Revision 1.11 - Oct 5, 2020
Functional Update
- GEN000000-LNX00600 - PAM system must not grant sole access to admin privileges to the first user who logs into the console.
- GEN000140-3 - A file integrity baseline including cryptographic hashes must be maintained - 'database has been configured'
- GEN000240 - The system clock must be synchronized to an authoritative DoD time source.
- GEN000241 - The system clock must be synchronized continuously.
- GEN000242 - The system must use at least two time sources for clock synchronization - 'cron jobs'
- GEN000450 - System must limit users to 10 simultaneous system logins or a site-defined number in accordance with operational requirements.
- GEN000452 - The system must display the date and time of the last successful account login upon login.
- GEN000460 - The system must disable accounts after three consecutive unsuccessful login attempts.
- GEN000560 - The system must not have accounts configured with blank or null passwords.
- GEN001060 - The system must log successful and unsuccessful access to the root account - rsyslog 'authpriv.*'
- GEN001060 - The system must log successful and unsuccessful access to the root account - rsyslog.conf
- GEN001060 - The system must log successful and unsuccessful access to the root account - syslog 'authpriv.*'
- GEN001060 - The system must log successful and unsuccessful access to the root account - syslog.conf
- GEN001100 - Root passwords must never be passed over a network in clear text form.
- GEN001375 - For systems using DNS resolution, at least two name servers must be configured.
- GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server
- GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server
- GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EACCES'
- GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EPERM'
- GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F success=0'
- GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F exit=-EACCES'
- GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F exit=-EPERM'
- GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F success=0'
- GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F exit=-EACCES'
- GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F exit=-EPERM'
- GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F success=0'
- GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F exit=-EACCES'
- GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F exit=-EPERM'
- GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F success=0'
- GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F exit=-EACCES'
- GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F exit=-EPERM'
- GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F success=0'
- GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity - 'action_mail_account'
- GEN002860 - Audit logs must be rotated daily.
- GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/rsyslog.conf contains *.* @<server>'
- GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/syslog.conf contains *.* @<server>'
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'adm' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'adm' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'bin' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'bin' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'daemon' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'daemon' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'ftp' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'ftp' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'games' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'games' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'gopher' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'gopher' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'halt' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'halt' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'lp' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'lp' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'mail' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'mail' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'news' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'news' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'nobody' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'nobody' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'operator' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'operator' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'shutdown' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'shutdown' - cron.deny
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'uucp' - cron.allow
- GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'uucp' - cron.deny
- GEN003160 - Cron logging must be implemented - rsyslog.conf
- GEN003160 - Cron logging must be implemented - syslog.conf
- GEN003160 - Cron logging must be implemented.
- GEN003280 - Access to the 'at' utility must be controlled via the at.allow and/or at.deny file(s).
- GEN003300 - The at.deny file must not be empty if it exists.
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ftp' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ftp' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'games' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'games' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'gopher' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'gopher' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'halt' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'halt' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'mail' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'mail' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'news' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'news' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'operator' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'operator' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'shutdown' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'shutdown' - at.deny
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.allow
- GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.deny
- GEN003540 - The system must implement non-executable program stacks - 'kernel.exec-shield'
- GEN003540 - The system must implement non-executable program stacks - 'kernel.randomize_va_space'
- GEN003540 - The system must implement non-executable program stacks.
- GEN003660 - The system must log authentication informational data - rsyslog authpriv.*
- GEN003660 - The system must log authentication informational data - rsyslog authpriv.debug
- GEN003660 - The system must log authentication informational data - rsyslog authpriv.info
- GEN003660 - The system must log authentication informational data - rsyslog.conf
- GEN003660 - The system must log authentication informational data - syslog authpriv.*
- GEN003660 - The system must log authentication informational data - syslog authpriv.debug
- GEN003660 - The system must log authentication informational data - syslog authpriv.info
- GEN003660 - The system must log authentication informational data - syslog.conf
- GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_on_failure'
- GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_on_success'
- GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_type'
- GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_on_failure'
- GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_on_success'
- GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_type'
- GEN003820 - The rsh daemon must not be running.
- GEN003830 - The rlogind service must not be running.
- GEN003840 - The rexec daemon must not be running.
- GEN003860 - The system must not have the finger service active.
- GEN004440 - Sendmail logging must not be set to less than nine in the sendmail.cf file.
- GEN004540 - The SMTP service HELP command must not be enabled - SmtpGreetingMessage
- GEN004540 - The SMTP service HELP command must not be enabled.
- GEN004540 - The SMTP service HELP command must not be enabled - 'helpfile does not exist'
- GEN004560 - The SMTP service's SMTP greeting must not provide version information.
- GEN004580 - The system must not use .forward files - '/etc/mail/sendmail.cf'
- GEN004580 - The system must not use .forward files - 'find .forward'
- GEN004600 - The SMTP service must be an up-to-date version - 'postfix'
- GEN004600 - The SMTP service must be an up-to-date version - 'sendmail'
- GEN004620 - The Sendmail server must have the debug feature disabled.
- GEN004660 - The SMTP service must not have the EXPN feature active.
- GEN004680 - The SMTP service must not have the VRFY feature active.
- GEN004700 - The Sendmail service must not have the wizard backdoor active.
- GEN004710 - Mail relaying must be restricted - '/etc/mail/sendmail.cf DaemonPortOptions'
- GEN004710 - Mail relaying must be restricted - '/etc/postfix/main.cf inet_interfaces'
- GEN004710 - Mail relaying must be restricted - '/etc/postfix/main.cf smtpd_client_restrictions permit not before reject'
- GEN004710 - Mail relaying must be restricted - '/etc/postfix/main.cf smtpd_client_restrictions reject exists'
- GEN004710 - Mail relaying must be restricted - 'promiscuous_relay'
- GEN004800 - Unencrypted FTP must not be used on the system - 'gssftp'
- GEN004800 - Unencrypted FTP must not be used on the system - 'vsftpd'
- GEN004820 - Anonymous FTP must not be active on the system unless authorized.
- GEN004840 - If the system is an anonymous FTP server, it must be isolated to the DMZ network.
- GEN004880 - The ftpusers file must exist.
- GEN004900 - The ftpusers file must contain account names not allowed to use FTP.
- GEN004920 - The ftpusers file must be owned by root - '/etc/ftpusers'
- GEN004920 - The ftpusers file must be owned by root - '/etc/vsftpd.ftpusers'
- GEN004920 - The ftpusers file must be owned by root - '/etc/vsftpd/ftpusers'
- GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system - '/etc/ftpusers'
- GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system - '/etc/vsftpd.ftpusers'
- GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system - '/etc/vsftpd/ftpusers'
- GEN004940 - The ftpusers file must have mode 0640 or less permissive - '/etc/ftpusers'
- GEN004940 - The ftpusers file must have mode 0640 or less permissive - '/etc/vsftpd.ftpusers'
- GEN004940 - The ftpusers file must have mode 0640 or less permissive - '/etc/vsftpd/ftpusers'
- GEN004950 - The ftpusers file must not have an extended ACL - '/etc/ftpusers'
- GEN004950 - The ftpusers file must not have an extended ACL - '/etc/vsftpd.ftpusers'
- GEN004950 - The ftpusers file must not have an extended ACL - '/etc/vsftpd/ftpusers'
- GEN004980 - The FTP daemon must be configured for logging or verbose mode.
- GEN005000 - Anonymous FTP accounts must not have a functional shell.
- GEN005040 - All FTP gssftp users must have a default umask of 077 - '/etc/vsftpd/vsftpd.conf anon_umask'
- GEN005040 - All FTP gssftp users must have a default umask of 077 - '/etc/vsftpd/vsftpd.conf local_umask'
- GEN005040 - All FTP gssftp users must have a default umask of 077 - '/etc/xinetd.d/gssftp'
- GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
- GEN005100 - The TFTP daemon must have mode 0755 or less permissive.
- GEN005120 - The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell.
- GEN005160 - Any X Windows host must write .Xauthority files.
- GEN005180 - All .Xauthority files must have mode 0600 or less permissive.
- GEN005190 - The .Xauthority files must not have extended ACLs.
- GEN005200 - X displays must not be exported to the world.
- GEN005220 - .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
- GEN005240 - The .Xauthority utility must only permit access to authorized hosts.
- GEN005260 - X Window System connections that are not required must be disabled.
- GEN005390 - The /etc/rsyslog.conf file must have mode 0640 or less permissive.
- GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive.
- GEN005395 - The /etc/rsyslog.conf file must not have an extended ACL.
- GEN005395 - The /etc/syslog.conf file must not have an extended ACL.
- GEN005450 - The system must use a remote syslog server (loghost) - rsyslog.conf
- GEN005450 - The system must use a remote syslog server (loghost) - syslog.conf
- GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups - '/etc/pam.d/sshd pam_access.so required'
- GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups - '/etc/ssh/sshd_config AllowGroups'
- GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups - '/etc/ssh/sshd_config AllowUsers'
- GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups.
- GEN005740 - The NFS export configuration file must be owned by root.
- GEN005750 - The NFS export configuration file must be group-owned by root, bin, sys, or system.
- GEN005760 - The NFS export configuration file must have mode 0644 or less permissive.
- GEN005770 - The NFS exports configuration file must not have an extended ACL.
- GEN005800 - All NFS-exported system files and system directories must be owned by root.
- GEN005810 - All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system.
- GEN005820 - The NFS anonymous UID and GID must be configured to values that have no permissions - 'anongid'
- GEN005820 - The NFS anonymous UID and GID must be configured to values that have no permissions - 'anonuid'
- GEN005840 - The NFS server must be configured to restrict file system access to local hosts.
- GEN005880 - The NFS server must not allow remote root access - 'all_squash / root_squash'
- GEN005880 - The NFS server must not allow remote root access - 'no_root_squash'
- GEN006060 - The system must not run the Samba service unless needed.
- GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - '/etc/xinetd.d/swat'
- GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - 'samba-swat'
- GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - 'samba3x-swat'
- GEN006100 - The /etc/samba/smb.conf file must be owned by root.
- GEN006120 - The /etc/samba/smb.conf file must be group-owned by root, bin, sys, or system.
- GEN006140 - The /etc/samba/smb.conf file must have mode 0644 or less permissive.
- GEN006150 - The /etc/samba/smb.conf file must not have an extended ACL.
- GEN006160 - The /etc/samba/passdb.tdb and /etc/samba.secrets.tdb files must be owned by root - '/etc/samba.secrets.tdb'
- GEN006160 - The /etc/samba/passdb.tdb and /etc/samba.secrets.tdb files must be owned by root - '/etc/samba/passdb.tdb'
- GEN006180 - The smbpasswd file must be group-owned by root - '/etc/samba/passdb.tdb'
- GEN006180 - The smbpasswd file must be group-owned by root - '/etc/samba/secrets.tdb'
- GEN006200 - The smbpasswd file must have mode 0600 or less permissive - '/etc/samba/passdb.tdb'
- GEN006200 - The smbpasswd file must have mode 0600 or less permissive - '/etc/samba/secrets.tdb'
- GEN006210 - The /etc/smbpasswd file must not have an extended ACL - '/etc/samba/passdb.tdb'
- GEN006210 - The /etc/smbpasswd file must not have an extended ACL - '/etc/samba/secrets.tdb'
- GEN006220 - The smb.conf file must use the 'hosts' option to restrict access to Samba.
- GEN006225 - Samba must be configured to use an authentication mechanism other than 'share.'
- GEN006230 - Samba must be configured to use encrypted passwords.
- GEN006235 - Samba must be configured to not allow guest access to shares.
- GEN006240 - The system must not run an Internet Network News (INN) server.
- GEN006260 - The /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive.
- GEN006270 - The /etc/news/incoming.conf file must not have an extended ACL.
- GEN006280 - The /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.
- GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
- GEN006300 - The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive.
- GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
- GEN006320 - The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
- GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
- GEN006340 - Files in /etc/news must be owned by root or news.
- GEN006360 - The files in /etc/news must be group-owned by root or news.
- GEN006380 - The system must not use UDP for NIS/NIS+.
- GEN006420 - NIS maps must be protected through hard-to-guess domain names.
- GEN006565 - The system package management tool must be used to verify system software periodically.
- GEN006570 - The file integrity tool must be configured to verify ACLs.
- GEN006571 - The file integrity tool must be configured to verify extended attributes.
- GEN006575 - The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
- GEN006600 - The system's access control program must log each system access attempt - /etc/rsyslog.conf not found
- GEN006600 - The system's access control program must log each system access attempt - /etc/syslog.conf not found
- GEN006600 - The system's access control program must log each system access attempt - rsyslog *.debug
- GEN006600 - The system's access control program must log each system access attempt - rsyslog *.info
- GEN006600 - The system's access control program must log each system access attempt - rsyslog authpriv.*
- GEN006600 - The system's access control program must log each system access attempt - rsyslog authpriv.debug
- GEN006600 - The system's access control program must log each system access attempt - rsyslog authpriv.info
- GEN006600 - The system's access control program must log each system access attempt - syslog *.debug
- GEN006600 - The system's access control program must log each system access attempt - syslog *.info
- GEN006600 - The system's access control program must log each system access attempt - syslog authpriv.*
- GEN006600 - The system's access control program must log each system access attempt - syslog authpriv.debug
- GEN006600 - The system's access control program must log each system access attempt - syslog authpriv.info
- GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts.
- GEN006640 - The system must use and update a DoD-approved virus scan program.
- GEN007020 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
- GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp /bin/true'
- GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp_ipv4 /bin/true'
- GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp_ipv6 /bin/true'
- GEN007260 - The AppleTalk protocol must be disabled or not installed - 'install appletalk'
- GEN007480 - The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required - 'install rds /bin/true'
- GEN007540 - The Transparent Inter-Process Communication (TIPC) must be disabled or not installed - 'install tipc /bin/true'
- GEN007660 - The Bluetooth protocol handler must be disabled or not installed - 'install bluetooth /bin/true'
- GEN007850 - The DHCP client must not send dynamic DNS updates.
- GEN007960 - The 'ldd' command must be disabled unless it protects against the execution of untrusted files.
- GEN007980 - If using LDAP for auth or account information, must use a TLS connection using FIPS 140-2 algorithms - '/etc/ldap.conf'
- GEN007980 - If using LDAP for auth or account information, must use a TLS connection using FIPS 140-2 algorithms - 'ssl start_tls'
- GEN007980 - If using LDAP for auth or account information, must use a TLS connection using FIPS 140-2 approved algorithms - 'tls_ciphers'
- GEN008000 - If using LDAP for auth or account info, certs used must be provided from DoD or an approved external PKI - 'manual cert check'
- GEN008000 - If using LDAP for auth or account info, certs used must be provided from DoD or an approved external PKI - 'tls_cert'
- GEN008020 - If using LDAP for auth or acct info, the LDAP TLS connection must require a cert that has a valid trust path to a trusted CA.
- GEN008040 - If using LDAP for auth or account information, the system must check that the LDAP server's certificate has not been revoked.
- GEN008050 - If using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
- GEN008060 - If using LDAP for authentication or account information the /etc/ldap.conf file must have mode 0644 or less permissive.
- GEN008080 - If using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
- GEN008100 - If using LDAP for auth or account information, the /etc/ldap.conf file must be group-owned by root, bin, sys, or system.
- GEN008120 - If using LDAP for auth or acct information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
- GEN008140 - If using LDAP for auth or account information, the TLS certificate auth file and dir must be owned by root - '/etc/ssl/'
- GEN008140 - If using LDAP for auth or account information, the TLS certificate auth file and dir must be owned by root - '/etc/ssl/certs'
- GEN008140 - If using LDAP for auth or acct information, the TLS certificate auth file and dir must be owned by root - '/etc/ssl/ca.cert'
- GEN008160 - Using LDAP for auth or account info, the TLS cert file and dir must be group-owned by root,bin,sys,or system - '/etc/ssl/'
- GEN008160 - Using LDAP for auth or acct info, the TLS cert file and dir must be group-owned by root,bin,sys,or system - '/etc/ssl/certs'
- GEN008160 - Using LDAP for auth or acct info, the TLS cert file and dir must be group-owned by root,bin,sys,or system - '/etc/ssl/ca.cert'
- GEN008180 - If using LDAP for auth or account info, the TLS cert file and dir must have mode 0644 or less permissive - '/etc/ssl/ca.cert'
- GEN008180 - If using LDAP for auth or account info, the TLS cert file and dir must have mode 0644 or less permissive - '/etc/ssl/certs'
- GEN008180 - If using LDAP for auth or account info, the TLS cert file and dir must have mode 0755 or less permissive - '/etc/ssl/'
- GEN008200 - If using LDAP for auth or account info, the TLS cert file and/or directory (as appropriate) must not have an extended ACL.
- GEN008220 - For systems using NSS LDAP, the TLS certificate file must be owned by root - '/etc/openldap/cacerts/cert.pem'
- GEN008240 - Using LDAP for auth or acct info, TLS cert must be group-owned by root,bin,sys,or system - '/etc/openldap/cacerts/cert.pem'
- GEN008260 - If using LDAP for auth or acct info, the TLS cert must have mode 0644 or less permissive - '/etc/openldap/cacerts/cert.pem'
- GEN008280 - If using LDAP for auth or acct info, the TLS cert must not have an extended ACL - '/etc/openldap/cacerts/cert.pem'
- GEN008300 - If using LDAP for auth or acct info, the LDAP TLS key file must be owned by root - '/etc/openldap/cacerts/key.pem'
- GEN008320 - If using LDAP for auth or acct info, the LDAP TLS key file must be group-owned by root - '/etc/openldap/cacerts/key.pem'
- GEN008340 - If using LDAP for auth or acct info, the LDAP TLS key must have mode 0600 or less permissive - '/etc/openldap/cacerts/key.pem'
- GEN008360 - If using LDAP for auth or acct info, the LDAP TLS key file must not have an extended ACL - '/etc/openldap/cacerts/key.pem'
- GEN008480 - The system must have USB Mass Storage disabled unless needed.
- GEN008500 - The system must have IEEE 1394 (Firewire) disabled unless needed.
- GEN008800 - The package management tool must cryptographically verify the authenticity of packages during install - '/etc/yum.repos.d/*'
- GEN008800 - The package management tool must cryptographically verify the authenticity of packages during installation - '/etc/yum.conf'