[BESAdmin-Announcements] IBM BigFix Compliance: Updated DISA STIG Checklist for HPUX 11.31 - RG03, published 2017-10-25
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Wed Oct 25 04:00:40 PDT 2017
Product:
IBM BigFix Compliance
Title:
Updated DISA STIG Checklist for HPUX 11.31 - RG03 to support a more recent
version of the benchmark
Security Benchmark:
HP-UX 11.31 STIG Version 1, Release 14
Published Sites:
DISA STIG Checklist for HPUX 11.31 - RG03 site version 4
(The site version is provided for air-gap customers.)
Changelist:
Added:
· HPUX0210: The system must disable accounts after three consecutive
unsuccessful SSH login attempts
· HPUX0220: The system must impose the same restrictions on root
logins that are already applied to non-root users
· HPUX0225: The system must impose the same restrictions on root
passwords that are already applied to non-root users
· HPUX0230: The ability to boot the system into single user mode
must be restricted to root
· HPUX0240: The /var/adm/userdb directory must be owned by root
· HPUX0250: The /var/adm/userdb directory must be group-owned by sys
· HPUX0260: The /var/adm/userdb directory must have mode 0700 or
less permissive
· HPUX0270: The /var/adm/userdb directory must not have an extended
ACL
· HPUX0280: The /var/adm/userdb/USERDB.DISABLED file must be owned
by root
· HPUX0290: The /var/adm/userdb/USERDB.DISABLED file must be
group-owned by sys
· HPUX0300: The /var/adm/userdb/USERDB.DISABLED file must have mode
0444 or less permissive
· HPUX0310: The /var/adm/userdb/USERDB.DISABLED file must not have
an extended ACL
· HPUX0320: The /etc/security.dsc file must be owned by root
· HPUX0330: The /etc/security.dsc file must be group-owned by sys
· HPUX0340: The /etc/security.dsc file must have mode 0444 or less
permissive
· HPUX0350: The /etc/security.dsc file must not have an extended
ACL
· HPUX0360: The /etc/pam.conf file must be owned by root
· HPUX0370: The /etc/pam.conf file must be group-owned by sys
· HPUX0380: The /etc/pam.conf file must have mode 0444 or less
permissive
· HPUX0390: The /etc/pam.conf file must not have an extended ACL
· HPUX0410: The /etc/pam_user.conf file must be owned by root
· HPUX0420: The /etc/pam_user.conf file must be group-owned by sys
· HPUX0430: The /etc/pam_user.conf file must have mode 0444 or less
permissive
· HPUX0440: The /etc/pam_user.conf file must not have an extended ACL
· HPUX0450: During a password change, the system must determine if
password aging attributes are inherited from the /etc/default/security
file attributes when no password aging is specified in the shadow file for
local users
· HPUX0460: The system must display the date and time of the last
successful account login upon login by means other than SSH.
· HPUX0470: The system and user default umask must be 0077 for all
sessions initiated via PAM
Updated:
· GEN002680: System audit logs must be owned by root
Now checks ownership of PRI_AUDFILE and SEC_AUDFILE set in
/etc/rc.config.d/auditing.
· GEN002690: System audit logs must be group-owned by root, bin, sys,
or other
Now checks group ownership of PRI_AUDFILE and SEC_AUDFILE set
in /etc/rc.config.d/auditing.
· GEN002700: System audit logs must have mode 0640 or less
permissive
Now checks permissions of PRI_AUDFILE and SEC_AUDFILE set in
/etc/rc.config.d/auditing.
· GEN002710: All system audit files must not have extended ACLs
Now checks ACLs of PRI_AUDFILE and SEC_AUDFILE set in
/etc/rc.config.d/auditing.
· GEN002715: System audit tool executables must be owned by root
Also checks /usr/sbin/userdb*.
· GEN002716: System audit tool executables must be group-owned by
root, bin, sys, or other
Also checks /usr/sbin/userdb*.
· GEN002717: System audit tool executables must have mode 0750 or
less permissive
Also checks /usr/sbin/userdb*.
· GEN002718: System audit tool executables must not have extended
ACLs
Also checks /usr/sbin/userdb*.
· GEN004540: The SMTP service HELP command must not be enabled
Now checks that /etc/mail/helpfile is empty.
· GEN000450: The system must limit users to 10 simultaneous system
logins, or a site-defined number, in accordance with operational
requirements.
Also checks /var/adm/userdb/*.
· GEN001400: The /etc/shadow (or equivalent) file must be owned by
root
Also checks /tcb/files/auth/[A-Z]/*.
· GEN001410: The /etc/shadow file (or equivalent) must be
group-owned by root, bin, sys or other
Also checks /tcb/files/auth/[A-Z]/*.
· GEN001430: The /etc/shadow file must not have an extended ACL
Also checks /tcb/files/auth/[A-Z]/*.
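As an added illustration of what the updated GEN002680, GEN002690 and GEN002700 checks evaluate (this is example code, not the checklist's own Fixlet relevance), the following Python reads PRI_AUDFILE and SEC_AUDFILE from auditing-config text and tests each file's owner, group and mode against the rule titles. The config content is a constructed sample, and the extended-ACL test (GEN002710) is omitted because it depends on the platform's ACL tooling.

```python
import grp
import os
import re
import stat

# From the rule titles: owner root (uid 0), group in this set, mode 0640 or less permissive.
ALLOWED_GROUPS = {"root", "bin", "sys", "other"}
MAX_MODE = 0o640
# Matches an assignment of either audit-trail variable, quoted or unquoted.
_ASSIGN = re.compile(r'^\s*(PRI_AUDFILE|SEC_AUDFILE)\s*=\s*"?([^"#\s]+)"?')
# Constructed sample of /etc/rc.config.d/auditing content, not a real host's file.
SAMPLE_CONFIG = """AUDITING=1
PRI_AUDFILE="/.secure/etc/audfile1"
SEC_AUDFILE=/.secure/etc/audfile2   # trailing comment
"""

def audit_files(config_text):
    """Return {variable: path} for the PRI_AUDFILE/SEC_AUDFILE assignments."""
    paths = {}
    for line in config_text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            paths[m.group(1)] = m.group(2)
    return paths

def check_audit_file(path):
    """Apply GEN002680/2690/2700 to one file; return a list of (rule, message)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("GEN002680", f"{path}: file not found")]
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid with no /etc/group entry
        group = str(st.st_gid)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != 0:
        findings.append(("GEN002680", f"{path}: owned by uid {st.st_uid}, expected root"))
    if group not in ALLOWED_GROUPS:
        findings.append(("GEN002690", f"{path}: group-owned by {group}"))
    # "0640 or less permissive": no permission bit may be set that 0640 lacks.
    if mode & ~MAX_MODE:
        findings.append(("GEN002700", f"{path}: mode {mode:04o} exceeds 0640"))
    return findings

def check_config(config_text):
    """Run the checks over every audit file named in the config text."""
    return [(rule, f"{var} -> {msg}") for var, path in audit_files(config_text).items()
            for rule, msg in check_audit_file(path)]
```

Calling check_config(SAMPLE_CONFIG) on a host without those audit files reports a GEN002680 "file not found" finding per variable; point it at the real file's contents to get per-rule findings.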
The following checks now check settings for trusted mode or SMSE mode as
appropriate.
· GEN000020: The system must require authentication upon booting
into single-user and maintenance modes
· GEN000460: The system must disable accounts after three
consecutive unsuccessful login attempts
· GEN000540: Users must not be able to change passwords more than
once every 24 hours
· GEN000560: The system must not have accounts configured with blank
or null passwords.
· GEN000580: The system must require that passwords contain a
minimum of 15 characters
· GEN000585: The system must enforce the correctness of the entire
password during authentication
· GEN000590: The system must use a FIPS 140-2 approved cryptographic
hashing algorithm for generating account password hashes
· GEN000595: The password hashes stored on the system must have been
generated using a FIPS 140-2 approved cryptographic hashing algorithm
· GEN000600: The system must require passwords contain at least one
uppercase alphabetic character
· GEN000610: The system must require passwords contain at least one
lowercase alphabetic character
· GEN000620: The system must require passwords contain at least one
numeric character
· GEN000640: The system must require passwords contain at least one
special character
· GEN000700: User passwords must be changed at least every 60 days.
· GEN000800: The system must prohibit the reuse of passwords within
five iterations.
· GEN001020: The root account must not be used for direct logins.
· HPUX0020: The system must be configured to operate in a security
mode.
Details:
· Both analysis and remediation checks are included
· Some checks are parameterized so that you can customize the values used
for compliance evaluation. Note that parameterization and remediation
actions require the creation of a custom site.
Actions to take:
· To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using IBM BigFix version 9.2
or later.
· If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see
https://ibm.biz/Bd4LBt.
More information:
To learn more about IBM BigFix Compliance SCM checklists, see:
· IBM Developer Works:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/SCM%20Checklists
· IBM BigFix Blog:
https://www.ibm.com/developerworks/community/blogs/a1a33778-88b7-452a-9133-c955812f8910?lang=en
· IBM BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
We hope you find this latest release of SCM content useful and effective.
Thank you!
-- The IBM BigFix Compliance team