[Forgot Password]
Login  Register Subscribe

23631

 
 

119105

 
 

98250

 
 

909

 
 

79281

 
 

109

Paid content will be excluded from the download.


Download | Alert*


oval:org.secpod.oval:def:26067
The password hashing algorithm should be set correctly in /etc/libuser.conf.

oval:org.secpod.oval:def:25891
Root login via SSH should be disabled (and dependencies are met)

oval:org.secpod.oval:def:25892
System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume.

oval:org.secpod.oval:def:26068
The direct gnome login warning banner should be set correctly.

oval:org.secpod.oval:def:25893
Idle activation of the screen lock should be enabled.

oval:org.secpod.oval:def:26069
The TFTP daemon should use secure mode.

oval:org.secpod.oval:def:25894
The kernel module rds should be disabled.

oval:org.secpod.oval:def:25895
The password hashing algorithm should be set correctly in /etc/pam.d/common-password.

oval:org.secpod.oval:def:25896
The kernel module cramfs should be disabled.

oval:org.secpod.oval:def:25897
The kernel module hfsplus should be disabled.

oval:org.secpod.oval:def:25898
The default umask for all users specified in /etc/login.defs

oval:org.secpod.oval:def:26060
The DPKG package 'isc-dhcp-server' should be removed.

oval:org.secpod.oval:def:26061
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)

oval:org.secpod.oval:def:26062
Plaintext authentication of mail clients should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:26063
The DPKG package 'vsftpd' should be installed.

oval:org.secpod.oval:def:26064
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:26065
Enable the GUI warning banner.

oval:org.secpod.oval:def:26066
The DPKG package 'xserver-common' should be removed.

oval:org.secpod.oval:def:25998
By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers ...

oval:org.secpod.oval:def:25999
The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing ca ...

oval:org.secpod.oval:def:26056
The DPKG package 'aide' should be installed.

oval:org.secpod.oval:def:26057
Only SSH protocol version 2 connections should be permitted.

oval:org.secpod.oval:def:26058
The DPKG package 'apache2' should be removed.

oval:org.secpod.oval:def:26059
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

oval:org.secpod.oval:def:26050
The DPKG package 'screen' should be installed.

oval:org.secpod.oval:def:26051
The DPKG package 'tftpd' should be removed.

oval:org.secpod.oval:def:26052
The SELinux in /boot/grub/grub.cfg should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:26053
The DPKG package 'squid' should be removed.

oval:org.secpod.oval:def:26054
The rsh service should be disabled if possible.

oval:org.secpod.oval:def:26055
The DPKG package 'xinetd' should be removed.

oval:org.secpod.oval:def:25987
The file /etc/pam.d/common-auth should not contain the nullok option

oval:org.secpod.oval:def:25988
The kernel runtime parameter "fs.suid_dumpable" should be set to "0".

oval:org.secpod.oval:def:25989
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:25990
The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".

oval:org.secpod.oval:def:26045
The rlogin service should be disabled if possible.

oval:org.secpod.oval:def:25991
The nosuid mount option prevents set-user-identifier (suid) and set-group-identifier (sgid) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce suid and g ...

oval:org.secpod.oval:def:26046
The DPKG package 'bind' should be removed.

oval:org.secpod.oval:def:25992
All wireless interfaces should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:26047
Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).

oval:org.secpod.oval:def:26048
The bind9 service should be disabled if possible.

oval:org.secpod.oval:def:25993
If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).

oval:org.secpod.oval:def:25994
The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".

oval:org.secpod.oval:def:26049
The DPKG package 'dovecot' should be removed.

oval:org.secpod.oval:def:25995
Check if SplitHosts line in logwatch.conf is set appropriately.

oval:org.secpod.oval:def:25996
The nodev option should be enabled for all NFS mounts in /etc/fstab.

oval:org.secpod.oval:def:25997
A remote NTP Server for time synchronization should be specified (and dependencies are met)

oval:org.secpod.oval:def:26040
The DPKG package 'rsyslog' should be installed.

oval:org.secpod.oval:def:26041
The DPKG package 'telnetd' should be removed.

oval:org.secpod.oval:def:26042
The telnet service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:26043
The DPKG package 'slapd' should be removed.

oval:org.secpod.oval:def:26044
The DPKG package 'rsh-server' should be removed.

oval:org.secpod.oval:def:25976
The logrotate (syslog rotater) service should be enabled.

oval:org.secpod.oval:def:25977
The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:25978
The kernel module usb-storage should be disabled.

oval:org.secpod.oval:def:25979
DHCP configuration should be static for all interfaces.

oval:org.secpod.oval:def:26034
File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly.

oval:org.secpod.oval:def:25980
Verify which group owns the /boot/grub/grub.cfg file.

oval:org.secpod.oval:def:26035
The rsyslog to Accept Messages via UDP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:25981
The /etc/gshadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:26036
The sshd service should be disabled if possible.

oval:org.secpod.oval:def:25982
The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:26037
The DPKG package 'snmpd' should be removed.

oval:org.secpod.oval:def:25983
All files should be owned by a user

oval:org.secpod.oval:def:26038
The DPKG package 'vsftpd' should be removed.

oval:org.secpod.oval:def:25984
Core dumps for all users should be disabled

oval:org.secpod.oval:def:26039
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:25985
The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME.

oval:org.secpod.oval:def:25986
The kernel runtime parameter "net.ipv4.conf.all.accept_source_route" should be set to "0".

oval:org.secpod.oval:def:26030
num_logs setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:26031
max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:26032
Ctrl-Alt-Del Reboot Activation should be set as appropriate.

oval:org.secpod.oval:def:26033
The Avahi daemon should be configured to serve via Ipv6 or not as appropriate.

oval:org.secpod.oval:def:25899
The password dcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:26070
The apache2 Proxy Module Support should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:26071
Dovecot plaintext authentication of clients should be enabled or disabled as necessary

oval:org.secpod.oval:def:26072
The DPKG package 'sendmail' should be removed.

oval:org.secpod.oval:def:26073
SSL capabilities should be enabled for the mail server.

oval:org.secpod.oval:def:26074
The DPKG package 'strongswan' should be installed.

oval:org.secpod.oval:def:25929
Syslog logs should be sent to a remote loghost

oval:org.secpod.oval:def:25921
The passwords to remember should be set correctly.

oval:org.secpod.oval:def:25922
The nosuid mount option should be set for temporary storage partitions such as /tmp. The suid/sgid permissions should not be required in these world-writable directories.

oval:org.secpod.oval:def:25923
The kernel module bluetooth should be disabled.

oval:org.secpod.oval:def:25924
Legitimate character and block devices should not exist within temporary directories like /run/shm. The nodev mount option should be specified for /run/shm.

oval:org.secpod.oval:def:25925
Postfix network listening should be disabled

oval:org.secpod.oval:def:25926
Look for argument audit=1 in the kernel line in /etc/grub.conf.

oval:org.secpod.oval:def:25927
Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.

oval:org.secpod.oval:def:25928
The kernel module hfs should be disabled.

oval:org.secpod.oval:def:25930
rsyslogd should reject remote messages

oval:org.secpod.oval:def:25931
The /etc/group file should be owned by the appropriate user.

oval:org.secpod.oval:def:25918
The kernel module udf should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:25919
The kernel module tipc should be disabled.

oval:org.secpod.oval:def:25910
Idle activation of the screen saver should be enabled.

oval:org.secpod.oval:def:25911
The password ucredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:25912
The password difok should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:25913
It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /run/shm. The noexec mount option prevents binaries from being executed out of /run/shm.

oval:org.secpod.oval:def:25914
The password lcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:25915
The screen saver should be blank.

oval:org.secpod.oval:def:25916
Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options, which is used as temporary storage by many program, particularly system services such as daemons. It is not uncommon for the /var directory to contain world-writable directories, installed by ot ...

oval:org.secpod.oval:def:25917
The kernel module jffs2 should be disabled.

oval:org.secpod.oval:def:25920
It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /tmp. The noexec mount option prevents binaries from being executed out of /tmp.

oval:org.secpod.oval:def:25907
The kernel module freevxfs should be disabled.

oval:org.secpod.oval:def:25908
If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.

oval:org.secpod.oval:def:25909
The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp.

oval:org.secpod.oval:def:25900
The squashfs Kernel Module should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:25901
The password ocredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:25902
The kernel module sctp should be disabled.

oval:org.secpod.oval:def:25903
Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

oval:org.secpod.oval:def:25904
The kernel module dccp should be disabled.

oval:org.secpod.oval:def:25905
All password hashes should be shadowed.

oval:org.secpod.oval:def:25906
The nosuid mount option should be set for temporary storage partitions such as /run/shm. The suid/sgid permissions should not be required in these world-writable directories.

oval:org.secpod.oval:def:25965
The Set Password Warning Age should be set appropriately.

oval:org.secpod.oval:def:25966
This test makes sure that '/etc/shadow' file permission is setted as appropriate. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:25967
The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".

oval:org.secpod.oval:def:25968
The 'grub.cfg' file should be owned by appropriate user. By default, this file is located at /boot/grub/grub.cfg or, for EFI systems, at /boot/grub/grub.cfg.

oval:org.secpod.oval:def:25969
The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".

oval:org.secpod.oval:def:26023
Configure the system to notify users of last logon/access using pam_lastlog.

oval:org.secpod.oval:def:26024
The /etc/apache2/conf-available/* files should have the appropriate permissions.

oval:org.secpod.oval:def:26025
The kernel runtime parameter "kernel.dmesg_restrict" should be set to "1".

oval:org.secpod.oval:def:25970
The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0".

oval:org.secpod.oval:def:25971
The password minimum length should be set appropriately.

oval:org.secpod.oval:def:26026
The maximum number of concurrent login sessions per user should meet minimum requirements.

oval:org.secpod.oval:def:26027
In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period.

oval:org.secpod.oval:def:25972
The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".

oval:org.secpod.oval:def:25973
The kernel runtime parameter "kernel.exec-shield" should be set to "1".

oval:org.secpod.oval:def:26028
Directory permissions for /etc/apache2/conf-enabled/ should be set as appropriate.

oval:org.secpod.oval:def:25974
Look for argument "nousb" in the kernel line in /etc/grub.conf

oval:org.secpod.oval:def:26029
Protect against unnecessary release of information.

oval:org.secpod.oval:def:25975
The minimum password age policy should be set appropriately.

oval:org.secpod.oval:def:26020
action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account

oval:org.secpod.oval:def:26021
The '.rhosts' or 'hosts.equiv' files should exists or doesn't exists on the system.

oval:org.secpod.oval:def:26022
The accounts should be configured to expire automatically following Inactivity accounts.

oval:org.secpod.oval:def:25954
File permissions for '/etc/group' should be set correctly.

oval:org.secpod.oval:def:26009
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".

oval:org.secpod.oval:def:25955
The root account is the only system account that should have a login shell.

oval:org.secpod.oval:def:25956
The '/etc/shadow' file should be owned by the appropriate group.

oval:org.secpod.oval:def:25957
The SELinux state should be enforcing the local policy.

oval:org.secpod.oval:def:25958
Only the root account should be assigned a user id of 0.

oval:org.secpod.oval:def:25959
The nosuid option should be enabled for all NFS mounts in /etc/fstab.

oval:org.secpod.oval:def:26012
Test if HostLimit line in logwatch.conf is set appropriately. On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is runni ...

oval:org.secpod.oval:def:26013
The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME.

oval:org.secpod.oval:def:26014
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.

oval:org.secpod.oval:def:26015
The password hashing algorithm should be set correctly in /etc/login.defs.

oval:org.secpod.oval:def:25960
The system login banner text should be set correctly.

oval:org.secpod.oval:def:25961
The /etc/gshadow file should be owned by the appropriate group.

oval:org.secpod.oval:def:26016
The 'rsyslog' to Accept Messages via TCP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:25962
The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".

oval:org.secpod.oval:def:26017
max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:25963
The Kernel Parameter for Accepting Source-Routed Packets By Default should be enabled or disabled as appropriate. The kernel runtime parameter "net.ipv4.conf.default.accept_source_route" should be set to "0".

oval:org.secpod.oval:def:26018
space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:25964
The maximum password age policy should meet minimum requirements.

oval:org.secpod.oval:def:26019
admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:26010
The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:26011
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The noexec option prevents code from being executed directly from the media itself, ...

oval:org.secpod.oval:def:25943
The SELinux policy should be set appropriately.

oval:org.secpod.oval:def:25944
The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".

oval:org.secpod.oval:def:25945
Logins through the Direct root Logins Not Allowed should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:25946
The grub boot loader should have password protection enabled.

oval:org.secpod.oval:def:25947
The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1".

oval:org.secpod.oval:def:25948
Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives

oval:org.secpod.oval:def:25949
The /etc/group file should be owned by the appropriate group.

oval:org.secpod.oval:def:26001
File uploads via vsftpd should be enabled or disabled as appropriate

oval:org.secpod.oval:def:26002
The password retry should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:26003
The PATH variable should be set correctly for user root

oval:org.secpod.oval:def:26004
Logging of vsftpd transactions should be enabled or disabled as appropriate

oval:org.secpod.oval:def:25950
The /etc/shadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:26005
A warning banner for all FTP users should be enabled or disabled as appropriate

oval:org.secpod.oval:def:25951
File permissions for '/boot/grub/grub.cfg' should be set appropriate.

oval:org.secpod.oval:def:26006
Directory permissions for /var/log/apache2 should be set appropriately.

oval:org.secpod.oval:def:25952
This test makes sure that '/etc/gshadow' is setted appropriate permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:26007
The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.

oval:org.secpod.oval:def:25953
The /etc/passwd file should be owned by the appropriate user.

oval:org.secpod.oval:def:26008
Global IPv6 initialization should be disabled.

oval:org.secpod.oval:def:26000
The Set Lockout Time For Failed Password Attempts should be set correctly.

oval:org.secpod.oval:def:25932
The environment variable PATH should be set correctly for the root user.

oval:org.secpod.oval:def:25933
The allowed period of inactivity before the screensaver is activated.

oval:org.secpod.oval:def:25934
The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:25935
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:25936
The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:25937
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:25938
The /etc/passwd file should be owned by the appropriate group.

oval:org.secpod.oval:def:25939
The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devic ...

oval:org.secpod.oval:def:25940
The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".

oval:org.secpod.oval:def:25941
This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:25942
All files should be owned by a group

CPE    1
cpe:/o:ubuntu:ubuntu_linux:14.10
*XCCDF
xccdf_org.secpod_benchmark_general_Ubuntu_14_10

© 2013 SecPod Technologies