AuditPro v4.0.0

©Network Intelligence India

http://www.niiconsulting.com
Date: 23/1/2008
Time: 11:12:9
System: linux
Hostname: 192.168.0.120

  Legend  
 
 Symbol  Description
   This represents the highest possible risk level. Such a vulnerability will in all likelihood allow an attacker partial or complete access to the system. These vulnerabilities must be  addressed immediately by either patching the system, or changing the configuration.
   This represents a medium risk vulnerability. Such a vulnerability would typically allow an attacker a limited level of access to the system, but this would not usually be a super  user or administrative level of access. These vulnerabilities must be addressed in the short term.
   This represents a low vulnerability. It may not necessarily result in a system compromise by itself. But in conjunction with other medium or high risk vulnerabilities it may allow  an attacker considerable access to the system. Such vulnerabilities must be addressed in the short to medium term.
   This sign represents adherence to the security policy. Usually, this is the case if no violations have been found.
  This represents a finding for which no policy match could be found, or it is purely for information purposes. It does not represent a vulnerability. Normally, no action needs to  be taken in such cases
WVS The Weighted Vulnerability Score (WVS) is calculated using the formula: (Low x 1) + (Medium x 2) + (High x 3)
 
     

Table of Contents


General Information

     1. Operating system information
     2. Drive information
     3. CPU information

Network Security

     4. Open ports
     5. Services
     6. Network card configuration
     7. Routing table
     8. Banners
     9. FTP users
     10. Xinetd checks
     11. .rhosts files

Users and Groups

     12. Generic accounts
     13. Members of wheel group
     14. System users having false shell
     15. System users are locked out
     16. Dangerous accounts
     17. User ID 0
     18. Users without password
     19. Password expiry

System Environment

     20. Uptime
     21. Last reboots
     22. Currently logged on users
     23. Remote root logins
     24. Allowed terminals for root login
     25. Memory status
     26. Current processes
     27. Single user boot protection
     28. PATH environment variable check
     29. Root shell IFS

Filesystem Security

     30. Mounted partitions
     31. Disk usage
     32. Rootkit detection

Log Analysis

     33. Failed logins
     34. Critical system errors

Patch Checking

     35. Apache web server
     36. Squid proxy server
     37. OpenSSH daemon
     38. Kerberos v5 server
     39. Samba daemon
     40. Sendmail daemon
     41. MySQL
     42. proftpd
     43. vsftpd
     44. wu-ftpd


Percentage severity distribution


Weighted score for each probe


  General Information  

  Check : Operating system information  
 

Description:
This is the uname information from the system, identifying the operating system, kernel version, processor type and other related information.


CVE Reference No.:


Severity Kernel Name  Kernel Version  Processor Type  Hardware Platform  Operating System 
   Linux  2.6.18-8.el5  i686  i386  GNU/Linux



Solution:
This probe is purely for informational purposes, and no action is required.

 
     

  Check : Drive information  
 

Description:
This probe identifies the partitions, drive capacity and other related information.


CVE Reference No.:


Severity Drive information 
   Disk /dev/hda: 8589 MB, 8589934592 bytes
   255 heads, 63 sectors/track, 1044 cylinders
   Units = cylinders of 16065 * 512 = 8225280 bytes
    Device Boot Start End Blocks Id System
   /dev/hda1 * 1 12 96358+ 83 Linux
   /dev/hda2 13 979 7767427+ 83 Linux
   /dev/hda3 980 1044 522112+ 82 Linux swap / Solaris



Solution:
This probe is purely for informational purposes, and no action is required.

 
     

  Check : CPU information  
 

Description:
This probe displays information about the CPU, such as its speed, vendor, cache size, etc.


CVE Reference No.:


Severity Attribute  Value 
   processor   0
   vendor_id   GenuineIntel
   cpu family   15
   model   3
   model name   Intel(R) Pentium(R) 4 CPU 2.80GHz
   stepping   8
   cpu MHz   2800.355
   cache size   1024 KB
   wp   yes



Solution:
This probe is purely for informational purposes, and no action is required.

 
     

  Network Security  

  Check : Open ports  
 

Description:
This is the list of open ports along with the banners grabbed from the open ports. Any ports that are present in the disallowed list, and are found to be open are marked as high severity violations. Any ports that are in the allowed list and are found to be open are marked as compliance entries. The default disallowed list contains known Trojan and virus ports. The port scan also maps the open ports to known services. A port scan is typically the first stage in the security assessment exercise, and the output will help you determine the network exposure of your system.


CVE Reference No.: CVE-NO-MATCH


Severity Port  State  Process 
 2208  LISTEN  hpiod
 3306  LISTEN  mysqld
 111  LISTEN  portmap
 631  LISTEN  cupsd
 25  LISTEN  sendmail:
 2207  LISTEN  python
 991  LISTEN  rpc.statd
 N/A  LISTEN  sshd



Solution:
Make sure that only trusted services are keeping ports open. For instance, HTTP ports 80 or 443 should not be found open on a workstation. Ensure that there is a functional justification for keeping the ports open. If you wish to investigate a port, the first step would be to issue a 'netstat -antp' command on the target system, and determine ports that are in 'LISTENING' mode. This will also show the service that is keeping the particular port open. Make sure only known and fully patched services are responsible for the open ports. Also make sure that the services do not reveal the type and version of the software in the banner.

 
     

  Check : Services  
 

Description:
This probe lists out those services that are started through the /etc/rcx.d scripts at various Unix run-levels. Some of these services, such as 'sendmail', may not be required. You can decide which services should be disabled, and which should be enabled, with the policy. Simply enter the name of the service as it shows up in the output of the 'chkconfig' command. Violations and compliance with the policy are shown in the report.


CVE Reference No.: CVE-NO-MATCH


Severity Service  RunLevel 0  RunLevel 1  RunLevel 2  RunLevel 3  RunLevel 4  RunLevel 5  RunLevel 6 



Solution:
Ensure that all the services that are started during system boot are absolutely necessary. Disable unnecessary services by issuing the following command (for Linux):
chkconfig --level 123456 <service_name> off
Alternatively, you could locate the script that starts this service in the /etc/rc{1,2,3,4,5,6}.d directories. Change the name of the script so that it starts with a letter other than an 'S' or a 'K'. Files beginning with S are those that will be executed during system startup, and those beginning with a K will be executed during system shutdown.

 
     

  Check : Network card configuration  
 

Description:
This probe determines the network interfaces connected to the machine. The output gives details of the interface name, IP address, MAC address, subnet mask, broadcast address, MTU and other network parameters associated with all the network devices attached to the server. Ensure that no interfaces are in promiscuous mode.


CVE Reference No.:


Severity Name  Options  Type  IP/CIDR  Broadcast Address 
 lo  LOOPBACK,UP,LOWER_UP  loopback  127.0.0.1/8  00:00:00:00:00:00
 eth0  BROADCAST,MULTICAST,UP,LOWER_UP  ether  192.168.0.120/24  192.168.0.255
 sit0  NOARP  sit  N/A  0.0.0.0



Solution:
Ensure that only the necessary network interface cards are configured and enabled on the system, and that none of them is in Promiscuous mode, unless this is an IDS sensor.

 
     

  Check : Routing table  
 

Description:
Ensure that there are no unnecessary routes to other networks as this increases the exposure of this system to other users. Unnecessary routing entries also provide additional information to an attacker if the system has been compromised as this system can then be used to compromise other systems. The default gateway should also be checked to see if it's the legitimate gateway and that it has not been modified to some other host, which might be a compromised host on the Internet or network.


CVE Reference No.:


Severity Destination  Gateway  Netmask  Interface 
   192.168.0.0  *  255.255.255.0  eth0
   169.254.0.0  *  255.255.0.0  eth0
   default  192.168.0.100  0.0.0.0  eth0



Solution:
Ensure that the information is consistent with your network architecture, and contains the minimum possible information.

 
     

  Check : Banners  
 

Description:
This probe checks if a login banner with the appropriate content exists in the file /etc/issue. This file does not exist by default.


CVE Reference No.:


Severity General Banner 
 Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m



Solution:
Recommend that this file be created with a message giving the name of the organization, and warning that all access is monitored and any unauthorized access will be punishable as per the Company's Security Policy, as well as the law of the land pertaining to information systems. Ensure that the warning banner contains the following points:
1. The system is property of your organization.
2. The system is subject to monitoring.
3. Monitoring is authorized in accordance with applicable laws and regulations and conducted for purposes of systems management and protection, protection against improper or unauthorized use or access, and verification of applicable security features or procedures.
4. Use of the system constitutes consent to monitoring.
5. Unauthorized use of this computer may subject the user to criminal prosecution and penalties.

 
     

  Check : FTP users  
 

Description:
If FTP is enabled, then the /etc/ftpusers file can be used to ensure that users listed in this file are NOT allowed to connect via FTP. This check determines that all the system users and privileged user accounts such as 'root' are entered into this file.


CVE Reference No.: CVE-NO-MATCH


Severity Username 
 N/A



Solution:
Ensure that all system users on your Unix system as well as the 'root' account and any other sensitive accounts are listed in this file.

 
     

  Check : Xinetd checks  
 

Description:
The xinetd service is an enhanced version of the older inetd service, with security features that were never included in inetd. It is a super server that assists other network services such as FTP and Telnet. When a client tries to connect to an xinetd-based service on the host, like telnet, it connects first to the xinetd daemon. Xinetd receives the connection request and then starts an instance of the server program appropriate to the specific service. In the case of telnet, it starts in.telnetd. Xinetd provides service-specific configuration options, such as access control (which inetd needed TCP Wrappers to provide), logging, resource utilization, binding and redirection.


CVE Reference No.:


Severity Service 



Solution:
Make sure only the necessary services are started by xinetd. If any violations are shown, you need to modify the configuration of that service in the /etc/xinetd.d folder, and then restart the xinetd service.

 
     

  Check : .rhosts files  
 

Description:
The $HOME/.rhosts (or .rlogin) file defines which remote hosts (computers on a network) can invoke certain commands on the local host without supplying a password. This file is a hidden file in the local user's home directory and must be owned by the local user. The format of the $HOME/.rhosts file is: HostNameField [UserNameField]. When a remote command executes, the local host uses the local /etc/hosts.equiv file and the $HOME/.rhosts file of the local user account to validate the remote host and remote user.


CVE Reference No.:


Severity .rhosts files 
 find: /proc/15384/task/15384/fd/5: No such file or directory
 find: /proc/15384/fd/5: No such file or directory



Solution:
Although you can set any permissions for this file, it is recommended that the permissions of the .rhosts file be set to 600 (read and write by owner only). Due to serious problems rlogin was rarely used across untrusted networks (like the public internet) and even in closed deployments it has fallen into relative disuse (with many Unix and Linux distributions no longer including it by default). Many networks which formerly relied on rlogin and telnet have replaced it with SSH and its rlogin-equivalent slogin.

 
     

  Users and Groups  

  Check : Generic accounts  
 

Description:
This probe determines the local accounts on the target system. The policy allows you to set regular expression based strings, which should never occur in an account name. These typically consist of generic names such as 'test', 'guest', 'vendor', etc. We strongly recommend you add to this list by including the name of your organization, city, line of business, etc. This probe does case-insensitive pattern matching, so it will detect these strings if they occur anywhere in the username.


CVE Reference No.: CVE-NO-MATCH


Severity



Solution:
It is recommended to give unique names to each user account, which positively identifies the actual user. The use of generic names such as 'test' or 'admin', must be strongly prohibited, as it takes away accountability. Investigate any suspicious or generic account names that are marked in the output, and ensure that they are renamed to represent genuine users of the system.

 
     

  Check : Members of wheel group  
 

Description:
This probe determines the members of the 'wheel' group. It lists out any users that are members, but are not in the 'allowed' list as specified by the Policy. All users in the 'wheel' group have the right to 'su' to root.


CVE Reference No.:


Severity Current members 
 root



Solution:
Make sure only trusted users are members of the 'wheel' group.

 
     

  Check : System users having false shell  
 

Description:
All system users must be given false shells to prevent an attacker from trying to create a backdoor by logging in using such an account. The list of invalid shells includes /sbin/nologin, /bin/false, and any others that you specify via the policy.


CVE Reference No.: CVE-NO-MATCH


Severity System User  Login Shell 
 adm  /sbin/nologin
 bin  /sbin/nologin
 daemon  /sbin/nologin
 ftp  /sbin/nologin
 games  /sbin/nologin
 gdm  /sbin/nologin
 gopher  /sbin/nologin
 halt  /sbin/halt
 lp  /sbin/nologin
 mail  /sbin/nologin
 mailnull  /sbin/nologin
 news  N/A
 nfsnobody  /sbin/nologin
 nobody  /sbin/nologin
 nscd  /sbin/nologin
 ntp  /sbin/nologin
 operator  /sbin/nologin
 pcap  /sbin/nologin
 rpc  /sbin/nologin
 rpcuser  /sbin/nologin
 rpm  /sbin/nologin
 shutdown  /sbin/shutdown
 smmsp  /sbin/nologin
 sshd  /sbin/nologin
 sync  /bin/sync
 uucp  /sbin/nologin
 vcsa  /sbin/nologin
 xfs  /sbin/nologin



Solution:
Ensure that all system accounts (listed as inactive in the output of the 'last' command), have been assigned an invalid shell.

 
     

  Check : System users are locked out  
 

Description:
This probe checks if system users have been locked out by supplying an invalid password hash in the /etc/shadow file. This will prevent an attacker from using such an account as a backdoor for accessing the system.


CVE Reference No.: CVE-NO-MATCH


Severity System User  Lock Character(s) 
 adm  *
 bin  *
 daemon  *
 ftp  *
 games  *
 gdm  !!
 gopher  *
 halt  *
 lp  *
 mail  *
 mailnull  !!
 news  *
 nfsnobody  !!
 nobody  *
 nscd  !!
 ntp  !!
 operator  *
 pcap  !!
 rpc  !!
 rpcuser  !!
 rpm  !!
 shutdown  *
 smmsp  !!
 sshd  !!
 sync  *
 uucp  *
 vcsa  !!
 xfs  !!



Solution:
Ensure that all system accounts have invalid hash values in their password fields.

 
     

  Check : Dangerous accounts  
 

Description:
Usually attackers will attempt to leave backdoors on a system that they have compromised. One of the ways in which this is done is by creating new user accounts in the /etc/passwd and /etc/shadow files. This probe determines if specific accounts exist, which may indicate that the server has been compromised. The account names that are checked for are those supplied in the policy.


CVE Reference No.:


Severity Username 



Solution:
Investigate why and how such account(s) got created in the first place. We recommend a thorough, in-depth forensics investigation bearing in mind, that there is a high likelihood that the server has been compromised.

 
     

  Check : User ID 0  
 

Description:
A User ID of 0 on the Unix system represents a super-user. This probe determines if there are any users other than root that have a user ID of 0 in the /etc/passwd file.


CVE Reference No.: CVE-NO-MATCH


Severity Username 
 root



Solution:
If there is a violation of this policy, it must be dealt with immediately. We recommend a detailed forensics investigation to check how and under what circumstances another account with user ID 0 was created on the system. It may be the case that this system has been completely compromised.

 
     

  Check : Users without password  
 

Description:
All non-system users on the Unix system must have a valid password. This probe determines if the account has a non-blank entry in the second column of /etc/passwd.


CVE Reference No.: CVE-NO-MATCH


Severity Username 



Solution:
Ensure that all user accounts have a valid password, subject to password complexity requirements.

 
     

  Check : Password expiry  
 

Description:
This probe determines if the password expiry parameters in the /etc/shadow file are set as per the policy. The parameters considered are:


CVE Reference No.:


Severity User  Min. Days  Max. Days  Warning Days  Days Before Inactive  Last Change  Expiry 



Solution:
Ensure that the password aging parameters are set in accordance with your organizational security policy. For existing users, this can be done by using the 'chage' command, and on a system-wide level this can be done by setting the correct parameters in the /etc/login.defs file. These parameters are:
PASS_MIN_DAYS (number)
The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, a zero value will be assumed.

PASS_MIN_LEN (number)
The minimum number of characters in an acceptable password. An attempt to assign a password with fewer characters will be rejected. A zero value suppresses this check. If not specified, a zero value will be assumed.

PASS_MAX_DAYS (number)
The maximum number of days a password may be used. If the password is older than this, then the account will be locked. If not specified, a large value will be assumed.

PASS_WARN_AGE (number)
The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

 
     

  System Environment  

  Check : Uptime  
 

Description:
Checks how long the target Linux box has been running.


CVE Reference No.:


Severity System Uptime and number of currently logged on users 
    09:40:05 up 57 min, 0 users, load average: 1.78, 1.49, 0.92



Solution:

 
     

  Check : Last reboots  
 

Description:
Checks when the Linux box was last rebooted.


CVE Reference No.:


Severity Day  Month  Date  Time  Relative Time 
   Wed  Jan  23  08:43  (00:56)



Solution:

 
     

  Check : Currently logged on users  
 

Description:
Checks which users are currently logged in to the target Linux box.


CVE Reference No.:


Severity User  TTY  Month  Date  Time  From 



Solution:

 
     

  Check : Remote root logins  
 

Description:
Checks if any user is connected to the target Linux box remotely.


CVE Reference No.:


Severity USER  TTY  FROM  DAY  MONTH  DATE  IN-TIME  OUT-TIME  DURATION 



Solution:

 
     

  Check : Allowed terminals for root login  
 

Description:
Checks which terminals are allowed for root logins, e.g. via telnet, WinSCP, etc.


CVE Reference No.:


Severity Allowed Terminals 
 console
 vc/1
 vc/2
 vc/3
 vc/4
 vc/5
 vc/6
 vc/7
 vc/8
 vc/9
 vc/10
 vc/11
 tty1
 tty2
 tty3
 tty4
 tty5
 tty6
 tty7
 tty8
 tty9
 tty10
 tty11



Solution:

 
     

  Check : Memory status  
 

Description:
This probe displays the free and consumed memory within the system.


CVE Reference No.:


Severity Attribute  Size 
   Cached   37796 kB
   SwapCached   4 kB
   Active   151884 kB
   Inactive   15296 kB
   HighTotal   0 kB
   HighFree   0 kB
   LowTotal   255704 kB
   LowFree   3648 kB
   SwapTotal   522104 kB
   SwapFree   522012 kB
   Dirty   40 kB
   Writeback   0 kB
   AnonPages   85776 kB
   Mapped   36388 kB
   Slab   78616 kB
   PageTables   3092 kB
   NFS_Unstable   0 kB
   Bounce   0 kB
   CommitLimit   649956 kB
   Committed_AS   395568 kB
   VmallocTotal   770040 kB
   VmallocUsed   2556 kB
   VmallocChunk   767368 kB
   HugePages_Total   0
   HugePages_Free   0
   HugePages_Rsvd   0
   Hugepagesize   4096 kB



Solution:
Check to see if enough memory is free. If not, check the output in the 'ps' or 'top' commands to determine which processes are consuming maximum memory.

 
     

  Check : Current processes  
 

Description:
This probe displays the running processes, process IDs, CPU usage, memory usage, and other related information.


CVE Reference No.:


Severity PID  RUSER  EUSER  %CPU  %MEM  DATE  ELAPSED_TIME  TTY  PROCESS 
   Warning:  bad  syntax,  perhaps  a  bogus  '-'?  See  /usr/share/doc/procps-3.2.7/FAQ
   2  root  root  0.0  0.0  08:42  57:19  ?  [migration/0]
   4  root  root  0.0  0.0  08:42  57:19  ?  [watchdog/0]
   6  root  root  0.0  0.0  08:42  57:19  ?  [khelper]
   7  root  root  0.0  0.0  08:42  57:19  ?  [kthread]
   11  root  root  0.0  0.0  08:42  57:19  ?  [kacpid]
   68  root  root  0.0  0.0  08:42  57:19  ?  [cqueue/0]
   71  root  root  0.0  0.0  08:42  57:19  ?  [khubd]
   138  root  root  0.0  0.0  08:42  57:19  ?  [aio/0]
   295  root  root  0.0  0.0  08:42  57:16  ?  [kpsmoused]
   342  root  root  0.0  0.0  08:43  57:03  ?  [kauditd]
   816  root  root  0.0  0.0  08:43  56:54  ?  [kgameportd]
   1115  root  root  0.0  0.0  08:43  56:38  ?  [kmirrord]
   1137  root  root  0.0  0.0  08:43  56:36  ?  [kjournald]
   1745  root  root  0.0  0.0  08:43  56:16  ?  [krfcommd]
   1803  root  root  0.0  0.1  08:43  56:14  ?  /usr/bin/hidd
   2070  avahi  avahi  0.0  0.1  08:44  55:59  ?  avahi-daemon:
   2375  root  root  0.0  0.1  08:46  53:50  ?  /usr/bin/ssh-agent
   2378  root  root  0.0  0.2  08:46  53:50  ?  /usr/bin/dbus-launch
   2388  root  root  0.0  0.2  08:46  53:48  ?  /usr/bin/gnome-keyring-daemon
   3  root  root  0.0  0.0  08:42  57:19  ?  [ksoftirqd/0]
   135  root  root  0.0  0.0  08:42  57:19  ?  [pdflush]
   1690  root  root  0.0  0.2  08:43  56:17  ?  rpc.idmapd
   1731  root  root  0.0  0.1  08:43  56:16  ?  /usr/sbin/sdpd
   1837  root  root  0.0  0.2  08:43  56:13  ?  /usr/sbin/acpid
   1848  root  root  0.0  0.2  08:43  56:13  ?  ./hpiod
   1961  smmsp  smmsp  0.0  0.5  08:44  56:05  ?  sendmail:
   2028  root  root  0.0  0.2  08:44  56:03  ?  anacron
   2038  root  root  0.0  0.1  08:44  56:03  ?  /usr/sbin/atd
   2088  68  68  0.0  0.3  08:44  55:56  ?  hald-addon-acpi:
   2178  root  root  0.0  0.1  08:44  55:52  ?  /usr/sbin/smartd
   2184  root  root  0.0  0.1  08:44  55:52  tty2  /sbin/mingetty
   2185  root  root  0.0  0.1  08:44  55:52  tty3  /sbin/mingetty
   2186  root  root  0.0  0.1  08:44  55:52  tty4  /sbin/mingetty
   2187  root  root  0.0  0.1  08:44  55:52  tty5  /sbin/mingetty
   2188  root  root  0.0  0.1  08:44  55:52  tty6  /sbin/mingetty
   5  root  root  0.0  0.0  08:42  57:19  ?  [events/0]
   1628  rpc  rpc  0.0  0.2  08:43  56:19  ?  portmap
   1720  root  root  0.0  0.3  08:43  56:16  ?  /usr/sbin/hcid
   1973  root  root  0.0  0.1  08:44  56:05  ?  gpm
   2183  root  root  0.0  0.1  08:44  55:52  tty1  /sbin/mingetty
   2499  root  root  0.0  0.0  08:46  53:37  ?  [netstat]
   73  root  root  0.0  0.0  08:42  57:19  ?  [kseriod]
   2093  68  68  0.0  0.3  08:44  55:55  ?  hald-addon-keyboard:
   1595  root  root  0.0  0.1  08:43  56:20  ?  klogd
   1657  root  root  0.0  0.2  08:43  56:18  ?  rpc.statd
   1984  root  root  0.0  0.4  08:44  56:04  ?  crond
   2461  root  root  0.0  0.3  08:46  53:42  ?  /usr/libexec/mapping-daemon
   1853  root  root  0.0  1.7  08:43  56:12  ?  python
   1879  root  root  0.0  0.3  08:43  56:10  ?  /usr/sbin/sshd
   2291  root  root  0.0  0.5  08:44  55:50  ?  /usr/sbin/gdm-binary
   1890  root  root  0.0  0.4  08:43  56:10  ?  /bin/sh
   2503  root  root  0.0  0.2  08:46  53:35  ?  /sbin/pam_timestamp_check
   1865  root  root  0.0  0.8  08:43  56:11  ?  cupsd
   1953  root  root  0.0  0.6  08:44  56:05  ?  sendmail:
   2017  xfs  xfs  0.0  0.6  08:44  56:03  ?  xfs
   1575  root  root  0.0  0.2  08:43  56:22  ?  auditd
   2082  root  root  0.0  0.3  08:44  55:57  ?  hald-runner
   2287  root  root  0.0  1.0  08:44  55:50  ?  /usr/sbin/gdm-binary
   2420  root  root  0.0  1.1  08:46  53:45  ?  /usr/libexec/gnome-vfs-daemon
   2466  root  root  0.0  0.8  08:46  53:42  ?  ./escd
   10  root  root  0.0  0.0  08:42  57:19  ?  [kblockd/0]
   2379  root  root  0.0  0.3  08:46  53:50  ?  /bin/dbus-daemon
   1783  root  root  0.0  0.4  08:43  56:15  ?  pcscd
   2459  root  root  0.0  0.4  08:46  53:42  ?  /usr/libexec/gam_server
   136  root  root  0.0  0.0  08:42  57:19  ?  [pdflush]
   2433  root  root  0.0  1.7  08:46  53:45  ?  bt-applet
   1592  root  root  0.0  0.2  08:43  56:21  ?  syslogd
   2189  root  root  0.0  1.6  08:44  55:52  ?  /usr/sbin/gdm-binary
   15353  root  root  0.0  0.1  09:30  09:38  ?  ./AUDITPRO
   1818  root  root  0.0  0.4  08:43  56:14  ?  automount
   2416  root  root  0.0  0.9  08:46  53:46  ?  /usr/libexec/bonobo-activation-server
   2418  root  root  0.0  3.0  08:46  53:45  ?  eggcups
   15336  root  root  0.0  0.4  09:30  09:38  ?  bash
   2465  root  root  0.0  3.2  08:46  53:42  ?  /usr/libexec/trashapplet
   2497  root  root  0.0  1.7  08:46  53:37  ?  pam-panel-icon
   1577  root  root  0.0  1.4  08:43  56:22  ?  python
   2486  root  root  0.0  2.8  08:46  53:39  ?  /usr/libexec/notification-area-applet
   1709  dbus  dbus  0.0  0.3  08:43  56:17  ?  dbus-daemon
   137  root  root  0.0  0.0  08:42  57:19  ?  [kswapd0]
   2447  root  root  0.0  3.6  08:46  53:43  ?  nm-applet
   15334  root  root  0.0  0.9  09:30  09:38  ?  sshd:
   2069  avahi  avahi  0.0  0.5  08:44  55:59  ?  avahi-daemon:
   2316  root  root  0.0  2.6  08:46  53:52  ?  /usr/bin/gnome-session
   2488  root  root  0.0  3.8  08:46  53:39  ?  /usr/libexec/clock-applet
   314  root  root  0.0  0.0  08:42  57:12  ?  [kjournald]
   2385  root  root  0.0  1.2  08:46  53:50  ?  /usr/libexec/gconfd-2
   1914  mysql  mysql  0.0  5.4  08:43  56:09  ?  /usr/sbin/mysqld
   376  root  root  0.0  0.3  08:43  57:01  ?  /sbin/udevd
   2439  root  root  0.0  5.1  08:46  53:44  ?  /usr/bin/python
   2494  root  root  0.0  2.3  08:46  53:37  ?  gnome-power-manager
   2490  root  root  0.0  4.3  08:46  53:39  ?  /usr/libexec/mixer_applet2
   2390  root  root  0.0  3.0  08:46  53:48  ?  /usr/libexec/gnome-settings-daemon
   2463  root  root  0.0  4.0  08:46  53:42  ?  /usr/libexec/wnck-applet
   2403  root  root  0.0  3.0  08:46  53:47  ?  metacity
   2509  root  root  0.0  1.3  08:46  53:22  ?  gnome-screensaver
   2057  root  root  0.0  4.6  08:44  56:00  ?  /usr/bin/python
   2081  68  68  0.0  1.3  08:44  55:58  ?  hald
   2105  root  root  0.0  0.2  08:44  55:54  ?  hald-addon-storage:
   2410  root  root  0.0  4.8  08:46  53:46  ?  gnome-panel
   1  root  root  0.1  0.2  08:42  57:19  ?  init
   2477  root  root  0.1  8.6  08:46  53:40  ?  /usr/bin/python
   2412  root  root  0.1  6.1  08:46  53:46  ?  nautilus
   2294  root  root  0.9  3.7  08:44  55:50  tty7  /usr/bin/Xorg



Solution:
Ensure that no single process is hogging maximum CPU or memory.

 
     

  Check : Single user boot protection  
 

Description:


CVE Reference No.:


Severity Status 
 Single User boot mode is not password protected through 'sulogin'



Solution:
Set a strong password for Single User boot mode.

 
     

  Check : PATH environment variable check  
 

Description:
Checks the value of the PATH environment variable.


CVE Reference No.:


Severity Status 
 No period at end of the path environment variable for 'root'
 Root directory (/) not found in path environment variable for 'root'
 Double colon (::) not found in path environment variable for 'root'



Solution:

 
     

  Check : Root shell IFS  
 

Description:
Checks for Installable File System (IFS)


CVE Reference No.:


Severity Status 
 Forward slash(/) not present in IFS environment variable for 'root'



Solution:

 
     

  Filesystem Security  

  Check : Mounted partitions  
 

Description:
This probe determines the mounted partitions and their parameters.


CVE Reference No.:


Severity Filesystem  Mounted On  Type  Mode 
   /dev/hda2  /  ext3  (rw)
   proc  /proc  proc  (rw)
   sysfs  /sys  sysfs  (rw)
   devpts  /dev/pts  devpts  (rw,gid=5,mode=620)
   /dev/hda1  /boot  ext3  (rw)
   tmpfs  /dev/shm  tmpfs  (rw)
   none  /proc/sys/fs/binfmt_misc  binfmt_misc  (rw)
   sunrpc  /var/lib/nfs/rpc_pipefs  rpc_pipefs  (rw)



Solution:
This is an informational probe, and usually does not require any fix to be applied.

 
     

  Check : Disk usage  
 

Description:
This probe determines if disk usage has crossed a preset limit as defined in the policy.


CVE Reference No.: