oval:org.secpod.oval:def:25892 System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume.
oval:org.secpod.oval:def:26068 The direct GNOME login warning banner should be set correctly.
oval:org.secpod.oval:def:25893 Idle activation of the screen lock should be enabled.
oval:org.secpod.oval:def:26069 The TFTP daemon should use secure mode.
oval:org.secpod.oval:def:25895 The password hashing algorithm should be set correctly in /etc/pam.d/common-password.
oval:org.secpod.oval:def:26063 The DPKG package 'vsftpd' should be installed.
oval:org.secpod.oval:def:26065 Enable the GUI warning banner.
oval:org.secpod.oval:def:26066 The DPKG package 'xserver-common' should be removed.
oval:org.secpod.oval:def:26052 The SELinux in /boot/grub/grub.cfg should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:26054 The rsh service should be disabled if possible.
oval:org.secpod.oval:def:25987 The file /etc/pam.d/common-auth should not contain the nullok option
oval:org.secpod.oval:def:26045 The rlogin service should be disabled if possible.
oval:org.secpod.oval:def:26048 The bind9 service should be disabled if possible.
oval:org.secpod.oval:def:26042 The telnet service should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:26043 The DPKG package 'slapd' should be removed.
oval:org.secpod.oval:def:25979 DHCP configuration should be static for all interfaces.
oval:org.secpod.oval:def:26034 File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly.
oval:org.secpod.oval:def:26036 The sshd service should be disabled if possible.
oval:org.secpod.oval:def:26039 Require the use of TLS for LDAP clients.
oval:org.secpod.oval:def:25986 The kernel runtime parameter "net.ipv4.conf.all.accept_source_route" should be set to "0".
oval:org.secpod.oval:def:26033 The Avahi daemon should be configured to serve via IPv6 or not as appropriate.
oval:org.secpod.oval:def:26070 The apache2 Proxy Module Support should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:26074 The DPKG package 'strongswan' should be installed.
oval:org.secpod.oval:def:25927 Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.
oval:org.secpod.oval:def:25910 Idle activation of the screen saver should be enabled.
oval:org.secpod.oval:def:25915 The screen saver should be blank.
oval:org.secpod.oval:def:25916 Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options, which is used as temporary storage by many programs, particularly system services such as daemons. It is not uncommon for the /var directory to contain world-writable directories, installed by ot ...
oval:org.secpod.oval:def:25908 If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
oval:org.secpod.oval:def:25909 The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp.
oval:org.secpod.oval:def:25903 Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
oval:org.secpod.oval:def:25968 The 'grub.cfg' file should be owned by appropriate user. By default, this file is located at /boot/grub/grub.cfg or, for EFI systems, at /boot/grub/grub.cfg.
oval:org.secpod.oval:def:26023 Configure the system to notify users of last logon/access using pam_lastlog.
oval:org.secpod.oval:def:26024 The /etc/apache2/conf-available/* files should have the appropriate permissions.
oval:org.secpod.oval:def:26028 Directory permissions for /etc/apache2/conf-enabled/ should be set as appropriate.
oval:org.secpod.oval:def:26022 Accounts should be configured to expire automatically following a period of inactivity.
oval:org.secpod.oval:def:26013 The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME.
oval:org.secpod.oval:def:26011 The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The noexec option prevents code from being executed directly from the media itself, ...
oval:org.secpod.oval:def:26003 The PATH variable should be set correctly for user root
oval:org.secpod.oval:def:25951 File permissions for '/boot/grub/grub.cfg' should be set appropriately.
oval:org.secpod.oval:def:26006 Directory permissions for /var/log/apache2 should be set appropriately.
oval:org.secpod.oval:def:26008 Global IPv6 initialization should be disabled.
oval:org.secpod.oval:def:25933 The allowed period of inactivity before the screensaver is activated.
oval:org.secpod.oval:def:26014 The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.
oval:org.secpod.oval:def:26016 The 'rsyslog' to Accept Messages via TCP, if Acting As Log Server should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:25911 The password ucredit should meet minimum requirements using pam_cracklib
oval:org.secpod.oval:def:25896 The kernel module cramfs should be disabled.
oval:org.secpod.oval:def:25917 The kernel module jffs2 should be disabled.
oval:org.secpod.oval:def:25925 Postfix network listening should be disabled
oval:org.secpod.oval:def:25983 All files should be owned by a user
oval:org.secpod.oval:def:25918 The kernel module udf should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:25973 The kernel runtime parameter "kernel.exec-shield" should be set to "1".
oval:org.secpod.oval:def:26044 The DPKG package 'rsh-server' should be removed.
oval:org.secpod.oval:def:25998 By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers ...
oval:org.secpod.oval:def:25929 Syslog logs should be sent to a remote loghost
oval:org.secpod.oval:def:25899 The password dcredit should meet minimum requirements using pam_cracklib
oval:org.secpod.oval:def:25920 It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /tmp. The noexec mount option prevents binaries from being executed out of /tmp.
oval:org.secpod.oval:def:25981 The /etc/gshadow file should be owned by the appropriate user.
oval:org.secpod.oval:def:26055 The DPKG package 'xinetd' should be removed.
oval:org.secpod.oval:def:25958 Only the root account should be assigned a user id of 0.
oval:org.secpod.oval:def:26051 The DPKG package 'tftpd' should be removed.
oval:org.secpod.oval:def:25969 The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".
oval:org.secpod.oval:def:26000 The Set Lockout Time For Failed Password Attempts should be set correctly.
oval:org.secpod.oval:def:25982 The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0".
oval:org.secpod.oval:def:26021 The '.rhosts' or 'hosts.equiv' files should exist or not exist on the system.
oval:org.secpod.oval:def:26072 The DPKG package 'sendmail' should be removed.
oval:org.secpod.oval:def:25921 The passwords to remember should be set correctly.
oval:org.secpod.oval:def:25994 The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".
oval:org.secpod.oval:def:25954 File permissions for '/etc/group' should be set correctly.
oval:org.secpod.oval:def:26018 space_left_action setting in /etc/audit/auditd.conf is set to a certain action
oval:org.secpod.oval:def:26004 Logging of vsftpd transactions should be enabled or disabled as appropriate
oval:org.secpod.oval:def:25942 All files should be owned by a group
oval:org.secpod.oval:def:25939 The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devic ...
oval:org.secpod.oval:def:25900 The squashfs Kernel Module should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:25944 The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".
oval:org.secpod.oval:def:26060 The DPKG package 'isc-dhcp-server' should be removed.
oval:org.secpod.oval:def:25948 Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives
oval:org.secpod.oval:def:25999 The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing ca ...
oval:org.secpod.oval:def:26053 The DPKG package 'squid' should be removed.
oval:org.secpod.oval:def:25935 The number of allowed failed logins should be set correctly.
oval:org.secpod.oval:def:25947 The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1".
oval:org.secpod.oval:def:25959 The nosuid option should be enabled for all NFS mounts in /etc/fstab.
oval:org.secpod.oval:def:25980 Verify which group owns the /boot/grub/grub.cfg file.
oval:org.secpod.oval:def:25941 This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check.
oval:org.secpod.oval:def:26067 The password hashing algorithm should be set correctly in /etc/libuser.conf.
oval:org.secpod.oval:def:25924 Legitimate character and block devices should not exist within temporary directories like /run/shm. The nodev mount option should be specified for /run/shm.
oval:org.secpod.oval:def:26049 The DPKG package 'dovecot' should be removed.
oval:org.secpod.oval:def:25943 The SELinux policy should be set appropriately.
oval:org.secpod.oval:def:26001 File uploads via vsftpd should be enabled or disabled as appropriate
oval:org.secpod.oval:def:25934 The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".
oval:org.secpod.oval:def:25989 Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.
oval:org.secpod.oval:def:26073 SSL capabilities should be enabled for the mail server.
oval:org.secpod.oval:def:25932 The environment variable PATH should be set correctly for the root user.
oval:org.secpod.oval:def:25907 The kernel module freevxfs should be disabled.
oval:org.secpod.oval:def:25953 The /etc/passwd file should be owned by the appropriate user.
oval:org.secpod.oval:def:26031 max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value
oval:org.secpod.oval:def:25922 The nosuid mount option should be set for temporary storage partitions such as /tmp. The suid/sgid permissions should not be required in these world-writable directories.
oval:org.secpod.oval:def:25898 The default umask for all users specified in /etc/login.defs
oval:org.secpod.oval:def:26020 action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account
oval:org.secpod.oval:def:25930 rsyslogd should reject remote messages
oval:org.secpod.oval:def:25966 This test makes sure that the '/etc/shadow' file permission is set appropriately. If the target file or directory has an extended ACL then it will fail the mode check.
oval:org.secpod.oval:def:25897 The kernel module hfsplus should be disabled.
oval:org.secpod.oval:def:26064 Require the use of TLS for LDAP clients.
oval:org.secpod.oval:def:25946 The grub boot loader should have password protection enabled.
oval:org.secpod.oval:def:25928 The kernel module hfs should be disabled.
oval:org.secpod.oval:def:26002 The password retry should meet minimum requirements using pam_cracklib
oval:org.secpod.oval:def:25962 The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".
oval:org.secpod.oval:def:25949 The /etc/group file should be owned by the appropriate group.
oval:org.secpod.oval:def:25978 The kernel module usb-storage should be disabled.
oval:org.secpod.oval:def:26038 The DPKG package 'vsftpd' should be removed.
oval:org.secpod.oval:def:25904 The kernel module dccp should be disabled.
oval:org.secpod.oval:def:25894 The kernel module rds should be disabled.
oval:org.secpod.oval:def:25990 The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".
oval:org.secpod.oval:def:26025 The kernel runtime parameter "kernel.dmesg_restrict" should be set to "1".
oval:org.secpod.oval:def:26007 The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.
oval:org.secpod.oval:def:25992 All wireless interfaces should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:25974 Look for argument "nousb" in the kernel line in /etc/grub.conf
oval:org.secpod.oval:def:25967 The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".
oval:org.secpod.oval:def:25963 The Kernel Parameter for Accepting Source-Routed Packets By Default should be enabled or disabled as appropriate. The kernel runtime parameter "net.ipv4.conf.default.accept_source_route" should be set to "0".
oval:org.secpod.oval:def:26040 The DPKG package 'rsyslog' should be installed.
oval:org.secpod.oval:def:25970 The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0".
oval:org.secpod.oval:def:26037 The DPKG package 'snmpd' should be removed.
oval:org.secpod.oval:def:25952 This test makes sure that '/etc/gshadow' has appropriate permissions set. If the target file or directory has an extended ACL then it will fail the mode check.
oval:org.secpod.oval:def:25901 The password ocredit should meet minimum requirements using pam_cracklib
oval:org.secpod.oval:def:25914 The password lcredit should meet minimum requirements using pam_cracklib
oval:org.secpod.oval:def:26046 The DPKG package 'bind' should be removed.
oval:org.secpod.oval:def:25997 A remote NTP Server for time synchronization should be specified (and dependencies are met)
oval:org.secpod.oval:def:25950 The /etc/shadow file should be owned by the appropriate user.
oval:org.secpod.oval:def:25996 The nodev option should be enabled for all NFS mounts in /etc/fstab.
oval:org.secpod.oval:def:25993 If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).
oval:org.secpod.oval:def:25906 The nosuid mount option should be set for temporary storage partitions such as /run/shm. The suid/sgid permissions should not be required in these world-writable directories.
oval:org.secpod.oval:def:25995 Check if SplitHosts line in logwatch.conf is set appropriately.
oval:org.secpod.oval:def:26041 The DPKG package 'telnetd' should be removed.
oval:org.secpod.oval:def:26047 Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).
oval:org.secpod.oval:def:26005 A warning banner for all FTP users should be enabled or disabled as appropriate
oval:org.secpod.oval:def:26026 The maximum number of concurrent login sessions per user should meet minimum requirements.
oval:org.secpod.oval:def:25961 The /etc/gshadow file should be owned by the appropriate group.
oval:org.secpod.oval:def:25902 The kernel module sctp should be disabled.
oval:org.secpod.oval:def:26058 The DPKG package 'apache2' should be removed.
oval:org.secpod.oval:def:25926 Look for argument audit=1 in the kernel line in /etc/grub.conf.
oval:org.secpod.oval:def:25960 The system login banner text should be set correctly.
oval:org.secpod.oval:def:26050 The DPKG package 'screen' should be installed.
oval:org.secpod.oval:def:25956 The '/etc/shadow' file should be owned by the appropriate group.
oval:org.secpod.oval:def:26035 The rsyslog to Accept Messages via UDP, if Acting As Log Server should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:25919 The kernel module tipc should be disabled.
oval:org.secpod.oval:def:25988 The kernel runtime parameter "fs.suid_dumpable" should be set to "0".
oval:org.secpod.oval:def:25972 The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".
oval:org.secpod.oval:def:26019 admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action
oval:org.secpod.oval:def:26017 max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action
oval:org.secpod.oval:def:25931 The /etc/group file should be owned by the appropriate user.
oval:org.secpod.oval:def:25984 Core dumps for all users should be disabled
oval:org.secpod.oval:def:25936 The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0".
oval:org.secpod.oval:def:26009 The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".
oval:org.secpod.oval:def:25977 The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".
oval:org.secpod.oval:def:26015 The password hashing algorithm should be set correctly in /etc/login.defs.
oval:org.secpod.oval:def:25955 The root account is the only system account that should have a login shell.
oval:org.secpod.oval:def:25985 The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME.
oval:org.secpod.oval:def:26062 Plaintext authentication of mail clients should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:25912 The password difok should meet minimum requirements using pam_cracklib
oval:org.secpod.oval:def:26027 In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period.
oval:org.secpod.oval:def:26030 num_logs setting in /etc/audit/auditd.conf is set to at least a certain value
oval:org.secpod.oval:def:26057 Only SSH protocol version 2 connections should be permitted.
oval:org.secpod.oval:def:25891 Root login via SSH should be disabled (and dependencies are met)
oval:org.secpod.oval:def:25938 The /etc/passwd file should be owned by the appropriate group.
oval:org.secpod.oval:def:26059 SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
oval:org.secpod.oval:def:25957 The SELinux state should be enforcing the local policy.
oval:org.secpod.oval:def:25923 The kernel module bluetooth should be disabled.
oval:org.secpod.oval:def:25991 The nosuid mount option prevents set-user-identifier (suid) and set-group-identifier (sgid) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce suid and g ...
oval:org.secpod.oval:def:26010 The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".
oval:org.secpod.oval:def:26071 Dovecot plaintext authentication of clients should be enabled or disabled as necessary
oval:org.secpod.oval:def:26061 Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)
oval:org.secpod.oval:def:25971 The password minimum length should be set appropriately.
oval:org.secpod.oval:def:25913 It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /run/shm. The noexec mount option prevents binaries from being executed out of /run/shm.
oval:org.secpod.oval:def:25945 Logins through the Direct root Logins Not Allowed should be enabled or disabled as appropriate.
oval:org.secpod.oval:def:26029 Protect against unnecessary release of information.
oval:org.secpod.oval:def:26012 Test if HostLimit line in logwatch.conf is set appropriately. On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is runni ...
oval:org.secpod.oval:def:25940 The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".
oval:org.secpod.oval:def:26056 The DPKG package 'aide' should be installed.
oval:org.secpod.oval:def:25937 Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
oval:org.secpod.oval:def:25976 The logrotate (syslog rotater) service should be enabled.
oval:org.secpod.oval:def:25964 The maximum password age policy should meet minimum requirements.
oval:org.secpod.oval:def:25975 The minimum password age policy should be set appropriately.
oval:org.secpod.oval:def:26032 Ctrl-Alt-Del Reboot Activation should be set as appropriate.
oval:org.secpod.oval:def:25965 The Set Password Warning Age should be set appropriately.
oval:org.secpod.oval:def:25905 All password hashes should be shadowed.