IBM BigFix Compliance: Updated DISA STIG Checklist for HPUX 11.31 - RG03, published 2017-10-25

Product:
IBM BigFix Compliance

Title:
Updated DISA STIG Checklist for HPUX 11.31 - RG03 to support a more recent version of the benchmark

Security Benchmark:
HP-UX 11.31 STIG Version 1, Release 14

Published Sites:
DISA STIG Checklist for HPUX 11.31 - RG03 site version 4
(The site version is provided for air-gap customers.)

Changelist:
Added:
· HPUX0210: The system must disable accounts after three consecutive unsuccessful SSH login attempts
· HPUX0220: The system must impose the same restrictions on root logins that are already applied to non-root users
· HPUX0225: The system must impose the same restrictions on root passwords that are already applied to non-root users
· HPUX0230: The ability to boot the system into single user mode must be restricted to root
· HPUX0240: The /var/adm/userdb directory must be owned by root
· HPUX0250: The /var/adm/userdb directory must be group-owned by sys
· HPUX0260: The /var/adm/userdb directory must have mode 0700 or less permissive
· HPUX0270: The /var/adm/userdb directory must not have an extended ACL
· HPUX0280: The /var/adm/userdb/USERDB.DISABLED file must be owned by root
· HPUX0290: The /var/adm/userdb/USERDB.DISABLED file must be group-owned by sys
· HPUX0300: The /var/adm/userdb/USERDB.DISABLED file must have mode 0444 or less permissive
· HPUX0310: The /var/adm/userdb/USERDB.DISABLED file must not have an extended ACL
· HPUX0320: The /etc/security.dsc file must be owned by root
· HPUX0330: The /etc/security.dsc file must be group-owned by sys
· HPUX0340: The /etc/security.dsc file must have mode 0444 or less permissive
· HPUX0350: The /etc/security.dsc file must not have an extended ACL
· HPUX0360: The /etc/pam.conf file must be owned by root
· HPUX0370: The /etc/pam.conf file must be group-owned by sys
· HPUX0380: The /etc/pam.conf file must have mode 0444 or less permissive
· HPUX0390: The /etc/pam.conf file must not have an extended ACL
· HPUX0410: The /etc/pam_user.conf file must be owned by root
· HPUX0420: The /etc/pam_user.conf file must be group-owned by sys
· HPUX0430: The /etc/pam_user.conf file must have mode 0444 or less permissive
· HPUX0440: The /etc/pam_user.conf file must not have an extended ACL
· HPUX0450: During a password change, the system must determine whether password aging attributes are inherited from /etc/default/security when no password aging is specified in the shadow file for local users
· HPUX0460: The system must display the date and time of the last successful account login upon login by means other than SSH
· HPUX0470: The system and user default umask must be 0077 for all sessions initiated via PAM

Updated:
· GEN002680: System audit logs must be owned by root
Now checks ownership of PRI_AUDFILE and SEC_AUDFILE set in /etc/rc.config.d/auditing.
· GEN002690: System audit logs must be group-owned by root, bin, sys, or other
Now checks group ownership of PRI_AUDFILE and SEC_AUDFILE set in /etc/rc.config.d/auditing.
· GEN002700: System audit logs must have mode 0640 or less permissive
Now checks permissions of PRI_AUDFILE and SEC_AUDFILE set in /etc/rc.config.d/auditing.
· GEN002710: All system audit files must not have extended ACLs
Now checks ACLs of PRI_AUDFILE and SEC_AUDFILE set in /etc/rc.config.d/auditing.
· GEN002715: System audit tool executables must be owned by root
Also checks /usr/sbin/userdb*.
· GEN002716: System audit tool executables must be group-owned by root, bin, sys, or other
Also checks /usr/sbin/userdb*.
· GEN002717: System audit tool executables must have mode 0750 or less permissive
Also checks /usr/sbin/userdb*.
· GEN002718: System audit tool executables must not have extended ACLs
Also checks /usr/sbin/userdb*.
· GEN004540: The SMTP service HELP command must not be enabled
Now checks that /etc/mail/helpfile is empty.
· GEN000450: The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements
Also checks /var/adm/userdb/.
· GEN001400: The /etc/shadow (or equivalent) file must be owned by root
Also checks /tcb/files/auth/[A-Z]/.
· GEN001410: The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys or other
Also checks /tcb/files/auth/[A-Z]/.
· GEN001430: The /etc/shadow file must not have an extended ACL
Also checks /tcb/files/auth/[A-Z]/.
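Added example, not part of the original announcement and not BigFix checklist content: a POSIX sh script that evaluates the four audit-log checks above (GEN002680, GEN002690, GEN002700, GEN002710) by reading PRI_AUDFILE and SEC_AUDFILE from an /etc/rc.config.d/auditing-style file, and reuses the same owner/group/mode/ACL functions for the directory and file checks added in this release (HPUX0240 through HPUX0440), which differ only in the expected owner, group and maximum mode. It goes beyond the page in that the functions work for any path and any expected values. Assumptions: the rc file uses plain VAR=value assignments; ls -ld marks files carrying optional ACL entries with a trailing "+" (getacl(1) is the authoritative tool on HP-UX); the demo fixture uses Linux/BSD mktemp -d. All function names, paths and fixture contents here are mine, constructed for the demo.

```shell
#!/bin/sh
# Added example: portable POSIX sh checks for owner, group, maximum mode and
# extended ACLs, driven by PRI_AUDFILE / SEC_AUDFILE from an auditing rc file.
# Parses ls -ld rather than GNU stat(1), which HP-UX does not ship.

# Print PRI_AUDFILE and SEC_AUDFILE from an /etc/rc.config.d/auditing style
# file. Last assignment wins, surrounding quotes are stripped, and the file is
# never sourced, so a tampered rc file cannot execute code in the checker.
audit_log_paths() {
    for var in PRI_AUDFILE SEC_AUDFILE; do
        sed -n "s/^[[:space:]]*$var=//p" "$1" | tail -n 1 | tr -d '"'"'"
    done
}

owner_of() { ls -ld "$1" | awk '{ print $3 }'; }
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# Permission bits as octal digits (640, 4755, ...) from the ls -ld mode column.
perm_octal() {
    ls -ld "$1" | awk '{
        m = $1; bit = 256; v = 0
        for (i = 2; i <= 10; i++) {
            c = substr(m, i, 1)
            if (c == "r" || c == "w" || c == "x" || c == "s" || c == "t") v += bit
            if (i == 4  && (c == "s" || c == "S")) v += 2048   # setuid
            if (i == 7  && (c == "s" || c == "S")) v += 1024   # setgid
            if (i == 10 && (c == "t" || c == "T")) v += 512    # sticky
            bit /= 2
        }
        printf "%o\n", v
    }'
}

# Succeeds when the path's bits are a subset of $2 (octal), i.e. the STIG
# wording "mode $2 or less permissive". Leading zeros in $2 are fine.
mode_within() {
    [ $(( 0$(perm_octal "$1") & ~0$2 )) -eq 0 ]
}

# Assumption: ls -ld prints "+" after the mode when optional ACL entries exist
# (true for GNU ls and HP-UX ls); on HP-UX, getacl(1) is the authoritative check.
has_extended_acl() {
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}

# Run the four checks on one path. $2: required owner, $3: space-separated
# allowed groups, $4: maximum mode. Prints one line per finding and returns the
# number of findings, so 0 means compliant.
check_file() {
    f=$1 want_owner=$2 ok_groups=$3 max_mode=$4 n=0
    if [ ! -e "$f" ]; then
        echo "$f: configured but not present"
        return 1
    fi
    o=$(owner_of "$f")
    [ "$o" = "$want_owner" ] || { echo "$f: owner $o, expected $want_owner"; n=$((n + 1)); }
    g=$(group_of "$f"); ok=0
    for ag in $ok_groups; do [ "$g" = "$ag" ] && ok=1; done
    [ "$ok" -eq 1 ] || { echo "$f: group $g, allowed: $ok_groups"; n=$((n + 1)); }
    mode_within "$f" "$max_mode" || { echo "$f: mode $(perm_octal "$f") exceeds $max_mode"; n=$((n + 1)); }
    ! has_extended_acl "$f" || { echo "$f: extended ACL present"; n=$((n + 1)); }
    return "$n"
}

# GEN002680/2690/2700/2710 over every audit log named in the rc file.
# Owner and groups can be overridden (root and "root bin sys other" by default).
check_audit_logs() {
    conf=$1 owner=${2:-root} okgroups="${3:-root bin sys other}" total=0
    for f in $(audit_log_paths "$conf"); do
        check_file "$f" "$owner" "$okgroups" 640 || total=$((total + $?))
    done
    return "$total"
}

# Constructed fixture (not real HP-UX data): a throw-away rc file naming two
# fake audit files, one at 0640 and one left group-writable, plus a
# /var/adm/userdb-like directory. Uses Linux/BSD mktemp -d.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf 'AUDITING=1\nPRI_AUDFILE="%s/audfile1"\nPRI_SWITCH=1000\nSEC_AUDFILE=%s/audfile2\nSEC_SWITCH=1000\n' \
        "$d" "$d" > "$d/auditing"
    : > "$d/audfile1"; chmod 640 "$d/audfile1"
    : > "$d/audfile2"; chmod 664 "$d/audfile2"
    mkdir "$d/userdb"; chmod 700 "$d/userdb"
    echo "$d"
}

demo() {
    d=$(make_fixture) || return 1
    echo "== demo fixture in $d (files belong to $(id -un); owner findings are expected unless run as root)"
    rc=0; check_audit_logs "$d/auditing" || rc=$?
    echo "audit log findings: $rc"
    rc=0; check_file "$d/userdb" root sys 700 || rc=$?   # HPUX0240-HPUX0270 on a userdb directory
    echo "userdb findings: $rc"
    rm -rf "$d"
}
demo
```

On a real host, replace the demo with `check_audit_logs /etc/rc.config.d/auditing` and `check_file /var/adm/userdb root sys 700`; the 0444 file checks (HPUX0340, HPUX0380, HPUX0430 and so on) are the same call with `root sys 444`. The script reports rather than remediates, which matches the split between analysis and remediation content in the checklist.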

The following checks now evaluate the settings that apply in trusted mode or in standard mode with security extensions (SMSE), as appropriate.

· GEN000020: The system must require authentication upon booting into single-user and maintenance modes
· GEN000460: The system must disable accounts after three consecutive unsuccessful login attempts
· GEN000540: Users must not be able to change passwords more than once every 24 hours
· GEN000560: The system must not have accounts configured with blank or null passwords
· GEN000580: The system must require that passwords contain a minimum of 15 characters
· GEN000585: The system must enforce the correctness of the entire password during authentication
· GEN000590: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes
· GEN000595: The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm
· GEN000600: The system must require passwords contain at least one uppercase alphabetic character
· GEN000610: The system must require passwords contain at least one lowercase alphabetic character
· GEN000620: The system must require passwords contain at least one numeric character
· GEN000640: The system must require passwords contain at least one special character
· GEN000700: User passwords must be changed at least every 60 days
· GEN000800: The system must prohibit the reuse of passwords within five iterations
· GEN001020: The root account must not be used for direct logins
· HPUX0020: The system must be configured to operate in a security mode

Details:
· Both analysis and remediation checks are included
· Some of the checks are parameterized so that the values used for compliance evaluation can be customized. Note that parameterization and remediation actions require the creation of a custom site.

Actions to take:
· To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using IBM BigFix version 9.2 or later.
· If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.

More information:
To learn more about IBM BigFix Compliance SCM checklists, see
· IBM developerWorks:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/SCM%20Checklists
· IBM BigFix Blog:
https://www.ibm.com/developerworks/community/blogs/a1a33778-88b7-452a-9133-c955812f8910?lang=en
· IBM BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

We hope you find this latest release of SCM content useful and effective. Thank you!

– The IBM BigFix Compliance team