GEN000000-LNX00600 - The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.
GEN000240 - The system clock must be synchronized to an authoritative DoD time source.
GEN000241 - The system clock must be synchronized continuously.
GEN000242 - The system must use at least two time sources for clock synchronization - 'cron jobs'
GEN000450 - The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
GEN000452 - The system must display the date and time of the last successful account login upon login.
GEN000560 - The system must not have accounts configured with blank or null passwords.
GEN001060 - The system must log successful and unsuccessful access to the root account - rsyslog 'authpriv.*'
GEN001060 - The system must log successful and unsuccessful access to the root account - syslog 'authpriv.*'
GEN001100 - Root passwords must never be passed over a network in clear text form.
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server
GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EACCES'
GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EPERM'
GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F success=0'
GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F exit=-EACCES'
GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F exit=-EPERM'
GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F success=0'
GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F exit=-EACCES'
GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F exit=-EPERM'
GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F success=0'
GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F exit=-EACCES'
GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F exit=-EPERM'
GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F success=0'
GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F exit=-EACCES'
GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F exit=-EPERM'
GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F success=0'
GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity - 'action_mail_account'
GEN002860 - Audit logs must be rotated daily.
GEN002870 - The system must be configured to send audit/system records to a remote audit server - 'contains *.* @<server>'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'adm'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'bin'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'daemon'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'ftp'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'games'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'gopher'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'halt'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'lp'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'mail'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'news'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'nobody'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'operator'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'shutdown'
GEN003060 - Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - 'uucp'
GEN003160 - Cron logging must be implemented.
GEN003280 - Access to the at utility must be controlled via the at.allow and/or at.deny file(s) - at utility must be controlled via the at.allow and/or at.deny file(s).
GEN003300 - The at.deny file must not be empty if it exists.
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'adm'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'bin'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'daemon'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'ftp'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'games'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'gopher'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'halt'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'lp'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'mail'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'news'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'nobody'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'operator'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'shutdown'
GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist - 'uucp'
GEN003660 - The system must log informational authentication data - authpriv.*
GEN003660 - The system must log informational authentication data - authpriv.debug
GEN003660 - The system must log informational authentication data - authpriv.info
GEN003800 - Inetd or xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_on_failure'
GEN003800 - Inetd or xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_on_success'
GEN003800 - Inetd or xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_type'
GEN003800 - Inetd or xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_on_failure'
GEN003800 - Inetd or xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_on_success'
GEN003800 - Inetd or xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_type'
GEN003820 - The rsh daemon must not be running.
GEN003830 - The rlogind service must not be running.
GEN003840 - The rexec daemon must not be running.
GEN003860 - The system must not have the finger service active.
GEN004440 - Sendmail logging must not be set to less than nine in the sendmail.cf file.
GEN004540 - The SMTP service HELP command must not be enabled.
GEN004560 - The SMTP services SMTP greeting must not provide version information.
GEN004580 - The system must not use .forward files - '/etc/mail/sendmail.cf'
GEN004580 - The system must not use .forward files - 'find .forward'
GEN004660 - The SMTP service must not have the EXPN feature active.
GEN004680 - The SMTP service must not have the Verify (VRFY) feature active.
GEN004700 - The sendmail service must not have the wizard backdoor active.
GEN004710 - Mail relaying must be restricted - postfix
GEN004710 - Mail relaying must be restricted - sendmail
GEN004820 - Anonymous FTP must not be active on the system unless authorized.
GEN004840 - If the system is an anonymous FTP server, it must be isolated to the DMZ network.
GEN004880 - The ftpusers file must exist.
GEN004900 - The ftpusers file must contain account names not allowed to use FTP.
GEN004980 - The FTP daemon must be configured for logging or verbose mode.
GEN005000 - Anonymous FTP accounts must not have a functional shell.
GEN005040 - All FTP users must have a default umask of 077 - '/etc/vsftpd/vsftpd.conf anon_umask'
GEN005040 - All FTP users must have a default umask of 077 - '/etc/vsftpd/vsftpd.conf local_umask'
GEN005040 - All FTP users must have a default umask of 077 - '/etc/xinetd.d/gssftp'
GEN005080 - The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system - secure mode which provides access only to a single directory on the host file system.
GEN005100 - The TFTP daemon must have mode 0755 or less permissive.
GEN005120 - The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell such as /bin/false, and a home directory owned by the TFTP user.
GEN005160 - Any X Windows host must write .Xauthority files.
GEN005180 - All .Xauthority files must have mode 0600 or less permissive.
GEN005190 - The .Xauthority files must not have extended ACLs.
GEN005200 - X displays must not be exported to the world.
GEN005220 - .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
GEN005240 - The .Xauthority utility must only permit access to authorized hosts.
GEN005260 - X Window System connections not required must be disabled.
GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive. - /etc/rsyslog.conf
GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive. - /etc/syslog.conf
GEN005395 - The /etc/syslog.conf file must not have an extended ACL. - /etc/rsyslog.conf
GEN005395 - The /etc/syslog.conf file must not have an extended ACL. - /etc/syslog.conf
GEN005450 - The system must use a remote syslog server (loghost) - rsyslog.conf
GEN005450 - The system must use a remote syslog server (loghost) - syslog.conf
GEN005460 - The system must only use remote syslog servers (log hosts) that is justified and documented using site-defined procedures.
GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups.
GEN005740 - The Network File System (NFS) export configuration file must be owned by root.
GEN005750 - The Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system.
GEN005760 - The Network File System (NFS) export configuration file must have mode 0644 or less permissive.
GEN005770 - The Network File System (NFS) exports configuration file must not have an extended ACL.
GEN005800 - All Network File System (NFS) exported system files and system directories must be owned by root.
GEN005810 - All Network File System (NFS) exported system files and system directories must be group-owned by root, bin, sys, or system.
GEN005820 - The Network File System (NFS) anonymous UID and GID must be configured to values without permissions - 'anongid'
GEN005820 - The Network File System (NFS) anonymous UID and GID must be configured to values without permissions - 'anonuid'
GEN005840 - The Network File System (NFS) server must be configured to restrict file system access to local hosts.
GEN005880 - The Network File System (NFS) server must not allow remote root access - 'all_squash / root_squash'
GEN005880 - The Network File System (NFS) server must not allow remote root access - 'no_root_squash'
GEN006060 - The system must not run Samba unless needed.
GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - '/etc/xinetd.d/swat'
GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - 'samba-swat'
GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - 'samba3x-swat'
GEN006100 - The /etc/smb.conf file must be owned by root.
GEN006120 - The /etc/smb.conf file must be group-owned by root, bin, sys, or system.
GEN006140 - The /etc/smb.conf file must have mode 0644 or less permissive.
GEN006150 - The /etc/smb.conf file must not have an extended ACL.
GEN006160 - The /etc/smbpasswd file must be owned by root - '/etc/samba.secrets.tdb'
GEN006160 - The /etc/smbpasswd file must be owned by root - '/etc/samba/passdb.tdb'
GEN006180 - The smbpasswd file must be group-owned by root - '/etc/samba/passdb.tdb'
GEN006180 - The smbpasswd file must be group-owned by root - '/etc/samba/secrets.tdb'
GEN006200 - The smbpasswd file must have mode 0600 or less permissive - '/etc/samba/passdb.tdb'
GEN006200 - The smbpasswd file must have mode 0600 or less permissive - '/etc/samba/secrets.tdb'
GEN006210 - The /etc/smbpasswd file must not have an extended ACL - '/etc/samba/passdb.tdb'
GEN006210 - The /etc/smbpasswd file must not have an extended ACL - '/etc/samba/secrets.tdb'
GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba - hosts option to restrict access to Samba.
GEN006225 - Samba must be configured to use an authentication mechanism other than share - share.
GEN006230 - Samba must be configured to use encrypted passwords.
GEN006235 - Samba must be configured to not allow guest access to shares.
GEN006240 - The system must not run an Internet Network News (INN) server.
GEN006260 - The /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive - or equivalent must have mode 0600 or less permissive
GEN006270 - The /etc/news/incoming.conf file must not have an extended ACL.
GEN006280 - The /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.
GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
GEN006300 - The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive - or equivalent must have mode 0600 or less permissive
GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
GEN006320 - The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
GEN006340 - Files in /etc/news must be owned by root or news.
GEN006360 - The files in /etc/news must be group-owned by root or news.
GEN006380 - The system must not use UDP for NIS/NIS+.
GEN006420 - NIS maps must be protected through hard-to-guess domain names.
GEN006565 - The system package management tool must be used to verify system software periodically.
GEN006570 - The file integrity tool must be configured to verify ACLs.
GEN006571 - The file integrity tool must be configured to verify extended attributes.
GEN006575 - The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
GEN006600 - The systems access control program must log each system access attempt - *.debug
GEN006600 - The systems access control program must log each system access attempt - *.info
GEN006600 - The systems access control program must log each system access attempt - authpriv.*
GEN006600 - The systems access control program must log each system access attempt - authpriv.debug
GEN006600 - The systems access control program must log each system access attempt - authpriv.info
GEN006620 - The systems access control program must be configured to grant or deny system access to specific hosts.
GEN007020 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp /bin/true'
GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp_ipv4 /bin/true'
GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp_ipv6 /bin/true'
GEN007260 - The AppleTalk protocol must be disabled or not installed - 'install appletalk'
GEN007480 - The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required - 'install rds /bin/true'
GEN007540 - The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled - 'install tipc /bin/true'
GEN007660 - The Bluetooth protocol handler must be disabled or not installed - 'install bluetooth /bin/true'
GEN007850 - The DHCP client must not send dynamic DNS updates.
GEN007980 - If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms - '/etc/ldap.conf'
GEN007980 - If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms - 'ssl start_tls'
GEN007980 - If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms - 'tls_ciphers'
GEN008000 - If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI - 'manual cert check'
GEN008000 - If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI - 'tls_cert'
GEN008020 - If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA.
GEN008040 - If the system is using LDAP for authentication or account information, the system must verify the LDAP servers certificate has not been revoked.
GEN008050 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords - or equivalent must not contain passwords.
GEN008060 - If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
GEN008080 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root - or equivalent file must be owned by root.
GEN008100 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
GEN008120 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL - or equivalent file must not have an extended ACL.
GEN008140 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root - '/etc/ssl/'
GEN008140 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root - '/etc/ssl/ca.cert'
GEN008140 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root - '/etc/ssl/certs'
GEN008160 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system - '/etc/ssl/'
GEN008160 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system - '/etc/ssl/certs'
GEN008160 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system - /etc/ssl/ca.cert
GEN008180 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive - '/etc/ssl/'
GEN008180 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive - '/etc/ssl/ca.cert'
GEN008180 - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive - '/etc/ssl/certs'
GEN008200 - If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL - as appropriate must not have an extended ACL.
GEN008220 - For systems using NSS LDAP, the TLS certificate file must be owned by root - ''/etc/openldap/cacerts/cert.pem
GEN008240 - If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system - '/etc/openldap/cacerts/cert.pem'
GEN008260 - If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive - '/etc/openldap/cacerts/cert.pem'
GEN008280 - If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL - '/etc/openldap/cacerts/cert.pem'
GEN008300 - If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root - '/etc/openldap/cacerts/key.pem'
GEN008320 - If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, or sys - '/etc/openldap/cacerts/key.pem'
GEN008340 - If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive - '/etc/openldap/cacerts/key.pem'
GEN008360 - If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL - '/etc/openldap/cacerts/key.pem'
GEN008480 - The system must have USB Mass Storage disabled unless needed.
GEN008500 - The system must have IEEE 1394 (Firewire) disabled unless needed.
