
Identifying CIDs

Question asked by Vishu Ishu on Jan 15, 2015
Latest reply on Feb 23, 2015 by Tim White

Can someone help me in identifying matching CIDs? We want to have these below in our Qualys PC:

  • All default administrative logins (e.g. bin, sys, adm, daemon, uucp, lp) except UID-0, must be disabled and deny access.
  • Administrative password (UID-0) must not be transmitted in clear text over any network during login process.
  • All passwords must not be transmitted in clear text over any network. Disable telnet, rlogin, remsh and rcp services.
  • tftpd is not permitted, except for servers that have a business need to have the tftp daemon (tftpd) running to answer requests for service (such as ignite servers and systems that manage router configurations). These systems must be configured to allow only Agilent internal connections.
  • Root access/login to ftp must not be permitted. Solaris - put root in /etc/ftpusers to disable root access.
  • Inetd services must be configured to allow systems with a business need for access only.
  • Inetd configuration files must not be publicly writable.
  • Inetd configuration files must be owned by an administrative UID.
  • Inetd services must be configured with logging enabled.
  • syslogd must be running.
  • System logging is required.
  • The system logging file of systems in the DMZ must have read/write access restricted to administrative users and groups. All critical/abnormal events must be sent to another server.
  • The rpc services listed in the appendix must be explicitly disabled on Extreme Risk systems.
  • Do not allow root write access over NFS (No Set UID).
  • BIND version number must not be displayed when queried. Alter VERSION.BIND.TXT to not give version number.
  • Unauthorized zone transfers must be blocked for external facing authoritative name servers.
  • Install upgrades (or recompile software) when BIND software is exposed to new vulnerabilities.
  • Running named daemon must be 'chroot'ed to /opt/named.
  • Running named daemon must be owned by unprivileged, non-root account.
  • For external facing authoritative name servers do not allow recursive queries. This is to prevent cache poisoning.
  • For external facing authoritative name servers NS records must be converted to hide internal nameserver identification.
  • SNMP must not run on external facing systems.
  • SNMP must be configured to allow only Agilent internal connections.
  • No incomplete or blank lines in the passwd file.
  • The $PATH must be initialized in system-wide shell startup files such as profile, login, and bashrc files.
  • Super-user's $PATH must be restricted to include only managed administrative directories that are not world writable.
  • Super-users (UID-0) must be managed to allow only authorized user access.
  • Permissions for super-users (UID-0) $HOME and startup files must be restricted to permission 700.
  • Super-users (UID-0) must deny terminal messages.
  • Dormant accounts must be disabled according to the Server Security Standard.
  • Login banner must be set up to display standard Agilent's legal notice.
  • Home directory of super-users (UID-0) must not be the system root directory /.
  • No unknown and undocumented SUID and/or SGID binaries or scripts.
  • Login/accounting files must exist to record login information.
  • Login/accounting files must be writable by administrative users and groups only.
  • Operating system files/directories must not be publicly writable and have administrative ownership; see list in appendix.
  • Crontab and at files must be owned and accessible by the primary user.
  • Restrictive umask is required in system-wide shell startup files such as profile, login, and bashrc files to prevent public write.
  • Current working directory must not be set first in global and user's $PATH.
  • User's $PATH must not include publicly writable files/directories.
  • Verify password quality (Administrative passwords 0% cracked, all other passwords less than 2%).
  • Periodically check for unauthorized and inadvertent changes in the operating system and configuration files (security monitoring).
  • Periodically review log files. Review bad login attempts, bad su attempts, bad inetd connect attempts, root login attempts, unauthorized ROOT su/su2/sudo attempts, system reboots.
  • Periodically scan files for known virus, worms, Trojan horses and other malicious and unauthorized code on any system with SAMBA enabled.
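
As an added example that is not part of the original post (and not Qualys PC's own checks or an official CID mapping), a small POSIX shell script that verifies a few of the listed controls locally: passwd file completeness, UID-0 home directory, cwd-first and world-writable $PATH entries, and the umask in a startup file. File paths and the PATH string are passed in as arguments, so it runs against copied files or constructed fixtures as well as a live host.

```shell
#!/bin/sh
# Added example (not from the original post, not Qualys PC's own checks or a
# CID mapping): plain-shell verifiers for a handful of the controls listed
# above. Each takes its input explicitly so it runs on fixtures or a live host.

# Control: no incomplete or blank lines in the passwd file.
# Returns 0 when every line has exactly 7 colon-separated fields, else 1.
passwd_lines_complete() {
    awk -F: 'BEGIN { bad = 0 } NF != 7 { bad = 1 } END { exit bad }' "$1"
}

# Control: home directory of super-users (UID-0) must not be "/".
# Prints each offending account name; returns 0 when there are none.
uid0_home_not_root() {
    awk -F: 'BEGIN { bad = 0 } $3 == 0 && $6 == "/" { print $1; bad = 1 }
             END { exit bad }' "$1"
}

# Controls: the current working directory must not be first in $PATH, and
# $PATH must not include publicly writable directories. Takes a PATH string,
# prints each violation and returns 1 if any was found. Only the mode bits
# are consulted (-perm -002), so the result is the same whoever runs it.
path_is_safe() {
    bad=0
    first=${1%%:*}
    if [ -z "$first" ] || [ "$first" = "." ]; then
        echo "cwd is first in PATH"
        bad=1
    fi
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -002 -print)" ]; then
            echo "world-writable: $dir"
            bad=1
        fi
    done
    IFS=$old_ifs
    return $bad
}

# Control: restrictive umask in system-wide startup files (profile, login,
# bashrc) to prevent public write. Passes when the file sets a umask whose
# "other" digit is at least 2, i.e. the world write bit is always masked off.
umask_restricts_public_write() {
    awk 'BEGIN { found = 0 }
         $1 == "umask" && $2 != "" && substr($2, length($2), 1) + 0 >= 2 { found = 1 }
         END { exit !found }' "$1"
}
```

Each function exits 0 on pass and 1 on fail, so the checks can be chained in a cron job or fed into whatever evidence-collection process sits beside the Qualys PC policy.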