protection, protection against improper or unauthorized use or access, and verification of applicable security features or procedures.
- Use of the system constitutes consent to monitoring.
- This system is for authorized US government use only.
Follow these steps to modify the login banner:
1. Edit the file /etc/motd.
2. Enter the content to comply with the PDI requirements.
3. Save the changes to /etc/motd.
Procedure 2: LNX00140
(LNX00140: CAT I) The GRUB boot-loader does not use an MD5 encrypted password.
Follow these steps to comply with the above PDI:
1. From the command line, enter the following command:
    grub-md5-crypt
2. When prompted, enter the password to obtain the password hash. Sample output is shown
   here:
    Password:
    Retype password:
    $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
3. Add the password hash to the grub configuration file /boot/grub/grub.conf as shown in
   the example below:
    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    password --md5 $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
    title Red Hat Enterprise Linux Server (2.6.18-164.6.1.el5)
            root (hd0,0)
            kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/
            initrd /initrd-2.6.18-164.6.1.el5.img
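A check that the password directive landed where LNX00140 needs it can be scripted: in GRUB legacy a password line in the global section (before the first title stanza, as in the listing above) protects the menu and command line, while one placed inside a title stanza protects only that entry. The following is an added example, not part of the iDirect scripts; the configuration it builds for the demonstration is constructed from the guide's listing, reusing the sample hash from Step 2.

```shell
#!/bin/sh
# Added example: verify that grub.conf carries an MD5 ($1$...) password
# directive in its global section, i.e. before the first "title" line.
# Not iDirect's own code. Returns 0 when compliant, 1 when not,
# 2 when the file cannot be read.

# grub_md5_password_check [GRUB_CONF]
grub_md5_password_check() {
    conf=${1:-/boot/grub/grub.conf}
    [ -r "$conf" ] || { echo "grub_md5_password_check: cannot read $conf" >&2; return 2; }
    # Keep only the global section (everything before the first title
    # stanza), then look for "password --md5 $1$..." within it. A plain
    # "password secret" line does not satisfy the MD5 requirement.
    awk '/^[[:space:]]*title/ { exit } { print }' "$conf" |
        grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$'
}

# Demonstration on a constructed copy of the guide's sample grub.conf,
# written to a temporary file rather than /boot/grub/grub.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
title Red Hat Enterprise Linux Server (2.6.18-164.6.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-164.6.1.el5.img
EOF
if grub_md5_password_check "$demo_conf"; then
    echo "LNX00140: global MD5 password present in $demo_conf"
else
    echo "LNX00140: open finding, no global MD5 password in $demo_conf"
fi
rm -f "$demo_conf"
```

Run it as root against the real file after Step 3 (`grub_md5_password_check` with no argument defaults to /boot/grub/grub.conf); a non-zero exit means the finding would still be open.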
Procedure 3: GEN001260
(GEN001260: CAT II) System log file permissions are more permissive than 640.
Follow the steps below to comply with the above PDI:
1. Find all files with permissions greater than 640 in the directory /var/log:
    find /var/log -perm /137 -ls
2. For every log file found in Step 1 (after determining that the log file's permissions can be
   safely changed) modify the file permissions using the following command:
    chmod 640 <filename>
   Where <filename> is the name of the log file.
Note: Due to the fact that log files can be created from many different processes that are not under iDirect’s control, iDirect cannot ensure 100% automated compliance with GEN001260. Upon execution, to the extent possible, the iDirect STIG hardening scripts set the permissions on existing log files properly and change the configuration options for future log files to comply with this PDI. However, there is no guarantee that new log files, rotated log files, or log configuration options will have or maintain the proper permissions. See the UNIX Security Checklist for more details.
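The audit-then-fix split that Procedure 3 describes, with the review in Step 2 kept separate from the chmod, as an added shell example (not iDirect's hardening scripts). The directory is a parameter so the routine can be tried on a scratch copy first; the demonstration at the bottom builds a constructed directory of three sample log files instead of touching /var/log. The /137 mask is the same one the procedure uses: it is the complement of 640 within 777, so any file with one of those bits set is more permissive than rw-r-----.

```shell
#!/bin/sh
# Added example for GEN001260: list, count and repair log files whose mode
# exceeds 640. Not iDirect's own code. Pass a directory; it defaults to /var/log.
STIG_PERM_MASK=137   # bits outside rw-r-----: u=x, g=wx, o=rwx

# gen001260_audit [DIR]
# Print, one per line, the regular files under DIR with any bit of the mask set.
# Review this list before fixing: the guide notes that daemons outside iDirect's
# control create and rotate logs with their own modes.
gen001260_audit() {
    dir=${1:-/var/log}
    find "$dir" -type f -perm "/$STIG_PERM_MASK" -print
}

# gen001260_count [DIR]
# Number of offending files, for scripted checks and reports.
gen001260_count() {
    gen001260_audit "$1" | wc -l | tr -d ' '
}

# gen001260_fix [DIR]
# Apply chmod 640 to every offending file and report each change.
gen001260_fix() {
    dir=${1:-/var/log}
    gen001260_audit "$dir" | while IFS= read -r f; do
        chmod 640 "$f" && printf 'fixed %s\n' "$f"
    done
}

# Demonstration on a constructed scratch directory instead of /var/log.
demo_dir=$(mktemp -d)
: > "$demo_dir/messages"; chmod 644 "$demo_dir/messages"   # world-readable: finding
: > "$demo_dir/secure";   chmod 640 "$demo_dir/secure"     # already compliant
: > "$demo_dir/cron";     chmod 666 "$demo_dir/cron"       # world-writable: finding
echo "before: $(gen001260_count "$demo_dir") file(s) exceed 640"
gen001260_fix "$demo_dir"
echo "after:  $(gen001260_count "$demo_dir") file(s) exceed 640"
rm -rf "$demo_dir"
```

Running gen001260_audit on a schedule and alerting when the count is non-zero is the practical answer to the note above: rotation and newly created logs can reopen the finding at any time, so the check has to be repeated rather than run once.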
7. STIG Exceptions

iDirect servers are not compliant with the PDIs listed in this section. Complying with the PDIs
in this list will interfere with the normal operations of iDirect networks. For complete
definitions of these PDIs, see the UNIX Security Technical Implementation Guide.
Note: iDirect does not support customer updates of any Operating System installed software. For example, customer upgrades to openssl or any other software package are not supported.

Table 1. List of UNIX STIG PDIs Not Supported on iDirect Servers
PDI Exception   Description
GEN000120       Vendor Recommended and Security Patches are not installed or are out-of-date.
GEN000760       An account is not locked after 35 days of inactivity.
GEN001560*      User directories contain undocumented non-startup files with access permissions greater than 750.
GEN006640       An approved DoD virus scan program is not used and/or updated.
*GEN001560 is an exception only on the NMS server, not on the protocol processor blades.

8. PDIs Not Enforced by iDirect

Not all PDIs are directly enforced on iDirect systems as part of the STIG feature. Some
unenforced PDIs are not applicable to iDirect servers. Others describe policies, periodic
procedures, or utilities (such as auditing tools) that are the responsibility of the Security
Administrator (SA) and are therefore outside of the scope of the iDirect STIG feature. You are
free to enforce these PDIs as required by your policies. For definitions of PDIs that are the
responsibility of the SA, see the UNIX Security Technical Implementation Guide.
The PDIs discussed here differ from the PDI exceptions listed in “STIG Exceptions” on page 6,
since compliance with the exceptions would interfere with normal operations of iDirect
systems.

9. Explanation of Specific Open Findings

This section provides an explanation of a number of open findings not fixed by the iDirect
scripts. These open findings may appear after running the STIG scripts. Only CAT I and CAT II
open findings are documented.

9.1 CAT I Open Findings

2001-A-0013: Ssh is vulnerable to a remote integer overflow.
Resolution: False Positive
Vulnerable Systems:
• OpenSSH 1.2, 1.2.1 - 1.2.3
• OpenSSH 2.1, 2.1.1, 2.2.0
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.
2002-T-0011: There are vulnerabilities in the OpenSSH Challenge Response Handling routine.
Resolution: False Positive
Vulnerable Systems:
• OpenSSH: Versions 2.3.1p1 through version 3.3 are vulnerable.
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.
2003-A-0015: There are multiple vulnerabilities in OpenSSL.
Resolution: False Positive
Vulnerable Systems:
• OpenSSL Project OpenSSL 0.9.6
• OpenSSL Project OpenSSL 0.9.6 a
• OpenSSL Project OpenSSL 0.9.6 b
• OpenSSL Project OpenSSL 0.9.6 c
• OpenSSL Project OpenSSL 0.9.6 d
• OpenSSL Project OpenSSL 0.9.6 e
• OpenSSL Project OpenSSL 0.9.6 g
• OpenSSL Project OpenSSL 0.9.6 h
• OpenSSL Project OpenSSL 0.9.6 i
• OpenSSL Project OpenSSL 0.9.6 j
• OpenSSL Project OpenSSL 0.9.7
• OpenSSL Project OpenSSL 0.9.7 a
• OpenSSL Project OpenSSL 0.9.7 b
• OpenSSL Project OpenSSL 0.9.7 beta1
• OpenSSL Project OpenSSL 0.9.7 beta2
• OpenSSL Project OpenSSL 0.9.7 beta3
The version of openssl we provide is greater than or equal to 0.9.8e-12.el5_4.6.
2009-T-0024: Multiple Vulnerabilities in Linux Kernel.
Resolution: False Positive
The Unix Checklist states:
Compliance Checking:
Red Hat Enterprise Linux 3 is vulnerable to CVE-2009-1265. RHEL4 and RHEL5 are not.
However, this IAVA does cover more than one CVE. A response from the Red Hat
Knowledge base indicates RHEL3 will not be patched and it will always be a finding on
the system. RHEL4 does not appear to have any fixes, so this will be a finding. Execute
uname -a to determine the kernel version. RHEL5 does have a kernel update for the CIFS
vulnerability. If the kernel version is less than 2.6.18-128.1.14.el5, this is a finding.
The kernel version we provide is greater than 2.6.18-128.1.14.el5.
2010-A-0041: Multiple Apache HTTP Server Vulnerabilities
Resolution: False Positive
CVE-2010-0408
Fixed by Red Hat in version 2.2.3-31.el5_4.4 or later. We provide a later release.
Source: https://rhn.redhat.com/errata/RHSA-2010-0168.html
2010-A-0050: OpenSSL Remote Denial of Service Vulnerability.
Resolution: False Positive
CVE-2010-0740
Official Statement from Red Hat (03/24/2010):
Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat
Enterprise Linux 3, 4, or 5.
Source: https://www.redhat.com/security/data/cve/CVE-2010-0740.html
2010-A-0099: Multiple Vulnerabilities in Apache httpd
Resolution: False Positive
iDirect servers currently run version 2.2.3-53 of the Apache httpd daemon. Based on the
problem description from the Apache Web site this issue was not introduced until version
2.2.9 and only affects Windows, Netware and OS operating systems. Therefore this finding is
not applicable to servers supplied by iDirect.
Source: http://httpd.apache.org/security/vulnerabilities_22.html
9.2 CAT II Open Findings
2001-T-0017: The OpenSSH UseLogin feature has Multiple Vulnerabilities.
Resolution: False Positive
Vulnerable Systems:
• OpenSSH versions prior to 2.1.1
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.
2003-T-0020: OpenSSH buffer mismanagement and multiple portable OpenSSH PAM vulnerabilities
Resolution: False Positive
Vulnerable Systems:
• OpenSSH versions prior to 3.7.1
The version of openssh we provide is greater than or equal to 4.3p2-41.el5.
GEN001020: The root account is logged onto directly.
Resolution: False Positive
This may show up as an open finding if the root account was logged onto directly before the
idirect_stig package was installed. The government-provided SRR script checks for
unauthorized log ons using the last command. This views historical data and doesn't reflect
the machine's current state.
To eliminate the false positive finding, you can empty the file /var/log/wtmp as
follows:
    cp /var/log/wtmp /var/log/wtmp.bak
    cat /dev/null > /var/log/wtmp
WARNING! This will reset the output of the last command.
GEN001060: Successful and unsuccessful accesses to the root account are not logged.
Resolution: False Positive
This may show up as an open finding if no user ever executed the su - command.
To eliminate the false positive finding, you can do the following:
1. Log on as a user other than the root user.
2. Execute the following command to log on to the root account:
su -
2008-A-0011: SQL Injection in Cisco Unified Communications Manager
Resolution: False Positive
The Cisco Unified Communications Manager is not installed on iDirect server platforms. The
SRR script that generates this finding merely checks that the Operating System being run is
Linux. If so, it generates this open finding and marks it for manual review.
10. Open Findings Fixed by the STIG Scripts

Table 2 contains a list of the UNIX STIG recommendations addressed by the iDirect scripts.
When the scripts are executed on an iDirect server, the server is modified to comply with the
recommendations described in the table.
Table 2. Open Findings Fixed by iDirect Scripts
PDI         Description
GEN000020   The UNIX host is bootable in single user mode without a password.
GEN000040   The UNIX host is not configured to require a password when booted to single-user mode and is not documented.
GEN000060   The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area.
GEN000460   After three consecutive unsuccessful login attempts the account is not disabled.
GEN000480   The login delay between login prompts after a failed login is set to less than four seconds.
GEN000540   Passwords can be changed more than once every 24 hours.
GEN000580   A password does not contain a minimum of 14 characters.
GEN000600   A password does not contain at least one upper case and one lower case character.
GEN000620   A password does not contain at least one numeric character.
GEN000640   A password does not contain at least one special character.
GEN000700   Passwords are not changed at least every 60 days.
GEN000800   Passwords are reused within the last five changes.
GEN000820   Global password configuration files are not configured per guidelines.
GEN000980   The root account can be directly logged into from other than the system console.
GEN001260   System log file permissions are more permissive than 640.
GEN001280   Manual page file permissions are more permissive than 644.
GEN001880   Local initialization files are more permissive than 740.
GEN002560   The system and user default umask is not 077.
GEN002680   System audit logs are readable by unauthorized users.
GEN002700   System audit logs are more permissive than 640.
GEN002720   The audit system is not configured to audit failed attempts to access files and programs.
GEN002740   The audit system is not configured to audit files and programs deleted by the user.
GEN002760   The audit system is not configured to audit all administrative, privileged, and security actions.
GEN002960   Access to the cron utility is not controlled via the cron.allow and/or cron.deny files.
GEN003080   Crontab files are more permissive than 600 (700 on some linux systems).
GEN003320   Default accounts are listed in the at.allow file.
GEN003600   Network parameters are not securely set.
GEN004000   The traceroute command is more permissive than 700.
GEN004540   The sendmail help command is not disabled.
GEN004560   The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask the version.
GEN004640   The sendmail decode command is not disabled.
GEN005320   The snmpd.conf file is more permissive than 700.
GEN005360   The snmpd.conf file is not owned by root and group owned by sys or the application.
GEN005400   The /etc/syslog.conf is not owned by root or is more permissive than 640.
GEN005540   Encrypted communications are not configured for IP filtering and logon warning banners.
GEN006620   The access control program is not configured to grant and deny system access to specific hosts.
LNX00320    Special privilege accounts, such as shutdown and halt have not been deleted.
LNX00440    The /etc/login.access or /etc/security/access.conf file is more permissive than 640.
LNX00520    The /etc/sysctl.conf file is more permissive than 600.