Sep 19, 2023
Functional Update
- GEN001160/GEN001170 - All files and directories must have a valid owner and group owner.
- GEN001890 - Local initialization files must not have extended ACLs - '.bash_logout'
- GEN001890 - Local initialization files must not have extended ACLs - '.bash_profile'
- GEN001890 - Local initialization files must not have extended ACLs - '.bashrc'
- GEN001890 - Local initialization files must not have extended ACLs - '.cshrc'
- GEN001890 - Local initialization files must not have extended ACLs - '.dispatch'
- GEN001890 - Local initialization files must not have extended ACLs - '.dtprofile'
- GEN001890 - Local initialization files must not have extended ACLs - '.emacs'
- GEN001890 - Local initialization files must not have extended ACLs - '.env'
- GEN001890 - Local initialization files must not have extended ACLs - '.exrc'
- GEN001890 - Local initialization files must not have extended ACLs - '.login'
- GEN001890 - Local initialization files must not have extended ACLs - '.logout'
- GEN001890 - Local initialization files must not have extended ACLs - '.profile'
- GEN002000 - There must be no .netrc files on the system.
- GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.rhosts'
- GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.shosts'
- GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'hosts.equiv'
- GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'shosts.equiv'
- GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/cd*'
- GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/rmt*'
- GEN002330 - Audio devices must not have extended ACLs.
- GEN002380 - The owner, group, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures
- GEN002440 - The owner, group, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures
- GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public dirs
- GEN002500 - The sticky bit must be set on all public directories.
- GEN002520 - All public directories must be owned by root or an application account.
- GEN002540 - All public directories must be group-owned by system or an application group.
- GEN003865 - Network analysis tools must not be installed - 'ethereal'
- GEN003865 - Network analysis tools must not be installed - 'netcat'
- GEN003865 - Network analysis tools must not be installed - 'snoop'
- GEN003865 - Network analysis tools must not be installed - 'tcpdump'
- GEN003865 - Network analysis tools must not be installed - 'tshark'
- GEN003865 - Network analysis tools must not be installed - 'wireshark'
- GEN004580 - The system must not use .forward files.
- GEN005190 - The .Xauthority files must not have extended ACLs.
- GEN005340 - Management Information Base (MIB) files must have mode 0640 or less permissive.
- GEN005350 - Management Information Base (MIB) files must not have extended ACLs.
Miscellaneous
- References updated.
- Variables updated.

May 31, 2023

Apr 12, 2023
Miscellaneous
- Metadata updated.
- Platform check updated.
- Variables updated.

Mar 7, 2023
Miscellaneous
- Metadata updated.
- References updated.

Dec 7, 2022
Functional Update
- GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon uses approved sources'

Apr 25, 2022
Miscellaneous
- Metadata updated.
- References updated.

Jul 30, 2021
Miscellaneous
- Metadata updated.
- References updated.

Jun 17, 2021

Feb 1, 2021
Miscellaneous
- Metadata updated.
- References updated.

Oct 5, 2020
Functional Update
- GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogin*greeting.labelString'
- GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogin*greeting'
- GEN000920 - The root account's home directory (other than /) must have mode 0700.
- GEN001100 - Root passwords must never be passed over a network in clear text form - 'root has logged in over a network'
- GEN001100 - Root passwords must never be passed over a network in clear text form - 'ssh is running'
- GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/nis'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/.login'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/bashrc'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.cshrc'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.login'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/environment'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/profile'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/.profile'
- GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/environ'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect'
- GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream'
- GEN002990 - The cron.allow file must not have an extended ACL.
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'adm'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'bin'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'daemon'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'esaadmin'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'guest'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'invscout'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'ipsec'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'lp'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'lpd'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'nobody'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'nuucp'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'pconsole'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'snapp'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'sshd'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'sys'
- GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'uucp'
- GEN003245 - The at.allow file must not have an extended ACL.
- GEN003300 - The at.deny file must not be empty if it exists
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys'
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp'
- GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency
- GEN003660 - The system must log authentication informational data - 'auth.*'
- GEN003660 - The system must log authentication informational data - 'auth.info'
- GEN003660 - The system must log authentication informational data - 'auth.notice'
- GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled
- GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'inetd.conf'
- GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'xinetd.conf'
- GEN004950 - The ftpusers file must not have an extended ACL.
- GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
- GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists'
- GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell'
- GEN006150 - The /usr/lib/smb.conf file must not have an extended ACL.
- GEN006210 - The /var/private/smbpasswd file must not have an extended ACL.
- GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba.
- GEN006230 - Samba must be configured to use encrypted passwords.
- GEN006270 - The /etc/news/hosts.nntp file must not have an extended ACL.
- GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
- GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
- GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
- GEN006640 - The system must use a virus scan program.
- GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label'
- GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists'
- GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes'
- GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label'
- GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists'
- GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes'