cce.mitre.orgcce.mitre.org/lists/data/downloads/cce-co… · xls file · web view ·...


Upload: lydiep

Post on 12-Apr-2018


aix5.3

Last modified: 2009-04-30

Version: 5.20090506

| CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms | Internal Revenue Service Basic UNIX Security Requirements (IRS BUSR) http://www.irs.gov/irm/part10/ch03s08.html |
|---|---|---|---|---|
| CCE-5847-9 | /export/home should be configured on an appropriate filesystem logical volume | logical volume | via fstab | 10.8.10.4.2.1 (5) |
| CCE-5424-7 | /var should be configured on an appropriate filesystem logical volume | logical volume | via fstab | 10.8.10.4.2.1 (5) |
| CCE-5710-9 | /opt should be configured on an appropriate filesystem logical volume | logical volume | via fstab | 10.8.10.4.2.1 (5) |
| CCE-5662-2 | The shell for the root account should be located on the appropriate filesystem | filesystem | via /etc/passwd | 10.8.10.4.2.1 (6) |
| CCE-5317-3 | Core dump size limits should be set appropriately | Size (0 to disable core dumps) | via /etc/security/limits; via ulimit | 10.8.10.4.4 (3) |
| CCE-5384-3 | The read-only SNMP community string should be set appropriately. | string | via /etc/snmp.conf | 10.8.10.5.1 (1) c) |
| CCE-5723-2 | The read/write SNMP community string should be set appropriately. | string | via /etc/snmp.conf | 10.8.10.5.1 (1) c) |
| CCE-5634-1 | Password policy should ban or allow usernames or UIDs in passwords as appropriate | ban/allow | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-5352-0 | Password policy should ban or allow words found in a dictionary as appropriate. | ban/allow | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-5848-7 | Password policy should enforce the correct amount of special characters | number of special characters | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-5443-7 | Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. | enforce/not enforce | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-5664-8 | The minimum password age should be set as appropriate | number of days | via /etc/security/user | 10.8.10.5.1 (2) b) |
| CCE-5804-0 | The minimum required password length should be set as appropriate | number of characters | via /etc/security/user | 10.8.10.5.1 (2) c) |
| CCE-4858-7 | Password history should be saved for an appropriate number of password changes | number of password changes | via /etc/security/user | 10.8.10.5.1 (2) d) |
| CCE-5775-2 | The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate | number of consecutive failed login attempts | via /etc/security/user | 10.8.10.5.1 (2) e) |
| CCE-5761-2 | Login access to accounts without passwords should be enabled or disabled as appropriate | enabled/disabled | via passwd; via /etc/shadow | 10.8.10.5.1 (2) f) |
| CCE-5841-2 | New users should be required or not required to change their password on first login as appropriate | required/not required | via /etc/security/passwd | 10.8.10.5.1 (2) g) |
| CCE-5858-6 | Access to single-user mode (maintenance mode) should require the root password or not as appropriate | required/not required | | 10.8.10.5.1 (3) |
| CCE-5078-1 | The delay between failed logins should be set as appropriate | number of seconds | via /etc/security/user | 10.8.10.5.1 (5) |
| CCE-5715-8 | All files should be owned by an existing account or not as appropriate. | existing account required / existing account not required | via chown | 10.8.10.5.2 (3) |
| CCE-5684-6 | All files should be owned by an existing group or not as appropriate. | existing group required / existing group not required | via chgrp; via chown | 10.8.10.5.2 (3) |
| CCE-5244-9 | The console login banner should be set appropriately. | banner text or null | via /etc/security/login.cfg; via /etc/motd | 10.8.10.5.2 (5) a) |
| CCE-5402-3 | The SSH login banner should be set appropriately. | banner text or null | via sshd.conf | 10.8.10.5.2 (5) b) |
| CCE-5622-6 | The telnet login banner should be set appropriately. | banner text or null | | 10.8.10.5.2 (5) c) |
| CCE-5843-8 | The ftp login banner should be set appropriately. | banner text or null | | 10.8.10.5.2 (5) d) |
| CCE-5842-0 | The graphical login banner should be set appropriately. | banner text or null | | 10.8.10.5.2 (5) e) |
| CCE-5560-8 | Accounts other than root should be allowed to have the UID 0 or not as appropriate | allowed/not allowed | via passwd; via /etc/passwd | 10.8.10.5.2.1 (2) a) |
| CCE-4873-6 | Accounts other than root and locked system accounts should be allowed to have a GID of 0 or not as appropriate | allowed/not allowed | via passwd; via /etc/passwd | 10.8.10.5.2.1 (2) b) |
| CCE-5187-0 | Each account should be assigned a unique UID or not as appropriate | unique/not unique | via /etc/passwd | 10.8.10.5.2.4 (3) |
| CCE-5765-3 | The ftp account should exist or not as appropriate | exist/not exist | via /etc/passwd | 10.8.10.5.2.4 (9) |
| CCE-4884-3 | Login accounts should include an appropriate GECOS identifier or no GECOS identifier | GECOS value, null | via /etc/passwd | 10.8.10.5.2.4.1 (1) |
| CCE-5381-9 | The screen lock should activate after an appropriate period of inactivity | number of minutes | via Xscreensaver; via dtsession | 10.8.10.5.2.5 (1) |
| CCE-5645-7 | File permissions should be set appropriately for all shell executables. | permissions | via chmod | 10.8.10.5.2.6 (1) |
| CCE-5597-0 | Remote (serial) consoles should be enabled or disabled as appropriate. | enabled/disabled | via BIOS | 10.8.10.5.2.6 (3) |
| CCE-5676-2 | Root logins should be restricted to the console or not as appropriate. | restricted/not restricted | /etc/default/login | 10.8.10.5.2.6 (4) |
| CCE-5733-1 | .netrc files should exist or not as appropriate for all users. | exist/not exist | filesystem | 10.8.10.5.2.6 (6) |
| CCE-5702-6 | .rhosts files should exist or not as appropriate for all users. | exist/not exist | filesystem | 10.8.10.5.2.6 (6) |
| CCE-5076-5 | .shosts files should exist or not as appropriate for all users. | exist/not exist | filesystem | 10.8.10.5.2.6 (6) |
| CCE-5442-9 | The /etc/hosts.equiv file should exist or not as appropriate. | exist/not exist | filesystem | 10.8.10.5.2.6 (6) |
| CCE-5640-8 | The use of NIS special characters (+ or -) in the first field of the /etc/passwd file should be allowed or disallowed as appropriate. | allowed/not allowed | Text editor | 10.8.10.5.2.6 (7) |
| CCE-4893-4 | The use of NIS special characters (+ or -) in the first field of the /etc/shadow file should be allowed or disallowed as appropriate. | allowed/not allowed | Text editor | 10.8.10.5.2.6 (7) |
| CCE-5024-5 | The use of NIS special characters (+ or -) in the first field of the /etc/group file should be allowed or disallowed as appropriate. | allowed/not allowed | Text editor | 10.8.10.5.2.6 (10) |
| CCE-5742-2 | The /etc/shells file should exist or not as appropriate | exist/not exist | Text editor | 10.8.10.5.2.6 (11) |
| CCE-5777-8 | Shells referenced in /etc/passwd should be included in /etc/shells or not as appropriate | included/not included | /etc/shells | 10.8.10.5.2.6 (12) |
| CCE-5605-1 | Groups referenced in /etc/passwd should be included in /etc/group or not as appropriate. | included/not included | /etc/group | 10.8.10.5.2.6 (15) |
| CCE-5750-5 | The home directory for the root account should be set appropriately. | path | /etc/passwd | 10.8.10.5.2.6 (16) |
| CCE-5199-5 | The home directory for each user account should be set appropriately. | path | /etc/passwd | 10.8.10.5.2.6 (17) |
| CCE-5310-8 | Home directories referenced in /etc/passwd should exist or not as appropriate | exist/not exist | filesystem | 10.8.10.5.2.6 (18) |
| CCE-5327-2 | All device files should be located inside an appropriate directory | path | filesystem | 10.8.10.5.2.6 (24) |
| CCE-4900-7 | The ntpd service should be enabled or disabled as appropriate. | enabled/disabled | via RC scripts | 10.8.10.5.3 (3) |
| CCE-5675-4 | The Network Time Protocol (ntp) synchronization server should be set appropriately. | timeserver | ntpd.conf | |
| CCE-5147-4 | All logon attempts should be logged or not logged as appropriate | logged/not logged | Audit subsystem | 10.8.10.5.3 (4) |
| CCE-5724-0 | All su (switch user) activity should be logged or not as appropriate | logged/not logged | Audit subsystem | 10.8.10.5.3 (5) |
| CCE-5614-3 | Filesystem logging/journaling should be performed or not as appropriate | performed/not performed | Audit subsystem | 10.8.10.5.3 (6) |
| CCE-5834-7 | Automount should be enabled or disabled as appropriate | enabled/disabled | | 10.8.10.5.4.1 (12) |
| CCE-5745-5 | Source-routed packets should be accepted or rejected as appropriate. | accepted/rejected | | 10.8.10.5.4.1 (2) a) |
| CCE-5587-1 | Response to ICMP timestamp requests should be enabled or disabled as appropriate | enabled/disabled | | 10.8.10.5.4.1 (2) c) |
| CCE-5525-1 | Response to ICMP timestamp broadcast requests should be enabled or disabled as appropriate | enabled/disabled | | 10.8.10.5.4.1 (2) d) |
| CCE-4930-4 | Response to ICMP echo (ping) requests should be enabled or disabled as appropriate | enabled/disabled | | 10.8.10.5.4.1 (2) e) |
| CCE-4901-5 | Executable stack should be enabled or disabled as appropriate | enabled/disabled | | 10.8.10.5.4.1 (3) |
| CCE-5017-9 | The default gateway should be set appropriately. | IP address/disabled | via /etc/default/route.conf | 10.8.10.5.4.1 (4) |
| CCE-5347-0 | The inetd service should be enabled or disabled as appropriate. | enabled/disabled | via RC scripts | 10.8.10.5.4.1 (5) |
| CCE-5193-8 | echo service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #1 |
| CCE-5725-7 | netstat service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #2 |
| CCE-5801-6 | rcp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #3 |
| CCE-5506-1 | chargen service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #4 |
| CCE-5791-9 | finger service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #5 |
| CCE-5743-0 | tftpd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #6 |
| CCE-5773-7 | walld service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #7 |
| CCE-5461-9 | rstatd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #8 |
| CCE-4905-6 | sprayd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #9 |
| CCE-5463-5 | rusersd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #10 |
| CCE-5542-6 | rlogin service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #11 |
| CCE-5431-2 | rsh service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #12 |
| CCE-5780-2 | ftp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #13 |
| CCE-5872-7 | telnet service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #14 |
| CCE-4909-8 | DEPRECATED. | | | |
| CCE-5343-9 | inn service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #16 |
| CCE-5611-9 | uucp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #17 |
| CCE-5598-8 | rexec service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #18 |
| CCE-5550-9 | inetd logging should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #19 |
| CCE-4911-4 | font-service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #20 |
| CCE-4926-2 | imap2 service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #21 |
| CCE-4913-0 | pop3 service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #22 |
| CCE-5681-2 | ident service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #23 |
| CCE-5368-6 | rexd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #24 |
| CCE-5549-1 | daytime service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #26 |
| CCE-5144-1 | dtspc (cde-spc) service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #27 |
| CCE-5223-3 | rquotad service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #28 |
| CCE-5738-0 | cmsd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #29 |
| CCE-5456-9 | tooltalk service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #30 |
| CCE-4918-9 | xdmcp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #31 |
| CCE-5798-4 | discard service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #32 |
| CCE-4923-9 | DEPRECATED. | | | |
| CCE-5917-0 | vino-server service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #34 |
| CCE-4934-6 | The bind service should be enabled or disabled as appropriate. | enabled/disabled | via RC scripts | 10.8.10.5.4.1.1 (2) |
| CCE-5535-0 | The version string reported by the bind service should be configured appropriately. | string | via /etc/named.conf | 10.8.10.5.4.1.1 (5) |
| CCE-5117-7 | SSH Protocol v1 should be enabled or disabled as appropriate | enabled/disabled | /etc/ssh/ssh_config | 10.8.10.5.4.1.2 (2) |
| CCE-5690-3 | TCP_WRAPPERS should be enabled or disabled as appropriate | enabled/disabled | via inetd.conf | 10.8.10.5.4.1.3 (1) |
| CCE-5852-9 | SNMP version 1 should be enabled or disabled as appropriate | enabled/disabled | | 10.8.10.5.4.1.4 (1) |
| CCE-5068-2 | The nfsd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-5569-9 | The mountd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-5806-5 | The statd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-5882-6 | The lockd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-5414-8 | NFS should be configured to respond or not as appropriate to client requests that do not include a user id. | respond/not respond | | 10.8.10.5.4.1.5 (1) a) |
| CCE-5348-8 | NFS should be configured to respond or not as appropriate to client requests that do not originate from a privileged port. | respond/not respond | | 10.8.10.5.4.1.5 (1) a) |
| CCE-5511-1 | NFS server support for the AUTH_NONE authentication mechanism should be enabled or disabled as appropriate. | enabled/disabled | | 10.8.10.5.4.1.5 (1) f) |
| CCE-5480-9 | NFS server support for the AUTH_UNIX authentication mechanism should be enabled or disabled as appropriate. | enabled/disabled | | 10.8.10.5.4.1.5 (1) f) |
| CCE-4957-7 | NFS server support for the AUTH_DES authentication mechanism should be enabled or disabled as appropriate. | enabled/disabled | | 10.8.10.5.4.1.5 (1) f) |
| CCE-4958-5 | NFS server support for the AUTH_KERB authentication mechanism should be enabled or disabled as appropriate. | enabled/disabled | | 10.8.10.5.4.1.5 (1) f) |
| CCE-5922-0 | The read-only (ro) option should be enabled or disabled as appropriate for all NFS exports. | enabled/disabled | via /etc/exports | 10.8.10.5.4.1.5 (1) g) |
| CCE-5790-1 | The nosuid option should be enabled or disabled for all NFS mounts as appropriate | enabled/disabled | via /etc/fstab | 10.8.10.5.4.1.5 (1) i) |
| CCE-5189-6 | The nosgid option should be enabled or disabled for all NFS mounts as appropriate | enabled/disabled | via /etc/fstab | 10.8.10.5.4.1.5 (1) i) |
| CCE-5876-8 | Sendmail should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.2.2 (1) |
| CCE-4959-3 | The sendmail banner should be set appropriately. | string | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (3) |
| CCE-5115-1 | The decode sendmail alias should be enabled or disabled as appropriate. | enabled/disabled | via /etc/aliases; via /usr/lib/aliases | 10.8.10.5.4.2.2 (4) c) |
| CCE-5445-2 | .forward files should be allowed or disallowed as appropriate for all users | allow/disallow | via rm | 10.8.10.5.4.2.2 (4) e) |
| CCE-4960-1 | Programs executed through the aliases file should be owned by an appropriate user | user | via chown | 10.8.10.5.4.2.2 (4) f) |
| CCE-5802-4 | Programs executed through the aliases file should reside in a directory with an appropriate user owner | user | via chown | 10.8.10.5.4.2.2 (4) f) |
| CCE-5212-6 | Sendmail vrfy command should be allowed or not as appropriate | allow/disallow | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) g) |
| CCE-5291-0 | Sendmail expn command should be allowed or not as appropriate | allow/disallow | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) h) |
| CCE-5741-4 | Sendmail should be configured with an appropriate logging level | logging level | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) i) |
| CCE-4967-6 | The sendmail help command should be allowed or not as appropriate | allow/disallow | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) k) |
| CCE-5783-6 | NIS should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.2.3 (1) |
| CCE-4975-9 | NIS+ server should operate at an appropriate security level | security level | via NIS+; via RC scripts | 10.8.10.5.4.2.3 (1) b) |
| CCE-5138-3 | X-Windows should be enabled or disabled as appropriate | enabled/disabled | via Xwindows; via /etc/inittab; via RC scripts | 10.8.10.5.4.2.4 (1) |
| CCE-5711-7 | Authorized X-clients should be listed or not in the X*.hosts file as appropriate | listed/not listed | via /etc/X*.hosts | 10.8.10.5.4.2.4 (2) b) |
| CCE-4984-1 | X-Windows should write .Xauthority files to users' home directories or not as appropriate | write/not write | via xdm; via gdm; via kdm | 10.8.10.5.4.2.4 (2) d) |
| CCE-5975-8 | X11 forwarding via SSH should be enabled or disabled as appropriate. | enabled/disabled | via sshd_config | 10.8.10.5.4.2.4 (2) f) |
| CCE-5931-1 | Samba should be enabled or disabled as appropriate | enabled/disabled | via smbd; via RC scripts | 10.8.10.5.4.2.6 (1) |
| CCE-4994-0 | Samba 'hosts allow' option should be configured with an appropriate set of networks | list of networks | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) a) |
| CCE-5923-8 | Samba 'security option' option should be set as appropriate | | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) b) |
| CCE-5939-4 | Samba 'encrypt' passwords option should be set as appropriate | yes/no | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) c) |
| CCE-5891-7 | Samba 'smb passwd file' option should be set to an appropriate password file or no password file | file/nothing | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) d) |
| CCE-5234-0 | IPv6 should be enabled or disabled as appropriate | enabled/disabled | via SMIT | 10.8.10.5.4.3 (1) |
| CCE-5767-9 | The "at" utility directory permissions should be set as appropriate | permissions | via chmod | 10.8.10-1 A.1 1) #1 |
| CCE-5846-1 | at.allow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #2 |
| CCE-5991-5 | at.deny file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #2 |
| CCE-5705-9 | Cron directory permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #5 |
| CCE-5678-8 | Crontab directory permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #5 |
| CCE-5942-8 | Cron log file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #6 |
| CCE-5770-3 | cron.allow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #7 |
| CCE-5280-3 | cron.deny file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #7 |
| CCE-5896-6 | Crontab file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #8 |
| CCE-5474-2 | /dev/kmem file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #9 |
| CCE-5363-7 | /dev/mem file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #10 |
| CCE-5566-5 | /dev/null file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #11 |
| CCE-5851-1 | resolv.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #13 |
| CCE-5821-4 | /etc/named.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #14 |
| CCE-5755-4 | File permissions should be set appropriately for all user home directories. | permissions | via chmod | 10.8.10-1 A.1 1) #21 |
| CCE-5807-3 | /etc/exports file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #23 |
| CCE-5759-6 | /usr/bin/at file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #25 |
| CCE-5979-0 | /usr/bin/rdist file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #26 |
| CCE-5228-2 | /usr/sbin/sync file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #27 |
| CCE-5951-9 | Superuser account home directories' permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #29 |
| CCE-5981-6 | /etc/samba/smb.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #31 |
| CCE-5668-9 | smbpassword executable permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #32 |
| CCE-5010-4 | Aliases file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #34 |
| CCE-5666-3 | File permissions should be set as appropriate for the log file configured to capture critical sendmail messages. | permissions | via chmod | 10.8.10-1 A.1 1) #35 |
| CCE-5012-0 | All files executed through /etc/aliases file entries should have file permissions set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #36 |
| CCE-5796-8 | /bin/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #37 |
| CCE-5747-1 | /bin/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #38 |
| CCE-5849-5 | /bin/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #39 |
| CCE-5893-3 | The /bin/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #40 |
| CCE-5734-9 | /bin/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #41 |
| CCE-5862-8 | /bin/bash file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #42 |
| CCE-5954-3 | /sbin/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #43 |
| CCE-5027-8 | /sbin/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #44 |
| CCE-5206-8 | /sbin/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #45 |
| CCE-5907-1 | The /sbin/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #46 |
| CCE-5040-1 | /sbin/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #47 |
| CCE-5049-2 | /sbin/bash file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #48 |
| CCE-5056-7 | /usr/bin/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #49 |
| CCE-6031-9 | /usr/bin/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #50 |
| CCE-6004-6 | /usr/bin/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #51 |
| CCE-5974-1 | The /usr/bin/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #52 |
| CCE-5863-6 | /usr/bin/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #53 |
| CCE-5815-6 | /usr/bin/bash file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #54 |
| CCE-5955-0 | snmpd.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #56 |
| CCE-6052-5 | /tmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #57 |
| CCE-6021-0 | /usr/tmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #58 |
| CCE-5272-0 | traceroute executable file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #59 |
| CCE-5884-2 | .Xauthority file permissions should be set appropriately for all users. | permissions | via chmod | 10.8.10-1 A.1 1) #60 |
| CCE-6023-6 | /etc/aliases file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #61 |
| CCE-5349-6 | /etc/cron.d/at.allow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #62 |
| CCE-6050-9 | /etc/cron.d/cron.allow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #63 |
| CCE-5833-9 | /etc/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #64 |
| CCE-5803-2 | /etc/default/* file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #65 |
| CCE-5820-6 | /etc/default/login file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #66 |
| CCE-5397-5 | The /etc/ftpusers file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #69 |
| CCE-5226-6 | /etc/host.lpd file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #70 |
| CCE-5903-0 | /etc/hostname* file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #71 |
| CCE-5970-9 | /etc/hosts file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #72 |
| CCE-5930-3 | /etc/inetd.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #73 |
| CCE-5698-6 | /etc/issue file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #75 |
| CCE-5641-6 | /etc/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #76 |
| CCE-5909-7 | /etc/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #77 |
| CCE-5985-7 | /etc/mail/aliases file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #78 |
| CCE-5350-4 | /etc/motd file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #79 |
| CCE-5988-1 | /etc/netconfig file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #80 |
| CCE-5817-2 | /etc/notrouter file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #81 |
| CCE-5231-6 | /etc/pam.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #82 |
| CCE-5323-1 | /etc/passwd file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #83 |
| CCE-5526-9 | The /etc/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #84 |
| CCE-5631-7 | /etc/security file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #85 |
| CCE-5728-1 | /etc/services file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #86 |
| CCE-5512-9 | /etc/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #87 |
| CCE-5074-0 | /etc/shadow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #88 |
| CCE-5808-1 | /etc/syslog.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #89 |
| CCE-5075-7 | DEPRECATED. | | | |
| CCE-5932-9 | /etc/fstab file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #91 |
| CCE-5825-5 | DEPRECATED. | | | |
| CCE-5279-5 | /var/adm/loginlog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #93 |
| CCE-5984-0 | /var/adm/messages file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #94 |
| CCE-5656-4 | /var/adm/sulog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #95 |
| CCE-5736-4 | /var/adm/utmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #96 |
| CCE-6062-4 | /var/adm/wtmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #97 |
| CCE-5453-6 | /var/adm/authlog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #98 |
| CCE-6048-3 | /var/adm/syslog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #99 |
| CCE-5832-1 | /var/mail file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #100 |
| CCE-6017-8 | /var/tmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #101 |
| CCE-5986-5 | /usr/lib/pt_chmod file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #103 |
| CCE-5875-0 | /usr/lib/embedded_us file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #104 |
| CCE-5977-4 | /usr/lib/sendmail file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #105 |
| CCE-5627-5 | /usr/kerberos/bin/rsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #107 |
| CCE-5455-1 | /var/spool/mail file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #108 |
| CCE-5077-3 | smbpassword file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #109 |
| CCE-5695-2 | At directory should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #1 |
| CCE-5646-5 | At directory should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #1 |
| CCE-5161-5 | at.allow file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #2 |
| CCE-5254-8 | at.allow file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #2 |
| CCE-5853-7 | at.deny file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #2 |
| CCE-5632-5 | at.deny file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #2 |
| CCE-5319-9 | Cron directories should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #4 |
| CCE-5412-2 | Cron directories should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #4 |
| CCE-5082-3 | Crontab directories should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #4 |
| CCE-5754-7 | Crontab directories should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #4 |
| CCE-6022-8 | cron.allow file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #5 |
| CCE-5868-5 | cron.allow file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #5 |
| CCE-5961-8 | cron.deny should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #5 |
| CCE-5837-0 | cron.deny data should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #5 |
| CCE-5929-5 | crontab files should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #6 |
| CCE-5085-6 | crontab files should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #6 |
| CCE-5919-6 | /etc/resolv.conf file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #7 |
| CCE-5888-3 | /etc/resolv.conf file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #7 |
| CCE-5941-0 | /etc/named.boot file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #7 |
| CCE-5910-5 | /etc/named.boot file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #7 |
| CCE-5822-2 | /etc/named.conf file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #7 |
| CCE-5663-0 | /etc/named.conf file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #7 |
| CCE-5086-4 | Each user home directory should be owned by an appropriate user. | user | via chown | 10.8.10-1 A.1 2) #11 |
| CCE-6007-9 | Each user home directory should be owned by an appropriate group. | group | via chgrp; via chown | 10.8.10-1 A.1 2) #11 |
| CCE-5088-0 | inetd.conf file should be owned by an appropriate user | user | via chown | 10.8.10-1 A.1 2) #12 |
| CCE-5732-3 | inetd.conf file should be owned by an appropriate group | group | via chgrp; via chown | 10.8.10-1 A.1 2) #12 |
| CCE-5326-4 | /etc/exports should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #13 |
| CCE-5296-9 | /etc/exports should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #13 |
| CCE-5283-7 | Exported files and directories should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #14 |
| CCE-5428-8 | Exported files and directories should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #14 |
| CCE-5626-7 | /etc/services file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #16 |
| CCE-5957-6 | /etc/services file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #16 |
| CCE-5740-6 | /etc/notrouter file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #18 |
| CCE-5090-6 | /etc/notrouter file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #18 |
| CCE-6086-3 | /etc/samba/smb.conf file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #21 |
| CCE-6055-8 | /etc/samba/smb.conf file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #21 |
| CCE-6024-4 | smbpasswd executable should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #22 |
| CCE-5839-6 | smbpasswd executable should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #22 |
| CCE-5091-4 | aliases file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #24 |
| CCE-5497-3 | aliases file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #24 |
| CCE-6029-3 | The log file configured to capture critical sendmail messages should be owned by the appropriate user. | list of users | via chown | 10.8.10-1 A.1 2) #25 |
| CCE-5116-9 | The log file configured to capture critical sendmail messages should be owned by the appropriate group. | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #25 |
| CCE-5154-0 | Programs executed through aliases file entries should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #26 |
| CCE-6013-7 | Programs executed through aliases file entries should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #26 |
| CCE-5999-8 | Shell files should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #27 |
| CCE-6003-8 | Shell files should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #27 |
| CCE-6096-2 | snmpd.conf file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #29 |
| CCE-6107-7 | snmpd.conf file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #29 |
| CCE-5171-4 | /etc/syslog.conf file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #30 |
| CCE-5688-7 | /etc/syslog.conf file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #30 |
| CCE-5185-4 | traceroute executable should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #31 |
| CCE-5671-3 | traceroute executable should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #31 |
| CCE-5706-7 | /usr/lib/sendmail file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #32 |
| CCE-6177-0 | /usr/lib/sendmail file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #32 |
| CCE-5860-2 | /etc/passwd file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #35 |
| CCE-6146-5 | /etc/passwd file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #35 |
| CCE-5992-3 | /etc/shadow file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #36 |
| CCE-5615-0 | /etc/shadow file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #36 |
| CCE-5580-6 | smbpasswd file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #37 |
| CCE-5191-2 | smbpasswd file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #37 |
| CCE-6088-9 | Environmental variable PATH for superuser accounts should or should not contain world-writable files as appropriate | should/should not | via chmod; via profile | 10.8.10-1 A.2 1) #1 |
| CCE-6044-2 | Environmental variable PATH for superuser accounts should not contain the current directory as the first or last entry | should/should not | via local init files | 10.8.10-1 A.2 1) #2 |
| CCE-5195-3 | The current working directory should or should not be added to the environmental variable PATH by global initialization files as appropriate | should/should not | via local init files | 10.8.10-1 A.2 1) #3 |
| CCE-6012-9 | The current working directory should or should not be added to the environmental variable PATH by local initialization files as appropriate | should/should not | via local init files | 10.8.10-1 A.2 1) #4 |
| CCE-5361-1 | DEPRECATED. | | | |
| CCE-5204-3 | The current working directory should or should not be added to the environmental variable PATH by run control scripts as appropriate | should/should not | | 10.8.10-1 A.2 1) #7 |
| CCE-6087-1 | The system umask should be set appropriately | umask | via global init files | 10.8.10-1 A.2 1) #8 |
| CCE-6056-6 | The user umask should be set appropriately | umask | via local init files | 10.8.10-1 A.2 1) #8 |

CCE-5816-4 The cron.allow file
should be configured with the set of users permitted to use the cron facility as appropriate.list of usersText editorCCE-5785-1The cron.deny file should be configured with the set of users not permitted to use the cron facility as appropriate.list of usersText editorCCE-5661-4Cron logging should be enabled or disabled as appropriateenabled/disabled10.8.10-1 A.3 4)CCE-5877-6The at.allow file should be configured with the set of users permitted to use the at facility as appropriate.list of usersText editorCCE-5600-2The at.deny file should be configured with the set of users not permitted to use the at facility as appropriate.list of usersText editorCCE-5489-0/etc/security/audit/config file permissions should be set appropriatelypermissionsvia chmod10.8.10-5 E.1 1) #1CCE-6066-5/etc/security/audit/events file permissions should be set appropriatelypermissionsvia chmod10.8.10-5 E.1 1) #2CCE-6084-8/etc/security/audit/objects file permissions should be set appropriatelypermissionsvia chmod10.8.10-5 E.1 1) #3CCE-5819-8/usr/lib/trcload file permissions should be set appropriatelypermissionsvia chmod10.8.10-5 E.1 1) #5CCE-5648-1/usr/lib/semutil file permissions should be set appropriatelypermissionsvia chmod10.8.10-5 E.1 1) #6CCE-5205-0/etc/security/audit/config file should be owned by an appropriate userlist of usersvia chown10.8.10-5 E.1 1) #1CCE-5548-3/etc/security/audit/events file should be owned by an appropriate userlist of usersvia chgrpvia chown10.8.10-5 E.1 1) #2CCE-6085-5/etc/security/audit/objects file should be owned by an appropriate userlist of usersvia chown10.8.10-5 E.1 1) #3CCE-5926-1/usr/lib/trcload file should be owned by an appropriate userlist of usersvia chown10.8.10-5 E.1 1) #5CCE-5224-1/usr/lib/semutil file should be owned by an appropriate userlist of usersvia chown10.8.10-5 E.1 1) #6CCE-6037-6/etc/security/audit/config file should be owned by an appropriate grouplist of groupsvia chown10.8.10-5 E.1 1) #1CCE-6011-1/etc/security/audit/events file 
should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-5 E.1 1) #2CCE-5980-8/etc/security/audit/objects file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-5 E.1 1) #3CCE-6103-6/usr/lib/trcload file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-5 E.1 1) #5CCE-5945-1/usr/lib/semutil file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-5 E.1 1) #6CCE-6079-8The authentication mechanism (SYSTEM attribute) should be set appropriately for each userauthentication systemvia /etc/security/user10.8.10-5 E.1 2)CCE-6158-0Trusted Computing Base should be installed or not as appropriateinstalled/not installedvia /etc/security/user10.8.10-5 E.2 1)CCE-5484-1Auditing should be enabled or disabled as appropriate in runcontrol scriptsenabled/disabledvia /etc/inittabvia RC scripts10.8.10-5 E.3 1)CCE-5378-5BIN mode auditing should be enabled or disabled as appropriateenabled/disabledvia /etc/security/audit/config10.8.10-5 E.3 2)CCE-5235-7Accounts should be present or absent from the audit config file as appropriatepresent/absentvia /etc/security/audit/config10.8.10-5 E.3 3)CCE-5913-9System logons should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #1CCE-5993-1System logoffs should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #2CCE-5693-7Password changes should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #3CCE-6230-7su usage should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #4CCE-5697-8Creation/modification of superuser groups should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #5CCE-6197-8Startup/shutdown of audit functions should be audited or not as appropriateaudited/not auditedvia 
/etc/security/audit/config10.8.10-5 E.3 4) #9CCE-5889-1Certificate revocation should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #10CCE-6109-3Remote access from outside the corporate network should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #11CCE-5242-3Use of chown command should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #13CCE-6213-3File permissions of the rcp binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-5680-4File permissions of the rlogin binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-5591-3File permissions of the rlogind binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-5543-4File permissions of the rsh binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-5934-5File permissions of the rshd binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-6009-5File permissions of the tftp binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-5996-4File permissions of the tftpd binary should be set correctlypermissionsvia chmod10.8.10-5 E.4 1)CCE-6135-8Global initialization files should allow or deny write access to the terminal as appropriateallow/denyvia global init files10.8.10-5 E.5 1) #1CCE-5963-4Netrc should be configured with an appropriate set of serviceslist of servicesvia /etc/security/sysck.cfg10.8.10-5 E.4 1)CCE-6104-4Change of file ownership should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #13CCE-5324-9Use of chmod command should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #13CCE-6170-5Certificate creation should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #10CCE-5243-1Certificate deletion should be audited or not as 
appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #10CCE-6016-0Certificate retrieval should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #10CCE-6174-7Startup or shutdown of the audit process should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #9CCE-5245-6Use of chgrp should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #5CCE-5253-0Use of mkgroup should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #5CCE-6189-5Use of rmgroup should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #5CCE-6035-0Use of change user functions should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #4CCE-6100-2Terminal logoffs should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #2CCE-6157-2Exit function usage should be audited or not as appropriateaudited/not auditedvia /etc/security/audit/config10.8.10-5 E.3 4) #2CCE-6156-4Hard core dump size limits should be set appropriatelySize (0 to disable core dumps)via /etc/security/limits ulimit10.8.10.4.4 (3)CCE-5751-3Remote root logins via SSH should be allowed or not as appropriate.allowed/not allowedvia /etc/ssh/sshd_config10.8.10.5.2.6 (4)

hpux11.23
Last modified: 2009-04-30
Version: 5.20090506

| CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms | Internal Revenue Service Basic UNIX Security Requirements (IRS BUSR) http://www.irs.gov/irm/part10/ch03s08.html |
|---|---|---|---|---|
| CCE-5435-3 | /export/home should be configured on an appropriate filesystem logical volume | logical volume | via fstab | 10.8.10.4.2.1 (5) |
| CCE-6030-1 | /var should be configured on an appropriate filesystem logical volume | logical volume | via fstab | 10.8.10.4.2.1 (5) |
| CCE-5936-0 | /opt should be configured on an appropriate filesystem logical volume | logical volume | via fstab | 10.8.10.4.2.1 (5) |
| CCE-6122-6 | The shell for the root account should be located on the appropriate filesystem | filesystem | via /etc/passwd | 10.8.10.4.2.1 (6) |
| CCE-6091-3 | Core dump size limits should be set appropriately | Size (0 to disable core dumps) | via /etc/security/limits; via ulimit | 10.8.10.4.4 (3) |
| CCE-6249-7 | The read-only SNMP community string should be set appropriately. | string | via /etc/snmp.conf | 10.8.10.5.1 (1) c) |
| CCE-6095-4 | The read/write SNMP community string should be set appropriately. | string | via /etc/snmp.conf | 10.8.10.5.1 (1) c) |
| CCE-6108-5 | Password policy should ban or allow usernames or UIDs in passwords as appropriate | ban/allow | | 10.8.10.5.1 a) |
| CCE-5812-3 | Password policy should ban or allow words found in a dictionary as appropriate. | ban/allow | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-6161-4 | Password policy should enforce the correct amount of special characters | number of special characters | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-6172-1 | Password policy should enforce or not enforce the requirement to have mixed case passwords as appropriate. | enforce/not enforce | via /etc/security/user | 10.8.10.5.1 (2) a) |
| CCE-5639-0 | The minimum password age should be set as appropriate | number of days | via /etc/security/user | 10.8.10.5.1 (2) b) |
| CCE-6163-0 | The minimum required password length should be set as appropriate | number of characters | via /etc/security/user | 10.8.10.5.1 (2) c) |
| CCE-5982-4 | Password history should be saved for an appropriate number of password changes | number of password changes | via /etc/security/user | 10.8.10.5.1 (2) d) |
| CCE-5956-8 | The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate | number of consecutive failed login attempts | via /etc/security/user | 10.8.10.5.1 (2) e) |
| CCE-6219-0 | Login access to accounts without passwords should be enabled or disabled as appropriate | enabled/disabled | via passwd; via /etc/shadow | 10.8.10.5.1 (2) f) |
| CCE-5925-3 | New users should be required or not required to change their password on first login as appropriate | required/not required | via /etc/security/passwd | 10.8.10.5.1 (2) g) |
| CCE-6140-8 | Access to single-user mode (maintenance mode) should require the root password or not as appropriate | required/not required | | 10.8.10.5.1 (3) |
| CCE-6180-4 | The delay between failed logins should be set as appropriate | number of seconds | | 10.8.10.5.1 (5) |
| CCE-6114-3 | All files should be owned by an existing account or not as appropriate. | existing account required / existing account not required | via chown | 10.8.10.5.2 (3) |
| CCE-6120-0 | All files should be owned by an existing group or not as appropriate. | existing group required / existing group not required | via chgrp; via chown | 10.8.10.5.2 (3) |
| CCE-6094-7 | The console login banner should be set appropriately. | banner text or null | via /etc/security/login.cfg; via /etc/motd | 10.8.10.5.2 (5) a) |
| CCE-5561-6 | The SSH login banner should be set appropriately. | banner text or null | via sshd.conf | 10.8.10.5.2 (5) b) |
| CCE-5583-0 | The telnet login banner should be set appropriately. | banner text or null | via telnetd | 10.8.10.5.2 (5) c) |
| CCE-5552-5 | The ftp login banner should be set appropriately. | banner text or null | | 10.8.10.5.2 (5) d) |
| CCE-5255-5 | The graphical login banner should be set appropriately. | banner text or null | via Xwindows | 10.8.10.5.2 (5) e) |
| CCE-6043-4 | Accounts other than root should be allowed to have the UID 0 or not as appropriate | allowed/not allowed | via passwd; via /etc/passwd | 10.8.10.5.2.1 (2) a) |
| CCE-6117-6 | Accounts other than root and locked system accounts should be allowed to have a GID of 0 or not as appropriate | allowed/not allowed | via passwd; via /etc/passwd | 10.8.10.5.2.1 (2) b) |
| CCE-5883-4 | Each account should be assigned a unique UID or not as appropriate | unique/not unique | via /etc/passwd | 10.8.10.5.2.4 (3) |
| CCE-5261-3 | The ftp account should exist or not as appropriate | exist/not exist | via /etc/passwd | 10.8.10.5.2.4 (9) |
| CCE-5495-7 | Login accounts should include an appropriate GECOS identifier or no GECOS identifier | GECOS value, null | via /etc/passwd | 10.8.10.5.2.4.1 (1) |
| CCE-5949-3 | The screen lock should activate after an appropriate period of inactivity | number of minutes | via Xscreensaver; via dtsession | 10.8.10.5.2.5 (1) |
| CCE-6147-3 | File permissions should be set appropriately for all shell executables. | permissions | via chmod | 10.8.10.5.2.6 (1) |
| CCE-6182-0 | Remote (serial) consoles should be enabled or disabled as appropriate. | enabled/disabled | via inittab | 10.8.10.5.2.6 (3) |
| CCE-5764-6 | Root logins should be restricted to the console or not as appropriate. | restricted/not restricted | | 10.8.10.5.2.6 (4) |
| CCE-6151-5 | .netrc files should exist or not as appropriate for all users. | exist/not exist | via filesystem | 10.8.10.5.2.6 (6) |
| CCE-5516-0 | .rhosts files should exist or not as appropriate for all users. | exist/not exist | via filesystem | 10.8.10.5.2.6 (6) |
| CCE-6089-7 | .shosts files should exist or not as appropriate for all users. | exist/not exist | via filesystem | 10.8.10.5.2.6 (6) |
| CCE-5873-5 | The /etc/hosts.equiv file should exist or not as appropriate. | exist/not exist | via filesystem | 10.8.10.5.2.6 (6) |
| CCE-6186-1 | The /etc/shells file should exist or not as appropriate | exist/not exist | via /etc/shells | 10.8.10.5.2.6 (11) |
| CCE-6191-1 | Shells referenced in /etc/passwd should be included in /etc/shells or not as appropriate | included/not included | via /etc/shells | 10.8.10.5.2.6 (12) |
| CCE-8640-5 | The use of NIS special characters (+ or -) in the first field of the /etc/passwd file should be allowed or disallowed as appropriate. | allowed/not allowed | via Text editor | 10.8.10.5.2.6 (7) |
| CCE-8240-4 | The use of NIS special characters (+ or -) in the first field of the /etc/shadow file should be allowed or disallowed as appropriate. | allowed/not allowed | via Text editor | 10.8.10.5.2.6 (7) |
| CCE-8631-4 | The use of NIS special characters (+ or -) in the first field of the /etc/group file should be allowed or disallowed as appropriate. | allowed/not allowed | via Text editor | 10.8.10.5.2.6 (7) |
| CCE-6208-3 | Groups referenced in /etc/passwd should be included in /etc/group or not as appropriate. | included/not included | via /etc/group | 10.8.10.5.2.6 (15) |
| CCE-5265-4 | The home directory for the root account should be set appropriately. | path | via /etc/passwd | 10.8.10.5.2.6 (16) |
| CCE-6133-3 | The home directory for each user account should be set appropriately. | path | via /etc/passwd; via /usr/sbin/useradd; via /etc/default/useradd | 10.8.10.5.2.6 (17) |
| CCE-5797-6 | Home directories referenced in /etc/passwd should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10.5.2.6 (18) |
| CCE-5886-7 | All device files should be located inside an appropriate path | path | via filesystem | 10.8.10.5.2.6 (24) |
| CCE-5762-0 | The ntpd service should be enabled or disabled as appropriate. | enabled/disabled | via RC scripts | 10.8.10.5.3 (3) |
| CCE-5987-3 | The Network Time Protocol (ntp) synchronization server should be set appropriately. | timeserver | via ntpd.conf | |
| CCE-5828-9 | The default gateway should be set appropriately. | IP address/disabled | via /etc/default/route.conf; via /etc/gated.conf | 10.8.10.5.4.1 (4) |
| CCE-5927-9 | The inetd service should be enabled or disabled as appropriate. | enabled/disabled | via RC scripts | 10.8.10.5.4.1 (5) |
| CCE-6143-2 | echo service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #1 |
| CCE-6054-1 | netstat service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #2 |
| CCE-6010-3 | rcp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #3 |
| CCE-5460-1 | chargen service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #4 |
| CCE-5618-4 | finger service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #5 |
| CCE-5838-8 | tftpd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #6 |
| CCE-5878-4 | walld service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #7 |
| CCE-5266-2 | rstatd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #8 |
| CCE-6138-2 | sprayd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #9 |
| CCE-6057-4 | rusersd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #10 |
| CCE-5885-9 | rlogin service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #11 |
| CCE-5978-2 | rsh service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #12 |
| CCE-5607-7 | ftp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #13 |
| CCE-6075-6 | telnet service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #14 |
| CCE-6232-3 | DEPRECATED. | | | |
| CCE-6171-3 | inn service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #16 |
| CCE-5638-2 | uucp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #17 |
| CCE-6175-4 | rexec service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #18 |
| CCE-6144-0 | font-service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #20 |
| CCE-5763-8 | imap2 service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #21 |
| CCE-5856-0 | pop3 service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #22 |
| CCE-6081-4 | ident service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #23 |
| CCE-6093-9 | rexd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #24 |
| CCE-6173-9 | daytime service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #26 |
| CCE-5287-8 | dtspc (cde-spc) service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #27 |
| CCE-6070-7 | rquotad service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #28 |
| CCE-6026-9 | cmsd service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #29 |
| CCE-6166-3 | tooltalk service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #30 |
| CCE-5867-7 | xdmcp service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #31 |
| CCE-5810-7 | discard service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #32 |
| CCE-5898-2 | DEPRECATED. | | | |
| CCE-5713-3 | vino-server service should be enabled or disabled as appropriate | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1 (11) #34 |
| CCE-5994-9 | The bind service should be enabled or disabled as appropriate. | enabled/disabled | via inetd; via inetd.conf | 10.8.10.5.4.1.1 (2) |
| CCE-6215-8 | The version string reported by the bind service should be configured appropriately. | string | via /etc/named.conf | 10.8.10.5.4.1.1 (5) |
| CCE-5937-8 | The nfsd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-5303-3 | The mountd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-6223-2 | The statd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-6069-9 | The lockd service should be enabled or disabled as appropriate | enabled/disabled | via RC scripts | 10.8.10.5.4.1.5 (1) |
| CCE-5320-7 | NFS should be configured with appropriate authentication methods | list of auth methods | via NFS; via /etc/exports | 10.8.10.5.4.1.5 (1) f) |
| CCE-5593-9 | The read-only (ro) option should be enabled or disabled as appropriate for all NFS exports. | enabled/disabled | via /etc/exports | 10.8.10.5.4.1.5 (1) g) |
| CCE-6256-2 | The nosuid option should be enabled or disabled for all NFS mounts as appropriate | enabled/disabled | via /etc/fstab | 10.8.10.5.4.1.5 (1) i) |
| CCE-5596-2 | The nosgid option should be enabled or disabled for all NFS mounts as appropriate | enabled/disabled | via /etc/fstab | 10.8.10.5.4.1.5 (1) i) |
| CCE-6234-9 | Sendmail should be enabled or disabled as appropriate | enabled/disabled | via inetd; via RC scripts | 10.8.10.5.4.2.2 (1) |
| CCE-6185-3 | The sendmail banner should be set appropriately. | string | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (3) |
| CCE-6000-4 | The decode sendmail alias should be enabled or disabled as appropriate. | enabled/disabled | via /etc/aliases; via /usr/lib/aliases | 10.8.10.5.4.2.2 (4) c) |
| CCE-5551-7 | .forward files should be allowed or disallowed as appropriate for all users | allow/disallow | via rm | 10.8.10.5.4.2.2 (4) e) |
| CCE-6018-6 | Programs executed through the aliases file should be owned by an appropriate user | user | via chown | 10.8.10.5.4.2.2 (4) f) |
| CCE-6141-6 | Programs executed through the aliases file should reside in a directory with an appropriate user owner | user | via chown | 10.8.10.5.4.2.2 (4) f) |
| CCE-6233-1 | Sendmail vrfy command should be allowed or not as appropriate | allow/disallow | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) g) |
| CCE-5288-6 | Sendmail expn command should be allowed or not as appropriate | allow/disallow | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) h) |
| CCE-6113-5 | Sendmail should be configured with an appropriate logging level | logging level | via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) i) |
| CCE-6047-5 | Sendmail help command should be allowed or not as appropriate | allow/disallow | via sendmail; via /etc/mail/sendmail.cf | 10.8.10.5.4.2.2 (4) k) |
| CCE-6214-1 | NIS+ server should operate at an appropriate security level | security level | via NIS+ | 10.8.10.5.4.2.3 (1) b) |
| CCE-6051-7 | X-Windows should be enabled or disabled as appropriate | enabled/disabled | via Xwindows | 10.8.10.5.4.2.4 (1) |
| CCE-5756-2 | Authorized X-clients should be listed or not in the X*.hosts file as appropriate | listed/not listed | via /etc/X*.hosts | 10.8.10.5.4.2.4 (2) b) |
| CCE-5769-5 | X-Windows should write .Xauthority files to users' home directories or not as appropriate | write/not write | via xdm; via gdm; via kdm | 10.8.10.5.4.2.4 (2) d) |
| CCE-5976-6 | X11 forwarding via SSH should be enabled or disabled as appropriate. | enabled/disabled | via sshd_config | 10.8.10.5.4.2.4 (2) f) |
| CCE-5438-7 | Samba should be enabled or disabled as appropriate | enabled/disabled | via smbd; via RC scripts | 10.8.10.5.4.2.6 (1) |
| CCE-6227-3 | Samba 'hosts allow' option should be configured with an appropriate set of networks | list of networks | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) a) |
| CCE-5290-2 | Samba 'security option' option should be set as appropriate | | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) b) |
| CCE-6192-9 | Samba 'encrypt' passwords option should be set as appropriate | yes/no | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) c) |
| CCE-6165-5 | Samba 'smb passwd file' option should be set to an appropriate password file or no password file | file/nothing | via smbd; via smb.conf | 10.8.10.5.4.2.6 (3) d) |
| CCE-6262-0 | IPv6 should be enabled or disabled as appropriate | enabled/disabled | via ifconfig | 10.8.10.5.4.3 (1) |
| CCE-6134-1 | /dev/kmem file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #9 |
| CCE-5315-7 | /dev/mem file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #10 |
| CCE-5912-1 | /dev/null file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #11 |
| CCE-6128-3 | resolv.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #13 |
| CCE-5322-3 | /etc/named.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #14 |
| CCE-6231-5 | /usr/bin/at file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #25 |
| CCE-6082-2 | /usr/bin/rdist file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #26 |
| CCE-6121-8 | /usr/sbin/sync file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #27 |
| CCE-5452-8 | Superuser account home directories' permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #29 |
| CCE-6280-2 | /etc/samba/smb.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #31 |
| CCE-5332-2 | smbpassword executable permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #32 |
| CCE-5782-8 | Aliases file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #34 |
| CCE-5861-0 | File permissions should be set as appropriate for the log file configured to capture critical sendmail messages. | permissions | via chmod | 10.8.10-1 A.1 1) #35 |
| CCE-6248-9 | All files executed through /etc/aliases file entries should have file permissions set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #36 |
| CCE-5592-1 | /bin/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #37 |
| CCE-5336-3 | /bin/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #38 |
| CCE-6205-9 | /bin/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #39 |
| CCE-6298-4 | The /bin/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #40 |
| CCE-6331-3 | /bin/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #41 |
| CCE-6300-8 | /bin/bash file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #42 |
| CCE-5938-6 | /sbin/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #43 |
| CCE-6027-7 | /sbin/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #44 |
| CCE-5864-4 | /sbin/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #45 |
| CCE-5757-0 | The /sbin/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #46 |
| CCE-6207-5 | /sbin/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #47 |
| CCE-5973-3 | /sbin/bash file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #48 |
| CCE-5341-3 | /usr/bin/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #49 |
| CCE-6291-9 | /usr/bin/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #50 |
| CCE-6306-5 | /usr/bin/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #51 |
| CCE-5358-7 | The /usr/bin/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #52 |
| CCE-6310-7 | /usr/bin/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #53 |
| CCE-5904-8 | snmpd.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #56 |
| CCE-6217-4 | /tmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #57 |
| CCE-5494-0 | /usr/tmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #58 |
| CCE-6221-6 | .Xauthority file permissions should be set appropriately for all users. | permissions | via chmod | 10.8.10-1 A.1 1) #60 |
| CCE-6314-9 | /etc/aliases file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #61 |
| CCE-6327-1 | /etc/cron.d/at.allow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #62 |
| CCE-6032-7 | /etc/cron.d/cron.allow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #63 |
| CCE-5915-4 | /etc/csh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #64 |
| CCE-5990-7 | /etc/default/* file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #65 |
| CCE-6320-6 | /etc/default/login file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #66 |
| CCE-6236-4 | The /etc/ftpusers file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #69 |
| CCE-5950-1 | /etc/host.lpd file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #70 |
| CCE-5362-9 | /etc/hostname* file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #71 |
| CCE-6068-1 | /etc/hosts file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #72 |
| CCE-6271-1 | /etc/inetd.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #73 |
| CCE-6301-6 | /etc/issue file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #75 |
| CCE-6275-2 | /etc/jsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #76 |
| CCE-6319-8 | /etc/ksh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #77 |
| CCE-5649-9 | /etc/mail/aliases file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #78 |
| CCE-5870-1 | /etc/motd file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #79 |
| CCE-6274-5 | /etc/netconfig file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #80 |
| CCE-5372-8 | /etc/notrouter file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #81 |
| CCE-5439-5 | /etc/pam.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #82 |
| CCE-5601-0 | /etc/passwd file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #83 |
| CCE-6302-4 | The /etc/rsh file should exist or not as appropriate | exist/not exist | via filesystem | 10.8.10-1 A.1 1) #84 |
| CCE-5570-7 | /etc/security file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #85 |
| CCE-6020-2 | /etc/services file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #86 |
| CCE-5760-4 | /etc/sh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #87 |
| CCE-5899-0 | /etc/shadow file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #88 |
| CCE-6225-7 | /etc/syslog.conf file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #89 |
| CCE-6242-2 | DEPRECATED. | | | |
| CCE-6083-0 | /etc/fstab file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #91 |
| CCE-5683-8 | DEPRECATED. | | | |
| CCE-5933-7 | /var/adm/loginlog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #93 |
| CCE-6149-9 | /var/adm/messages file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #94 |
| CCE-6039-2 | /var/adm/sulog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #95 |
| CCE-5655-6 | /var/adm/utmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #96 |
| CCE-5854-5 | /var/adm/wtmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #97 |
| CCE-6349-5 | /var/adm/authlog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #98 |
| CCE-6067-3 | /var/adm/syslog file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #99 |
| CCE-5388-4 | /var/mail file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #100 |
| CCE-5691-1 | /var/tmp file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #101 |
| CCE-5502-0 | /usr/lib/pt_chmod file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #103 |
| CCE-5682-0 | /usr/lib/embedded_us file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #104 |
| CCE-6259-6 | /usr/lib/sendmail file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #105 |
| CCE-6210-9 | /usr/kerberos/bin/rsh file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #107 |
| CCE-5871-9 | /var/spool/mail file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #108 |
| CCE-5840-4 | smbpassword file permissions should be set appropriately | permissions | via chmod | 10.8.10-1 A.1 1) #109 |
| CCE-6353-7 | System files should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #8 |
| CCE-5393-4 | System files should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #8 |
| CCE-5399-1 | Default/skeleton dot files should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #9 |
| CCE-6179-6 | Default/skeleton dot files should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #9 |
| CCE-6272-9 | Global initialization files should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #10 |
| CCE-5403-1 | Global initialization files should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #10 |
| CCE-5746-3 | Home directories should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #11 |
| CCE-5465-0 | Home directories should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #11 |
| CCE-5729-9 | inetd.conf file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #12 |
| CCE-5433-8 | inetd.conf file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #12 |
| CCE-5879-2 | /etc/services file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #16 |
| CCE-5447-8 | /etc/services file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #16 |
| CCE-6046-7 | /etc/notrouter file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #18 |
| CCE-5473-4 | /etc/notrouter file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #18 |
| CCE-5404-9 | DEPRECATED. | | | |
| CCE-6254-7 | DEPRECATED. | | | |
| CCE-5425-4 | /etc/passwd file should be owned by an appropriate user | list of users | via chown | 10.8.10-1 A.1 2) #35 |
| CCE-6372-7 | /etc/passwd file should be owned by an appropriate group | list of groups | via chgrp; via chown | 10.8.10-1 A.1 2) #35 |
CCE-6283-6/etc/shadow file should be owned by an appropriate userlist of usersvia 
chown10.8.10-1 A.1 2) #36CCE-6001-2/etc/shadow file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-1 A.1 2) #36CCE-5451-0Environmental variable PATH for superuser accounts should or should not contain world-writable files as appropriateshould/should notvia chmodvia profile10.8.10-1 A.2 1) #1CCE-5467-6Environmental variable PATH for superuser accounts should not contain the current directory as the first or last entryshould/should notvia local init files10.8.10-1 A.2 1) #2CCE-6455-0The current directory should or should not be added to the environmental variable PATH by global initialization files as appropriateshould/should notvia local init files10.8.10-1 A.2 1) #3CCE-5486-6The current directory should or should not be added to the environmental variable PATH by local initialization files as appropriateshould/should notvia local init files10.8.10-1 A.2 1) #4CCE-6337-0DEPRECATED.CCE-6289-3The system umask should be set appropriatelyumaskvia global init files10.8.10-1 A.2 1) #8CCE-6451-9The user umask should be set appropriatelyumaskvia local init files10.8.10-1 A.2 1) #8CCE-6042-6DEPRECATED.CCE-5556-6/etc/rc.config.d/auditing file should be owned by an appropriate userlist of usersvia chown10.8.10-4 D.1 1) #2CCE-5887-5DEPRECATED.CCE-5962-6/etc/init.d file should be owned by an appropriate userlist of usersvia chown10.8.10-4 D.1 1) #5CCE-6365-1/etc/hosts.lpd file should be owned by an appropriate userlist of usersvia chown10.8.10-4 D.1 1) #6CCE-6211-7DEPRECATED.CCE-5491-6/etc/rc.config.d/auditing file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-4 D.1 1) #2CCE-6313-1DEPRECATED.CCE-6159-8/etc/init.d file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-4 D.1 1) #5CCE-6065-7/etc/hosts.lpd file should be owned by an appropriate grouplist of groupsvia chgrpvia chown10.8.10-4 D.1 1) #6CCE-6251-3DEPRECATED.CCE-6290-1/etc/rc.config.d/auditing file permissions should be set 
appropriatelypermissionsvia chmod10.8.10-4 D.1 1) #2CCE-6360-2DEPRECATED in favor of CCE-8638-9, CCE-8647-0, and CCE-8187-7.CCE-8638-9/etc/auto.master file should be owned by an appropriate userlist of usersvia chown10.8.10-3 C.1 1) #9CCE-8647-0/etc/auto.misc file should be owned by an appropriate userlist of usersvia chown10.8.10-3 C.1 1) #9CCE-8187-7/etc/auto.net file should be owned by an appropriate userlist of usersvia chown10.8.10-3 C.1 1) #9CCE-5504-6/etc/init.d file permissions should be set appropriatelypermissionsvia chmod10.8.10-4 D.1 1) #5CCE-5517-8/etc/hosts.lpd file permissions should be set appropriatelypermissionsvia chmod10.8.10-4 D.1 1) #6CCE-6076-4DEPRECATED.CCE-6292-7Auditing should be enabled or disabled for user accounts as appropriateenabled/disabledvia /tcb/files/auth/*10.8.10-4 D.3 1)CCE-6203-4Auditing should be enabled or disabled at boot time as appropriateenabled/disabledvia /etc/rc.config.d/auditing10.8.10-4 D.3 2)CCE-5794-3System logons should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #1CCE-6168-9System logoffs should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #2CCE-6014-5Password changes should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #3CCE-5983-2su usage should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #4CCE-5859-4Creation/modification of superuser groups should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #5CCE-6326-3Clearing of the audit log file should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #8CCE-5894-1Startup/shutdown of audit functions should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #9CCE-6110-1Use of identification/authorization mechanisms should be 
audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #10CCE-6423-8Remote access from outside the corporate network should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #11CCE-6454-3Change of permissions/privileges should be audited or not as appropriateaudited/not auditedvia /etc/rc.config.d/auditing10.8.10-4 D.3 3) #13CCE-6282-8Global initialization files should allow or deny write access to the terminal as appropriateallow/denyvia global init files10.8.10-4 D.4 1) #1CCE-6317-2PRI audit file should be specified appropriatelyfile and pathvia /etc/rc.config.d/auditing10.8.10-4 D.3 2)CCE-5660-6SEC audit file should be specified appropriatelyfile and pathvia /etc/rc.config.d/auditing10.8.10-4 D.3 2)CCE-6348-7FileSpaceSwitch should be set to an appropriate valuepercentage of free spacevia /etc/rc.config.d/auditing10.8.10-4 D.3 2)CCE-5774-5Wakeup switchpoint frequency should be set to an appropriate time intervalnumber of minutesvia /etc/rc.config.d/auditing10.8.10-4 D.3 2)CCE-5731-5Warning messages switchpoint distance should be set to an appropriate valueswitchpoint distance integervia /etc/rc.config.d/auditing10.8.10-4 D.3 2)CCE-6444-4Hard core dump size limits should be set appropriatelySize (0 to disable core dumps)via /etc/security/limitsvia ulimit10.8.10.4.4 (3)CCE-5940-2Root logins should be allowed or not as appropriate from SSH consolesallowed/not allowed10.8.10.5.2.6 (4)

ie7
Last modified: 2009-01-13f
Version: 5.20090115
Columns: CCE ID; CCE Description; CCE Parameters; CCE Technical Mechanisms; Old v4 CCE ID; NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL (SCAP-IE7-OVAL-Beta-v3.xml); NIST SCAP Microsoft Internet Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml); FDCC IE7 XCCDF (fdcc-accepted-content-20080110\fdcc-ie7-xccdf.xml); FDCC IE7 OVAL (fdcc-accepted-content-20080110\fdcc-ie7-oval.xml)

CCE-4017-0
  CCE Description: The "Security Zones: Use Only Machine Settings" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  Old v4 CCE ID: CCE-5
  NIST SCAP OVAL: oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050
  NIST SCAP XCCDF: UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled
  FDCC XCCDF: use_only_machine_settings_local_computer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1277

CCE-3924-8
  CCE Description: Internet Explorer Processes (Restrict ActiveX Install)
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe
  Old v4 CCE ID: CCE-119
  NIST SCAP OVAL: oval:org.mitre.oval:def:658
  NIST SCAP XCCDF: IEProcesses-RestrictActiveXInstall-LocalComputer
  FDCC XCCDF: IEProcesses_RestrictActiveXInstall_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:658

CCE-3929-7
  CCE Description: The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit
  Old v4 CCE ID: CCE-146
  NIST SCAP OVAL: oval:org.mitre.oval:def:1400
  NIST SCAP XCCDF: DoNotAllowUsersAddDeleteSites-LocalComputer
  FDCC XCCDF: DoNotAllowUsersAddDeleteSites_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1400

CCE-3576-6
  CCE Description: The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck
  Old v4 CCE ID: CCE-212
  NIST SCAP OVAL: oval:org.mitre.oval:def:1357
  NIST SCAP XCCDF: DisablePeriodicCheckForIESoftwareUpdates-LocalComputer
  FDCC XCCDF: DisablePeriodicCheckForIESoftwareUpdates_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1357

CCE-4043-6
  CCE Description: Internet Explorer Processes (Zone Elevation Protection)
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe
  Old v4 CCE ID: CCE-347
  NIST SCAP OVAL: oval:org.mitre.oval:def:620
  NIST SCAP XCCDF:
  FDCC XCCDF: IEProcesses_ProtectionFromZoneElevation_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:620

CCE-4047-7
  CCE Description: The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet E,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe
  Old v4 CCE ID: CCE-382
  NIST SCAP OVAL: oval:org.mitre.oval:def:884
  NIST SCAP XCCDF: IEProcesses-ConsistentMimeHandling-LocalComputer
  FDCC XCCDF: IEProcesses_ConsistentMimeHandling_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:884

CCE-3941-2
  CCE Description: The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures
  Old v4 CCE ID: CCE-449
  NIST SCAP OVAL: oval:org.mitre.oval:def:680, oval:org.mitre.oval:def:1392
  NIST SCAP XCCDF: AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser
  FDCC XCCDF: AllowSoftwareRunInstallSignatureInvalid_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:680

CCE-3338-1
  CCE Description: The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe
  Old v4 CCE ID: CCE-591
  NIST SCAP OVAL: oval:org.mitre.oval:def:617
  NIST SCAP XCCDF: IEProcesses-MKProtocolSecurityRestriction-LocalComputer
  FDCC XCCDF: IEProcesses_MKProtocolSecurityRestriction_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:617

CCE-4118-6
  CCE Description: The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
  Old v4 CCE ID: CCE-622
  NIST SCAP OVAL: oval:org.mitre.oval:def:1188
  NIST SCAP XCCDF: DisableSoftwareUpdateShellNotifications-LocalComputer
  FDCC XCCDF: DisableSoftwareUpdateShellNotifications_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1188

CCE-4122-8
  CCE Description: The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
  Old v4 CCE ID: CCE-668
  NIST SCAP OVAL: oval:org.mitre.oval:def:320
  NIST SCAP XCCDF: IEProcesses-RestrictFileDownload-LocalComputer
  FDCC XCCDF: IEProcesses_RestrictFileDownload_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:320

CCE-3518-8
  CCE Description: The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup
  Old v4 CCE ID: CCE-684
  NIST SCAP OVAL: oval:org.mitre.oval:def:1198
  NIST SCAP XCCDF: DisableAutomaticInstallOfIEComponents-LocalComputer
  FDCC XCCDF: DisableAutomaticInstallOfIEComponents_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1198

CCE-3201-1
  CCE Description: The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly.
  CCE Parameters: (1) number of proxy settings
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
  Old v4 CCE ID: CCE-693
  NIST SCAP OVAL: oval:org.mitre.oval:def:1181
  NIST SCAP XCCDF: MakeProxySettingsPerMachine-LocalComputer
  FDCC XCCDF: MakeProxySettingsPerMachine_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1181

CCE-3744-0
  CCE Description: The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement
  Old v4 CCE ID: CCE-708
  NIST SCAP OVAL: oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694
  NIST SCAP XCCDF: DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser
  FDCC XCCDF: DoNotAllowUsersEnableDisableAddOns_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1694

CCE-3894-3
  CCE Description: The "Turn Off Crash Detection" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection
  Old v4 CCE ID: CCE-753
  NIST SCAP OVAL: oval:org.mitre.oval:def:487
  NIST SCAP XCCDF: TurnOffCrashDetection-LocalComputer
  FDCC XCCDF: TurnOffCrashDetection_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:487

CCE-4162-4
  CCE Description: The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe
  Old v4 CCE ID: CCE-827
  NIST SCAP OVAL: oval:org.mitre.oval:def:465
  NIST SCAP XCCDF: IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer
  FDCC XCCDF: IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:465

CCE-3933-9
  CCE Description: The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.
  CCE Parameters: (1) enabled/disabled
  CCE Technical Mechanisms:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit
  Old v4 CCE ID: CCE-833
  NIST SCAP OVAL: oval:org.mitre.oval:def:1404
  NIST SCAP XCCDF: DoNotAllowUsersChangePolicies-LocalComputer
  FDCC XCCDF: DoNotAllowUsersChangePolicies_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:1404

CCE-4149-1
  CCE Description: The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe,
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe
  Old v4 CCE ID: CCE-985
  NIST SCAP OVAL: oval:org.mitre.oval:def:317
  NIST SCAP XCCDF: IEProcesses-MimeSniffingSafetyFeature-LocalComputer
  FDCC XCCDF: IEProcesses_MimeSniffingSafetyFeature_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:317

CCE-4026-1
  CCE Description: The "Check for Signature on Downloaded Programs" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures
  Old v4 CCE ID: CCE-1025
  NIST SCAP OVAL: oval:org.mitre.oval:def:395
  NIST SCAP XCCDF: CheckSignatureDownloadedPrograms-LocalComputer
  FDCC XCCDF: CheckSignatureDownloadedPrograms_LocalComputer
  FDCC OVAL: oval:gov.nist.fdcc.ie7:def:395

CCE-4171-5
  CCE Description: The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly.
  CCE Parameters: enabled/disabled
  CCE Technical Mechanisms:
    Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Inte