SecurityCenter 4 800 53 Summary CCI to NIST Chapter ... Vulnerability Summary CCI to NIST 800 53...

SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013 RONLAB Chapter Vulnerability Summary CCI to NIST 800 53 April 18, 2013 at 7:50am EDT [cody] Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.


AC-1 - Access Control Policy and Procedures

Tenable Network Security 1


CCI-001546 - The organization defines the frequency of access control procedures review/updates.

CCI-000005 - The organization disseminates a formal, documented, access control procedure to elements within the organization having associated access control roles and responsibilities.

CCI-000002 - The organization disseminates a formal, documented, access control policy to elements within the organization having associated access control roles and responsibilities.

CCI-001545 - The organization defines the frequency of access control policy review/updates.

CCI-000004 - The organization develops formal, documented procedures to facilitate the implementation of the access control policy.

CCI-000006 - The organization periodically reviews/updates the formal, documented, access control procedures in accordance with organization-defined frequency.

CCI-000003 - The organization periodically reviews/updates the formal, documented, access control policy in accordance with organization-defined frequency.

CCI-000001 - The organization develops a formal, documented, access control policy that addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities and compliance.

CCI Mapping Summary


AC-2-1 - Account Management


CCI-000007 - The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous and temporary).

CCI-001404 - The information system automatically audits account disabling actions and notifies, as required, appropriate individuals.

CCI-001406 - The organization defines a time period of expected inactivity and/or description of when users are required to log out.

CCI-000008 - The organization manages information system accounts by establishing conditions for group membership.

CCI-001354 - The organization manages information system accounts by deactivating temporary accounts that are no longer required.

CCI-000011 - The organization manages information system accounts by establishing, activating, modifying, disabling, and removing accounts.

CCI-000014 - The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.

CCI-001358 - The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles.

CCI-000208 - The organization determines normal time-of-day and duration usage for information system accounts.

CCI-001361 - The organization defines a time period after which temporary accounts are automatically terminated.

CCI-000020 - The information system dynamically manages user privileges and associated access authorizations.

CCI-000217 - The organization defines a time period after which inactive accounts are automatically disabled.

CCI-001403 - The information system automatically audits account modification and notifies, as required, appropriate individuals.

CCI-001360 - The organization monitors privileged role assignments.

CCI-000009 - The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.

CCI-000016 - The information system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.

CCI-001547 - The organization manages information system accounts by defining the frequency of information system account reviews.

CCI-001359 - The organization tracks privileged role assignments.

CCI-000019 - The organization requires that users log out in accordance with the organization-defined time period of inactivity and/or description of when to log out.


CCI-000018 - The information system automatically audits account creation and notifies, as required, appropriate individuals.

CCI-000012 - The organization manages information system accounts by periodically reviewing information system accounts in accordance with organization-defined frequency.

CCI-001407 - The organization administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles.

CCI-001355 - The organization manages information system accounts by deactivating accounts of terminated or transferred users.

CCI-000015 - The organization employs automated mechanisms to support the information system account management functions.


CCI Mapping Summary

Plugin | Total | Severity | Plugin Name
1002022 | 1 | High | GEN000290-1 - The system must not have the unnecessary 'games' account.
1002021 | 1 | Info | GEN000290-2 - The system must not have the unnecessary 'news' account.
1002020 | 1 | High | GEN000290-3 - The system must not have the unnecessary 'gopher' account.
1002019 | 1 | High | GEN000290-4 - The system must not have the unnecessary 'ftp' account.
1002018 | 1 | High | GEN000290-5 - The system must not have the unnecessary 'lp' account.
1001972 | 1 | High | GEN000850 - The system must restrict the ability to switch to the root user to members of a defined group.
1001721 | 1 | High | GEN002750 - The audit system must be configured to audit account creation. 'useradd/groupadd'
1001720 | 1 | High | GEN002750 - The audit system must be configured to audit account creation. 'passwd/shadow'
1001718 | 1 | High | GEN002751 - The audit system must be configured to audit account modification. 'passwd/shadow'
1001717 | 1 | High | GEN002752 - The audit system must be configured to audit account disabling.


AC-2-2 - Account Management


CCI-000013 - The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.

CCI-000237 - The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts.

CCI-000010 - The organization manages information system accounts by requiring appropriate approvals for requests to establish accounts.

CCI-001405 - The information system automatically audits account termination and notifies, as required, appropriate individuals.

CCI-000017 - The information system automatically disables inactive accounts after an organization-defined time period.

CCI-001365 - The organization defines a time period after which emergency accounts are automatically terminated.

CCI-001356 - The organization monitors for atypical usage of information system accounts.

CCI-001357 - The organization reports atypical usage to designated organizational officials.

CCI Mapping Summary

Plugin | Total | Severity | Plugin Name
1001716 | 1 | High | GEN002753 - The audit system must be configured to audit account termination.


AC-3 - Access Enforcement


CCI-001413 - The organization encrypts or stores off-line in a secure location organization-defined system information.

CCI-001363 - The organization establishes a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both.

CCI-000215 - The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.

CCI-001411 - The organization defines security-relevant information to which the information system prevents access except during secure, nonoperable system states.

CCI-000214 - The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights.

CCI-001410 - The organization defines the set of users and resources over which the information system is to enforce nondiscretionary access control policies.

CCI-000022 - The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.

CCI-001362 - The information system enforces an organization-defined Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both, limits propagation of access rights and includes or excludes access to the granularity of a single user.

CCI-001367 - The organization defines system information to be encrypted or stored off-line in a secure location.

CCI-001412 - The organization encrypts or stores off-line in a secure location organization-defined user information.

CCI-000021 - The information system enforces dual authorization, based on organizational policies and procedures for organization-defined privileged commands.

CCI-001409 - The organization defines nondiscretionary access control policies to be enforced over an organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access.

CCI-001408 - The organization defines privileged commands for which dual authorization is to be enforced.

CCI-000024 - The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.

CCI-000213 - The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

CCI-001366 - The organization defines user information to be encrypted or stored off-line in a secure location.


CCI Mapping Summary

Plugin | Total | Severity | Plugin Name
1002415 | 3 | High | 3.1.1.1 (GEN000020) Single User Mode Password
1002036 | 1 | High | GEN000020 - The system must require authentication upon booting into single-user and maintenance modes.
1001415 | 1 | High | GEN008700 - The system boot loader must require authentication.


AC-4-1 - Information Flow Enforcement


CCI-000034 - The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters.

CCI-001555 - The information system uniquely identifies destination domains for information transfer.

CCI-001554 - The organization defines the security policy filters that privileged administrators have the capability to configure.

CCI-000030 - The information system enforces information flow control on metadata.

CCI-001371 - The organization defines information security policy requirements for constraining data structure and content.

CCI-000223 - The information system binds security attributes to information to facilitate information flow policy enforcement.

CCI-001550 - The organization defines approved authorizations for controlling the flow of information within the system.

CCI-001376 - The information system uniquely identifies source domains for information transfer.

CCI-001377 - The information system uniquely authenticates source domains for information transfer.

CCI-001552 - The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations.

CCI-000032 - The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions.

CCI-000218 - The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.

CCI-000031 - The information system enforces organization-defined one-way flows using hardware mechanisms.

CCI-001557 - The information system tracks problems associated with the information transfer.

CCI-000027 - The information system enforces dynamic information flow control based on policy that allows or disallows information flows based upon changing conditions or operational considerations.

CCI-001417 - The organization defines security policy filters to be enforced by the information system and used as a basis for flow control decisions.

CCI-000221 - The information system enforces security policies regarding information on interconnected systems.

CCI-001372 - The information system, when transferring information between different security domains, implements policy filters that constrain data structure and content to organization-defined information security policy requirements.

CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system in accordance with applicable policy.


CCI-001553 - The organization defines the security policy filters that privileged administrators have the capability to enable/disable.

CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.

CCI-000025 - The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.

CCI-001415 - The organization defines limitations of the embedding of data types within other data types.

CCI-001551 - The organization defines approved authorizations for controlling the flow of information between interconnected systems.


CCI Mapping Summary

Plugin | Total | Severity | Plugin Name
1002237 | 1 | Info | 3.2.1.159 (GEN003600) Network Security Settings (ip_forward) (0)
1002236 | 1 | High | 3.2.1.159 (GEN003600) Network Security Settings (tcp_max_syn_backlog) (1280)
1002235 | 1 | Info | 3.2.1.159 (GEN003600) Network Security Settings (accept_source_route) (0)
1002234 | 1 | Info | 3.2.1.159 (GEN003600) Network Security Settings (icmp_echo_ignore_broadcasts) (1)
1002057 | 1 | High | GEN000000-LNX00360 - The X server must have the correct options enabled. '-auth'
1002056 | 1 | High | GEN000000-LNX00360 - The X server must have the correct options enabled. '-audit = 4'
1002055 | 1 | High | GEN000000-LNX00360 - The X server must have the correct options enabled. '-s <= 15'
1002054 | 1 | Info | GEN000000-LNX00360 - The X server must have the correct options enabled. ':0 /usr/bin/X:0'
1002053 | 1 | Info | GEN000000-LNX00380 - An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. '-ac'
1002052 | 1 | Info | GEN000000-LNX00380 - An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. '-core'
1002051 | 1 | Info | GEN000000-LNX00380 - An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. '-nolock'
1002042 | 1 | High | GEN000000-LNX00720 - Auditing must be enabled at boot by setting a kernel parameter.


1002038 | 1 | Info | GEN000000-LNX00800 - The system must use a Linux Security Module that is configured to limit the privileges of system services. '/etc/selinux/config'
1002037 | 1 | Info | GEN000000-LNX00800 - The system must use a Linux Security Module that is configured to limit the privileges of system services. 'getenforce'
1001615 | 1 | Info | GEN003600 - The system must not forward IPv4 source-routed packets.
1001613 | 1 | High | GEN003603 - The system must not respond to ICMPv4 echoes sent to a broadcast address.
1001612 | 1 | High | GEN003604 - The system must not respond to ICMP timestamp requests sent to a broadcast address.
1001609 | 1 | High | GEN003607 - The system must not accept source-routed IPv4 packets.
1001608 | 1 | High | GEN003608 - Proxy ARP must not be enabled on the system.
1001607 | 1 | High | GEN003609 - The system must ignore IPv4 ICMP redirect messages.
1001606 | 1 | High | GEN003610 - The system must not send IPv4 ICMP redirects.
1001602 | 1 | High | GEN003619 - The system must not be configured for network bridging.
1001446 | 1 | High | GEN007660 - The Bluetooth protocol handler must be disabled or not installed.
1001445 | 1 | High | GEN007700 - The IPv6 protocol handler must not be bound to the network stack unless needed.
1001444 | 1 | High | GEN007720 - The IPv6 protocol handler must be prevented from dynamic loading unless needed.
1001441 | 1 | Info | GEN007800 - The system must not have Teredo enabled.


1001440 | 1 | Info | GEN007820 - The system must not have IP tunnels configured. '/sbin/ip tun list'
1001439 | 1 | Info | GEN007820 - The system must not have IP tunnels configured. '/sbin/ip -6 tun list'
1001436 | 1 | High | GEN007860 - The system must ignore IPv6 ICMP redirect messages.
1001434 | 1 | High | GEN007920 - The system must not forward IPv6 source-routed packets.


AC-4-2 - Information Flow Enforcement


CCI-000224 - The information system tracks problems associated with the security attribute binding.

CCI-000028 - The information system prevents encrypted data from bypassing content-checking mechanisms.

CCI-001418 - The organization defines security policy filters for which the information system enforces the use of human review.

CCI-001548 - The organization defines applicable policy for controlling the flow of information within the system.

CCI-000219 - The information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.

CCI-001416 - The organization defines one-way information flows to be enforced by the information system.

CCI-000029 - The information system enforces organization-defined limitations on the embedding of data types within other data types.

CCI-001373 - The information system, when transferring information between different security domains, detects unsanctioned information.

CCI-000033 - The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.

CCI-000026 - The information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.

CCI-001374 - The information system, when transferring information between different security domains, prohibits the transfer of unsanctioned information in accordance with the security policy.

CCI-000035 - The information system provides the capability for a privileged administrator to configure the [Assignment: organization-defined security policy filters] to support different security policies.

CCI-001549 - The organization defines applicable policy for controlling the flow of information between interconnected systems.

CCI-001556 - The information system uniquely authenticates destination domains for information transfer.

CCI Mapping Summary


AC-6 - Least Privilege


CCI-000042 - The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.

CCI-001420 - The organization defines the privileged commands to which network access is to be authorized only for compelling operational needs.

CCI-000039 - The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions.

CCI-000041 - The organization authorizes network access to organization-defined privileged commands only for compelling operational needs.

CCI-001421 - The organization limits authorization to super user accounts on the information system to designated system administration personnel.

CCI-000226 - The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.

CCI-001419 - The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access.

CCI-000040 - The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.

CCI-000225 - The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

CCI-001558 - The organization explicitly defines the security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized.

CCI-001422 - The organization prohibits privileged access to the information system by non-organizational users.

CCI-000038 - The organization explicitly authorizes access to organization-defined security functions and security-relevant information.


CCI Mapping Summary

Plugin | Total | Severity | Plugin Name
1002388 | 3 | High | 3.2.1.33 (GEN000920) Root's Home Directory Permissions
1002378 | 3 | Info | 3.2.1.45 (GEN001180) Network Services Daemon Permissions (/usr/sbin)
1002377 | 3 | Info | 3.2.1.45 (GEN001180) Network Services Daemon Permissions (/usr/sbin/*)
1002365 | 3 | Info | 3.2.1.50 (GEN001280) Manual Page File Permissions (/usr/share/info/*)
1002364 | 3 | Info | 3.2.1.50 (GEN001280) Manual Page File Permissions (/usr/share/infopage)
1002362 | 3 | Info | 3.2.1.52 (GEN001320) NIS/NIS+/yp File Ownership
1002361 | 3 | Info | 3.2.1.55 (GEN001380) /etc/passwd File Permissions
1002360 | 3 | Info | 3.2.1.56 (GEN001400) /etc/passwd and/or /etc/shadow File Ownership (/etc/shadow)
1002359 | 3 | High | 3.2.1.58 (GEN001440) Assign Home Directories
1002358 | 3 | High | 3.2.1.60 (GEN001480) Home Directories Permissions
1002357 | 3 | Info | 3.2.1.65 (GEN001580) Run Control Scripts Permissions (/etc/rc*)
1002356 | 3 | High | 3.2.1.65 (GEN001580) Run Control Scripts Permissions (/etc/rc*/*)
1002355 | 3 | High | 3.2.1.65 (GEN001580) Run Control Scripts Permissions (/etc/init.d/*)
1002351 | 3 | High | 3.2.1.72 (GEN001720) Global Initialization Files Permissions (/etc/.login)
1002350 | 3 | Info | 3.2.1.72 (GEN001720) Global Initialization Files Permissions (/etc/profile)
1002349 | 3 | Info | 3.2.1.72 (GEN001720) Global Initialization Files Permissions (/etc/bashrc)
1002348 | 3 | Info | 3.2.1.72 (GEN001720) Global Initialization Files Permissions (/etc/environment)


1002347 | 3 | Info | 3.2.1.72 (GEN001720) Global Initialization Files Permissions (/etc/security/environ)
1002341 | 3 | Info | 3.2.1.76 (GEN001800) Default/Skeleton Dot Files Permissions
1002335 | 3 | Info | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.login)
1002334 | 3 | High | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.cshrc)
1002333 | 3 | Info | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.logout)
1002332 | 3 | High | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.profile)
1002331 | 3 | High | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.bash_profile)
1002330 | 3 | High | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.bashrc)
1002329 | 3 | High | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.bash_logout)
1002328 | 3 | Info | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.env)
1002327 | 3 | Info | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.dtprofile)
1002326 | 3 | Info | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.dispatch)
1002325 | 3 | High | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.emacs)
1002324 | 3 | Info | 3.2.1.80 (GEN001880) Local Initialization Files Permissions (~/.exrc)
1002321 | 1 | Info | 3.2.1.89 (GEN002060) Access Control Files Accessibility (.rhosts)
1002320 | 1 | Info | 3.2.1.89 (GEN002060) Access Control Files Accessibility (.shosts)
1002319 | 1 | Info | 3.2.1.89 (GEN002060) Access Control Files Accessibility (hosts.equiv)


1002318 | 1 | Info | 3.2.1.89 (GEN002060) Access Control Files Accessibility (shosts.equiv)
1002312 | 3 | Info | 3.2.1.100 (GEN002320) Audio Device Permissions
1002267 | 3 | High | 3.2.1.128 (GEN002960) Cron Utility Accessibility (cron.deny)
1002266 | 3 | High | 3.2.1.128 (GEN002960) Cron Utility Accessibility (cron.allow)
1002265 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/var/spool/cron/*)
1002264 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/etc/cron.d/*)
1002263 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/etc/crontab)
1002262 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/etc/cron.daily/*)
1002261 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/etc/cron.hourly/*)
1002260 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/etc/cron.monthly/*)
1002259 | 3 | High | 3.2.1.134 (GEN003080) Crontab Files Permissions (/etc/cron.weekly/*)
1002258 | 3 | Info | 3.2.1.135 (GEN003100) Cron and Crontab Directories Permissions (/var/spool/cron)
1002257 | 3 | Info | 3.2.1.135 (GEN003100) Cron and Crontab Directories Permissions (/etc/cron.d)
1002256 | 3 | Info | 3.2.1.135 (GEN003100) Cron and Crontab Directories Permissions (/etc/cron.daily)
1002255 | 3 | Info | 3.2.1.135 (GEN003100) Cron and Crontab Directories Permissions (/etc/cron.hourly)
1002254 | 3 | Info | 3.2.1.135 (GEN003100) Cron and Crontab Directories Permissions (/etc/cron.monthly)
1002253 | 3 | Info | 3.2.1.135 (GEN003100) Cron and Crontab Directories Permissions (/etc/cron.weekly)


1002251 3 High 3.2.1.139 (GEN003180) Cronlog Permissions
1002250 3 Info 3.2.1.141 (GEN003220) Cron Programs umask (/var/spool/cron/*)
1002249 3 Info 3.2.1.141 (GEN003220) Cron Programs umask (/etc/cron.d/*)
1002248 3 Info 3.2.1.141 (GEN003220) Cron Programs umask (/etc/cron.daily/*)
1002247 3 Info 3.2.1.141 (GEN003220) Cron Programs umask (/etc/cron.hourly/*)
1002246 3 Info 3.2.1.141 (GEN003220) Cron Programs umask (/etc/cron.monthly/*)
1002245 3 Info 3.2.1.141 (GEN003220) Cron Programs umask (/etc/cron.weekly/*)
1002244 2 High 3.2.1.145 (GEN003300) The at.deny File
1002243 3 High 3.2.1.144 (GEN003280) At Utility Accessibility
1002242 3 High 3.2.1.150 (GEN003400) The at Directory Permissions
1002241 3 High 3.2.1.151 (GEN003420) The at Directory Ownership
1002239 3 High 3.2.1.156 (GEN003520) Core Dump Directory Ownership and Permissions
1002231 3 High 3.3.1.3 (GEN003720) inetd.conf Ownership (xinetd.conf)
1002230 3 Info 3.3.1.3 (GEN003720) inetd.conf Ownership (xinetd.d)
1002229 3 Info 3.3.1.5 (GEN003760) The Services File Ownership
1002221 3 Info 3.3.1.14 (GEN003920) hosts.lpd Ownership
1002220 3 High 3.3.1.16 (GEN003960) The traceroute Command Ownership
1002219 3 Info 3.3.1.33 (GEN004360) aliases Ownership
1002216 3 High 3.3.1.39 (GEN004480) Critical Sendmail Log File Ownership


1002204 3 High 3.3.1.56 (GEN004880) The ftpusers File
1002203 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents
1002202 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (avahi)
1002201 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (avahi-autoipd)
1002200 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (bin)
1002199 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (daemon)
1002198 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (dbus)
1002197 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (ftp)
1002196 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (games)
1002195 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (gopher)
1002194 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (haldaemon)
1002193 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (halt)
1002192 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (lp)
1002191 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (mail)
1002190 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (mailnull)
1002189 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (news)
1002188 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (nfsnobody)
1002187 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (nobody)


1002186 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (nscd)
1002185 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (operator)
1002184 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (pcap)
1002183 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (root)
1002182 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (rpc)
1002181 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (rpcuser)
1002180 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (rpm)
1002179 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (shutdown)
1002178 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (smmsp)
1002177 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (sshd)
1002176 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (sync)
1002175 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (uucp)
1002174 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (vcsa)
1002173 3 High 3.3.1.57 (GEN004900) The ftpusers File Contents (xfs)
1002171 1 Info 3.3.1.61 (GEN005000) Anonymous FTP Account Shell
1002168 3 Info 3.3.1.68 (GEN005140) TFTP Documentation (process check)
1002165 3 High 3.3.1.77 (GEN005320) snmpd.conf Permissions


1002164 3 High 3.3.1.78 (GEN005340) MIB File Permissions
1002162 3 High 3.3.1.81 (GEN005400) /etc/syslog.conf Accessibility
1002154 3 Info 3.3.1.97 (GEN005740) Export Configuration File Ownership
1002152 1 Info 3.3.1.104 (GEN005880) Root Access Option Documentation
1002144 3 Info 3.3.1.110 (GEN006100) smb.conf Ownership
1002143 3 High 3.3.1.113 (GEN006160) smbpasswd Ownership
1002142 2 High 3.3.1.116 (GEN006220) smb.conf Configuration (hosts allow)
1002141 2 Info 3.3.1.116 (GEN006220) smb.conf Configuration (security)
1002140 2 High 3.3.1.116 (GEN006220) smb.conf Configuration (encrypt passwords)
1002139 2 High 3.3.1.116 (GEN006220) smb.conf Configuration (smbpasswd)
1002137 3 Info 3.3.1.118 (GEN006260) /etc/news/hosts.nntp Permissions
1002136 3 Info 3.3.1.119 (GEN006280) /etc/news/hosts.nntp.nolimit Permissions
1002135 3 Info 3.3.1.120 (GEN006300) /etc/news/nnrp.access Permissions
1002134 3 Info 3.3.1.121 (GEN006320) /etc/news/passwd.nntp Permissions
1002133 3 Info 3.3.1.122 (GEN006340) /etc/news Files Ownership
1002122 3 High 3.11.1.15 (LNX00320) Special Privileged Accounts (halt)
1002121 3 High 3.11.1.15 (LNX00320) Special Privileged Accounts (shutdown)


1002120 3 Info 3.11.1.15 (LNX00320) Special Privileged Accounts (reboot)
1002119 3 Info 3.11.1.15 (LNX00320) Special Privileged Accounts (who)
1002114 3 High 3.11.1.19 (LNX00400) Access File Ownership (/etc/security/access.conf)
1002113 3 High 3.11.1.22 (LNX00480) /etc/sysctl.conf Ownership (/etc/sysctl.conf)
1002110 3 High 3.11.1.28 (LNX00600) PAM Configuration
1002109 3 Info 3.11.1.29 (LNX00620) /etc/securetty Group Ownership
1002066 1 Info GEN000000-LNX001431 - The /etc/gshadow file must be owned by root.
1002065 1 Info GEN000000-LNX001434 - The /etc/gshadow file must not have an extended ACL.
1002063 1 High GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - 'shutdown'
1002062 1 High GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow - shutdown'
1002061 1 High GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - 'halt'
1002060 1 High GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow - halt'
1002059 1 Info GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - 'reboot'
1002058 1 Info GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow - reboot'
1002050 1 High GEN000000-LNX00400 - The /etc/security/access.conf file must be owned by root.


1002049 1 Info GEN000000-LNX00450 - The /etc/security/access.conf file must not have an extended ACL.
1002048 1 High GEN000000-LNX00480 - The /etc/sysctl.conf file must be owned by root.
1002047 1 Info GEN000000-LNX00530 - The /etc/sysctl.conf file must not have an extended ACL.
1002046 1 Info GEN000000-LNX00560 - The Linux NFS Server must not have the insecure file locking option.
1002044 1 High GEN000000-LNX00600 - The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.
1002043 1 Info GEN000000-LNX00620 - The /etc/securetty file must be group-owned by root, sys, or bin.
1002025 1 High GEN000250 - The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
1002024 1 Info GEN000253 - The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
1001969 1 High GEN000920 - The root account's home directory (other than /) must have mode 0700.
1001968 1 High GEN000930 - The root account's home directory must not have an extended ACL.
1001956 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/etc/*'
1001955 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/bin/*'


1001954 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/usr/bin/*'
1001953 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/usr/lbin/*'
1001952 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/usr/usb/*'
1001951 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/sbin/*'
1001950 1 Info GEN001140 - System files and directories must not have uneven access permissions. '/usr/sbin/*'
1001947 1 Info GEN001190 - All network services daemon files must not have extended ACLs.
1001928 1 Info GEN001280 - Manual page files must have mode 0644 or less permissive. '/usr/share/man/*'
1001927 1 Info GEN001280 - Manual page files must have mode 0644 or less permissive. '/usr/share/info/*'
1001926 1 Info GEN001280 - Manual page files must have mode 0644 or less permissive. '/usr/share/infopage/*'
1001925 1 Info GEN001290 - All manual page files must not have extended ACLs. '/usr/share/man'
1001924 1 Info GEN001290 - All manual page files must not have extended ACLs. '/usr/share/info'
1001923 1 Info GEN001290 - All manual page files must not have extended ACLs. '/usr/share/infopage'
1001918 1 Info GEN001320 - NIS/NIS+/yp files must be owned by root, sys, or bin.
1001917 1 Info GEN001361 - NIS/NIS+/yp command files must not have extended ACLs.


1001916 1 Info GEN001362 - The /etc/resolv.conf file must be owned by root.
1001915 1 Info GEN001365 - The /etc/resolv.conf file must not have an extended ACL.
1001914 1 Info GEN001366 - The /etc/hosts file must be owned by root.
1001913 1 Info GEN001369 - The /etc/hosts file must not have an extended ACL.
1001912 1 Info GEN001371 - The /etc/nsswitch.conf file must be owned by root.
1001911 1 Info GEN001374 - The /etc/nsswitch.conf file must not have an extended ACL.
1001910 1 Info GEN001375 - For systems using DNS resolution, at least two name servers must be configured.
1001909 1 Info GEN001379 - The /etc/passwd file must be group-owned by root, bin, sys, or system.
1001908 1 Info GEN001390 - The /etc/passwd file must not have an extended ACL.
1001907 1 Info GEN001391 - The /etc/group file must be owned by root.
1001906 1 Info GEN001394 - The /etc/group file must not have an extended ACL.
1001905 1 High GEN001400 - The /etc/shadow (or equivalent) file must be owned by root.
1001904 1 Info GEN001430 - The /etc/shadow (or equivalent) file must not have an extended ACL.
1001903 1 High GEN001440 - All interactive users must be assigned a home directory in the /etc/passwd file.
1001901 1 Info GEN001475 - The /etc/group file must not contain any group password hashes.
1001900 1 High GEN001476 - The /etc/gshadow file must not contain any group password hashes.


1001899 1 High GEN001480 - All user home directories must have mode 0750 or less permissive.
1001898 1 Info GEN001490 - User home directories must not have extended ACLs.
1001897 1 Info GEN001520 - All interactive user home directories must be group-owned by the home directory owner's primary group.
1001895 1 High GEN001560 - All files and directories contained in user home directories must have mode 0750 or less permissive.
1001893 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/init.d/*'
1001892 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/*'
1001891 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc0.d/*'
1001890 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc1.d/*'
1001889 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc2.d/*'
1001888 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc3.d/*'
1001887 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc4.d/*'
1001886 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc5.d/*'
1001885 1 Info GEN001580 - All run control scripts must have mode 0755 or less permissive. '/etc/rc.d/rc6.d/*'


1001884 1 Info GEN001590 - All run control scripts must have no extended ACLs. '/etc/init.d'
1001883 1 Info GEN001590 - All run control scripts must have no extended ACLs. '/etc/rc.d/*'
1001853 1 High GEN001720 - All global initialization files must have mode 0644 or less permissive. '/etc/.login'
1001852 1 Info GEN001720 - All global initialization files must have mode 0644 or less permissive. '/etc/profile'
1001851 1 Info GEN001720 - All global initialization files must have mode 0644 or less permissive. '/etc/bashrc'
1001850 1 Info GEN001720 - All global initialization files must have mode 0644 or less permissive. '/etc/environment'
1001849 1 High GEN001720 - All global initialization files must have mode 0644 or less permissive. '/etc/security'
1001848 1 Info GEN001720 - All global initialization files must have mode 0644 or less permissive. '/etc/profile.d/*'
1001847 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/profile'
1001846 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/bashrc'
1001845 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/csh.login'
1001844 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/csh.cshrc'
1001843 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/environment'
1001842 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/.login'


1001841 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/security/environ'
1001840 1 Info GEN001730 - All global initialization files must not have extended ACLs. '/etc/profile.d/*'
1001839 1 Info GEN001740 - All global initialization files must be owned by root. '/etc/profile'
1001838 1 Info GEN001740 - All global initialization files must be owned by root. '/etc/bashrc'
1001837 1 Info GEN001740 - All global initialization files must be owned by root. '/etc/csh.login'
1001836 1 Info GEN001740 - All global initialization files must be owned by root. '/etc/csh.cshrc'
1001835 1 Info GEN001740 - All global initialization files must be owned by root. '/etc/environment'
1001834 1 High GEN001740 - All global initialization files must be owned by root. '/etc/.login'
1001833 1 High GEN001740 - All global initialization files must be owned by root. '/etc/security/environ'
1001832 1 Info GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/profile'
1001831 1 Info GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/bashrc'
1001830 1 Info GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/csh.login'
1001829 1 Info GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/csh.cshrc'


1001828 1 Info GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/environment'
1001827 1 High GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/.login'
1001826 1 High GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/security/environ'
1001825 1 Info GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. '/etc/profile.d/*'
1001818 1 High GEN001800 - All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
1001817 1 Info GEN001810 - Skeleton files must not have extended ACLs.
1001792 1 High GEN001860 - All local initialization files must be owned by the user or root.
1001791 1 High GEN001870 - Local initialization files must be group-owned by the user's primary group or root.
1001790 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.login'
1001789 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.cschrc'
1001788 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.logout'
1001787 1 High GEN001880 - All local initialization files must have mode 0740 or less permissive. '.profile'


1001786 1 High GEN001880 - All local initialization files must have mode 0740 or less permissive. '.bash_profile'
1001785 1 High GEN001880 - All local initialization files must have mode 0740 or less permissive. '.bashrc'
1001784 1 High GEN001880 - All local initialization files must have mode 0740 or less permissive. '.bash_logout'
1001783 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.env'
1001782 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.dtprofile'
1001781 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.dispatch'
1001780 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.emacs'
1001779 1 Info GEN001880 - All local initialization files must have mode 0740 or less permissive. '.exrc'
1001770 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. '.rhosts'
1001769 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. '.shosts'
1001768 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. '.netrc'
1001767 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. 'hosts.equiv'


1001766 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. 'shosts.equiv'
1001765 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. 'user ownership'
1001764 1 Info GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. 'group ownership'
1001760 1 Info GEN002200 - All shell files must be owned by root or bin.
1001758 1 Info GEN002230 - All shell files must not have extended ACLs.
1001756 1 Info GEN002320 - Audio devices must have mode 0664 or less permissive. '/dev/audio*'
1001755 1 Info GEN002320 - Audio devices must have mode 0664 or less permissive. '/dev/snd/*'
1001754 1 Info GEN002330 - Audio devices must not have extended ACLs.
1001751 1 High GEN002420 - Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the 'nosuid' option.
1001697 1 High GEN002960 - Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
1001696 1 Info GEN002990 - The cron.allow file must not have an extended ACL.
1001693 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/var/spool/cron/*'
1001692 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/etc/cron.d/*'
1001691 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/etc/crontab'


1001690 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/etc/cron.daily/.*'
1001689 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/etc/cron.hourly/*'
1001688 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/etc/cron.monthly/*'
1001687 1 High GEN003040 - Crontabs must be owned by root or the crontab creator. '/etc/cron.weekly/*'
1001686 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'bin'
1001685 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'daemon'
1001684 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'adm'
1001683 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'lp'
1001682 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'shutdown'
1001681 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'halt'

1001680 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'mail'

1001679 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'news'
1001678 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'uucp'
1001677 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'games'
1001676 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'gopher'
1001675 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'ftp'
1001674 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'nobody'
1001673 1 High GEN003060 - System accounts must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. 'operator'
1001672 1 Info GEN003090 - Crontab files must not have extended ACLs.
1001671 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/var/spool/cron'
1001670 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/etc/cron.d'


1001669 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/etc/crontab'
1001668 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/etc/cron.daily'
1001667 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/etc/cron.hourly'
1001666 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/etc/cron.monthly'
1001665 1 Info GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. '/etc/cron.weekly'
1001664 1 Info GEN003110 - Cron and crontab directories must not have extended ACLs.
1001662 1 Info GEN003180 - The cronlog file must have mode 0600 or less permissive.
1001661 1 Info GEN003190 - The cron log files must not have extended ACLs.
1001660 1 High GEN003200 - The cron.deny file must have mode 0600 or less permissive.
1001659 1 Info GEN003210 - The cron.deny file must not have an extended ACL.
1001658 1 Info GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. '/var/spool/cron/*'
1001657 1 Info GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. '/etc/cron.d/*'
1001656 1 Info GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. '/etc/cron.daily/*'
1001655 1 Info GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. '/etc/cron.hourly/*'


1001654 1 Info GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. '/etc/cron.monthly/*'
1001653 1 Info GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. '/etc/cron.weekly/*'
1001652 1 Info GEN003245 - The at.allow file must not have an extended ACL.
1001651 1 High GEN003252 - The at.deny file must have mode 0600 or less permissive.
1001650 1 Info GEN003255 - The at.deny file must not have an extended ACL.
1001649 1 Info GEN003280 - Access to the 'at' utility must be controlled via the at.allow and/or at.deny file(s).
1001647 1 High GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'bin'
1001646 1 High GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'daemon'
1001645 1 High GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'adm'
1001644 1 High GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'lp'
1001643 1 High GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'shutdown'

1001642 1 HighGEN003320 - System accounts must not belisted in the at.allow file or must be included

Page 37: SecurityCenter 4 800 53 Summary CCI to NIST Chapter ... Vulnerability Summary CCI to NIST 800 53 SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013 AC-3 - Access Enforcement

Chapter Vulnerability Summary CCI to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013

AC-6 - Least Privilege

Tenable Network Security 36

Plugin Total Severity Plugin Namein the at.deny file, if at.allow does not exist.'halt'

1001641  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'mail'
1001640  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'news'
1001639  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'uucp'
1001638  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'games'
1001637  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'gopher'
1001636  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'ftp'
1001635  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'nobody'
1001634  1  High  GEN003320 - System accounts must not be listed in the at.allow file or must be included in the at.deny file, if at.allow does not exist. 'operator'
1001633  1  High  GEN003340 - The at.allow file must have mode 0600 or less permissive.
1001630  1  Info  GEN003400 - The 'at' directory must have mode 0755 or less permissive.

1001629  1  Info  GEN003410 - The 'at' directory must not have an extended ACL.
1001628  1  Info  GEN003440 - 'At' jobs must not set the umask to a value less restrictive than 077. '/var/spool/cron/atjobs/*'
1001627  1  Info  GEN003440 - 'At' jobs must not set the umask to a value less restrictive than 077. '/var/spool/atjobs/*'
1001626  1  Info  GEN003440 - 'At' jobs must not set the umask to a value less restrictive than 077. '/var/spool/at/*'
1001619  1  High  GEN003520 - The kernel core dump data directory must be owned by root.
1001618  1  Info  GEN003523 - The kernel core dump data directory must not have an extended ACL.
1001616  1  Info  GEN003581 - Network interfaces must not be configured to allow user control.
1001591  1  High  GEN003720 - The xinetd.conf file, and the xinetd.d directory must be owned by root or bin. '/etc/xinetd.conf'
1001590  1  High  GEN003720 - The xinetd.conf file, and the xinetd.d directory must be owned by root or bin. '/etc/xinetd.d/*'
1001589  1  Info  GEN003745 - The xinetd.conf files must not have extended ACLs.
1001588  1  Info  GEN003750 - The xinetd.d directory must have mode 0755 or less permissive.
1001587  1  Info  GEN003755 - The xinetd.d directory must not have an extended ACL.
1001586  1  Info  GEN003760 - The services file must be owned by root or bin.
1001585  1  Info  GEN003790 - The services file must not have an extended ACL.
1001571  1  Info  GEN003920 - The printers.conf file must be owned by root.

1001570  1  Info  GEN003950 - The printers.conf file must not have an extended ACL.
1001569  1  High  GEN003960 - The traceroute command owner must be root.
1001568  1  Info  GEN004010 - The traceroute file must not have an extended ACL.
1001566  1  Info  GEN004360 - The sendmail alias files must be owned by root. '/etc/aliases'
1001565  1  Info  GEN004360 - The sendmail alias files must be owned by root. '/etc/aliases.db'
1001564  1  Info  GEN004390 - The sendmail alias file must not have an extended ACL.
1001545  1  Info  GEN004880 - The ftpusers file must exist.
1001544  1  High  GEN004900 - The ftpusers file must contain account names not allowed to use FTP.
1001543  1  Info  GEN004950 - The ftpusers file must not have an extended ACL.
1001542  1  Info  GEN005000 - Anonymous FTP accounts must not have a functional shell.
1001537  1  Info  GEN005140 - Any active TFTP daemon must be authorized and approved in the system accreditation package.
1001532  1  High  GEN005320 - The snmpd.conf file must have mode 0600 or less permissive.
1001531  1  High  GEN005340 - Management Information Base (MIB) files must have mode 0640 or less permissive.
1001530  1  Info  GEN005350 - Management Information Base (MIB) files must not have extended ACLs.
1001529  1  Info  GEN005375 - The snmpd.conf file must not have an extended ACL.
1001527  1  High  GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive.
1001526  1  Info  GEN005395 - The /etc/syslog.conf file must not have an extended ACL.

1001505  1  High  GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups.
1001504  1  Info  GEN005522 - The SSH public host key files must have mode 0644 or less permissive.
1001503  1  Info  GEN005523 - The SSH private host key files must have mode 0600 or less permissive.
1001492  1  High  GEN005536 - The SSH daemon must perform strict mode checking of home directory configuration files.
1001491  1  High  GEN005537 - The SSH daemon must use privilege separation.
1001471  1  Info  GEN005880 - The NFS server must not allow remote root access. 'no_root_squash'
1001470  1  High  GEN005880 - The NFS server must not allow remote root access. 'all_squash / root_squash'
1001469  1  Info  GEN005900 - The nosuid option must be enabled on all NFS client mounts.
1001466  1  Info  GEN006150 - The /etc/samba/smb.conf file must not have an extended ACL.
1001413  1  Info  GEN008740 - The system's boot loader configuration file(s) must not have extended ACLs.
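The AC-6 findings above are all of one shape: a path with a ceiling on its mode, a required owner, a ban on extended ACLs, or the at.allow/at.deny rule for system accounts. The following is an added example written for this page, not code from the Tenable report or the DISA STIG, showing how those decisions are evaluated. The Policy/FileFacts types, the SAMPLE_* inputs and the collect_facts() helper (a Linux xattr lookup) are assumptions made for the example; the STIG IDs and the system account list are taken from the rows above.

```python
"""Added example (not Tenable's or DISA's code): offline evaluation of the
file-mode, ownership, ACL and at.allow/at.deny checks that the AC-6 rows
describe (GEN003100, GEN003200, GEN003210, GEN003320, GEN003720 ...).
File attributes are passed in as data so the logic runs anywhere."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def within_mode(actual: int, maximum: int) -> bool:
    """'Mode X or less permissive' means no bit set beyond X, including the
    setuid/setgid/sticky bits: 0640 passes a 0755 ceiling, 0775 and 4755 fail."""
    return (actual & 0o7777) & ~maximum == 0


@dataclass(frozen=True)
class FileFacts:
    """What a scanner collects for one path (assumed shape)."""
    mode: int            # permission bits only, e.g. 0o644
    owner: str           # owning user name
    extended_acl: bool   # True when getfacl shows entries beyond user/group/other


@dataclass(frozen=True)
class Policy:
    stig_id: str
    path: str
    max_mode: Optional[int] = None      # e.g. 0o600
    owners: Optional[Set[str]] = None   # e.g. {"root", "bin"}
    no_extended_acl: bool = False


def evaluate(policies: List[Policy], facts: Dict[str, FileFacts]) -> List[str]:
    """One finding per failed policy. Paths absent from `facts` are skipped: a
    missing file cannot be mis-permissioned; existence (GEN004880 style) is a
    separate check."""
    findings: List[str] = []
    for p in policies:
        f = facts.get(p.path)
        if f is None:
            continue
        if p.max_mode is not None and not within_mode(f.mode, p.max_mode):
            findings.append(f"{p.stig_id} {p.path}: mode {f.mode:04o} exceeds {p.max_mode:04o}")
        if p.owners is not None and f.owner not in p.owners:
            findings.append(f"{p.stig_id} {p.path}: owner {f.owner} not in {sorted(p.owners)}")
        if p.no_extended_acl and f.extended_acl:
            findings.append(f"{p.stig_id} {p.path}: has an extended ACL")
    return findings


# Accounts named in the GEN003320 rows above.
SYSTEM_ACCOUNTS = {"bin", "daemon", "adm", "lp", "shutdown", "halt", "mail", "news",
                   "uucp", "games", "gopher", "ftp", "nobody", "operator"}


def at_access_findings(at_allow: Optional[str], at_deny: Optional[str],
                       system_accounts: Set[str] = SYSTEM_ACCOUNTS) -> List[str]:
    """GEN003280/GEN003320 decision. Arguments are file contents, or None when
    the file does not exist. at.allow wins when present, so a system account
    listed there is a finding; otherwise every system account must be denied."""
    def names(text: str) -> Set[str]:
        lines = (ln.strip() for ln in text.splitlines())
        return {ln for ln in lines if ln and not ln.startswith("#")}
    if at_allow is not None:
        return sorted(f"GEN003320 {u} is listed in at.allow" for u in names(at_allow) & system_accounts)
    if at_deny is not None:
        return sorted(f"GEN003320 {u} is missing from at.deny" for u in system_accounts - names(at_deny))
    return ["GEN003280 neither at.allow nor at.deny exists; 'at' access is uncontrolled"]


def collect_facts(path: str) -> Optional[FileFacts]:
    """Linux-only collector (assumed environment): an extended POSIX ACL is
    stored in the system.posix_acl_access xattr; a minimal ACL is not."""
    import pwd
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    try:
        os.getxattr(path, "system.posix_acl_access")
        acl = True
    except OSError:   # ENODATA / ENOTSUP: no extended ACL recorded
        acl = False
    return FileFacts(st.st_mode & 0o7777, pwd.getpwuid(st.st_uid).pw_name, acl)


# Constructed sample input, not data taken from the report.
SAMPLE_FACTS = {
    "/etc/crontab": FileFacts(0o644, "root", False),
    "/etc/cron.deny": FileFacts(0o644, "root", True),       # too open, and has an ACL
    "/etc/xinetd.conf": FileFacts(0o600, "daemon", False),  # wrong owner
}
SAMPLE_POLICIES = [
    Policy("GEN003100", "/etc/crontab", max_mode=0o755),
    Policy("GEN003200", "/etc/cron.deny", max_mode=0o600),
    Policy("GEN003210", "/etc/cron.deny", no_extended_acl=True),
    Policy("GEN003720", "/etc/xinetd.conf", owners={"root", "bin"}),
    Policy("GEN003520", "/var/crash", owners={"root"}),     # absent from facts: skipped
]


def sample_findings() -> List[str]:
    return evaluate(SAMPLE_POLICIES, SAMPLE_FACTS)


if __name__ == "__main__":
    for line in sample_findings() + at_access_findings("root\nbin\n", None):
        print(line)
```

On a real host, replace SAMPLE_FACTS with `{p.path: collect_facts(p.path) for p in policies}` (dropping None entries). Note that within_mode() deliberately counts the setuid, setgid and sticky bits as "more permissive", which is what makes a 4755 file fail a 0755 ceiling.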

AC-7 - Unsuccessful Logon Attempts

CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period.

CCI-000043 - The organization defines the maximum number of consecutive invalid access attempts to the information system by a user.

CCI-001382 - The organization defines the number of consecutive, unsuccessful login attempts to the mobile device.

CCI-000045 - The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.

CCI-001383 - The information system provides additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device.

CCI-001423 - The organization defines the time period in which consecutive invalid access attempts occur.

CCI-000046 - The organization selects either a lock out mode for the organization-defined time period or delays next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.

CCI-000047 - The information system, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an administrator IAW organizational policy.

CCI-001452 - The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name

1002404  3  High  3.2.11 (GEN000460) Three Failed Login Attempts
1002403  3  High  3.2.1.12 (GEN000480) Login Delay
1002001  1  High  GEN000460 - The system must disable accounts after three consecutive unsuccessful login attempts.
1002000  1  High  GEN000480 - The delay between login prompts following a failed login attempt must be at least 4 seconds.

AC-8 - System Use Notification

CCI-001386 - The information system for publicly accessible systems displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.

CCI-001385 - The information system for publicly accessible systems displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.

CCI-000048 - The information system displays an approved system use notification message or banner before granting access to the system.

CCI-001388 - The information system for publicly accessible systems includes in the notice given to public users of the information system, a description of the authorized uses of the system.

CCI-001387 - The information system for publicly accessible systems displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.

CCI-000049 - The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.

CCI-000050 - The information system retains the notification message or banner on the screen until users take explicit actions to log on to or further access.

CCI-000051 - The organization approves the information system use notification message before its use.

CCI-001384 - The information system for publicly accessible systems displays the system use information when appropriate, before granting further access.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name

1002012  1  High  GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
1002010  1  High  GEN000410 - The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
1001486  1  High  GEN005550 - The SSH daemon must be configured with the Department of Defense (DoD) login banner.

AU-2 - Audit Events

CCI-001571 - The organization defines the list of information system auditable events.

CCI-001486 - The organization defines a frequency for reviewing and updating the list of organization-defined auditable events.

CCI-000129 - The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs.

CCI-001485 - The organization determines, based on current threat information and ongoing assessment of risk, that events are to be audited on the information system on an organization-defined frequency of (or situation requiring) auditing for each identified event.

CCI-000124 - The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.

CCI-000123 - The organization determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing an organization-defined list of auditable events.

CCI-000127 - The organization reviews and updates the list of organization-defined auditable events on an organization-defined frequency.

CCI-001484 - The organization defines frequency of (or situation requiring) auditing for each identified event.

CCI-000128 - The organization includes execution of privileged functions in the list of events to be audited by the information system.

CCI-000125 - The organization provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents.

CCI-000126 - The organization determines, based on current threat information and ongoing assessment of risk, that the organization-defined subset of the auditable events defined in AU-2 a are to be audited within the information system.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name

1002406  1  Info  3.2.1.10 (GEN000440) Logging Login Attempts (last)
1002405  1  Info  3.2.1.10 (GEN000440) Logging Login Attempts (lastb)
1002382  3  High  3.2.1.39 (GEN001060) Log Root Access Attempts
1002277  3  High  3.2.1.119 (GEN002720) Audit Failed File and Program Access Attempts
1002276  3  High  3.16 (GEN002740) Audit File and Program Deletion
1002270  3  High  3.2.1.122 (GEN002820) Audit Discretionary Access Control Permission Modifications (1/2)
1002269  3  High  3.2.1.122 (GEN002820) Audit Discretionary Access Control Permission Modifications (2/2)
1002252  3  High  3.2.1.138 (GEN003160) Cron Logging
1002232  3  High  3.2.1.162 (GEN003660) Authentication Data Logging
1002217  3  High  3.3.1.38 (GEN004460) Critical Level Sendmail Messages Logging
1002129  3  High  3.5.1.5 (GEN006600) Access Control Program Logging (mail)
1002128  3  High  3.5.1.5 (GEN006600) Access Control Program Logging (daemon)
1002127  3  High  3.5.1.5 (GEN006600) Access Control Program Logging (auth.info)
1002009  1  Info  GEN000440 - Successful and unsuccessful logins and logouts must be logged. '/var/log/wtmp'
1002008  1  Info  GEN000440 - Successful and unsuccessful logins and logouts must be logged. '/var/log/btmp'

1001724  1  High  GEN002720 - The audit system must be configured to audit failed attempts to access files and programs.
1001722  1  High  GEN002740 - The audit system must be configured to audit file deletions.
1001707  1  High  GEN002820 - The audit system must be configured to audit all discretionary access control permission modifications. 'chmod'
1001706  1  High  GEN002820 - The audit system must be configured to audit all discretionary access control permission modifications. 'fchownat'
1001705  1  High  GEN002820 - The audit system must be configured to audit all discretionary access control permission modifications. 'removexattr'
1001704  1  High  GEN002820 - The audit system must be configured to audit all discretionary access control permission modifications. 'chown32'
1001703  1  High  GEN002825 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules. 'init_module'
1001702  1  High  GEN002825 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules. '/sbin/insmod'
1001701  1  High  GEN002825 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules. '/sbin/modprobe'
1001700  1  High  GEN002825 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules. '/sbin/rmmod'
1001663  1  High  GEN003160 - Cron logging must be implemented.
1001605  1  High  GEN003611 - The system must log martian packets.
1001594  1  High  GEN003660 - The system must log authentication informational data.
1001458  1  High  GEN006600 - The system's access control program must log each system access attempt.

AU-4 - Audit Storage Capacity

CCI-000137 - The organization allocates audit record storage capacity.

CCI-000138 - The organization configures auditing to reduce the likelihood of such storage capacity being exceeded.

CCI Mapping Summary

AU-5 - Response to Audit Processing Failures

CCI-001573 - The organization defines if the network traffic above configurable traffic volume thresholds are rejected or delayed.

CCI-000140 - The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

CCI-001490 - The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

CCI-000147 - The organization defines the audit failure events requiring real-time alerts.

CCI-000145 - The information system enforces configurable traffic volume thresholds representing auditing capacity for network traffic.

CCI-001572 - The organization defines designated organizational officials to be alerted in the event of audit processing failure.

CCI-000144 - The information system provides a real-time alert when organization-defined audit failure events occur.

CCI-000143 - The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.

CCI-001574 - The information system rejects or delays, as defined by the organization, network traffic generated above configurable traffic volume thresholds.

CCI-000146 - The organization defines the percentage of maximum audit record storage capacity that when exceeded, a warning is provided.

CCI-001343 - The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.

CCI-000139 - The information system alerts designated organizational officials in the event of an audit processing failure.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name

1001726  1  Info  GEN002719 - The audit system must alert the SA in the event of an audit processing failure. 'disk_full_action'
1001725  1  Info  GEN002719 - The audit system must alert the SA in the event of an audit processing failure. 'disk_error_action'
1001723  1  Info  GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity. 'space_left_action'
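Added example covering two of the tables above: the GEN002820/GEN002825 rows under AU-2 (which syscalls and module-loading tools must be covered by the audit rules) and the GEN002719/GEN002730 rows under AU-5 (which auditd failure actions count as alerting the SA). This is not code from the report or the STIG. The REQUIRED_* sets are taken from the rows above; the ALERTING action sets and the sample audit.rules and auditd.conf contents are assumptions constructed for the example.

```python
"""Added example (not Tenable's or DISA's code): offline checks of audit rule
coverage (AU-2, GEN002820/GEN002825) and auditd failure actions (AU-5,
GEN002719/GEN002730). File contents are passed in as strings."""
import shlex
from typing import Dict, List, Set, Tuple

# Items named in the GEN002820 / GEN002825 rows above.
REQUIRED_SYSCALLS = {"chmod", "fchownat", "removexattr", "chown32", "init_module"}
REQUIRED_WATCHES = {"/sbin/insmod", "/sbin/modprobe", "/sbin/rmmod"}


def parse_audit_rules(text: str) -> Tuple[Set[str], Set[str]]:
    """Collect syscalls named by -S and paths named by -w across audit.rules.
    Accepts both '-S chmod,fchmod' and repeated '-S chmod -S fchmod'.
    Simplification: the -F arch=b32/b64 filter is ignored. On x86_64 a syscall
    such as chown32 exists only in the 32-bit ABI, so a production check
    should require coverage per architecture, not just per name."""
    syscalls: Set[str] = set()
    watches: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        for i, tok in enumerate(argv[:-1]):
            if tok == "-S":
                syscalls.update(argv[i + 1].split(","))
            elif tok == "-w":
                watches.add(argv[i + 1])
    return syscalls, watches


def missing_audit_coverage(rules_text: str) -> Tuple[List[str], List[str]]:
    """(missing syscalls, missing watches) relative to the REQUIRED_* sets."""
    syscalls, watches = parse_audit_rules(rules_text)
    if "all" in syscalls:                 # '-S all' audits every syscall
        syscalls = set(REQUIRED_SYSCALLS)
    return sorted(REQUIRED_SYSCALLS - syscalls), sorted(REQUIRED_WATCHES - watches)


# Assumption: these auditd actions notify someone (syslog, mail, an exec'd
# script, single-user mode or halt). 'ignore', 'suspend' and 'rotate' drop or
# quietly rotate records without telling the SA. 'email' is only valid for
# space_left_action in auditd.conf.
ALERTING = {
    "disk_full_action": {"syslog", "exec", "single", "halt"},
    "disk_error_action": {"syslog", "exec", "single", "halt"},
    "space_left_action": {"syslog", "email", "exec", "single", "halt"},
}
STIG_FOR = {"disk_full_action": "GEN002719", "disk_error_action": "GEN002719",
            "space_left_action": "GEN002730"}


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """key = value lines of auditd.conf, lowercased, comments stripped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip().lower()] = val.strip().lower()
    return conf


def audit_failure_findings(conf_text: str) -> List[str]:
    """One finding per failure action that is unset or does not alert the SA."""
    conf = parse_auditd_conf(conf_text)
    findings: List[str] = []
    for key, allowed in ALERTING.items():
        val = conf.get(key)
        if val is None:
            findings.append(f"{STIG_FOR[key]} {key} is not set")
        elif val not in allowed:
            findings.append(f"{STIG_FOR[key]} {key} = {val} does not alert the SA")
    return findings


# Constructed samples: a rule set missing removexattr and the modprobe watch,
# and an auditd.conf that silently suspends logging when the disk fills.
SAMPLE_RULES = """
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -k perm_mod
-a always,exit -F arch=b32 -S chown32 -k perm_mod
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
"""
SAMPLE_AUDITD_CONF = """
space_left = 75
space_left_action = SYSLOG
admin_space_left_action = SINGLE
disk_full_action = SUSPEND   # records are lost without any alert
disk_error_action = SYSLOG
"""

if __name__ == "__main__":
    print(missing_audit_coverage(SAMPLE_RULES))
    print(audit_failure_findings(SAMPLE_AUDITD_CONF))
```

On a live host, feed it `open("/etc/audit/audit.rules").read()` and `open("/etc/audit/auditd.conf").read()`, or better the output of `auditctl -l`, which reflects the rules the kernel actually loaded rather than the file on disk.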

AU-8 - Time Stamps

CCI-000160 - The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.

CCI-001492 - The organization defines an authoritative time source for the synchronization of internal information system clocks.

CCI-000161 - The organization defines the frequency for the synchronization of internal information system clocks.

CCI-000159 - The information system uses internal system clocks to generate time stamps for audit records.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name

1002412  2  Info  3.1.1.10 (GEN000240) Network Time-Server
1002030  1  High  GEN000242 - The system must use at least two time sources for clock synchronization. 'cron jobs'
1002029  1  Info  GEN000242 - The system must use at least two time sources for clock synchronization. '/etc/ntp.conf'

AU-9 - Protection of Audit Information

CCI-001352 - The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.

CCI-001495 - The information system protects audit tools from unauthorized deletion.

CCI-001348 - The information system backs up audit records on an organization-defined frequency onto a different system or media than the system being audited.

CCI-001350 - The information system uses cryptographic mechanisms to protect the integrity of audit information.

CCI-001493 - The information system protects audit tools from unauthorized access.

CCI-001349 - The organization defines a frequency for backing up system audit records onto a different system or media than the system being audited.

CCI-000162 - The information system protects audit information from unauthorized access.

CCI-001494 - The information system protects audit tools from unauthorized modification.

CCI-000165 - The information system produces audit records on hardware-enforced, write-once media.

CCI-001351 - The organization authorizes access to management of audit functionality to only a limited subset of privileged users.

CCI-000164 - The information system protects audit information from unauthorized deletion.

CCI-000163 - The information system protects audit information from unauthorized modification.

CCI-001496 - The information system uses cryptographic mechanisms to protect the integrity of audit tools.

CCI-001575 - The organization defines the system or media for storing audit records that is a different system or media other than the system being audited.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name

1002279  3  Info  3.2.1.117 (GEN002680) Audit Logs Accessibility (/var/log/audit)
1002278  3  Info  3.2.1.117 (GEN002680) Audit Logs Accessibility (/var/log/audit/*)
1001735  1  Info  GEN002680 - System audit logs must be owned by root.
1001734  1  Info  GEN002710 - All system audit files must not have extended ACLs.
1001733  1  Info  GEN002715 - System audit tool executables must be owned by root. '/sbin/auditctl'
1001732  1  Info  GEN002715 - System audit tool executables must be owned by root. '/sbin/auditd'
1001731  1  High  GEN002715 - System audit tool executables must be owned by root. '/sbin/ausearch'
1001730  1  High  GEN002715 - System audit tool executables must be owned by root. '/sbin/aureport'
1001729  1  Info  GEN002715 - System audit tool executables must be owned by root. '/sbin/autrace'
1001728  1  Info  GEN002715 - System audit tool executables must be owned by root. '/sbin/audispd'
1001727  1  Info  GEN002718 - System audit tool executables must not have extended ACLs.

CA-3 - System Interconnections

CCI-000262 - The organization prohibits the direct connection of an unclassified, national security system to an external network.

CCI-000263 - The organization prohibits the direct connection of a classified, national security system to an external network.

CCI-000258 - The organization documents, for each connection, the interface characteristics.

CCI-000261 - The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.

CCI-000260 - The organization documents, for each connection, the nature of the information communicated.

CCI-000259 - The organization documents, for each connection, the security requirements.

CCI-001580 - The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary).

CCI-000257 - The organization authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements.

CCI Mapping Summary

Page 56: SecurityCenter 4 800 53 Summary CCI to NIST Chapter ... Vulnerability Summary CCI to NIST 800 53 SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013 AC-3 - Access Enforcement

Chapter Vulnerability Summary CCI to NIST 800 53 SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013

CM-2 - Baseline Configuration

Tenable Network Security 55

CM-2 - Baseline Configuration

CCI-000302 - The organization employs automated mechanisms to maintain accurate baseline configuration of the information system.

CCI-000303 - The organization employs automated mechanisms to maintain readily available baseline configuration of the information system.

CCI-000292 - The organization reviews, on an organization-defined frequency, the formal, documented procedures to facilitate the implementation of the configurationmanagement policy and associated configuration management controls and updates if required.

CCI-001497 - The organization defines a frequency for the reviews and updates to the baseline configuration of the information system.

CCI-000295 - The organization maintains under configuration control, a current baseline configuration of the information system.

CCI-000293 - The organization develops a current baseline configuration of the information system.

CCI-000300 - The organization employs automated mechanisms to maintain complete baseline configuration of the information system.

CCI-000305 - The organization develops a list of software programs not authorized to execute on the information system.

CCI-000311 - The organization maintains a baseline configuration for development environments that is managed separately from the operational baselineconfiguration.

CCI-000306 - The organization maintains the list of software programs not authorized to execute on the information system.

CCI-000296 - The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency.

CCI-000310 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

CCI-000294 - The organization documents a current baseline configuration of the information system.

CCI-000297 - The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances.

CCI-000309 - The organization maintains list of software programs authorized to execute on the information system.

CCI-000299 - The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades.

CCI-000298 - The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations.

CCI-001585 - The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system.


CCI-000304 - The organization retains older versions of baseline configurations as deemed necessary to support rollback.

CCI-000301 - The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system.

CCI-000307 - The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.

CCI-000308 - The organization develops list of software programs authorized to execute on the information system.

CCI-000312 - The organization maintains a baseline configuration for test environments that is managed separately from the operational baseline configuration.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1001593  1      Info      GEN003700 - Xinetd must be disabled or removed if no network services utilizing them are enabled. 'process'
1001592  1      Info      GEN003700 - Xinetd must be disabled or removed if no network services utilizing them are enabled. 'chkconfig'
1001579  1      High      GEN003815 - The portmap or rpcbind service must not be installed unless needed. 'rpcbind'
1001578  1      Info      GEN003815 - The portmap or rpcbind service must not be installed unless needed. 'portmap'
1001577  1      Info      GEN003825 - The rshd service must not be installed.
1001431  1      High      GEN007960 - The 'ldd' command must be disabled unless it protects against the execution of untrusted files.


CM-3 - Configuration Change Control

CCI-000314 - The organization approves configuration-controlled changes to the system with explicit consideration for security impact analyses.

CCI-000321 - The organization defines configuration change conditions that prompt the configuration change control element to convene.

CCI-000324 - The organization employs automated mechanisms to highlight approvals that have not been received by organization-defined time period.

CCI-000317 - The organization reviews records of configuration-controlled changes to the system.

CCI-000330 - The organization employs automated mechanisms to implement changes to the current information system baseline.

CCI-000329 - The organization documents changes to the information system before implementing the changes on the operational system.

CCI-000315 - The organization documents approved configuration-controlled changes to the system.

CCI-000326 - The organization employs automated mechanisms to document completed changes to the information system.

CCI-000316 - The organization retains records of configuration-controlled changes to the system.

CCI-000331 - The organization deploys the updated information system baseline across the installed base.

CCI-001586 - The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities.

CCI-000323 - The organization employs automated mechanisms to notify designated approval authorities.

CCI-000319 - The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.

CCI-000322 - The organization employs automated mechanisms to document proposed changes to the information system.

CCI-000328 - The organization validates changes to the information system before implementing the changes on the operational system.

CCI-000313 - The organization determines the types of changes to the information system that are configuration controlled.

CCI-000325 - The organization employs automated mechanisms to inhibit change until designated approvals are received.

CCI-000320 - The organization defines frequency to convene configuration change control element.

CCI-001498 - The organization defines a time period after which approvals that have not been received for proposed changes to the information system are highlighted.


CCI-000327 - The organization tests changes to the information system before implementing the changes on the operational system.

CCI-000332 - The organization requires an information security representative to be a member of the organization-defined configuration change control element (e.g., committee, board).

CCI-000318 - The organization audits activities associated with configuration-controlled changes to the system.

CCI Mapping Summary


CM-5-1 - Access Restrictions for Change

CCI-000354 - The organization enforces a two-person rule for changes to organization-defined information system components and system-level information.

CCI-000360 - The organization defines frequency to reevaluate information system developer/integrator privileges.

CCI-000339 - The organization documents physical access restrictions associated with changes to the information system.

CCI-000355 - The organization limits information system developer/integrator privileges to change hardware components directly within a production environment.

CCI-000362 - The organization reevaluates information system developer/integrator privileges per organization-defined frequency.

CCI-001499 - The organization limits privileges to change software resident within software libraries (including privileged programs).

CCI-000343 - The organization documents logical access restrictions associated with changes to the information system.

CCI-000361 - The organization reviews information system developer/integrator privileges per organization-defined frequency.

CCI-000357 - The organization limits information system developer/integrator privileges to change firmware components directly within a production environment.

CCI-000344 - The organization approves logical access restrictions associated with changes to the information system.

CCI-000352 - The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.

CCI-000349 - The organization conducts audits of information system changes per organization-defined frequency to determine whether unauthorized changes have occurred.

CCI-000342 - The organization defines logical access restrictions associated with changes to the information system.

CCI-000347 - The organization employs automated mechanisms to support auditing of the enforcement actions.

CCI-000346 - The organization employs automated mechanisms to enforce access restrictions.

CCI-000350 - The organization, when indications so warrant, conducts audits of information system changes to determine whether unauthorized changes have occurred.

CCI-000359 - The organization defines frequency to review information system developer/integrator privileges.

CCI-000340 - The organization approves physical access restrictions associated with changes to the information system.

CCI-000341 - The organization enforces physical access restrictions associated with changes to the information system.


CCI-000345 - The organization enforces logical access restrictions associated with changes to the information system.

CCI-000351 - The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate.

CCI-001501 - The organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately.

CCI-000356 - The organization limits information system developer/integrator privileges to change software components directly within a production environment.

CCI-000338 - The organization defines physical access restrictions associated with changes to the information system.


CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1002376  3      Info      3.2.1.46 (GEN001200) System Command Permissions (/etc/*)
1002375  3      High      3.2.1.46 (GEN001200) System Command Permissions (/bin/*)
1002373  3      Info      3.2.1.46 (GEN001200) System Command Permissions (/usr/lbin/*)
1002372  3      Info      3.2.1.46 (GEN001200) System Command Permissions (/usr/usb/*)
1002371  3      Info      3.2.1.46 (GEN001200) System Command Permissions (/sbin/*)
1002370  3      High      3.2.1.46 (GEN001200) System Command Permissions (/usr/sbin/*)
1002275  3      High      3.2.1.121 (GEN002760) Audit Administrative, Privileged, and Security Actions (1/5)
1002274  3      High      3.2.1.121 (GEN002760) Audit Administrative, Privileged, and Security Actions (2/5)
1002273  3      High      3.2.1.121 (GEN002760) Audit Administrative, Privileged, and Security Actions (3/5)
1002272  3      High      3.2.1.121 (GEN002760) Audit Administrative, Privileged, and Security Actions (4/5)
1002271  3      High      3.2.1.121 (GEN002760) Audit Administrative, Privileged, and Security Actions (5/5)
1001946  1      Info      GEN001200 - All system command files must have mode 0755 or less permissive. '/etc/*'
1001945  1      High      GEN001200 - All system command files must have mode 0755 or less permissive. '/bin/*'


1001944  1      High      GEN001200 - All system command files must have mode 0755 or less permissive. '/usr/bin/*'
1001943  1      Info      GEN001200 - All system command files must have mode 0755 or less permissive. '/usr/lbin/*'
1001942  1      Info      GEN001200 - All system command files must have mode 0755 or less permissive. '/usr/usb/*'
1001941  1      High      GEN001200 - All system command files must have mode 0755 or less permissive. '/sbin/*'
1001940  1      High      GEN001200 - All system command files must have mode 0755 or less permissive. '/usr/sbin/*'
1001939  1      Info      GEN001210 - All system command files must not have extended ACLs. '/etc'
1001938  1      Info      GEN001210 - All system command files must not have extended ACLs. '/bin'
1001937  1      Info      GEN001210 - All system command files must not have extended ACLs. '/usr/bin'
1001936  1      Info      GEN001210 - All system command files must not have extended ACLs. '/usr/lbin'
1001935  1      Info      GEN001210 - All system command files must not have extended ACLs. '/usr/usb'
1001934  1      Info      GEN001210 - All system command files must not have extended ACLs. '/sbin'
1001933  1      Info      GEN001210 - All system command files must not have extended ACLs. '/usr/sbin'
1001922  1      Info      GEN001300 - Library files must have mode 0755 or less permissive. '/usr/lib/*'
1001921  1      Info      GEN001300 - Library files must have mode 0755 or less permissive. '/lib/*'
1001920  1      Info      GEN001310 - All library files must not have extended ACLs. '/usr/lib/*'


1001919  1      Info      GEN001310 - All library files must not have extended ACLs. '/lib/*'
1001715  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. '/etc/auditd.conf'
1001714  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. '/etc/audit/auditd.conf'
1001713  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. '/etc/audit.rules'
1001712  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. '/etc/audit/audit.rules'
1001711  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. 'adjtimex'
1001710  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. 'sethostname'
1001709  1      High      GEN002760 - The audit system must be configured to audit all administrative, privileged, and security actions. 'clock_settime'
1001412  1      Info      GEN008800 - The system package management tool must cryptographically verify the authenticity of software packages during installation. '/usr/lib/rpm/rpmrc'
1001411  1      Info      GEN008800 - The system package management tool must cryptographically verify the authenticity of software packages during installation. '/etc/yum.conf'


1001410  1      Info      GEN008800 - The system package management tool must cryptographically verify the authenticity of software packages during installation. '/etc/yum.repos.d/*'


CM-5-2 - Access Restrictions for Change

CCI-000358 - The organization limits information system developer/integrator privileges to change system information directly within a production environment.

CCI-000353 - The organization defines information system components and system-level information requiring enforcement of a two-person rule for information system changes.

CCI-000348 - The organization defines a frequency to conduct audits of information system changes.

CCI-001500 - The information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.

CCI Mapping Summary


CM-6 - Configuration Settings

CCI-000373 - The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms.

CCI-000378 - The organization ensures that unauthorized, security-relevant configuration changes detected are available for historical purposes.

CCI-000369 - The organization approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.

CCI-000372 - The organization employs automated mechanisms to centrally verify configuration settings.

CCI-001502 - The organization monitors changes to the configuration settings in accordance with organizational policies and procedures.

CCI-000367 - The organization identifies exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.

CCI-000368 - The organization documents exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.

CCI-000375 - The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability.

CCI-000379 - The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.

CCI-000370 - The organization employs automated mechanisms to centrally manage configuration settings.

CCI-000366 - The organization implements the security configuration settings.

CCI-000364 - The organization establishes mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.

CCI-000363 - The organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information system technology products employed.

CCI-001503 - The organization controls changes to the configuration settings in accordance with organizational policies and procedures.

CCI-000376 - The organization ensures that unauthorized, security-relevant configuration changes detected are monitored.

CCI-000377 - The organization ensures that unauthorized, security-relevant configuration changes detected are corrected.

CCI-000374 - The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.


CCI-000371 - The organization employs automated mechanisms to centrally apply configuration settings.

CCI-001589 - The organization ensures that unauthorized, security-relevant configuration changes detected are tracked.

CCI-001588 - The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.

CCI-000365 - The organization documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.


CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1002408  3      High      3.2.1.5 (GEN000340) Reserved System Account UIDs
1002407  3      Info      3.2.1.7 (GEN000380) Groups Referenced in /etc/passwd
1002401  3      High      3.2.1.16 (GEN000560) Password Protect Enabled Accounts (/etc/pam.d/system-auth)
1002400  3      Info      3.2.1.16 (GEN000560) Password Protect Enabled Accounts (/etc/shadow)
1002390  3      Info      3.2.1.31 (GEN000880) Root's UID
1002389  3      Info      3.2.1.32 (GEN000900) Root's Home Directory
1002387  3      Info      3.2.1.34 (GEN000940) Root's Search Path
1002386  3      Info      3.2.1.35 (GEN000960) Root's Search Path
1002354  3      Info      3.2.1.66 (GEN001600) Run Control Scripts PATH Variable (/etc/*)
1002353  3      Info      3.2.1.66 (GEN001600) Run Control Scripts PATH Variable (/etc/init.d/*)
1002346  3      High      3.2.1.75 (GEN001780) Global Initialization Files do not Contain mesg -n (/etc/.login)
1002345  3      High      3.2.1.75 (GEN001780) Global Initialization Files do not Contain mesg -n (/etc/profile)
1002344  3      High      3.2.1.75 (GEN001780) Global Initialization Files do not Contain mesg -n (/etc/bashrc)
1002343  3      High      3.2.1.75 (GEN001780) Global Initialization Files do not Contain mesg -n (/etc/environment)
1002342  3      Info      3.2.1.75 (GEN001780) Global Initialization Files do not Contain mesg -n (/etc/security/environ)
1002340  3      High      3.2.1.78 (GEN001840) Global Initialization Files PATH Variable (/etc/.login)
1002339  3      Info      3.2.1.78 (GEN001840) Global Initialization Files PATH Variable (/etc/profile)


1002338  3      Info      3.2.1.78 (GEN001840) Global Initialization Files PATH Variable (/etc/bashrc)
1002337  3      Info      3.2.1.78 (GEN001840) Global Initialization Files PATH Variable (/etc/environment)
1002336  3      Info      3.2.1.78 (GEN001840) Global Initialization Files PATH Variable (/etc/security/environ)
1002317  3      High      3.2.1.90 (GEN002100) The .rhosts Supported in PAM
1002316  3      Info      3.2.1.91 (GEN002120) The /etc/shells File Does Not Exist
1002315  3      Info      3.2.1.92 (GEN002140) The /etc/shells Contents
1002311  3      Info      3.2.1.109 (GEN002500) Sticky Bit on Public Directories
1002310  3      Info      3.2.1.112 (GEN002560) Default umask (/etc/login.defs)
1002309  3      High      3.2.1.112 (GEN002560) Default umask (/etc/bashrc)
1002308  3      High      3.2.1.112 (GEN002560) Default umask (/etc/csh.cshrc)
1002307  3      High      3.2.1.112 (GEN002560) Default umask (/etc/xinetd.conf)
1002268  3      High      3.2.1.124 (GEN002860) Audit Logs Rotation
1002240  3      High      3.2.1.155 (GEN003500) Disable Core Dumps (/etc/profile)
1002222  3      Info      3.3.1.13 (GEN003900) hosts.lpd Contents
1002218  3      High      3.3.1.37 (GEN004440) Sendmail Logging
1002215  3      High      3.3.1.41 (GEN004540) Sendmail Help Command
1002214  3      High      3.3.1.42 (GEN004560) Sendmail Greeting to Mask Version
1002213  1      Info      3.3.1.43 (GEN004580) .forward Files
1002210  3      High      3.3.1.47 (GEN004660) Sendmail EXPN Command


1002209  3      High      3.3.1.48 (GEN004680) Sendmail VRFY Command
1002208  3      High      3.3.1.49 (GEN004700) Sendmail WIZ Command
1002206  3      Info      3.3.1.53 (GEN004800) Unencrypted FTP or Telnet (ftp)
1002205  3      Info      3.3.1.53 (GEN004800) Unencrypted FTP or Telnet (telnet)
1002169  3      High      3.3.1.65 (GEN005080) TFTP Secure Mode
1002161  3      High      3.3.1.85 (GEN005480) Syslog Accepts Remote Messages
1002159  3      High      3.3.1.87 (GEN005540) Encrypted Communications IP Filtering and Banners
1002158  1      Info      3.3.1.88 (GEN005560) Default Gateway
1002156  3      Info      3.3.1.90 (GEN005600) Disable IP Forwarding
1002130  3      High      3.5.1.4 (GEN006580) Access Control Program
1002126  3      Info      3.5.1.6 (GEN006620) Access Control Program Control System Access (hosts.allow)
1002114  3      High      3.11.1.19 (LNX00400) Access File Ownership (/etc/security/access.conf)
1002111  3      Info      3.11.1.27 (LNX00580) Ctrl-Alt-Delete Sequence
1002110  3      High      3.11.1.28 (LNX00600) PAM Configuration
1002050  1      High      GEN000000-LNX00400 - The /etc/security/access.conf file must be owned by root.
1002049  1      Info      GEN000000-LNX00450 - The /etc/security/access.conf file must not have an extended ACL.
1002045  1      Info      GEN000000-LNX00580 - The x86 CTRL-ALT-DELETE key sequence must be disabled.


1002044  1      High      GEN000000-LNX00600 - The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.
1002031  1      High      GEN000241 - The system clock must be synchronized continuously, or at least daily.
1002013  1      Info      GEN000380 - All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
1001993  1      High      GEN000560 - The system must not have accounts configured with blank or null passwords.
1001980  1      High      GEN000680 - The system must require that passwords contain no more than three consecutive repeating characters.
1001971  1      Info      GEN000880 - The root account must be the only account having a UID of 0.
1001970  1      Info      GEN000900 - The root user's home directory must not be the root directory (/).
1001967  1      Info      GEN000940 - The root account's executable search path must be the vendor default and must contain only absolute paths.
1001964  1      Info      GEN000960 - The root account must not have world-writable directories in its executable search path.
1001959  1      Info      GEN001080 - The root shell must be located in the / file system.
1001949  1      High      GEN001160 - All files and directories must have a valid owner.
1001882  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/init.d/*'
1001881  1      High      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/*'


1001880  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc0.d/*'
1001879  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc1.d/*'
1001878  1      High      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc2.d/*'
1001877  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc3.d/*'
1001876  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc4.d/*'
1001875  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc5.d/*'
1001874  1      Info      GEN001600 - Run control scripts' executable search paths must contain only absolute paths. '/etc/rc.d/rc6.d/*'
1001873  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/init.d/*'
1001872  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/*'
1001871  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc0.d/*'
1001870  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc1.d/*'
1001869  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc2.d/*'


1001868  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc3.d/*'
1001867  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc4.d/*'
1001866  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc5.d/*'
1001865  1      High      GEN001605 - Run control scripts' library search paths must contain only absolute paths. '/etc/rc.d/rc6.d/*'
1001864  1      High      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/init.d/*'
1001863  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/*'
1001862  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc0.d/*'
1001861  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc1.d/*'
1001860  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc2.d/*'
1001859  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc3.d/*'
1001858  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc4.d/*'
1001857  1      Info      GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc5.d/*'


1001856  1  Info  GEN001610 - Run control scripts' lists of preloaded libraries must contain only absolute paths. '/etc/rc.d/rc6.d/*'
1001824  1  High  GEN001780 - Global initialization files must contain the 'mesg -n' or 'mesg n' commands. '/etc/.login'
1001823  1  High  GEN001780 - Global initialization files must contain the 'mesg -n' or 'mesg n' commands. '/etc/profile'
1001822  1  High  GEN001780 - Global initialization files must contain the 'mesg -n' or 'mesg n' commands. '/etc/bashrc'
1001821  1  High  GEN001780 - Global initialization files must contain the 'mesg -n' or 'mesg n' commands. '/etc/environment'
1001820  1  High  GEN001780 - Global initialization files must contain the 'mesg -n' or 'mesg n' commands. '/etc/security/environ'
1001819  1  High  GEN001780 - Global initialization files must contain the 'mesg -n' or 'mesg n' commands. '/etc/profile.d/*'
1001816  1  Info  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/profile'
1001815  1  Info  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/bashrc'
1001814  1  Info  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/csh.login'
1001813  1  Info  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/csh.cshrc'
1001812  1  Info  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/environment'


1001811  1  High  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/.login'
1001810  1  High  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/security/environ'
1001809  1  Info  GEN001840 - All global initialization files' executable search paths must contain only absolute paths. '/etc/profile.d/*'
1001808  1  Info  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/profile'
1001807  1  Info  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/bashrc'
1001806  1  Info  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/csh.login'
1001805  1  Info  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/csh.cshrc'
1001804  1  Info  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/environment'
1001803  1  High  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/.login'
1001802  1  High  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/security/environ'
1001801  1  Info  GEN001845 - Global initialization files' library search paths must contain only absolute paths. '/etc/profile.d/*'
1001800  1  Info  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/profile'


1001799  1  Info  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/bashrc'
1001798  1  Info  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/csh.login'
1001797  1  Info  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/csh.cshrc'
1001796  1  Info  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/environment'
1001795  1  High  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/.login'
1001794  1  High  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/security/environ'
1001793  1  Info  GEN001850 - Global initialization files' lists of preloaded libraries must contain only absolute paths. '/etc/profile.d/*'
1001777  1  Info  GEN001900 - All local initialization files' executable search paths must contain only absolute paths.
1001776  1  Info  GEN001901 - Local initialization files' library search paths must contain only absolute paths.
1001775  1  Info  GEN001902 - Local initialization files' lists of preloaded libraries must contain only absolute paths.
1001772  1  High  GEN001980 - The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
1001763  1  Info  GEN002100 - The .rhosts file must not be supported in PAM.


1001762  1  Info  GEN002120 - The /etc/shells (or equivalent) file must exist.
1001761  1  Info  GEN002140 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
1001753  1  High  GEN002380 - The owner, group-owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
1001750  1  High  GEN002430 - Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the 'nodev' option.
1001748  1  Info  GEN002480 - Public directories must be the only world-writable directories and must be located only in public directories. 'files'
1001747  1  Info  GEN002480 - Public directories must be the only world-writable directories and must be located only in public directories. 'directories'
1001746  1  High  GEN002560 - The system and user default umask must be 077. '/etc/*'
1001745  1  High  GEN002560 - The system and user default umask must be 077. '~/.*'
1001699  1  High  GEN002860 - Audit logs must be rotated daily.
1001625  1  High  GEN003500 - Process core dumps must be disabled unless needed.
1001621  1  Info  GEN003510 - Kernel core dumps must be disabled unless needed. 'process'
1001620  1  Info  GEN003510 - Kernel core dumps must be disabled unless needed. 'chkconfig'
1001617  1  High  GEN003540 - The system must implement non-executable program stacks.
1001614  1  High  GEN003601 - TCP backlog queue sizes must be set appropriately.


1001607  1  High  GEN003609 - The system must ignore IPv4 ICMP redirect messages.
1001574  1  High  GEN003900 - The hosts.lpd file (or equivalent) must not contain a '+' character. '+'
1001573  1  High  GEN003900 - The hosts.lpd file (or equivalent) must not contain a '+' character. 'Listen'
1001572  1  High  GEN003900 - The hosts.lpd file (or equivalent) must not contain a '+' character. 'Allow from'
1001550  1  Info  GEN004800 - Unencrypted FTP must not be used on the system. 'telnet'
1001549  1  Info  GEN004800 - Unencrypted FTP must not be used on the system. 'gssftp'
1001548  1  Info  GEN004800 - Unencrypted FTP must not be used on the system. 'vsftpd'
1001524  1  High  GEN005480 - The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
1001516  1  Info  GEN005506 - The SSH daemon must be configured to not use CBC ciphers.
1001513  1  Info  GEN005511 - The SSH client must be configured to not use CBC-based ciphers.
1001502  1  High  GEN005524 - The SSH daemon must not permit GSSAPI authentication unless needed.
1001501  1  High  GEN005525 - The SSH client must not permit GSSAPI authentication unless needed. 'GSSAPIAuthentication'
1001500  1  High  GEN005525 - The SSH client must not permit GSSAPI authentication unless needed. 'KerberosAuthentication'
1001490  1  High  GEN005538 - The SSH daemon must not allow rhosts RSA authentication.


1001489  1  High  GEN005539 - The SSH daemon must not allow compression or must only allow compression after successful authentication.
1001488  1  High  GEN005540 - The SSH daemon must be configured for IP filtering. '/etc/hosts.deny'
1001485  1  Info  GEN005560 - The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
1001484  1  High  GEN005570 - The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
1001482  1  Info  GEN005590 - The system must not be running any routing protocol daemons, unless the system is a router.
1001481  1  Info  GEN005600 - IP forwarding for IPv4 must not be enabled, unless the system is a router.
1001480  1  High  GEN005610 - The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
1001460  1  High  GEN006565 - The system package management tool must be used to verify system software periodically.
1001459  1  Info  GEN006580 - The system must use an access control program.
1001457  1  Info  GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts.
1001456  1  High  GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts. '/etc/hosts.deny ALL: ALL'
1001438  1  Info  GEN007840 - The DHCP client must be disabled if not needed.


1001437  1  High  GEN007850 - The DHCP client must not send dynamic DNS updates.
1001432  1  High  GEN007950 - The system must not respond to ICMPv6 echo requests sent to a broadcast address.
1001429  1  High  GEN008420 - The system must use available memory address randomization techniques.
1001428  1  Info  GEN008440 - Automated file system mounting tools must not be enabled unless needed. 'process'
1001427  1  High  GEN008440 - Automated file system mounting tools must not be enabled unless needed. 'chkconfig'
1001426  1  High  GEN008460 - The system must have USB disabled unless needed. 'kernel'
1001425  1  High  GEN008460 - The system must have USB disabled unless needed. '/proc/bus/usb'
1001424  1  High  GEN008480 - The system must have USB Mass Storage disabled unless needed.
1001423  1  High  GEN008500 - The system must have IEEE 1394 (Firewire) disabled unless needed.
1001417  1  Info  GEN008660 - For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
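The GEN001600/1605/1610, GEN001840/1845/1850 and GEN001900/1901/1902 rows above all reduce to one condition: every entry of a PATH, LD_LIBRARY_PATH or LD_PRELOAD assignment in a run-control or shell initialization file must be an absolute path, because a relative entry (including an empty one produced by a leading, trailing or doubled colon) is resolved against whatever directory the script or login shell happens to be in, which lets an attacker who controls that directory supply the binary or library that gets run. The script below is an added example and is not SecurityCenter's or Tenable's audit logic; it assumes Bourne-style `VAR=value`, `export VAR=value` and csh `setenv VAR value` syntax, does not handle csh `set path = (...)`, and treats `$VAR` references such as `$PATH` as acceptable for manual review (an assumption). The sample files are constructed for the example and come from no real host.

```shell
#!/bin/sh
# Added example (not Tenable/SecurityCenter code): flag relative entries in
# PATH, LD_LIBRARY_PATH and LD_PRELOAD assignments in run-control and shell
# initialization files.  Sample files are constructed, not from a real host.

# Print the right-hand side of an assignment to VAR ($1) found in LINE ($2),
# prefixed with '@' so an empty value is distinguishable from "no assignment".
# Covers:  VAR=value   export VAR=value   setenv VAR value  (csh/tcsh)
# Surrounding quotes and anything after ';' are stripped.
# (csh 'set path = (...)' syntax is not handled.)
extract_assignment() {
    printf '%s\n' "$2" | sed -n \
        -e "s/^[[:space:]]*$1=/@/p" \
        -e "s/^[[:space:]]*export[[:space:]][[:space:]]*$1=/@/p" \
        -e "s/^[[:space:]]*setenv[[:space:]][[:space:]]*$1[[:space:]][[:space:]]*/@/p" |
    sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^@[\"']/@/" -e "s/[\"']\$//"
}

# Print one "FILE:LINE:VAR:entry" record per relative entry in VALUE ($4).
# An empty entry (leading, trailing or doubled ':') is reported as '(empty)':
# the shell and the dynamic loader treat it as the current directory.
# Entries starting with '$' are variable references such as $PATH and are
# left for manual review (assumption: the site accepts them).
# Runs in a subshell so IFS and globbing changes do not leak.
check_entries() (
    file=$1 lineno=$2 var=$3 value=$4 bad=0
    case ":$value:" in
        *::*) printf '%s:%s:%s:(empty)\n' "$file" "$lineno" "$var"; bad=1 ;;
    esac
    IFS=': '; set -f            # split on ':' and blanks (LD_PRELOAD), no globbing
    for entry in $value; do
        case "$entry" in
            /*|\$*) ;;          # absolute path, or a variable reference
            *) printf '%s:%s:%s:%s\n' "$file" "$lineno" "$var" "$entry"; bad=1 ;;
        esac
    done
    return $bad
)

# Audit one file; print findings and return 1 if any were made.
audit_path_file() {
    file=$1 lineno=0 status=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                       # drop comments
        for var in PATH LD_LIBRARY_PATH LD_PRELOAD; do
            raw=$(extract_assignment "$var" "$line")
            case "$raw" in
                @*) check_entries "$file" "$lineno" "$var" "${raw#@}" || status=1 ;;
            esac
        done
    done < "$file"
    return $status
}

# Constructed sample files (assumed content, not copied from any system).
make_samples() {
    cat > "$1/profile" <<'EOF'
# /etc/profile (constructed sample)
PATH=/usr/local/bin:/usr/bin:/bin
export PATH
LD_LIBRARY_PATH=/usr/lib:lib ; export LD_LIBRARY_PATH
EOF
    cat > "$1/rc.local" <<'EOF'
#!/bin/sh
export PATH=$PATH:/sbin:.
LD_PRELOAD="/usr/lib/libfoo.so ./libbar.so"
EOF
    cat > "$1/csh.login" <<'EOF'
setenv PATH /usr/bin:/bin:
EOF
}

# Usage on a live host: audit_path_file /etc/profile; here, run the samples.
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in "$tmp"/profile "$tmp"/rc.local "$tmp"/csh.login; do
        audit_path_file "$f" || :
    done
    rm -rf "$tmp"
}
demo
```

Running `demo` reports `lib` in the profile's LD_LIBRARY_PATH, the `.` and `./libbar.so` entries in rc.local, and the empty trailing entry in csh.login; a clean file prints nothing and returns 0. On a real host, loop over `/etc/init.d/*`, `/etc/rc.d/rc*.d/*`, the global files listed in the rows above and each user's `~/.profile`-style files, and treat a `$PATH` reference as acceptable only if the variable it inherits has already been audited.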
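Several CM-6 rows (GEN003609 ICMP redirects, GEN005600 and GEN005610 IPv4/IPv6 forwarding, GEN008420 address-space randomization, GEN003500 core dumps) are kernel parameters that sysctl(8) exposes as `key = value` pairs. The checker below is an added example, not Tenable's audit logic: it reads a sysctl.conf-style listing with the rules that file format actually uses (comments start with `#` or `;`, whitespace around `=` is ignored, `/` may replace `.` in a key, and when a key is repeated the last assignment wins, which is why a naive `grep` of the first match is wrong) and compares the result with an expected table. The expected values are a reading of the rows above for a host that is not a router (an assumption), and the sample listing is constructed for the example.

```shell
#!/bin/sh
# Added example (not Tenable/SecurityCenter code): compare kernel parameters
# from a sysctl(8)-style "key = value" listing against expected values.

# Expected "key value" pairs (assumption: a non-router host, no core dumps).
SYSCTL_EXPECTED='
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
kernel.randomize_va_space 2
fs.suid_dumpable 0
'

# Print the effective value of KEY ($2) in FILE ($1) using sysctl.conf rules:
# '#' and ';' lines are comments, whitespace around '=' is ignored, '/' in a
# key is equivalent to '.', and the LAST assignment of a repeated key wins.
# Prints nothing when the key is absent.
sysctl_lookup() {
    awk -v k="$2" -F'=' '
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            key = $1; gsub(/\//, ".", key)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == k) { found = 1; value = val }
        }
        END { if (found) print value }
    ' "$1"
}

# Print PASS/FAIL/MISSING per expected key; return 1 if anything is wrong.
sysctl_audit() {
    file=$1 status=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_lookup "$file" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"; status=1
        elif [ "$have" = "$want" ]; then
            printf 'PASS    %s = %s\n' "$key" "$have"
        else
            printf 'FAIL    %s = %s (want %s)\n' "$key" "$have" "$want"; status=1
        fi
    done <<EOF
$SYSCTL_EXPECTED
EOF
    return $status
}

# Constructed sample listing (assumed content, not from a real host).
make_sysctl_sample() {
    cat > "$1" <<'EOF'
# constructed sample (not from a real host)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.ip_forward = 0
; a later duplicate overrides the earlier one, as sysctl.conf does
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
fs.suid_dumpable=0
EOF
}

# Usage on a live host:  sysctl -a 2>/dev/null > /tmp/sysctl.txt
#                         sysctl_audit /tmp/sysctl.txt
demo() {
    tmp=$(mktemp -d) || return 1
    make_sysctl_sample "$tmp/sysctl.conf"
    sysctl_audit "$tmp/sysctl.conf" || :
    rm -rf "$tmp"
}
demo
```

Against the sample, `net.ipv4.ip_forward` is reported as FAIL (the second assignment, `1`, is the effective one) and `kernel.randomize_va_space` as MISSING. Feeding the function the output of `sysctl -a` rather than `/etc/sysctl.conf` checks the running kernel rather than what will be applied at the next boot; both views matter, since a value set in the file can be overridden by a later file in `/etc/sysctl.d` or by a runtime `sysctl -w`.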


CM-7 - Least Functionality

CCI-001592 - The organization develops rules authorizing the terms and conditions of software program usage on the information system.

CCI-000386 - The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.

CCI-001591 - The organization develops a list of software programs not authorized to execute on the information system.

CCI-000384 - The organization reviews the information system per organization-defined frequency to identify unnecessary functions, ports, protocols, and/or services.

CCI-001594 - The organization maintains a list of software programs not authorized to execute on the information system.

CCI-001595 - The organization maintains rules authorizing the terms and conditions of software program usage on the information system.

CCI-000381 - The organization configures the information system to provide only essential capabilities.

CCI-000383 - The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.

CCI-000382 - The organization configures the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.

CCI-000388 - The organization ensures compliance with organization-defined registration requirements for ports, protocols, and services.

CCI-000387 - The organization defines registration requirements for ports, protocols, and services.

CCI-000380 - The organization defines for the information system prohibited or restricted functions, ports, protocols, and/or services.

CCI-000385 - The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.

CCI-001590 - The organization develops a list of software programs authorized to execute on the information system.

CCI-001593 - The organization maintains a list of software programs authorized to execute on the information system.


CCI Mapping Summary

Plugin Total Severity Plugin Name

1002138  3  Info  3.3.1.117 (GEN006240) INN Documentation
1001464  1  Info  GEN006240 - The system must not run an Internet Network News (INN) server.
1001454  1  High  GEN007020 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
1001453  1  High  GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
1001450  1  Info  GEN007260 - The AppleTalk protocol must be disabled or not installed.
1001448  1  High  GEN007480 - The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.


CP-9 - Information System Backup

CCI-000547 - The organization defines the time period for transferring information system backup information to the alternate storage site to support recovery time objectives and recovery point objectives.

CCI-000544 - The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system.

CCI-000545 - The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system.

CCI-000542 - The organization tests backup information per organization-defined frequency to verify media reliability and information integrity.

CCI-000535 - The organization conducts backups of user-level information contained in the information system at an organization-defined frequency that is consistent with recovery time and recovery point objectives.

CCI-000537 - The organization conducts backups of system-level information contained in the information system at an organization-defined frequency that is consistent with recovery time and recovery point objectives.

CCI-000546 - The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.

CCI-000540 - The organization protects the confidentiality and integrity of backup information at the storage location.

CCI-000536 - The organization defines frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.

CCI-000538 - The organization defines the frequency of conducting information system documentation backups (including security-related information) to support recovery time objectives and recovery point objectives.

CCI-000541 - The organization defines the frequency for testing backup information to verify media reliability and information integrity.

CCI-000548 - The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined frequency and transfer rate.

CCI-000543 - The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

CCI-000539 - The organization conducts backups of information system documentation, including security-related documentation, at an organization-defined frequency that is consistent with recovery time and recovery point objectives.

CCI-000549 - The organization maintains a redundant, secondary backup system that is not colocated with the primary backup system for the information system.


CCI-001609 - The redundant secondary system, not colocated with the primary backup system for the information system, can be activated to accomplish information system backups without causing loss of information or disruption to the operation.

CCI-000534 - The organization defines frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.

CCI Mapping Summary


IA-2 - Identification and Authentication (Organizational Users)

CCI-000769 - The organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator.

CCI-000776 - The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.

CCI-000772 - The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.

CCI-000770 - The organization requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.

CCI-000768 - The information system uses multifactor authentication for local access to non-privileged accounts.

CCI-000767 - The information system uses multifactor authentication for local access to privileged accounts.

CCI-000771 - The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.

CCI-000775 - The organization defines replay-resistant authentication mechanisms to be used for network access to non-privileged accounts.

CCI-000766 - The information system uses multifactor authentication for network access to non-privileged accounts.

CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

CCI-000774 - The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.

CCI-000765 - The information system uses multifactor authentication for network access to privileged accounts.

CCI-000773 - The organization defines replay-resistant authentication mechanisms to be used for network access to privileged accounts.


CCI Mapping Summary

Plugin Total Severity Plugin Name

1002410  3  Info  3.1.1 (GEN000300) Unique Account Name
1002409  3  Info  3.1.1 (GEN000320) Unique UID
1002385  3  High  3.2.1.36 (GEN000980) Root Console Access (/bin/login)
1002384  3  High  3.2.1.36 (GEN000980) Root Console Access (sshd)
1002383  1  High  3.2.1.38 (GEN001020) Direct Root Login
1002122  3  High  3.11.1.15 (LNX00320) Special Privileged Accounts (halt)
1002121  3  High  3.11.1.15 (LNX00320) Special Privileged Accounts (shutdown)
1002120  3  Info  3.11.1.15 (LNX00320) Special Privileged Accounts (reboot)
1002119  3  Info  3.11.1.15 (LNX00320) Special Privileged Accounts (who)
1002063  1  High  GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - 'shutdown'
1002062  1  High  GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow - shutdown'
1002061  1  High  GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - 'halt'
1002060  1  High  GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow - halt'
1002059  1  Info  GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - 'reboot'
1002058  1  Info  GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow - reboot'


1002017  1  Info  GEN000300 - All accounts on the system must have unique user or account names.
1002016  1  Info  GEN000320 - All accounts must be assigned unique User Identification Numbers (UIDs).
1001963  1  High  GEN000980 - The system must prevent the root account from directly logging in except from the system console.
1001961  1  High  GEN001020 - The root account must not be used for direct logins.
1001957  1  High  GEN001120 - The system must not permit root logins using remote access programs such as ssh.
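The GEN001120 row above and the SSH rows in the CM-6 table (GEN005506 no CBC ciphers, GEN005524 no GSSAPI authentication, GEN005538 no rhosts RSA authentication, GEN005539 no pre-authentication compression) are all answered by reading sshd_config correctly, and sshd's rules differ from most config files: keywords are case-insensitive, the first occurrence of a keyword wins (later duplicates are silently ignored), `Keyword value` and `Keyword=value` are both accepted, and anything after a `Match` line applies only to matching connections. The script below is an added example and is not Tenable's audit logic; the verdict texts are a reading of those rows, the "unset" verdicts encode assumptions about OpenSSH defaults that are stated in the comments, and both sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not Tenable/SecurityCenter code): audit an sshd_config for
# remote root login, CBC ciphers, GSSAPI and rhosts RSA authentication and
# pre-authentication compression.  Sample configs are constructed.

# Print the effective global value of keyword $2 in sshd_config $1.
# sshd semantics: keywords are case-insensitive, the FIRST occurrence wins,
# '#' lines are comments, 'Keyword value' or 'Keyword=value' both work, and
# options after a 'Match' line are conditional, so the scan stops there
# (Match blocks need separate review).  Prints nothing if the keyword is
# not set globally.
sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/=/, " "); key = tolower($1) }
        key == "match" { exit }
        key == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Verdict for one keyword: PASS if the value is in ALLOWED ($3, space-
# separated), FAIL otherwise; if unset, print UNSET_VERDICT ($4) and NOTE ($5).
# Returns 1 only for FAIL.
check_opt() {
    value=$(sshd_option "$1" "$2")
    if [ -z "$value" ]; then
        printf '%s %s unset (%s)\n' "$4" "$2" "$5"
        if [ "$4" = FAIL ]; then return 1; else return 0; fi
    fi
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    for a in $3; do
        if [ "$lower" = "$a" ]; then printf 'PASS %s %s\n' "$2" "$value"; return 0; fi
    done
    printf 'FAIL %s %s (want one of: %s)\n' "$2" "$value" "$3"
    return 1
}

# Run every check against sshd_config $1; return 1 if any FAIL was printed.
# The "unset" verdicts are assumptions about OpenSSH defaults, noted inline.
sshd_audit() {
    cfg=$1 status=0
    check_opt "$cfg" PermitRootLogin no FAIL \
        'assumption: OpenSSH defaults permit root logins, at least with keys' || status=1
    check_opt "$cfg" GSSAPIAuthentication no PASS \
        'sshd default is no' || status=1
    check_opt "$cfg" RhostsRSAAuthentication no REVIEW \
        'protocol-1 keyword, absent from current OpenSSH; default was no' || status=1
    check_opt "$cfg" Compression 'no delayed' REVIEW \
        'whether pre-auth compression is possible depends on the OpenSSH version' || status=1

    ciphers=$(sshd_option "$cfg" Ciphers)
    if [ -z "$ciphers" ]; then
        printf 'REVIEW Ciphers unset (default suite depends on the OpenSSH version; older releases enabled CBC modes)\n'
    else
        cbc=$(printf '%s\n' "$ciphers" | tr ',' '\n' | grep -i -- '-cbc' | tr '\n' ',' || :)
        if [ -n "$cbc" ]; then
            printf 'FAIL Ciphers contain CBC modes: %s\n' "${cbc%,}"; status=1
        else
            printf 'PASS Ciphers %s\n' "$ciphers"
        fi
    fi
    return $status
}

# Constructed sample configs (assumed content, not from a real host).
make_sshd_samples() {
    cat > "$1/weak" <<'EOF'
# constructed sshd_config, not from a real host
Port 22
PermitRootLogin yes
# ignored by sshd: the first PermitRootLogin above wins
PermitRootLogin no
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
GSSAPIAuthentication=yes
Compression yes
Match User backup
    GSSAPIAuthentication no
EOF
    cat > "$1/hardened" <<'EOF'
PermitRootLogin no
Ciphers aes256-gcm@openssh.com,aes128-ctr
GSSAPIAuthentication no
Compression delayed
EOF
}

# Usage on a live host: sshd_audit /etc/ssh/sshd_config; here, the samples.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sshd_samples "$tmp"
    for f in "$tmp"/weak "$tmp"/hardened; do
        printf '== %s\n' "$f"; sshd_audit "$f" || :
    done
    rm -rf "$tmp"
}
demo
```

The weak sample yields four FAIL lines (PermitRootLogin, Ciphers, GSSAPIAuthentication, Compression) and the hardened one none. Because the script stops at the first `Match`, a `PermitRootLogin no` placed inside a Match block does not count as a global setting, which is exactly what sshd does with it. When the daemon is running, `sshd -T` prints the fully resolved configuration with defaults applied and is the better input for the audit, since it removes the version-dependent "unset" cases.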


IA-4 - Identifier Management

CCI-000797 - The organization requires that registration to receive a user ID and password include authorization by a supervisor.

CCI-000787 - The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies a device.

CCI-000802 - The information system dynamically manages identifiers, attributes, and associated access authorizations.

CCI-000799 - The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.

CCI-000796 - The organization prohibits the use of information system account identifiers as public identifiers for user electronic mail accounts (i.e., user identifier portion of the electronic mail address).

CCI-000792 - The organization manages information system identifiers for users and devices by preventing reuse of user identifiers for an organization-defined time period.

CCI-000795 - The organization manages information system identifiers for users and devices by disabling the user identifier after an organization-defined time period of inactivity.

CCI-000790 - The organization defines a time period for which the reuse of user identifiers is prohibited.

CCI-000791 - The organization defines a time period for which the reuse of device identifiers is prohibited.

CCI-000798 - The organization requires that registration to receive a user ID and password be done in person before a designated registration authority.

CCI-000800 - The organization defines characteristics for identifying user status.

CCI-000786 - The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies an individual.

CCI-000788 - The organization manages information system identifiers for users and devices by assigning the user identifier to the intended party.

CCI-000793 - The organization manages information system identifiers for users and devices by preventing reuse of device identifiers for an organization-defined time period.

CCI-000784 - The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user identifier.

CCI-000794 - The organization defines a time period of inactivity after which the user identifier is disabled.


CCI-000785 - The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a device identifier.

CCI-000801 - The organization manages user identifiers by uniquely identifying the user with the organization-defined characteristic identifying user status.

CCI-000789 - The organization manages information system identifiers for users and devices by assigning the device identifier to the intended device.

CCI Mapping Summary


IA-5-1 - Authenticator Management

CCI-000183 - The organization manages information system authenticators for users and devices by protecting authenticator content from unauthorized disclosure and modification.

CCI-000180 - The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).

CCI-000201 - The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.

CCI-000192 - The organization enforces password complexity by the number of upper case characters used.

CCI-000188 - The organization requires that the registration process to receive an organizationally defined type of authenticator be carried out in person before a designated registration authority, with authorization by a designated organizational official (e.g., a supervisor).

CCI-000187 - The information system, for PKI-based authentication, maps the authenticated identity to the user account.

CCI-001619 - The organization enforces password complexity by the number of special characters used.

CCI-000182 - The organization manages information system authenticators for users and devices by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type.

CCI-000181 - The organization manages information system authenticators for users and devices by establishing reuse conditions for authenticators (if appropriate).

CCI-001612 - The organization defines the number of upper case characters used.

CCI-001616 - The organization defines minimum lifetime restrictions.

CCI-000189 - The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.

CCI-000202 - The organization ensures unencrypted passwords are not embedded in access scripts.

CCI-000190 - The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.

CCI-000175 - The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator.

CCI-001614 - The organization defines the number of numeric characters used.


CCI-000197 - The organization enforces password encryption for transmission.

CCI-001615 - The organization defines the minimum number of characters that are changed when new passwords are created.

CCI-001621 - The organization takes organization-defined measures to manage the risk of compromise due to individuals having accounts on multiple information systems.

CCI-000194 - The organization enforces password complexity by the number of numeric characters used.

CCI-000184 - The organization manages information system authenticators for users and devices by requiring users to take, and having devices implement, specific measures to safeguard authenticators.

CCI-000179 - The organization manages information system authenticators for users and devices by establishing minimum lifetime restrictions for authenticators (if appropriate).

CCI-001611 - The organization defines the number of special characters used.

CCI-000199 - The organization enforces maximum lifetime restrictions.


CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1002398  3      High      3.2.1.18 (GEN000600) Password Character Mix (lcredit)
1002397  3      High      3.2.1.18 (GEN000600) Password Character Mix (ucredit)
1002396  3      High      3.2.1.19 (GEN000620) Password Character Mix (dcredit)
1002395  3      High      3.2.1.20 (GEN000640) Password Character Mix (ocredit)
1002394  3      High      3.2.1.23 (GEN000700) Password Change Every 60 Days (/etc/login.defs)
1002393  3      High      3.2.1.23 (GEN000700) Password Change Every 60 Days (/etc/shadow)
1002380  3      High      3.2.1.41 (GEN001100) Encrypting Root Access
1001987  1      High      GEN000600-1 - The system must require that passwords contain at least one uppercase alphabetic character.
1001986  1      High      GEN0000600-2 - Ensure that global settings defined in system-auth are applied in the pam.d definition files. 'link != /etc/pam.d/system-auth'
1001985  1      High      GEN0000600-2 - Ensure that global settings defined in system-auth are applied in the pam.d definition files. 'link = system-auth-local'
1001984  1      High      GEN0000600-2 - Ensure that global settings defined in system-auth are applied in the pam.d definition files. '/etc/pam.d/system-auth'
1001982  1      High      GEN000620 - The system must require that passwords contain at least one numeric character.
1001981  1      High      GEN000640 - The system must require that passwords contain at least one special character.
1001979  1      High      GEN000700 - User passwords must be changed at least every 60 days.
1001975  1      High      GEN000790 - The system must prevent the use of dictionary words for passwords.
1001958  1      Info      GEN001100 - Root passwords must never be passed over a network in clear text form.
1001902  1      Info      GEN001470 - The /etc/passwd file must not contain password hashes.
1001576  1      Info      GEN003850 - The telnet daemon must not be running. 'chkconfig'
1001575  1      Info      GEN003850 - The telnet daemon must not be running. 'xinetd'


IA-5-2 - Authenticator Management

CCI-000177 - The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.

CCI-000204 - The organization has defined measures to manage the risk of compromise due to individuals having accounts on multiple information systems.

CCI-000176 - The organization manages information system authenticators for users and devices by establishing initial authenticator content for authenticators defined by the organization.

CCI-000193 - The organization enforces password complexity by the number of lower case characters used.

CCI-001620 - The organization defines the types of and/or specific authenticators in which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

CCI-000185 - The information system, for PKI-based authentication, validates certificates by constructing a certification path with status information to an accepted trust anchor.

CCI-001617 - The organization defines maximum lifetime restrictions.

CCI-001618 - The organization defines the number of generations for which password reuse is prohibited.

CCI-000178 - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation.

CCI-000198 - The organization enforces minimum lifetime restrictions.

CCI-000196 - The organization enforces password encryption for storage.

CCI-001610 - The organization defines the time period (by authenticator type) for changing/refreshing authenticators.

CCI-000195 - The organization enforces the number of characters that are changed when passwords are changed.

CCI-000205 - The organization enforces minimum password length.

CCI-000191 - The organization enforces password complexity by the number of special characters used.

CCI-001613 - The organization defines the number of lower case characters used.

CCI-000200 - The organization prohibits password reuse for the organization-defined number of generations.


CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

CCI-000203 - The organization ensures unencrypted passwords are not embedded in function keys.

CCI-001544 - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use.


CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1002402  3      High      3.2.1.15 (GEN000540) Password Change 24 Hours
1002399  3      High      3.2.1.17 (GEN000580) Password Length
1002391  3      High      3.2.1.27 (GEN000800) Password Reuse (/etc/pam.d/system-auth)
1002322  1      Info      3.2.1.86 (GEN002000) The .netrc File Exists
1002306  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (adm)
1002305  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (avahi)
1002304  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (avahi-autoipd)
1002303  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (bin)
1002302  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (daemon)
1002301  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (dbus)
1002300  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (ftp)
1002299  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (games)
1002298  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (gopher)
1002297  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (haldaemon)
1002296  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (lp)
1002295  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (mail)
1002294  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (mailnull)
1002293  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (nfsnobody)
1002292  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (nscd)
1002291  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (nobody)
1002290  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (operator)
1002289  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (pcap)
1002288  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (rpc)
1002287  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (rpcuser)
1002286  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (rpm)
1002285  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (smmsp)
1002284  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (sshd)
1002283  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (uucp)
1002282  3      Info      3.2.1.115 (GEN002640) Disabled Default System Accounts (vcsa)
1002281  3      High      3.2.1.115 (GEN002640) Disabled Default System Accounts (xfs)
1002166  3      High      3.3.1.76 (GEN005300) Changed SNMP Community Strings
1001994  1      Info      GEN000540 - Users must not be able to change passwords more than once every 24 hours.
1001992  1      High      GEN000580 - The system must require that passwords contain a minimum of 14 characters.
1001988  1      High      GEN000595 - The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
1001983  1      High      GEN000610 - The system must require that passwords contain at least one lowercase alphabetic character.
1001977  1      High      GEN000750 - The system must require that at least four characters be changed between the old and new passwords during a password change.
1001974  1      Info      GEN000800 - The system must prohibit the reuse of passwords within five iterations. '/etc/security/opasswd'
1001973  1      High      GEN000800 - The system must prohibit the reuse of passwords within five iterations. '/etc/pam.d/system-auth'
1001744  1      Info      GEN002640 - Default system accounts must be disabled or removed. 'sys'
1001743  1      Info      GEN002640 - Default system accounts must be disabled or removed. 'bin'
1001742  1      Info      GEN002640 - Default system accounts must be disabled or removed. 'uucp'
1001741  1      Info      GEN002640 - Default system accounts must be disabled or removed. 'nuucp'
1001740  1      Info      GEN002640 - Default system accounts must be disabled or removed. 'daemon'
1001739  1      Info      GEN002640 - Default system accounts must be disabled or removed. 'smtp'
1001535  1      High      GEN005300 - SNMP communities, users, and passphrases must be changed from the default.


MP-2 - Media Access

CCI-001003 - The organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.

CCI-001005 - The organization defines a list of individuals authorized for access to restricted media.

CCI-001007 - The organization employs automated mechanisms to restrict access to media storage areas.

CCI-001008 - The organization employs automated mechanisms to audit access attempts and access granted to media storage areas.

CCI-001009 - The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.

CCI-001006 - The organization defines security measures for restricting access to media.

CCI-001004 - The organization defines types of digital and non-digital media for which access is to be restricted.

CCI Mapping Summary


PE-3 - Physical Access Control

CCI-000920 - The organization verifies individual access authorizations before granting access to the facility.

CCI-000935 - The organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility.

CCI-000926 - The organization changes combinations and keys on an organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

CCI-000930 - The organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

CCI-000925 - The organization defines the frequency for conducting inventories of physical access devices.

CCI-000931 - The organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.

CCI-000923 - The organization secures keys, combinations, and other physical access devices.

CCI-000924 - The organization inventories physical access devices on an organization-defined frequency.

CCI-000927 - The organization defines a frequency for changing combinations and keys.

CCI-000934 - The organization employs a penetration testing process that includes unannounced attempts, in accordance with the organization-defined frequency, to bypass or circumvent security controls associated with physical access points to the facility.

CCI-000929 - The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.

CCI-000921 - The organization controls entry to the facility containing the information system using physical access devices (e.g., keys, locks, combinations, card readers) and/or guards.

CCI-000922 - The organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.

CCI-000932 - The organization defines information system components to be protected from unauthorized physical access using lockable physical casings.

CCI-000928 - The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.

CCI-000919 - The organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible).


CCI-000933 - The information system detects/prevents physical tampering or alteration of hardware components within the system.

CCI Mapping Summary

SC-1 - System and Communications Protection Policy and Procedures

CCI-001079 - The organization disseminates formal, documented system and communications protection procedures to elements within the organization having associated system and communications protection roles and responsibilities.

CCI-001081 - The organization defines the frequency of system and communications protection procedure reviews/updates.

CCI-001078 - The organization develops formal, documented system and communications protection procedures to facilitate the implementation of the system and communications protection policy and communications protection controls.

CCI-001076 - The organization reviews/updates the formal, documented system and communications protection policy in accordance with organization-defined frequency.

CCI-001075 - The organization disseminates a formal, documented system and communications protection policy to elements within the organization having associated system and communications protection roles and responsibilities.

CCI-001074 - The organization develops a formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-001077 - The organization defines a frequency of system and communications protection policy reviews/updates.

CCI-001080 - The organization reviews/updates system and communications protection procedures in accordance with organization-defined frequency.

CCI Mapping Summary


SC-2 - Application Partitioning

CCI-001082 - The information system separates user functionality (including user interface services) from information system management functionality.

CCI-001083 - The information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.

CCI Mapping Summary


SC-5 - Denial of Service Protection

CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

CCI-001094 - The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.

CCI-001092 - The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.

CCI-001093 - The organization defines a list of types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1001604  1      Info      GEN003612 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
1001602  1      High      GEN003619 - The system must not be configured for network bridging.


SC-7-1 - Boundary Protection

CCI-001098 - The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

CCI-001658 - The organization defines key internal boundaries of the information system.

CCI-001115 - The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.

CCI-001101 - The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.

CCI-001125 - The organization employs automated mechanisms to enforce strict adherence to protocol format.

CCI-001657 - The organization defines the external boundary of the information system.

CCI-001114 - The organization defines the external networks to which the organization-defined internal communications traffic should be routed.

CCI-001108 - The organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.

CCI-001099 - The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.

CCI-001109 - The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).

CCI-001120 - The organization defines key information security tools, mechanisms, and support components to be isolated.

CCI-001122 - The organization defines a list of managed interfaces where boundary protections are to be implemented.

CCI-001103 - The organization establishes a traffic flow policy for each managed interface.

CCI-001106 - The organization reviews exceptions to the traffic flow policy on an organization-defined frequency.

CCI-001121 - The organization protects against unauthorized physical connections across the boundary protections implemented at an organization-defined list of managed interfaces.

CCI-001111 - The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.


CCI-001659 - The organization defines the mediation necessary for public access to the organization's internal networks.

CCI-001116 - The organization prevents the unauthorized exfiltration of information across managed interfaces.

CCI-001112 - The information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.

CCI-001107 - The organization defines a frequency for the review of exceptions to the traffic flow policy.

CCI-001110 - The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.

CCI-001105 - The organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need.

CCI-001126 - The information system fails securely in the event of an operational failure of a boundary protection device.

CCI-001123 - The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

CCI Mapping Summary


SC-7-2 - Boundary Protection

CCI-001097 - The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

CCI-001118 - The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.

CCI-001104 - The organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted.

CCI-001113 - The organization defines the internal communications traffic to be routed to external networks.

CCI-001660 - The organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces.

CCI-001119 - The organization isolates organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.

CCI-001100 - The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

CCI-001117 - The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination.

CCI-001102 - The organization implements a managed interface for each external telecommunication service.

CCI-001124 - The information system prevents discovery of specific system components (or devices) composing a managed interface.

CCI Mapping Summary

Plugin   Total  Severity  Plugin Name
1001422  1      High      GEN008520 - The system must employ a local firewall.

SC-8 - Transmission Confidentiality and Integrity

CCI-001128 - The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

CCI-001127 - The information system protects the integrity of transmitted information.

CCI-001129 - The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission.

CCI Mapping Summary


SC-9 - Withdrawn

CCI-001131 - The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.

CCI-001130 - The information system protects the confidentiality of transmitted information.

CCI-001132 - The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.

CCI Mapping Summary

SI-1 - System and Information Integrity Policy and Procedures

CCI-001218 - The organization disseminates a formal, documented system and information integrity policy to elements within the organization having associated system and information integrity roles and responsibilities.

CCI-001219 - The organization reviews/updates system and information integrity policy in accordance with organization-defined frequency.

CCI-001224 - The organization defines the frequency of system and information integrity procedure reviews/updates.

CCI-001223 - The organization defines the frequency of system and information integrity policy reviews/updates.

CCI-001222 - The organization reviews/updates formal, documented system and information integrity procedures in accordance with organization-defined frequency.

CCI-001220 - The organization develops formal, documented system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

CCI-001221 - The organization disseminates formal, documented system and information integrity procedures to elements within the organization having associated system and information integrity roles and responsibilities.

CCI-001217 - The organization develops a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities,management commitment, coordination among organizational entities, and compliance.

CCI Mapping Summary


SI-2 - Flaw Remediation

CCI-001238 - The organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation.

CCI-001226 - The organization reports information system flaws.

CCI-001229 - The organization tests software updates related to flaw remediation for potential side effects on organizational information systems before installation.

CCI-001231 - The organization centrally manages the flaw remediation process.

CCI-001237 - The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.

CCI-001232 - The organization installs software updates automatically.

CCI-001235 - The organization measures the time between flaw identification and flaw remediation.

CCI-001230 - The organization incorporates flaw remediation into the organizational configuration management process.

CCI-001225 - The organization identifies information system flaws.

CCI-001234 - The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation.

CCI-001236 - The organization defines benchmarks to which the organization's measurement of time elapsed between flaw identification and flaw remediation should be compared.

CCI-001227 - The organization corrects information system flaws.

CCI-001233 - The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.

CCI-001667 - The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.

CCI-001228 - The organization tests software updates related to flaw remediation for effectiveness on organizational information systems before installation.


CCI Mapping Summary

Plugin    Total  Severity  Plugin Name
1002414   3      High      3.1.1.5 (GEN000100) Supported Release
1002212   3      Info      3.3.1.44 (GEN004600) Sendmail Version
1002211   3      High      3.3.1.46 (GEN004640) Sendmail DECODE Command
1002035   1      High      GEN000100 - The operating system must be a supported release.
1001409   1      Info      GEN008820 - The system package management tool must not automatically obtain updates.


SI-3 - Malicious Code Protection

CCI-001239 - The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.

CCI-001244 - The organization defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alert to administrator.

CCI-001241 - The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.

CCI-001669 - The organization defines the frequency of testing malicious code protection mechanisms.

CCI-001243 - The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.

CCI-001242 - The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.

CCI-001249 - The information system updates malicious code protection mechanisms only when directed by a privileged user.

CCI-001246 - The organization centrally manages malicious code protection mechanisms.

CCI-001248 - The information system prevents non-privileged users from circumventing malicious code protection capabilities.

CCI-001240 - The organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.

CCI-001247 - The information system automatically updates malicious code protection mechanisms, including signature definitions.

CCI-001251 - The organization tests malicious code protection mechanisms on an organization-defined frequency by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.

CCI-001668 - The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.

CCI-001245 - The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.


CCI-001250 - The organization does not allow users to introduce removable media into the information system.

CCI Mapping Summary

Plugin    Total  Severity  Plugin Name
1001455   1      High      GEN006640 - The system must use and update a DoD-approved virus scan program.


SI-4-1 - Information System Monitoring

CCI-001265 - The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.

CCI-001670 - The information system takes organization-defined list of least-disruptive actions to terminate suspicious events.

CCI-001673 - The organization employs a wireless intrusion detection system to detect potential compromises/breaches to the information system.

CCI-001277 - The organization develops profiles representing common traffic patterns and/or events.

CCI-001259 - The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.

CCI-001262 - The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.

CCI-001252 - The organization monitors events on the information system in accordance with organization-defined monitoring objectives and detects information system attacks.

CCI-001272 - The organization makes provisions so that encrypted traffic is visible to information system monitoring tools.

CCI-001672 - The organization employs a wireless intrusion detection system to detect attack attempts to the information system.

CCI-001254 - The organization identifies unauthorized use of the information system.

CCI-001255 - The organization deploys monitoring devices strategically within the information system to collect organization-determined essential information.

CCI-001268 - The organization defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events.

CCI-001278 - The organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives to an organization-defined measure of false positives and the number of false negatives to an organization-defined measure of false negatives.

CCI-001263 - The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.

CCI-001282 - The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

CCI-001284 - The organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.

CCI-001266 - The information system notifies an organization-defined list of incident response personnel (identified by name and/or by role) of suspicious events.

CCI-001253 - The organization defines objectives for monitoring events on the information system.


CCI-001267 - The organization defines a list of incident response personnel (identified by name and/or by role) to be notified of suspicious events.

CCI-001671 - The organization analyzes outbound communications traffic at selected interior points within the system (e.g., subnets, subsystems), as deemed necessary, to discover anomalies.

CCI-001280 - The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false negatives.

CCI-001271 - The organization defines a time-period for tests/exercises of the intrusion-monitoring tools.

CCI-001260 - The organization employs automated tools to support near real-time analysis of events.

CCI-001273 - The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter).

CCI Mapping Summary


SI-4-2 - Information System Monitoring

CCI-001258 - The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

CCI-001264 - The organization defines indicators of compromise or potential compromise to the security of the information system.

CCI-001274 - The organization employs automated mechanisms to alert security personnel of an organization-defined list of inappropriate or unusual activities with security implications.

CCI-001261 - The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

CCI-001279 - The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives.

CCI-001276 - The organization analyzes communications traffic/event patterns for the information system.

CCI-001283 - The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.

CCI-001281 - The organization employs a wireless intrusion detection system to identify rogue wireless devices to the information system.

CCI-001256 - The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.

CCI-001275 - The organization defines a list of inappropriate or unusual activities with security implications that should trigger alerts to security personnel.

CCI-001270 - The organization tests/exercises intrusion-monitoring tools on an organization-defined time-period.

CCI-001269 - The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.

CCI-001257 - The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

CCI Mapping Summary