Nuclear Regulatory Commission Computer Security Office
Computer Security Standard
Office Instruction: CSO-STD-1417
Office Instruction Title: IBM AIX 6.1 Server Configuration Standard
Revision Number: 1.0
Effective Date: January 1, 2014
Primary Contacts: Kathy Lyons-Burke, SITSO
Responsible Organization: CSO/PST
Summary of Changes: CSO-STD-1417, “IBM AIX 6.1 Server Configuration Standard” provides the minimum configuration settings that must be applied to NRC servers running AIX 6.1 operating systems.
Training: As requested
ADAMS Accession No.: ML13255A205
Approvals
Primary Office Owner: Policies, Standards, and Training
Standards Working Group Chair: Bill Dabbs, /RA/, 10/9/13
Responsible SITSO: Kathy Lyons-Burke, /RA/, 10/9/13
DAA for Non-Major IT Investments (Director, CSO): Tom Rich, /RA/, 10/9/13
Director, OIS: Jim Flanagan, /RA/, 10/9/13
CSO Standard CSO-STD-1417 Page i
TABLE OF CONTENTS
1 PURPOSE ............................................................................................................................................. 1
2 GENERAL REQUIREMENTS .............................................................................................................. 1
2.1 DEVIATION REQUEST PROCESS ........................................................................................................ 1
3 SPECIFIC REQUIREMENTS ............................................................................................................... 2
3.1 REQUIREMENTS THAT ARE DIFFERENT FROM THE CIS BENCHMARK ................................................... 2
4 DEFINITIONS ..................................................................................................................................... 27
5 ACRONYMS ....................................................................................................................................... 29
Computer Security Standard CSO-STD-1417
IBM AIX 6.1 Server Configuration Standard
1 PURPOSE
CSO-STD-1417, “IBM® AIX® 6.1 Server Configuration Standard,” provides configuration settings for the Nuclear Regulatory Commission (NRC) servers running the IBM Advanced Interactive eXecutive (AIX) 6.1 operating system.[1] These settings serve to minimize the probability of NRC sensitive information compromise. The standard applies to systems used to process Sensitive Unclassified Non-Safeguards Information (SUNSI) or Safeguards Information (SGI).
This configuration standard is intended to be used by system administrators and information system security officers (ISSOs) that have the required knowledge, skills, and abilities to apply configuration settings to AIX 6.1 operating systems. AIX 6.1 servers must meet all federally mandated and NRC-defined security requirements.
2 GENERAL REQUIREMENTS
All NRC servers running the AIX 6.1 operating system that are owned, managed, and/or operated by the NRC or by other parties on behalf of the NRC must comply with this standard as a minimum set of controls. Additional controls may be required after a system risk analysis is completed.
AIX 6.1 servers operated by the NRC or other parties on behalf of the NRC must comply with the Center for Internet Security (CIS) AIX 6.1 Benchmark, as modified by the settings/requirements provided in this standard, and with the overarching requirements stated in CSO-STD-1101, “UNIX and Linux Server Security Configuration Standard.” Section 3 of this standard explains how specific requirements within the CIS Benchmark are amended by NRC-specific requirements. The effective version of the CIS Benchmark is specified on the Computer Security Office (CSO) Standards web page.
2.1 Deviation Request Process
There may be circumstances when a specific configuration requirement cannot be met because of technical system limitations, business process impact, or cost-risk analysis. Implementations that do not meet this minimum configuration standard must obtain deviation approval using the CSO Deviation Request (DR) process.
[1] IBM and AIX are registered trademarks of the International Business Machines (IBM) Corporation.
3 SPECIFIC REQUIREMENTS
This section provides requirements that differ from or are required in addition to those published in the CIS AIX 6.1 Benchmark. These differences include amendments to settings in the CIS Benchmark and additional requirements identified through a review of the Defense Information Systems Agency (DISA) AIX 6.1 Security Technical Implementation Guide (STIG).
3.1 Requirements that are Different from the CIS Benchmark
This section provides the NRC-specific requirements that are different from the published CIS Benchmark requirements. In Table 3.1-1 below, the section headers match the headers in the CIS Benchmark; DISA requirements were added to the appropriate sections.
The following defines the information contained within the columns of Table 3.1-1:
• Step: The unique identifier of this configuration item within this standard.
• Source: The identification of the source (e.g., CIS, DISA) for the requirement.
• CIS/DISA ID: The CIS/DISA identifier number for this configuration item. Some items have multiple IDs, which indicate that different attributes of multiple requirements from an external standard were combined into a single requirement for this standard.
• Setting Name: The configuration item or issue.
• CIS/DISA Setting: The configuration setting per the CIS Benchmark or DISA STIG.
• NRC-Specific Requirement: The NRC setting (which is different from the CIS Benchmark requirement) for a configuration item.
• Rationale: This field provides the rationale for the NRC-specific requirement that is different from the published setting in the CIS Benchmark.
Table 3.1-1: AIX 6.1 NRC-Specific Requirements that are Different from the CIS Benchmark

Columns: Step | Source | CIS/DISA ID | Setting Name | CIS/DISA Setting | NRC-Specific Requirement | Rationale

1.1 AIX Security Expert – Password Policy

Step 1. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.1. Setting Name: /etc/security/user – mindiff.
CIS/DISA Setting: In /etc/security/user, set the default mindiff attribute to be greater than or equal to 4 for the minimum number of characters that are required in a new password which were not in the old password.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.

Step 2. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.2. Setting Name: /etc/security/user – minage.
CIS/DISA Setting: In /etc/security/user, set the default minage attribute to 1 for the minimum number of weeks before a password can be changed.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.

Step 3. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.3. Setting Name: /etc/security/user – maxage.
CIS/DISA Setting: In /etc/security/user, set the default maxage attribute to be less than or equal to 13 for the maximum number of weeks that a password is valid.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.

Step 4. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.4. Setting Name: /etc/security/user – minlen.
CIS/DISA Setting: In /etc/security/user, set the default minlen attribute to be greater than or equal to 8 for the minimum length of a password.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.

Step 5. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.5. Setting Name: /etc/security/user – minalpha.
CIS/DISA Setting: In /etc/security/user, set the default minalpha attribute to be greater than or equal to 2 for the minimum number of alphabetic characters in a password.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.

Step 6. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.6. Setting Name: /etc/security/user – minother.
CIS/DISA Setting: In /etc/security/user, set the default minother attribute to be greater than or equal to 2 for the number of characters within a password that must be non-alphabetic.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirement for these values.

Step 7. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.9. Setting Name: /etc/security/user – histsize.
CIS/DISA Setting: In /etc/security/user, set the default histsize attribute to be greater than or equal to 20 for the number of previous passwords to be stored in the password history to prevent password reuse.
NRC-Specific Requirement: NRC establishes password requirements based on the security categorization of the system, whether the password is an administrative password, and the level of protection required for the information on the system.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.

Step 8. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.1.11. Setting Name: /etc/security/login.cfg – pwd_algorithm.
CIS/DISA Setting: In /etc/security/login.cfg, set the usw user stanza pwd_algorithm attribute to ssha256. CIS recommends setting the password algorithm to ssha256 to support long passwords.
NRC-Specific Requirement: Encryption must be implemented according to the requirements in CSO-STD-2009, “Cryptographic Control Standard.”
Rationale: CSO-STD-2009, “Cryptographic Control Standard” provides the NRC requirements for cryptography.

1.2 AIX Security Expert – Login Policy

Step 9. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.2.6. Setting Name: /etc/security/user – loginretries.
CIS/DISA Setting: In /etc/security/user, set the default loginretries attribute to 3 for the number of invalid login attempts prior to the user account being locked automatically.
NRC-Specific Requirement: NRC standards establish limits for the number of consecutive invalid access attempts by a user based on the security categorization of the system, whether the password is for an administrator, and the level of protection required for the information on the system.
Rationale: CSO-STD-0020, “Organization Defined Values for System Security Controls Standard” (AC-7), establishes the maximum number of consecutive invalid access attempts.
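Added example, not from CSO-STD-1417, the CIS Benchmark or IBM: a POSIX shell audit of the Step 1-9 values in the default stanza of /etc/security/user and the usw stanza of /etc/security/login.cfg. It assumes the AIX stanza layout shown in its comments, treats the benchmark values quoted in the table as overridable defaults because the actual NRC values live in CSO-STD-0001 and CSO-STD-0020, and ships with constructed sample files so it can be tried without an AIX host.

```shell
#!/bin/sh
# Added example, not part of CSO-STD-1417: audit the "default" stanza of
# /etc/security/user and the "usw" stanza of /etc/security/login.cfg against
# the Table 3.1-1 password and login values (Steps 1-9). AIX stanza files
# look like
#   default:
#           mindiff = 4
# Paths are parameters so the check can run on a copied file; the files
# written by write_sample are constructed, not taken from a real host.

# Benchmark values quoted in Table 3.1-1. NRC replaces them with the values
# from CSO-STD-0001 and CSO-STD-0020 (not reproduced here); override via env.
: "${NRC_MINDIFF:=4}" "${NRC_MINAGE:=1}" "${NRC_MAXAGE:=13}" "${NRC_MINLEN:=8}"
: "${NRC_MINALPHA:=2}" "${NRC_MINOTHER:=2}" "${NRC_HISTSIZE:=20}" "${NRC_LOGINRETRIES:=3}"

# stanza_get FILE STANZA ATTR -> prints the attribute's value from that
# stanza only (a later per-user stanza such as "root:" does not leak into
# "default"); prints nothing when the attribute is unset
stanza_get() {
    awk -v s="$2" -v a="$3" '
        /^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]*$/ { cur = $1; sub(/:.*/, "", cur); next }
        cur == s {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", key)
            if (key != a) next
            val = substr(line, n + 1)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            print val; exit
        }' "$1"
}

# attr_ok FILE STANZA ATTR OP VALUE -> true if the attribute is set, numeric
# and "[ value OP VALUE ]" holds; an unset attribute fails, because then the
# AIX built-in default applies rather than the value the table requires
attr_ok() {
    v=$(stanza_get "$1" "$2" "$3")
    case $v in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" "$4" "$5" ]
}

# check_password_policy USERFILE LOGINCFG -> prints one line per failed
# step and returns 0 only when every step passes
check_password_policy() {
    u=$1; l=$2; rc=0
    attr_ok "$u" default mindiff -ge "$NRC_MINDIFF" ||
        { echo "Step 1: mindiff must be >= $NRC_MINDIFF"; rc=1; }
    attr_ok "$u" default minage -ge "$NRC_MINAGE" ||
        { echo "Step 2: minage must be >= $NRC_MINAGE"; rc=1; }
    # maxage = 0 means the password never expires, so 0 is not "<= 13"
    attr_ok "$u" default maxage -ge 1 && attr_ok "$u" default maxage -le "$NRC_MAXAGE" ||
        { echo "Step 3: maxage must be 1..$NRC_MAXAGE weeks"; rc=1; }
    attr_ok "$u" default minlen -ge "$NRC_MINLEN" ||
        { echo "Step 4: minlen must be >= $NRC_MINLEN"; rc=1; }
    attr_ok "$u" default minalpha -ge "$NRC_MINALPHA" ||
        { echo "Step 5: minalpha must be >= $NRC_MINALPHA"; rc=1; }
    attr_ok "$u" default minother -ge "$NRC_MINOTHER" ||
        { echo "Step 6: minother must be >= $NRC_MINOTHER"; rc=1; }
    attr_ok "$u" default histsize -ge "$NRC_HISTSIZE" ||
        { echo "Step 7: histsize must be >= $NRC_HISTSIZE"; rc=1; }
    [ "$(stanza_get "$l" usw pwd_algorithm)" = ssha256 ] ||
        { echo "Step 8: usw pwd_algorithm must be ssha256"; rc=1; }
    # loginretries = 0 disables lockout entirely, so the value must be 1..3
    attr_ok "$u" default loginretries -ge 1 && attr_ok "$u" default loginretries -le "$NRC_LOGINRETRIES" ||
        { echo "Step 9: loginretries must be 1..$NRC_LOGINRETRIES"; rc=1; }
    return $rc
}

# write_sample DIR compliant|weak -> constructed sample files for a dry run
write_sample() {
    if [ "$2" = compliant ]; then
        printf 'default:\n\tmindiff = 4\n\tminage = 1\n\tmaxage = 13\n\tminlen = 8\n\tminalpha = 2\n\tminother = 2\n\thistsize = 20\n\tloginretries = 3\n' > "$1/user"
        printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n\tpwd_algorithm = ssha256\n' > "$1/login.cfg"
    else
        # comment line, unset minage, maxage 0, loginretries 0, and a root
        # stanza whose stronger minlen must not mask the weak default
        printf '* constructed weak sample\ndefault:\n\tmindiff = 2\n\tmaxage = 0\n\tminlen = 6\n\tminalpha = 2\n\tminother = 0\n\thistsize = 5\n\tloginretries = 0\n\nroot:\n\tminlen = 8\n' > "$1/user"
        printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n' > "$1/login.cfg"
    fi
}

# Dry run:  d=$(mktemp -d); write_sample "$d" weak
#           check_password_policy "$d/user" "$d/login.cfg"; echo "exit $?"
# On an AIX 6.1 host: check_password_policy /etc/security/user /etc/security/login.cfg
```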
1.3 AIX Security Expert – System Services Management

Step 10. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.3.31. Setting Name: /etc/inetd.conf – time.
CIS/DISA Setting: In /etc/inetd.conf, comment out the time entries. The synchronization of time service is obsolete and has been superseded by Network Time Protocol (NTP).
NRC-Specific Requirement: NRC standards require systems and network devices to synchronize a system’s clock with the NRC time source or a time server appropriate to another agency-owned network. To enable correlation of events for audit logs, all systems must reference the same time source.
Rationale: CSO-STD-2005, “NRC System Monitoring Standard,” establishes the NRC requirements for the specific time servers to be used. CSO-STD-0020, “Organization Defined Values for System Security Controls Standard” (AU-8(1)), establishes time synchronization requirements.

Step 11. Source: DISA. CIS/DISA ID: GEN000250, GEN000251, GEN000252, GEN000253. Setting Name: Time synchronization configuration file (/etc/ntp.conf).
CIS/DISA Setting: The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root, must be group-owned by bin, sys, or system, must have mode 0640 or less permissive, and must not have an extended Access Control List (ACL).
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the time synchronization configuration file.
Rationale: A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.

Step 12. Source: DISA. CIS/DISA ID: GEN000242. Setting Name: Number of clock synchronization sources.
CIS/DISA Setting: The system must use at least two time sources for clock synchronization.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the number of clock synchronization sources if a system connects to networks or other systems. If a system is completely isolated, time synchronization (and two time sources) is not required.
Rationale: A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. For redundancy, two time sources are required so synchronization continues to function if one source fails. If the system is completely isolated (no connections to networks or other systems), time synchronization is not required as no correlation of events or operation of time-dependent protocols between systems will be necessary. If the system is completely isolated, this requirement is not applicable.

Step 13. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.3.35. Setting Name: /etc/inetd.conf – ftp.
CIS/DISA Setting: In /etc/inetd.conf, comment out the ftp entry. File Transfer Protocol (FTP) should not be started automatically. FTP is an unencrypted network protocol; FTP should only be used if there is a mission critical reason to do so.
NRC-Specific Requirement: NRC standards restrict the use of FTP.
Rationale: CSO-STD-2008, “NRC Network Protocol Standard,” specifically restricts the use of FTP at NRC.

Step 14. Source: DISA. CIS/DISA ID: GEN000000-AIX0300. Setting Name: bootp service disabled.
CIS/DISA Setting: The system must not have the bootp service active.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for disabling the bootp service.
Rationale: The bootp service is used for Network Installation Management (NIM) and remote booting of systems. The bootp service should not be active unless it is needed for NIM servers or booting remote systems. Running unnecessary services increases the attack vector of the system.
1.6 AIX Security Expert – TCP/IP Hardening

Step 15. Source: DISA. CIS/DISA ID: GEN000000-AIX0210. Setting Name: tcp_icmpsecure.
CIS/DISA Setting: The system must provide protection from Internet Control Message Protocol (ICMP) attacks on Transmission Control Protocol (TCP) connections.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for tcp_icmpsecure.
Rationale: The ICMP attacks may be in the form of ICMP source quench attacks and Path Maximum Transmission Unit Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP source quench messages. This will protect against ICMP source quench attacks. The payload of the ICMP message is tested to determine if the sequence number of the TCP header portion of the payload is within the range of acceptable sequence numbers. This will mitigate PMTUD attacks to a large extent.

Step 16. Source: DISA. CIS/DISA ID: GEN007820. Setting Name: IP tunnel configuration.
CIS/DISA Setting: The system must not have Internet Protocol (IP) tunnels configured.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for IP tunnel configuration.
Rationale: IP tunneling mechanisms can be used to bypass network filtering.

Step 17. Source: DISA. CIS/DISA ID: GEN007900. Setting Name: Reverse-path filter for IPv6 network traffic.
CIS/DISA Setting: The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for reverse-path filters for IPv6 network traffic.
Rationale: Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets that have source addresses for which the system has no route or if the route does not point towards the interface on which the packet arrived. Depending on the role of the system, reverse-path filtering may cause legitimate traffic to be discarded; therefore, it should be used with a more permissive mode or filter, or not at all. Whenever possible, reverse-path filtering should be used.

Step 18. Source: DISA. CIS/DISA ID: GEN007780. Setting Name: Disable 6to4.
CIS/DISA Setting: The system must not have 6to4 enabled.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for disabling 6to4.
Rationale: 6to4 is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets on an ad-hoc basis. This is not a preferred transition strategy and increases the attack surface of the system.

Step 19. Source: DISA. CIS/DISA ID: GEN000000-AIX0230. Setting Name: IP fragmentation attacks protection.
CIS/DISA Setting: The system must provide protection against IP fragmentation attacks.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for IP fragmentation attacks protection.
Rationale: The parameter ip_nfrag provides an additional layer of protection against IP fragmentation attacks. The value the ip_nfrag specifies is the maximum number of fragments of an IP packet that can be kept in the IP reassembly queue at any time. The default value of this network option is 200. This is a reasonable value for most environments and offers protection from IP fragmentation attacks.

Step 20. Source: DISA. CIS/DISA ID: GEN003602. Setting Name: ICMP timestamp requests.
CIS/DISA Setting: The system must not process ICMP timestamp requests.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for ICMP timestamp requests.
Rationale: Processing ICMP timestamp requests increases the attack surface of the system.

Step 21. Source: DISA. CIS/DISA ID: GEN003611. Setting Name: Martian packets.
CIS/DISA Setting: The system must log martian packets. Add rules to log inbound traffic containing invalid source addresses, which minimally include the system’s own addresses and broadcast addresses for attached subnets.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for logging martian packets.
Rationale: Martian packets are packets containing addresses known by the system to be invalid. Logging the receipt of these packets allows the system administrator to identify misconfigurations or attacks in progress.

1.7 AIX Security Expert – Miscellaneous Enhancements

Step 22. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 1.7.7. Setting Name: Miscellaneous Enhancements – default umask.
CIS/DISA Setting: Check global initialization files for the configured umask value. Check local initialization files for the configured umask value. The system and user default umask must be 077.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for default umask.
Rationale: The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a 4-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the user defaults for each account on the system.

Step 23. Source: DISA. CIS/DISA ID: GEN002715, GEN002716, GEN002717, GEN002718. Setting Name: System audit tool executables.
CIS/DISA Setting: System audit tool executables (e.g., audit, auditcat, auditconv, auditpr, auditselect, auditstream, auditbin, and auditmerge) must be owned by root, must be group-owned by bin, sys, or system, must have mode 0750 or less permissive, and must not have extended ACLs.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for system audit tool executables.
Rationale: To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.

Step 24. Source: DISA. CIS/DISA ID: GEN006565. Setting Name: Periodic verification of system software.
CIS/DISA Setting: The system package management tool must be used to verify system software periodically. Check the root crontab for a job invoking the system package management tool to verify the integrity of installed packages.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for periodic verification of system software.
Rationale: The system package management tool can be used to verify that system software has not been tampered with.

Step 25. Source: DISA. CIS/DISA ID: GEN006570. Setting Name: Verification of ACLs.
CIS/DISA Setting: The file integrity tool must be configured to verify ACLs.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for periodic verification of ACLs.
Rationale: ACLs can provide permissions beyond those permitted through the file mode; therefore, they must be verified by file integrity tools.

Step 26. Source: DISA. CIS/DISA ID: GEN006571. Setting Name: Verification of extended attributes.
CIS/DISA Setting: The file integrity tool must be configured to verify extended attributes.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for periodic verification of extended attributes.
Rationale: Extended attributes in file systems may contain arbitrary data and file metadata with security implications.
2.1 Non AIX Security Expert Managed Recommendations – Configuring syslog

Step 27. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 2.1.1. Setting Name: Configuring Syslog – local logging.
CIS/DISA Setting: The benchmark recommends implementing a local syslog configuration which is not automatically established. The benchmark also recommends a weekly rotation in a four week cycle.
NRC-Specific Requirement: NRC standards establish specific requirements for the information that shall be recorded and retained in logs. NRC standards also establish the required frequency for Information System Security Officer (ISSO) log reviews based on the security categorization of the system and the information that must be retained from the audit log review.
Rationale: CSO-STD-2005, “NRC System Monitoring Standard,” establishes the NRC requirements for local logging. CSO-STD-0020, “Organization Defined Values for System Security Controls Standard” (AU-2), establishes the events that shall be audited.

Step 28. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 2.1.2. Setting Name: Configuring Syslog – remote logging.
CIS/DISA Setting: Explicitly define a remote host for auth.info data in /etc/syslog.conf. To further enhance the local syslog logging process, CIS recommends that syslog information, in particular that generated by the auth facility, is logged remotely.
NRC-Specific Requirement: NRC standards establish specific requirements for the information that shall be recorded and retained in logs.
Rationale: CSO-STD-2005, “NRC System Monitoring Standard,” establishes the NRC requirements for remote audit logging. CSO-STD-0020, “Organization Defined Values for System Security Controls Standard” (AU-2), establishes the events that shall be audited.

Step 29. Source: DISA. CIS/DISA ID: GEN005390, GEN005395, GEN005400, GEN005420. Setting Name: The syslog.conf file configuration.
CIS/DISA Setting: The /etc/syslog.conf file must be owned by root, must be group-owned by bin, sys, or system, must have mode 0640 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for syslog.conf file configuration.
Rationale: Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file.

2.2 Non AIX Security Expert Managed Recommendations – Secure Remote Access

Step 30. Source: CIS. CIS/DISA ID: CIS-AIX 5.3-6.1: 2.2.5. Setting Name: Configuring SSH – banner configuration.
CIS/DISA Setting: Edit the /etc/ssh/sshd_config file and configure a path to a login message. Set a login herald message that requires a user to accept the terms and conditions of an organization’s acceptable usage standards.
NRC-Specific Requirement: NRC standards establish the requirement that systems must be configured to display warning banners to users when they initially access an NRC IT system.
Rationale: CSO-GUID-1102, “NRC Password and Warning Banner Guidance,” establishes the NRC requirement for warning banners.

Step 31. Source: DISA. CIS/DISA ID: GEN005521. Setting Name: SSH daemon login restrictions.
CIS/DISA Setting: The Secure Shell (SSH) daemon must restrict login ability to specific users and/or groups.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for SSH daemon login restrictions.
Rationale: Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing, other SSH attacks from reaching system accounts, and other accounts not authorized for SSH access.

2.3 Non AIX Security Expert Managed Recommendations – Sendmail Configuration

Step 32. Source: DISA. CIS/DISA ID: GEN004480. Setting Name: SMTP service log file owner.
CIS/DISA Setting: Identify any log files configured for the mail service at any severity level, or those configured for all services. Check the ownership of these log files. The Simple Mail Transport Protocol (SMTP) service log file must be owned by root.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for SMTP service log file owner. NRC Standards and the CIS Benchmark do not provide a requirement for this setting.
Rationale: If the SMTP service log file is not owned by root, then unauthorized personnel may modify or delete the file to hide a system compromise.

Step 33. Source: DISA. CIS/DISA ID: GEN004500. Setting Name: SMTP service log file permissions.
CIS/DISA Setting: Check the mode of the SMTP service log file. The SMTP service log file must have mode 0644 or less permissive.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for SMTP service log file permissions. NRC Standards and the CIS Benchmark do not provide a requirement for this setting.
Rationale: If the SMTP service log file is more permissive than 0644, unauthorized users may be allowed to change the log file.

Step 34. Source: DISA. CIS/DISA ID: GEN004510. Setting Name: SMTP service log file extended ACL.
CIS/DISA Setting: Check if extended permissions are disabled. The SMTP service log file must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for SMTP service log file extended ACL permissions. NRC Standards and the CIS Benchmark do not provide a requirement for this setting.
Rationale: If the SMTP service log file has an extended ACL, unauthorized users may be allowed to access or modify the log file.
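Added example, not from CSO-STD-1417 or the DISA STIG: a POSIX shell check for the ownership, group, "mode N or less permissive" and "no extended ACL" pattern that Steps 11, 23, 29 and 32-34 share. It assumes one ls -l line for the file and a saved aclget output in the AIXC format; the sample lines and ACL text it uses are constructed.

```shell
#!/bin/sh
# Added example, not part of CSO-STD-1417: check one configuration file or
# audit tool against the ownership, group, "mode N or less permissive" and
# "no extended ACL" requirements of Steps 11, 23, 29 and 32-34. Input is an
# "ls -l" line for the file plus a saved "aclget FILE" output (AIXC format);
# the sample lines and ACL text used below are constructed.

# symbolic_to_octal rwxr-x--- -> 0750; s/S/t/T add the setuid/setgid/sticky
# bits, so a 4-digit mode is produced (first digit 0 for ordinary files)
symbolic_to_octal() {
    m=$1; mode=0; i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$m" | cut -c "$i")
        bit=$(( 1 << (9 - i) ))
        case $c in
            r|w|x) mode=$(( mode | bit )) ;;
            s)     mode=$(( mode | bit | (i == 3 ? 04000 : 02000) )) ;;
            S)     mode=$(( mode | (i == 3 ? 04000 : 02000) )) ;;
            t)     mode=$(( mode | bit | 01000 )) ;;
            T)     mode=$(( mode | 01000 )) ;;
        esac
        i=$(( i + 1 ))
    done
    printf '%04o\n' "$mode"
}

# mode_within MODE MAXMODE -> true when MODE grants no permission bit that
# MAXMODE does not; this is the STIG's "mode N or less permissive" test,
# so 0600 is within 0640 but 0644 and 4640 are not
mode_within() {
    case $1$2 in *[!0-7]*|'') return 1 ;; esac
    [ $(( (0$1 & ~0$2) & 07777 )) -eq 0 ]
}

# acl_extended_disabled ACLGET_OUTPUT -> true when the line following
# "extended permissions" reads "disabled"; a missing section is a failure
acl_extended_disabled() {
    awk 'BEGIN { st = 1 }
         /^extended permissions/ { want = 1; next }
         want == 1 { st = ($1 == "disabled") ? 0 : 1; exit }
         END { exit st }' "$1"
}

# check_config_file "LS_LINE" MAXMODE ACLGET_OUTPUT -> prints each finding
# for the file named at the end of LS_LINE, returns 0 when it is compliant
check_config_file() {
    read -r perms links owner group rest <<EOF
$1
EOF
    path=${1##* }; rc=0
    mode=$(symbolic_to_octal "$(printf '%s' "$perms" | cut -c 2-10)")
    [ "$owner" = root ] ||
        { echo "$path: owner is $owner, must be root"; rc=1; }
    case $group in bin|sys|system) ;;
        *) echo "$path: group is $group, must be bin, sys or system"; rc=1 ;;
    esac
    mode_within "$mode" "$2" ||
        { echo "$path: mode $mode is more permissive than $2"; rc=1; }
    acl_extended_disabled "$3" ||
        { echo "$path: extended ACL is enabled or could not be read"; rc=1; }
    return $rc
}

# write_sample_acl FILE disabled|enabled -> constructed aclget-style output
write_sample_acl() {
    printf '*\n* ACL_type   AIXC\n*\nattributes:\nbase permissions\n    owner(root):  rw-\n    group(system):  r--\n    others:  ---\nextended permissions\n    %s\n' "$2" > "$1"
}

# On an AIX 6.1 host (limits from Table 3.1-1: 0640 for /etc/ntp.conf and
# /etc/syslog.conf, 0750 for the audit tools, 0644 for the SMTP log):
#   aclget /etc/syslog.conf > /tmp/acl.txt
#   check_config_file "$(ls -l /etc/syslog.conf)" 0640 /tmp/acl.txt
```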
2.4
No
n A
IX S
ecu
rity
Exp
ert
Man
aged
Rec
om
me
nd
atio
ns
– C
om
mo
n D
eskt
op
En
viro
nm
ent
(CD
E)
35.
C
IS
CIS
-AIX
5.3
-6.1
: 2.4
.5
CD
E –
sc
reen
save
r lo
ck
Set
the
defa
ult
timeo
ut
para
met
ers
dtse
ssio
n*sa
vert
imeo
ut:
and
dtse
ssio
n*lo
ckT
imeo
ut:
Set
a p
assw
ord
prot
ecte
d sc
reen
save
r in
voke
d b
y th
e C
DE
se
ssio
n m
anag
er a
fter
10 m
inut
es o
f ke
ybo
ard
or m
ouse
inac
tivity
.
NR
C s
tan
dard
s es
tabl
ish
spec
ific
requ
ire
men
ts fo
r th
e le
ngth
of i
nact
ivity
bef
ore
initi
atin
g a
sess
ion
lock
bas
ed
on th
e ca
tego
rizat
ion
of th
e sy
stem
.
CS
O-S
TD
-002
0, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m
Sec
urity
Co
ntro
ls S
tand
ard”
(A
C-1
1), e
stab
lishe
s th
e le
ngt
h of
inac
tivity
bef
ore
initi
atin
g a
sess
ion
lock
.
Step 36
Source: DISA
CIS/DISA ID: GEN000510
Setting Name: Graphical desktop environment session lock pattern
CIS/DISA Setting: The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the graphical desktop environment session lock pattern.
Rationale: To protect the on-screen content of a session, the content must be replaced with a publicly-viewable pattern upon session lock. Examples of publicly viewable patterns include screen saver patterns, photographic images, solid colors, or a blank screen, so long as none of those patterns convey sensitive information.

Step 37
Source: DISA
CIS/DISA ID: GEN005160
Setting Name: Any X Windows host must write .Xauthority files.
CIS/DISA Setting: Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for writing .Xauthority files.
Rationale: .Xauthority files ensure the user is authorized to access the specific X Windows host. If .Xauthority files are not used, unauthorized access to the X Windows host may be obtained.

Step 38
Source: DISA
CIS/DISA ID: GEN005220
Setting Name: .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
CIS/DISA Setting: Search the system for X*.hosts files, where * is a display number that may be used to limit X window connections. If no files are found, X*.hosts files are not being used. If the X*.hosts files contain any unauthorized hosts, this is a finding.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for restricting access to the X server.
Rationale: If access to the X server is not restricted, a user’s X session may be compromised.

Step 39
Source: DISA
CIS/DISA ID: GEN005240
Setting Name: The .Xauthority utility must only permit access to authorized hosts.
CIS/DISA Setting: Remove unauthorized clients from the xauth configuration.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for using the .Xauthority utility to only permit access to authorized hosts.
Rationale: If unauthorized clients are permitted access to the X server, a user’s X session may be compromised.

Step 40
Source: DISA
CIS/DISA ID: GEN005200
Setting Name: X display exporting
CIS/DISA Setting: X displays must not be exported to the world.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for X display exporting.
Rationale: Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.
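The host-list and .Xauthority checks of Steps 37 through 40 can be scripted. The POSIX sh helper below is an added example written for this page; it is not part of CSO-STD-1417, the CIS benchmark or the DISA STIG. It reads X*.hosts files from a directory passed as a parameter (/etc on a real host), reports every entry that is not on a caller-supplied allowlist (so an entry such as "+" is reported too), and lists home directories that have no .Xauthority file. The directory parameters and the allowlist are assumptions chosen so the helper can be tried on constructed files.

```shell
#!/bin/sh
# Added audit helper; not part of CSO-STD-1417, the CIS benchmark or the
# DISA STIG. Checks X*.hosts access lists (Steps 38-40) against an
# allowlist and reports home directories without an .Xauthority file
# (Step 37). Directories are parameters so the checks can be run against
# constructed files; on a real host pass /etc and /home.

# audit_xhosts DIR ALLOWED
#   DIR      directory searched for X*.hosts files (per-display access lists)
#   ALLOWED  space-separated hosts permitted to connect to the X server
# Prints one FINDING line per entry that is not on the allowlist.
# Returns 0 when no finding was produced.
audit_xhosts() {
    dir=$1
    allowed=" $2 "
    findings=0
    found_any=0
    for f in "$dir"/X*.hosts; do
        [ -f "$f" ] || continue
        found_any=1
        while IFS= read -r host || [ -n "$host" ]; do
            case $host in
                ''|\#*) continue ;;              # blank line or comment
            esac
            case $allowed in
                *" $host "*) ;;                  # on the allowlist
                *) echo "FINDING: $f: '$host' is not an authorized host"
                   findings=$((findings + 1)) ;;
            esac
        done < "$f"
    done
    if [ "$found_any" -eq 0 ]; then
        # Not a finding by itself: the STIG accepts .Xauthority instead.
        echo "NOTE: no X*.hosts files in $dir; host-based access control is not in use"
    fi
    [ "$findings" -eq 0 ]
}

# users_without_xauthority BASE
#   BASE  parent of the user home directories
# Lists home directories that lack an .Xauthority file. A user of X whose
# home has no such file is not being issued per-session authorization
# cookies, so access for that user is not restricted by xauth.
users_without_xauthority() {
    base=$1
    missing=0
    for h in "$base"/*/; do
        [ -d "$h" ] || continue
        if [ ! -f "$h.Xauthority" ]; then
            echo "NOTE: ${h%/} has no .Xauthority file"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

On a real host the two calls are `audit_xhosts /etc "host1.example host2.example"` and `users_without_xauthority /home`; the second only reports, because a home directory without .Xauthority is a finding only for accounts that actually use X.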
Step 41
Source: DISA
CIS/DISA ID: GEN005760, GEN005770
Setting Name: NFS export configuration file
CIS/DISA Setting: The Network File System (NFS) export configuration file must have mode 0644 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the NFS export configuration file.
Rationale: File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.

2.5 Non AIX Security Expert Managed Recommendations – NFS

Step 42
Source: DISA
CIS/DISA ID: GEN005760
Setting Name: NFS export configuration file
CIS/DISA Setting: The NFS export configuration file (chmod 0644 /etc/exports) must have mode 0644 or less permissive.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for NFS export configuration file permissions.
Rationale: Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.

2.7 Non AIX Security Expert Managed Recommendations – SNMP

Step 43
Source: CIS
CIS/DISA ID: CIS-AIX 5.3-6.1: 2.7
Setting Name: SNMP
CIS/DISA Setting: Define community strings that are greater than six characters and include a combination of letters, numbers, and special characters.
NRC-Specific Requirement: With the System Network Monitoring Protocol (SNMP), community strings must be set using NRC standards that establish the requirements for strong passwords.
Rationale: CSO-STD-0001, “NRC Strong Password Standard,” establishes the NRC requirements for these values.
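One way to check the Step 43 rule against an existing configuration, as an added example that is not code from CSO-STD-1417 or the CIS benchmark: the helper below validates a community string for length and character classes, then applies that check to every community line of a file. It assumes the AIX snmpd.conf layout in which the community name is the second whitespace-separated field of a line beginning with the word community; the sample file used to exercise it is constructed.

```shell
#!/bin/sh
# Added checker; not part of CSO-STD-1417, the CIS benchmark or the DISA
# STIG. Applies the Step 43 community-string rule (more than six characters,
# with letters, numbers and special characters) to the "community" lines of
# an snmpd.conf. Assumption: the AIX snmpd.conf line layout
#   community <name> [<address> <netmask> [<permission> [<view>]]]
# so the community string is the second whitespace-separated field.

# check_community_string STRING -> returns 0 if the string meets the rule
check_community_string() {
    s=$1
    [ "${#s}" -gt 6 ] || return 1                      # more than six characters
    case $s in *[A-Za-z]*) ;; *) return 1 ;; esac      # at least one letter
    case $s in *[0-9]*) ;; *) return 1 ;; esac         # at least one digit
    case $s in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac  # at least one special character
    return 0
}

# audit_snmpd_conf FILE -> prints one FINDING per weak community line.
# Only the line number is reported: the string is an authenticator and
# should not be echoed into audit output.
audit_snmpd_conf() {
    file=$1
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                              # split on whitespace
        [ "${1:-}" = community ] || continue
        if ! check_community_string "${2:-}"; then
            echo "FINDING: $file line $n: community string does not meet the Step 43 strength rule"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}
```

On AIX the call is `audit_snmpd_conf /etc/snmpd.conf`; a non-zero return means at least one community string needs to be replaced under CSO-STD-0001.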
Step 44
Source: DISA
CIS/DISA ID: GEN005320, GEN005360, GEN005365, GEN005375
Setting Name: The snmpd.conf file configuration
CIS/DISA Setting: The snmpd.conf file must have mode 0600 or less permissive, must be owned by root, must be group-owned by bin, sys, or system, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for snmpd.conf file configuration.
Rationale: The snmpd.conf file contains authenticators and must be protected from unauthorized access and modification.

2.11 Non AIX Security Expert Managed Recommendations – Permissions and Ownership

Step 45
Source: DISA
CIS/DISA ID: GEN000000-AIX0085, GEN000000-AIX0090, GEN000000-AIX0100, GEN000000-AIX0110
Setting Name: The /etc/netsvc.conf file configuration
CIS/DISA Setting: The /etc/netsvc.conf file must be root owned, must be group-owned by bin, sys, or system, must have mode 0644 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for using the /etc/netsvc.conf file configuration.
Rationale: The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.

Step 46
Source: DISA
CIS/DISA ID: GEN001362, GEN001363, GEN001364, GEN001365
Setting Name: The /etc/resolv.conf file configuration
CIS/DISA Setting: The /etc/resolv.conf file must be root owned, must be group-owned by bin, sys, or system, must have mode 0644 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for using the /etc/resolv.conf file configuration.
Rationale: The resolv.conf (or equivalent) file configures the system’s Domain Name System (DNS) resolver. DNS is used to resolve host names to IP addresses. If the DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.

Step 47
Source: DISA
CIS/DISA ID: GEN001366, GEN001367, GEN001368, GEN001369
Setting Name: The /etc/hosts file configuration
CIS/DISA Setting: The /etc/hosts file must be root owned, must be group-owned by bin, sys, or system, must have mode 0644 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for using the /etc/hosts file configuration.
Rationale: The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, the file could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Step 48
Source: DISA
CIS/DISA ID: GEN001720, GEN001730, GEN001740, GEN001760
Setting Name: Global initialization file configuration
CIS/DISA Setting: All global initialization files must be root owned, must be group-owned by bin, sys, security or system, must have mode 0644 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for global initialization file configuration.
Rationale: Global initialization files are used to configure the user’s shell environment upon login. Malicious modification of these files could compromise accounts upon logon.

Step 49
Source: DISA
CIS/DISA ID: GEN001800, GEN001810, GEN001820, GEN001830
Setting Name: Skeleton file and directory configuration
CIS/DISA Setting: All skeleton files and directories (typically in /etc/skel) must be owned by root or bin, must be group-owned by security, must have mode 0644 or less permissive, and must not have extended ACLs.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for skeleton file and directory configurations.
Rationale: If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.

Step 50
Source: DISA
CIS/DISA ID: GEN001860, GEN001870, GEN001880, GEN001890
Setting Name: Local initialization file configuration
CIS/DISA Setting: All local initialization files must be owned by the user or root, must be group-owned by the user’s primary group or root, must have mode 0740 or less permissive, and must not have extended ACLs.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for local initialization file configuration.
Rationale: Local initialization files are used to configure the user’s shell environment upon login. Malicious modification of these files could compromise accounts upon logon.

Step 51
Source: DISA
CIS/DISA ID: GEN002200, GEN002210, GEN002220, GEN002230
Setting Name: Shell file configuration
CIS/DISA Setting: All shell files must be owned by root or bin, must be group-owned by root, bin, sys, or system, must have mode 0755 or less permissive, and must not have extended ACLs.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for shell file configuration.
Rationale: Shells with world/group write permissions give the ability to maliciously modify the shell to obtain unauthorized access. If shell files are group-owned by users other than root or a system group, they could be modified by intruders or malicious users to perform unauthorized actions. If shell files are owned by users other than root or bin, they could be modified by intruders or malicious users to perform unauthorized actions.

Step 52
Source: DISA
CIS/DISA ID: GEN003760, GEN003770, GEN003780, GEN003790
Setting Name: The services file configuration
CIS/DISA Setting: The services file must be owned by root or bin, must be group-owned by bin, sys, or system, must have mode 0444 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for services file configuration.
Rationale: The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.

Step 53
Source: DISA
CIS/DISA ID: GEN006100, GEN006120, GEN006140, GEN006150
Setting Name: SMB configuration file
CIS/DISA Setting: The /usr/lib/smb.conf file must be owned by root, must be group-owned by bin, sys, or system, must have mode 0644 or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the Server Message Block (SMB) configuration file.
Rationale: A compromised configuration could endanger the security of the Samba configuration file and, ultimately, the system and network.

Step 54
Source: DISA
CIS/DISA ID: GEN006210, GEN006200, GEN006180, GEN006160
Setting Name: smbpasswd file configuration
CIS/DISA Setting: The /var/private/smbpasswd file must not have an extended ACL, must have mode 0600 or less permissive, must be group-owned by sys or system, and must be owned by root.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the smbpasswd file configuration.
Rationale: The smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.

Step 55
Source: DISA
CIS/DISA ID: GEN008060, GEN008080, GEN008100, GEN008120
Setting Name: ldap.conf file configuration
CIS/DISA Setting: If the system is using Lightweight Directory Access Protocol (LDAP) for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive, must be owned by root, must be group-owned by security, bin, sys, or system, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the ldap.conf file configuration.
Rationale: LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.

Step 56
Source: DISA
CIS/DISA ID: GEN008140, GEN008160, GEN008180, GEN008200
Setting Name: TLS certificate authority file and/or directory configuration
CIS/DISA Setting: If the system is using LDAP for authentication or account information, the Transport Layer Protocol (TLS) certificate authority file and/or directory (as appropriate) must be owned by root, must be group-owned by root, bin, sys, or system, must have mode 0644 (0755 for directories) or less permissive, and must not have an extended ACL.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the TLS certificate authority file and/or directory configuration.
Rationale: LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
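Steps 41 through 56 all state the same kind of rule (owner, group, mode "or less permissive", no extended ACL) for different files. The helper below, an added example that is not part of CSO-STD-1417, the CIS benchmark or the DISA STIG, turns that rule into one reusable check and drives it from a table of the files named in Steps 44 through 56. It derives the mode from ls -ld output so it behaves the same on AIX and on a Linux machine used to try it; the extended-ACL probe (aclget on AIX, the "+" indicator of ls elsewhere) and /etc/services as the location of the "services file" of Step 52 are assumptions marked in the comments.

```shell
#!/bin/sh
# Added audit helper; not part of CSO-STD-1417, the CIS benchmark or the
# DISA STIG. Checks a file's owner, group, mode ("or less permissive") and
# extended-ACL state against the values given in Steps 41-56.

# perm_to_octal PERMS -> 4-digit octal mode for an ls -l permission string
# such as -rwsr-xr-x (setuid, setgid and sticky bits are handled).
perm_to_octal() {
    p=$1
    special=0
    digits=""
    pos=2
    for bit in 4 2 1; do                      # owner, group, others
        r=$(printf '%s' "$p" | cut -c"$pos")
        w=$(printf '%s' "$p" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$p" | cut -c"$((pos + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in x|s|t) v=$((v + 1)) ;; esac
        case $x in s|S|t|T) special=$((special + bit)) ;; esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# has_extended_acl FILE -> returns 0 when an extended ACL is present.
# Assumption: on AIX, aclget prints "extended permissions" followed by a
# line reading "enabled" or "disabled"; where aclget is absent, fall back
# to the "+" that ls -l prints in column 11 for a file carrying an ACL.
has_extended_acl() {
    f=$1
    if command -v aclget >/dev/null 2>&1; then
        aclget "$f" | awk '/extended permissions/ { getline; if ($1 == "enabled") found = 1 }
                           END { exit !found }'
    else
        [ "$(ls -ld "$f" | cut -c11)" = "+" ]
    fi
}

# check_file FILE MAXMODE OWNERS GROUPS
#   MAXMODE  most permissive acceptable mode, e.g. 0644
#   OWNERS   space-separated acceptable owners, e.g. "root bin"
#   GROUPS   space-separated acceptable groups, e.g. "bin sys system"
# Prints one FINDING line per deviation; returns 0 when FILE complies.
check_file() {
    f=$1; max=$2; owners=" $3 "; groups=" $4 "
    findings=0
    if [ ! -e "$f" ]; then
        echo "FINDING: $f does not exist"
        return 1
    fi
    set -- $(ls -ld "$f")                     # $1 perms, $3 owner, $4 group
    mode=$(perm_to_octal "$1")
    owner=$3
    group=$4
    # "or less permissive": every bit set in mode must also be set in MAXMODE
    if [ $(( 0$mode | 0$max )) -ne $(( 0$max )) ]; then
        echo "FINDING: $f has mode $mode, more permissive than $max"
        findings=$((findings + 1))
    fi
    case $owners in *" $owner "*) ;; *)
        echo "FINDING: $f is owned by $owner, expected one of:$owners"
        findings=$((findings + 1)) ;;
    esac
    case $groups in *" $group "*) ;; *)
        echo "FINDING: $f is group-owned by $group, expected one of:$groups"
        findings=$((findings + 1)) ;;
    esac
    if has_extended_acl "$f"; then
        echo "FINDING: $f has an extended ACL"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# audit_standard_files: the files named in Steps 44-56. Lines tagged
# "optional" (Samba, LDAP) are skipped when the file is absent, because the
# requirement applies only if the service is in use. /etc/services is the
# assumed location of the "services file" of Step 52.
audit_standard_files() {
    rc=0
    while IFS='|' read -r path max owners groups flag; do
        if [ "$flag" = optional ] && [ ! -e "$path" ]; then continue; fi
        check_file "$path" "$max" "$owners" "$groups" || rc=1
    done <<EOF
/etc/snmpd.conf|0600|root|bin sys system|
/etc/netsvc.conf|0644|root|bin sys system|
/etc/resolv.conf|0644|root|bin sys system|
/etc/hosts|0644|root|bin sys system|
/etc/services|0444|root bin|bin sys system|
/usr/lib/smb.conf|0644|root|bin sys system|optional
/var/private/smbpasswd|0600|root|sys system|optional
/etc/ldap.conf|0644|root|security bin sys system|optional
EOF
    return $rc
}
```

Running `audit_standard_files` as root on an AIX host prints one FINDING per deviation and returns non-zero if any file fails; `check_file` can be pointed at the NFS export file of Steps 41 and 42 (`check_file /etc/exports 0644 root "bin sys system"`) or at each global or local initialization file of Steps 48 through 51 in the same way.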
2.12 Non AIX Security Expert Managed Recommendations – Miscellaneous Configuration Changes

Step 57
Source: DISA
CIS/DISA ID: GEN003540
Setting Name: Non-Executable Program Stacks.
CIS/DISA Setting: On 64-bit systems, verify the sed_config (Stack Execution Disable) setting is “all.” (32-bit systems do not support sed_config. This is a permanent finding on 32-bit AIX systems.)
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for non-executable program stacks.
Rationale: A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than the application is prepared for and stores this information on its stack, writing beyond the reserved space. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to prohibit the execution of instructions in sections of memory identified as part of the stack.

Step 58
Source: CIS
CIS/DISA ID: CIS-AIX 5.3-6.1: 2.12.11
Setting Name: Miscellaneous Config – ftp banner
CIS/DISA Setting: If FTP is required on the system, establish an FTP login banner that displays necessary warning to users trying to gain unauthorized access to the system and that all activity will be monitored and reported.
NRC-Specific Requirement: NRC standards restrict the use of FTP.
Rationale: CSO-STD-2008, “NRC Network Protocol Standard,” specifically restricts the use of FTP at NRC.

Step 59
Source: CIS
CIS/DISA ID: CIS-AIX 5.3-6.1: 2.12.12
Setting Name: Miscellaneous Config – /etc/motd
CIS/DISA Setting: Create a /etc/motd file. Set a post initial login statutory warning message that could aid in the prosecution of offenders guilty of unauthorized system access.
NRC-Specific Requirement: NRC standards establish the specific requirement that systems must be configured to display warning banners to users when they initially access an NRC IT system.
Rationale: CSO-GUID-1102, “NRC Password and Warning Banner Guidance,” establishes the NRC requirements for warning banners.

Step 60
Source: DISA
CIS/DISA ID: GEN000340
Setting Name: System account UID reservations
CIS/DISA Setting: User Identifiers (UIDs) reserved for system accounts must not be assigned to non-system accounts.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for the system account UID reservations.
Rationale: Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files.

Step 61
Source: DISA
CIS/DISA ID: GEN000360
Setting Name: Group identifier reservations
CIS/DISA Setting: Group Identifiers (GIDs) reserved for system accounts must not be assigned to non-system groups.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for group identifier reservations.
Rationale: Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions to modify system files.

Step 62
Source: DISA
CIS/DISA ID: GEN000380
Setting Name: GID defined in both /etc/passwd file and /etc/group file.
CIS/DISA Setting: All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for GID defined in both /etc/passwd file and /etc/group file.
Rationale: If a user is assigned the GID of a group that does not exist on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.
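The UID and GID checks of Steps 60 through 62, as an added POSIX sh example that is not code from CSO-STD-1417 or the DISA STIG. The passwd and group files are parameters, so the helper can be run against copies or constructed data; the upper bound of the reserved range and the lists of system account and group names are site values supplied by the caller, because the standard gives no number for them.

```shell
#!/bin/sh
# Added audit helper; not part of CSO-STD-1417 or the DISA STIG. Implements
# the checks of Steps 60-62 over passwd/group files given as parameters:
# every GID referenced in passwd must exist in group (Step 62), and UIDs and
# GIDs in the reserved range must belong only to known system accounts and
# groups (Steps 60 and 61). Assumptions: the reserved-range bound and the
# system account/group name lists are supplied by the caller, since the
# standard states no number; any sample data used with it is constructed.

# audit_accounts PASSWD GROUP RESERVED_MAX SYSTEM_USERS SYSTEM_GROUPS
#   RESERVED_MAX   highest UID/GID in the reserved range
#   SYSTEM_USERS   space-separated names of accounts allowed in that range
#   SYSTEM_GROUPS  space-separated names of groups allowed in that range
# Prints one FINDING line per deviation; returns 0 when none is found.
audit_accounts() {
    passwd=$1; group=$2; reserved_max=$3
    sys_users=" $4 "; sys_groups=" $5 "
    findings=0

    # Step 62: collect the GIDs defined in the group file (field 3).
    known_gids=" $(awk -F: 'NF >= 3 && $1 !~ /^#/ { printf "%s ", $3 }' "$group")"

    while IFS=: read -r name pw uid gid rest; do
        case $name in ''|\#*) continue ;; esac
        case $known_gids in
            *" $gid "*) ;;
            *) echo "FINDING: user $name references GID $gid, which is not defined in $group"
               findings=$((findings + 1)) ;;
        esac
        # Step 60: reserved UID held by an account that is not a system account.
        if [ "$uid" -le "$reserved_max" ]; then
            case $sys_users in
                *" $name "*) ;;
                *) echo "FINDING: user $name has reserved UID $uid but is not a system account"
                   findings=$((findings + 1)) ;;
            esac
        fi
    done < "$passwd"

    # Step 61: reserved GID held by a group that is not a system group.
    while IFS=: read -r gname gpw ggid members; do
        case $gname in ''|\#*) continue ;; esac
        if [ "$ggid" -le "$reserved_max" ]; then
            case $sys_groups in
                *" $gname "*) ;;
                *) echo "FINDING: group $gname has reserved GID $ggid but is not a system group"
                   findings=$((findings + 1)) ;;
            esac
        fi
    done < "$group"

    [ "$findings" -eq 0 ]
}
```

On a live AIX host the call is `audit_accounts /etc/passwd /etc/group <bound> "<system accounts>" "<system groups>"`; the name lists are the accounts and groups the site has recorded as system-owned, which is what makes a reserved-range entry acceptable or a finding.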
Step 63
Source: DISA
CIS/DISA ID: GEN008420
Setting Name: Memory address randomization techniques
CIS/DISA Setting: The system must use available memory address randomization techniques.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for memory address randomization techniques.
Rationale: Successful exploitation of buffer overflow vulnerabilities relies in some measure on a predictable address structure. Address randomization techniques reduce the probability of a successful exploit.

2.14 Non AIX Security Expert Managed Recommendations – Encrypted File systems (EFS)

Step 64
Source: CIS
CIS/DISA ID: CIS-AIX 5.3-6.1: 2.14
Setting Name: Encrypted File (EFS) (AIX 6.1 only)
CIS/DISA Setting: Set up EFS, which is an enhancement of AIX 6.1. This enables users to encrypt their own data within a jfs2 file system.
NRC-Specific Requirement: Encryption shall be implemented according to CSO-STD-2009, “Cryptographic Control Standard.”
Rationale: CSO-STD-2009, “Cryptographic Control Standard” provides the NRC requirements for cryptography.

2.16 Non AIX Security Expert Managed Recommendations – General Permissions Management

Step 65
Source: DISA
CIS/DISA ID: GEN001940
Setting Name: User executed world-writable programs
CIS/DISA Setting: User start-up files must not execute world-writable programs.
NRC-Specific Requirement: NRC adheres to the DISA STIG’s setting for user executed world-writable programs.
Rationale: If start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to become Trojans destroying user files or otherwise compromising the system at the user, or higher, level. If the system is compromised at the user level, compromise of the system at the root and network level eventually becomes much easier.
4 DEFINITIONS
External Standard
An external security standard (e.g., a configuration baseline or set of requirements for the use of a technology or technologies) developed by a U.S. Government agency (e.g., Committee on National Security Systems [CNSS], DISA, National Security Agency [NSA], National Institute of Standards and Technology [NIST]), private organization (e.g., CIS), or a software / hardware vendor. External standards are used by the NRC as the basis for NRC cyber security standards.
Martian Packets Martian packets are packets containing addresses known by the system to be invalid. Logging these messages allows the system administrator to identify misconfigurations or attacks in progress.
5 ACRONYMS
AC Access Control
ACL Access Control List
AIX Advanced Interactive eXecutive
AU Audit and Accountability
CDE Common Desktop Environment
CIS Center for Internet Security
CNSS Committee on National Security Systems
CSO Computer Security Office
DAA Designated Approving Authority
DISA Defense Information Systems Agency
DNS Domain Name System
DR Deviation Request
EFS Encrypted File System
FTP File Transfer Protocol
GID Group Identifier
IBM International Business Machines
ICMP Internet Control Message Protocol
IP Internet Protocol
ISSO Information System Security Officer
LDAP Lightweight Directory Access Protocol
NFS Network File System
NIM Network Installation Management
NIST National Institute of Standards and Technology
NSA National Security Agency
NRC Nuclear Regulatory Commission
NTP Network Time Protocol
PMTUD Path Maximum Transmission Unit Discovery
SGI Safeguards Information
SMB Server Message Block
SMTP Simple Mail Transport Protocol
SNMP Simple Network Management Protocol
SSH Secure Shell
STD Standard
STIG Security Technical Implementation Guide
SUNSI Sensitive Unclassified Non-Safeguards Information
TCP Transmission Control Protocol
TLS Transport Layer Security
UID User Identifier
CSO-STD-1417 Change History
Date: 30-Sep-13
Version: 1.0
Description of Changes: Initial issuance
Method Used to Announce & Distribute: Distribution at ISSO forum and posting on CSO web page
Training: Upon request