Reviewing local properties in individual templates
The following sections list the properties in each of the Compliance Content local property classes for your review:
- Overview
- DISA properties in the local property class
- PCI properties in the local property class
- Where to go from here
Overview
Each of the Compliance Content templates contains several editable, local properties that control various aspects of connecting with target servers, including the following properties:
- password attributes (such as length, numbers of different character types to be included, and expiration period) and logon specifications (number of attempts, lockout attributes)
- for SUSE Linux: path to the postgres.log file
- for Windows: specifications of the NTFS drive, the SMTP service, and the NNTP service
Ordinarily, the default values for these local properties should be sufficient at your site. You may still want to review these properties to tailor them to the unique needs of your local system.
For more information about setting property values, see Setting values for system object properties.
DISA properties in the local property class
The following DISA properties are present in the local property class:
Property | DISA Template Version | Description | Default Value |
---|---|---|---|
ACL_ALLOWED_FILES | Red Hat Enterprise Linux 5 | Comma-separated list of files that are allowed to carry ACLs | /tmp,/pqr |
ACL_EXCEPTIONAL_ | Red Hat Enterprise Linux 5, | Comma-separated list of ACLs to be excluded. | |
AIDE_CONF_PATH | Red Hat Enterprise Linux 5 | File location of the AIDE configuration. | /etc/aide.conf |
ALIASES_FILE | Red Hat Enterprise Linux 5 | /etc/aliases file or equivalent | ??SENDMAIL_ALIASES?? |
ALLOWED_WINDOWS_ | Windows Server 2003 DC, | These features will be allowed. | GPMC BACKUP BitLocker |
ALLOWED_FILES_WITH_ | Red Hat Enterprise Linux 5 | List of allowed files with uneven permissions | |
ALWAYS_COMPLIANT | Windows Server 2003 DC, | | TRUE |
ANONYMOUS_FTP_ | Red Hat Enterprise Linux 5, | Email ID used for the anonymous FTP test. | |
APP_DAEMON_NAME | HP-UX 11.23 | Name of the host-based intrusion detection system application installed on the target. | |
APPLICATION_ | Windows Server 2003 DC, | Comma-separated list of application accounts | Guest,Application |
APPLICATION_GROUP | Red Hat Enterprise Linux 5, | Semicolon-separated list of application groups | |
APPLICATION_USER | Red Hat Enterprise Linux 5, | Semicolon-separated list of application users | root |
APPROVED_SHELLS | Red Hat Enterprise Linux 5, | Comma-separated list of approved shells | /usr/bin/false, |
AT_ALLOW_USER_LIST | Red Hat Enterprise Linux 5 | Pipe-separated list of users allowed to submit 'at' jobs. | |
AT_DENY_USER_LIST | Red Hat Enterprise Linux 5 | Pipe-separated list of users denied from submitting 'at' jobs. | |
AT_SPOOL_DIR | Red Hat Enterprise Linux 5, | Location of the at spool directory | /var/spool/cron/atjobs |
AUDISP_SYSLOG_ | Red Hat Enterprise Linux 5 | File location of the audisp syslog plugin configuration. | /etc/audisp/plugins.d/syslog.conf |
AUDIT_KERNEL_ADMIN | HP-UX 11.23 | Admin kernel module to be audited. | egrep 'admin' /etc/audit/ |
AUDIT_KERNEL_ | HP-UX 11.23 | Modload kernel module to be audited | egrep 'modload' /etc/audit/ |
AUDIT_KERNEL_ | HP-UX 11.23 | Modpath kernel module to be audited | egrep 'modpath' /etc/audit/ |
AUDIT_KERNEL_ | HP-UX 11.23 | Moduload kernel module to be audited | egrep 'moduload' /etc/audit/ |
AUDIT_MAIL_ACCNT | Red Hat Enterprise Linux 5 | Audit mail account. | root |
AUDIT_RULES | Red Hat Enterprise Linux 5, | Audit rules | \-a,\-w |
AUDIT_RULES_ | Red Hat Enterprise Linux 5 | Command that lists the audit rules | auditctl -l |
AUDIT_RULES_FILE | Red Hat Enterprise Linux 5 | Path to the audit.rules file | /etc/audit/audit.rules |
AUDIT_TOOLS | HP-UX 11.23 | Audit tool executables | /usr/sbin/audevent |
AUDITD_CONF_PATH | Red Hat Enterprise Linux 5 | File location of the auditd configuration. | /etc/audit/auditd.conf |
AUDITD_RESTART_ | Red Hat Enterprise Linux 5 | Command that restarts auditd | /etc/rc.d/init.d/auditd restart |
AUDITORS_GROUP | Windows Server 2003 DC, | Auditors group | Auditors |
AUTHPRIV_LOG_ | Red Hat Enterprise Linux 5 | The authpriv selector to be used in /etc/syslog.conf | authpriv |
AUTHPRIV_SYSLOG_ | Red Hat Enterprise Linux 5, | syslog authpriv action list | /var/log/secure |
AUTOFS_REQUIRED | HP-UX 11.23 | Flag indicating whether the autofs service is required | FALSE |
BACKUP_DEVICES | Red Hat Enterprise Linux 5, | Comma-separated list of backup devices | |
BACKUP_USERS | Red Hat Enterprise Linux 5, | Semicolon-separated list of backup users. | root |
BANNER_FILE_FTP | HP-UX 11.23 | Banner message file for FTP | /etc/ftpd/banner_msg |
BANNER_FILE_NAMES | Red Hat Enterprise Linux 5, | Banner file names | /etc/issue |
BANNER_MSG1 | Red Hat Enterprise Linux 5 | Banner message | |
BANNER_LONG_PART1 | Red Hat Enterprise Linux 5, | Banner information line 1 | |
BANNER_LONG_PART2 | Red Hat Enterprise Linux 5, | Banner information line 2 | |
BANNER_LONG_PART3 | Red Hat Enterprise Linux 5, | Banner information line 3 | |
BANNER_LONG_PART4 | Red Hat Enterprise Linux 5, | Banner information line 4 | |
BANNER_LONG_PART5 | Red Hat Enterprise Linux 5, | Banner information line 5 | |
BANNER_LONG_PART6 | Red Hat Enterprise Linux 5, | Banner information line 6 | |
BANNER_LONG_PART7 | Red Hat Enterprise Linux 5, | Banner information line 7 | |
BANNER_MESSAGE | HP-UX 11.23 | | |
DEBUG_PROGRAMS | Windows Server 2003 DC, | List for the user right Debug Programs | Administrators |
CBC_CRYPT_ALGO | HP-UX 11.23 | FIPS 140-2 approved cryptographic algorithms | aes128-ctr, |
CENTRALIZED_ | HP-UX 11.23 | The centralized process core dump data directory. | |
CENTRALIZED_SYSLOG_ | Red Hat Enterprise Linux 5 | The FQ_HOST server property of systems that are authorized syslog servers. | |
CRASH_DUMP_ | Red Hat Enterprise Linux 5 | Comma-separated list of file system types supported for crash dumps | ext3, ext2, nfs |
CRON_DENIED_ | Red Hat Enterprise Linux 5 | Pipe-separated user list | daemon\|bin |
CRON_GLOBAL_FILES | Red Hat Enterprise Linux 5 | Space-separated list of global cron files | /etc/cron.d |
CRON_LOG_FILTER | Red Hat Enterprise Linux 5 | The cron selector to be used in /etc/syslog.conf | cron |
CRON_SYSLOG_LOG_ | Red Hat Enterprise Linux 5, | syslog cron action list | /var/log/cron |
CRONTAB_CREATOR | HP-UX 11.23 | UID of the crontab creator user; for example, the root user has UID 0. | 0 |
CRONTAB_CREATOR_ | HP-UX 11.23 | | root |
CONFIGURATION_ | Red Hat Enterprise Linux 5 | Configuration levels represent increasing levels of security assurance | All |
CONSOLE_PERM_FILE | Red Hat Enterprise Linux 5 | This file determines the permissions that will be given to privileged users of the console at login time, and the permissions to which to revert when the users log out. | /etc/security/console.perms |
CMDEXEC_ROOT_ENV | Red Hat Enterprise Linux 5 | Command that fetches the root environment | su -c env - root |
COMMUNITY_ | Red Hat Enterprise Linux 5 | The community name or password in the snmpd.conf file | public, private, |
CUPSD_ACCESS_TO_ | Red Hat Enterprise Linux 5 | Comma-separated list of hosts allowed to access cupsd | @LOCAL |
CUPSD_CONF_FILE_ | Red Hat Enterprise Linux 5 | cupsd.conf file path | /etc/cups/cupsd.conf |
BOOTLOADER_PATH | Red Hat Enterprise Linux 5 | The path of the bootloader on the system. | /boot/grub/grub.conf |
BOOT_LOADER_ | Red Hat Enterprise Linux 5 | This file specifies the configuration details of the boot loader. By default, it is /boot/grub/grub.conf. | /etc/security/access.conf |
BLOCKED_FTPUSERS | Red Hat Enterprise Linux 5 | List of users to whom FTP access must be blocked, separated by the newline character (\n) | nobody |
DEFAULT_CRASH_ | Red Hat Enterprise Linux 5 | Default crash directory location | /var/crash |
DEFAULT_SHELL_ | Red Hat Enterprise Linux 5, | Default shell for users | /bin/sh |
DEFAULT_SHELLS_ | Red Hat Enterprise Linux 5 | Pipe-separated list of shells to be used in /etc/shells. These values are added to the /etc/shells file if that file does not exist or is empty. | |
DENY_LOGON_ | Windows Server 2003 DC, | If Terminal Services is in use, set the value to Guests; otherwise set it to Everyone | Everyone |
DHCLIENT_CONF_ | Red Hat Enterprise Linux 5 | DHCP client configuration file path | /etc/dhclient.conf |
DISA_LEGAL_NOTICE_ | Windows Server 2003 DC, | DISA legal notice text | |
DISA_LEGAL_NOTICE_ | Windows Server 2003 DC, | DISA legal notice text. | |
DISA_LEGAL_NOTICE_ | | | |
DISA_LEGAL_NOTICE_ | | | |
DISA_LEGAL_NOTICE_ | | | |
DISA_LEGAL_TITLE_ | Windows Server 2003 DC, | DISA legal title | |
DOD_APRVD_TLC_ | Red Hat Enterprise Linux 5 | DoD approved TLC certificate path | /etc/pki/tls/cert.pem |
DOMAIN_ACCOUNTS_ | Windows Server 2003 DC, | Comma-separated list of domain accounts requiring a smart card (CAC) | |
DOMAIN_SUPPORTS_ | Windows Server 2008 DC, | Domain supports Exchange 2003 | FALSE |
DOMAIN_SUPPORTS_ | Windows Server 2003 DC, | Domain supports Exchange 2003 servers | 1 |
EO_TIMEOUT | Red Hat Enterprise Linux 5 | Timeout in minutes for EO execution | 0 |
ETC_SHELLS_PATH | Red Hat Enterprise Linux 5 | Path of the /etc/shells file. | /etc/shells |
EXCLUDE_HOME_ | Red Hat Enterprise Linux 5 | Comma-separated list of users to be excluded from the compliance check where a shared home directory is present | rdsmon, rdsroot |
EXCLUDED_USER_LIST | Red Hat Enterprise Linux 5 | Comma-separated list of users to be excluded from the compliance check. | root, sync, shutdown, halt |
EVENT_LOGS_DIR | Windows Server 2003 DC, | Event log directory | ??TARGET.SYSTEMROOT??/ |
EVENT_LOGS_DIR | Windows Server 2008 DC, | Event log directory | ??TARGET.SYSTEMROOT??/ |
FRS_DIRECTORY_ | Windows Server 2003 DC, | FRS directory data location | /C/Windows/NTDS/ |
FIND_FILES_TIMEOUT | Red Hat Enterprise Linux 5 | Timeout in minutes for finding files | 0 |
FIND_SOUND_DEVICE_ | Red Hat Enterprise Linux 5 | Command that finds audio devices | find /dev/audio /dev/snd -type c; |
FIPS_CRYPT_ALGO | Red Hat Enterprise Linux 5 | FIPS 140-2 approved cryptographic algorithms. | aes128-ctr, aes192-ctr, |
FIPS_HASHING_ALGO | Red Hat Enterprise Linux 5 | Pipe-separated list of FIPS approved cryptographic hashing algorithms | sha256\|sha512 |
FSTAB_FILE_PATH | Red Hat Enterprise Linux 5 | The path of the fstab system configuration file | /etc/fstab |
FTP_PASSWORD | Windows Server 2003 DC, | FTP password | password |
FTP_PORT | Red Hat Enterprise Linux 5 | Port on which the FTP service runs within the organization (default 21). | 21 |
FTP_USER | Windows Server 2003 DC, | FTP user | anonymous |
FTP_USERS_FILES | Red Hat Enterprise Linux 5 | The list of ftpusers files. | /etc/ftpusers |
GNOME_BANNER_ | Red Hat Enterprise Linux 5 | GNOME banner message | |
GLOBAL_ | Red Hat Enterprise Linux 5 | All the global initialization files that are used to configure the user's shell environment upon login. | /etc/bashrc |
GRUB_CONF_PATH | Red Hat Enterprise Linux 5 | File location of the GRUB configuration. | /boot/grub/grub.conf |
GRUB_MENU_LST_ | Red Hat Enterprise Linux 5 | GRUB menu.lst file path. | /boot/grub/menu.lst |
GSSFTP_SERVICES_ | Red Hat Enterprise Linux 5 | Whether to check if gssftp services are encrypted | N |
GSSFTP_USER_FILE | Red Hat Enterprise Linux 5 | The path of the ftpusers file used for the gssftp service. | /etc/ftpusers |
HIDS_INSTALLED | Red Hat Enterprise Linux 5 | Whether a HIDS is installed | FALSE |
HIPS | Red Hat Enterprise Linux 5 | Daemon process name for the host-based intrusion detection application. | |
HIPS_DEAMON_NAME | Red Hat Enterprise Linux 5 | The name of the host-based intrusion detection application daemon | Hip |
HIPS_PACKAGE_NAME | Red Hat Enterprise Linux 5 | The name of the RPM package for the host-based intrusion detection application | MFEhiplsm |
INND_SPEC_FILE | Red Hat Enterprise Linux 5 | File that specifies which hosts will be feeding you news using the NNTP protocol. | /etc/news/incoming.conf |
INND_UNRESTRICTED_ | Red Hat Enterprise Linux 5 | File whose purpose is to cross-reference those hosts that have unrestricted incoming connection limits. | /etc/news/infeed.conf |
IS_ALL_INTERFACES_ | Red Hat Enterprise Linux 5 | Whether all interfaces on the system are authorized for management traffic | FALSE |
IS_AUDIT_LOG_ | Windows Server 2003 DC, | Whether audit logs are archived | TRUE |
IPV6_TRANSITION_ | Windows Server 2008 DC, | IPv6 transition complete | FALSE |
IS_DHCP_CLIENT_ | Red Hat Enterprise Linux 5 | Parameter indicating whether the DHCP client is enabled or disabled. Possible values: yes/no | no |
IS_GOLD_DISK | Windows Server 2008 DC | TRUE if the target server is a Gold Disk. | TRUE |
IS_F_SECURE_SSH_ | Red Hat Enterprise Linux 5 | Whether the SSH server is F-Secure | FALSE |
IS_PROCESS_CORE_ | Red Hat Enterprise Linux 5 | Specifies whether process core dumps have been approved by the IAO. By default they are not approved and the value is FALSE. | FALSE |
IS_SYSLOG_ | Red Hat Enterprise Linux 5 | Instead of syslog, checks whether an alternate access control program is used that successfully logs access attempts | FALSE |
IS_SYSTEM_ | Red Hat Enterprise Linux 5 | If the system is part of a stand-alone network that is not connected to the GIG, set to FALSE. | TRUE |
JOURNALING_ | Red Hat Enterprise Linux 5 | Comma-separated list of file systems that support journaling | ext3, ext4, jfs, |
KERNEL_CORE_ | Red Hat Enterprise Linux 5 | The kernel core dump data directory path | /var/crash |
LDAP_CONF_FILE | Red Hat Enterprise Linux 5 | LDAP configuration file path | /etc/ldap.conf |
LOCAL_ | Windows Server 2003 MS, | Comma-separated list of local administrator accounts | |
LOGHOSTS_SEND | Red Hat Enterprise Linux 5 | The documented value or values for the remote log host | |
LOGIN_ACCESS_ | Red Hat Enterprise Linux 5 | Login access control table file | /etc/security/access.conf |
MAIL_ALIAS_CONF_ | Red Hat Enterprise Linux 5 | This file contains the mail alias entries for system programs | /etc/aliases |
MAIL_SYSLOG_LOG_ | Red Hat Enterprise Linux 5 | syslog mail action list | /var/log/maillog |
MAIL_LOG_FILTER | Red Hat Enterprise Linux 5 | The mail selector to be used in /etc/syslog.conf | |
MAX_DISPLAY | Red Hat Enterprise Linux 5 | Maximum lines to be displayed | all |
MAX_INFO_LINES | Red Hat Enterprise Linux 5 | Maximum info lines to be displayed | all |
MAXLOGINS | Red Hat Enterprise Linux 5 | Maximum number of simultaneous system login attempts per user. | 10 |
MAX_OUTPUT_LINES | Red Hat Enterprise Linux 5 | Number of output lines the EO may produce; OM does not parse output of more than 50000 lines. | 1000 |
MANUAL_PAGE_FILES | Red Hat Enterprise Linux 5 | Manual page files | /usr/share/man/* |
MESSAGES_SYSLOG_ | Red Hat Enterprise Linux 5 | syslog messages action list | /var/log/messages |
MODPROBE_CONF_ | Red Hat Enterprise Linux 5 | File location of the modprobe configuration. | /etc/modprobe.conf |
NETWORK_HOST_ | Red Hat Enterprise Linux 5 | Comma-separated list of network host access files | .rhosts,.shosts,.netrc |
NEWS_INCOMING_ | Red Hat Enterprise Linux 5 | Location of the incoming news configuration file. | /etc/news/incoming.conf |
NFS_EXPORTS_ | Red Hat Enterprise Linux 5 | The NFS exports configuration file path | /etc/exports |
NFS_EXPORTS_SQUASH_ | Red Hat Enterprise Linux 5 | The squash option to be used in the NFS exports file (usually /etc/exports). | root_squash |
NON_LOGIN_SHELLS | Red Hat Enterprise Linux 5 | Non-login shells | |
NON_APPROVED_ | Red Hat Enterprise Linux 5 | Semicolon-separated list of removable media, remote file systems, and any file system not containing approved device files. | |
NSSWITCH_CONF_ | Red Hat Enterprise Linux 5 | Location of the nsswitch configuration file. | /etc/nsswitch.conf |
NTP_AUTHORIZED_ | Windows Server 2003 DC, | NTP authorized time server | |
NTP_CONF_PATH | Red Hat Enterprise Linux 5 | File location of the NTP configuration. | /etc/ntp.conf |
NTP_ENCLAVE | Red Hat Enterprise Linux 5 | Comma-separated list of NTP enclave servers. | |
NOGROUP_FILE_ | Red Hat Enterprise Linux 5 | NOGROUP | root |
OS_LATEST_RELEASE | Red Hat Enterprise Linux 5 | OS latest release | ON |
OPTIONAL_ | Windows Server 2003 DC, | V-4445 Optional Subsystems | Posix |
OTHER_SYSTEM_ | Red Hat Enterprise Linux 5 | The groups other than root, sys, bin, other, and system. | |
PAM_SYSTEM_AUTH_ | Red Hat Enterprise Linux 5 | The PAM system-auth file path | /etc/pam.d/system-auth |
POSTFIX_ALIASES | Red Hat Enterprise Linux 5 | File location of the Postfix aliases file | /etc/postfix/aliases |
POSTFIX_ALIASES_DB | Red Hat Enterprise Linux 5 | File location of the Postfix aliases.db file | /etc/postfix/aliases.db |
POSTFIX_MAIN_CF | Red Hat Enterprise Linux 5 | Postfix main.cf configuration file | /etc/postfix/main.cf |
PRINTER_SERVICE_ | Red Hat Enterprise Linux 5 | Path of the print service configuration file | /etc/cups/printers.conf |
REM_DIR_PREFIX | Red Hat Enterprise Linux 5 | Temporary directory used internally by the system to keep remediation-related files. | DISA |
REMEDIATE_SETTING_ | Windows Server 2003 DC, | Remediation setting for GPO | Default Domain Controller Default Domain Security Policy |
REMOTE_LOGGING_ | Red Hat Enterprise Linux 5 | Remote logging server | test-server |
REMOVE_PACKAGES | Red Hat Enterprise Linux 5 | Packages to remove | |
RESTRICTED_FTP_ | Red Hat Enterprise Linux 5 | The names of all accounts not authorized to use FTP. User names should be separated by \| (pipe). For reference, the bin and root accounts have been added. | bin\|root |
RSYSLOG_CONF_ | Red Hat Enterprise Linux 5 | File location of the syslog configuration. | /etc/syslog.conf |
REQUIRED_ | Red Hat Enterprise Linux 5 | List of all required applications for modprobe | |
REQUIRED_SAMBA_ | Red Hat Enterprise Linux 5 | This property defines the name of the Samba SWAT package in use. Keep empty if no package is in use. | TRUE |
RPM_SIGNATURE_ | Red Hat Enterprise Linux 5 | Files used to verify RPM signatures. Files are space-separated. | /etc/rpmrc |
SAMBA_AUTHORIZED_ | Red Hat Enterprise Linux 5 | Comma-delimited set of hosts that are permitted to access a Samba service | 127 |
SAMBA_CONF_FILE | Red Hat Enterprise Linux 5 | Samba configuration file path | /etc/samba/smb.conf |
SAMBA_PASSWORD_ | Red Hat Enterprise Linux 5 | SAMBA_PASSWORD_FILES | /etc/samba/passdb.tdb |
SECURE_TERMINALS | Red Hat Enterprise Linux 5 | Comma-separated list of valid terminals from which root may log in directly | console,tty |
SENDMAIL_ALIASES | Red Hat Enterprise Linux 5 | Location of the aliases file | /etc/aliases |
SENDMAIL_ALIASES_ | Red Hat Enterprise Linux 5 | File location of the Sendmail aliases.db file | /etc/aliases.db |
SENDMAIL_ALIASES_ | Red Hat Enterprise Linux 5 | Sendmail aliases DB group | smmsp |
SENDMAIL-CONF-FILE | Red Hat Enterprise Linux 5 | The sendmail configuration file path | /etc/mail/sendmail.cf |
SERVICES_CHECK_ | Windows Server 2003 DC, | Comma-separated list of services whose startup type should be Automatic | |
SERVICES_CHECK_ | Windows Server 2003 DC, | Comma-separated list of services whose startup type should be Automatic (delayed) | Diagnostic Policy Service, |
SERVICES_CHECK_ | Windows Server 2003 DC, | Comma-separated list of services whose startup type should be Disabled | Alerter, |
SERVICES_CHECK_ | Windows Server 2008 DC, | | Computer Browser, |
SERVICES_CHECK_ | Windows Server 2003 DC, | Comma-separated list of services whose startup type should be Disabled. | Wireless Configuration, |
SERVICES_CHECK_ | Windows Server 2003 DC, | Comma-separated list of services whose startup type should be Manual | |
SERVICES_CHECK_ | Windows Server 2008 DC | Comma-separated list of services whose startup type should be Manual | SL UI Notification Service, |
SERVICES_CHECK_ | Windows Server 2003 DC, | Comma-separated list of services whose startup type should be Manual. | Windows Modules Installer, |
TIME_SYNC_SOURCE | All versions | Specifies the type of time synchronization source to be used. | Possible values are: Nt5DS or |
TCP_BACKLOG | Red Hat Enterprise Linux 5 | TCP backlog queue size | 1280 |
TFTP_USER | Red Hat Enterprise Linux 5 | Dedicated TFTP user account | tftp |
SKELETON_ | Red Hat Enterprise Linux 5 | The skeleton directory that contains the skeleton files | /etc/skel |
SMTP_VERSION | Red Hat Enterprise Linux 5 | The version of the SMTP service | 8.13.8 |
SNMPD_CONF_FILE | Red Hat Enterprise Linux 5 | The default path of the snmpd.conf file | /etc/snmp/snmpd.conf |
SPECIAL_PRIVILEGE_ | Red Hat Enterprise Linux 5 | Comma-separated list of accounts with special privileges such as shutdown, halt, and reboot. | shutdown, halt, reboot |
SSHD_CONFIG_FILE | Red Hat Enterprise Linux 5 | sshd_config file path | /etc/ssh/sshd_config |
SUPPORTED_FS_TYPE | Red Hat Enterprise Linux 5 | Supported file system types for partitions such as /home | ext2, |
SYSCONFIG_NETWORK_ | Red Hat Enterprise Linux 5 | File location of the sysconfig network file. | /etc/sysconfig/network |
SYSCTL_CONF_PATH | Red Hat Enterprise Linux 5 | File location of the sysctl configuration. | /etc/sysctl.conf |
SYSCTL_PATH | Red Hat Enterprise Linux 5 | Path of sysctl | /sbin/sysctl |
SYSLOG_CONF_PATH | Red Hat Enterprise Linux 5 | The syslog.conf configuration file path | /etc/syslog.conf |
SYSLOG_APPROVED_ | Red Hat Enterprise Linux 5 | Pipe-separated list of approved remote syslog servers | |
SYSTEM_GROUP | Red Hat Enterprise Linux 5 | Group name for the public directory | root |
SYSTEM_USER | Red Hat Enterprise Linux 5 | System user | root |
UNIX_SYSTEM_ | Red Hat Enterprise Linux 5 | Unix system accounts | root, bin, daemon, adm, |
UNIX_SYSTEM_ | Red Hat Enterprise Linux 5 | Comma-separated list of Unix system groups. | root, bin, daemon, sys, |
UMASK_GLOBAL_ | Red Hat Enterprise Linux 5 | Global initialization files in which the umask value is configured | /etc/bashrc |
UNNECESSARY_ | Red Hat Enterprise Linux 5 | Comma-separated list of unnecessary accounts, including user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. | |
UNOWNED_FILE_ | Red Hat Enterprise Linux 5 | Unowned file user | root |
VSFTP_USER_FILE | Red Hat Enterprise Linux 5 | The path of the ftpusers file used for the vsftp service. | /etc/vsftpd.ftpusers |
VSFTPD_SERVICES_ | Red Hat Enterprise Linux 5 | Whether to check if vsftpd services are encrypted | N |
VSFTPD_CONF_ | Red Hat Enterprise Linux 5 | vsftpd.conf file path | /etc/vsftpd/vsftpd.conf |
XINETD_CONF_ | Red Hat Enterprise Linux 5 | Xinetd configuration file path (default value is /etc/xinetd.conf) | /etc/xinetd.conf |
X_SERVER_NC_ | Red Hat Enterprise Linux 5 | Pipe-separated list of non-compliant X server options. An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. | -ac\|-core\|-nolock |
X_AUTHORIZED_ | Red Hat Enterprise Linux 5 | Comma-separated list of authorized X hosts, for example a.b.c.d:0,p.q.r/unix:0,10.20.20.80:1. If empty, implies that the SA trusts the configured system. | |
Default value for Banner-related properties
Default value for BANNER_MSG1, BANNER_LONG_PART1, BANNER_LONG_PART2, BANNER_LONG_PART3, BANNER_LONG_PART4, BANNER_LONG_PART5, BANNER_LONG_PART6, BANNER_LONG_PART7, DISA_LEGAL_NOTICE_TEXT_1, DISA_LEGAL_NOTICE_TEXT_2, DISA_LEGAL_NOTICE_TEXT_3, DISA_LEGAL_NOTICE_TEXT_4, and GNOME_BANNER_MESSAGE:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
At any time, the USG may inspect and seize data stored on this IS.
Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Default value for SERVICES_CHECK_STARTUP_AUTOMATIC
Base Filtering Engine,COM+ Event System,Cryptographic Services,DCOM Server Process Launcher,Desktop Window Manager Session Manager,DHCP Client,Distributed Link Tracking Client,DNS Client,Group Policy Client,IP Helper,Network Location Awareness,Network Store Interface Service,Plug and Play,Power,Print Spooler,Remote Procedure Call (RPC),Remote Registry,RPC Endpoint Mapper,Security Accounts Manager,Shell Hardware Detection,System Event Notification Service,Task Scheduler,TCP/IP NetBIOS Helper,User Profile Service,Windows Event Log,Windows Firewall,Windows Management Instrumentation,Windows Time,Workstation,Active Directory Certificate Services,Active Directory Domain Services,Active Directory Web Services,DFS Namespace,DFS Replication,DNS Server,Intersite Messaging,Kerberos Key Distribution Center,DHCP Server,DNS Server,Workstation,Hyper-V Image Management Service,Hyper-V Networking Management Service,Virtual Machine Management Service,Print Spooler,Remote Desktop Services,Application Host Helper Service,World Wide Web Publishing Services.
Default value for SERVICES_CHECK_STARTUP_MANUAL
Application Experience,Application Identity,Application Information,Application Layer Gateway Service,Application Management,Background Intelligent Transfer Service,Certificate Propagation,COM+ System Application,Credential Manager,Diagnostic Service Host,Diagnostic System Host,Disk Defragmenter,Encrypting File System (EFS),Extensible Authentication Protocol,Function Discovery Provider Host,Function Discovery Resource Publication,Health Key and Certificate Management,Human Interface Device Access,IKE and AuthIP IPsec Keying Modules,Interactive Services Detection,IPsec Policy Agent,KtmRm for Distributed Transaction Coordinator,Link-Layer Topology Discovery Mapper,Microsoft .NET Framework NGEN v2.0.50727_X64,Microsoft .NET Framework NGEN v2.0.50727_X86,Microsoft Fibre Channel Platform Registration Service,Microsoft iSCSI Initiator Service,Microsoft Software Shadow Copy Provider,Multimedia Class Scheduler,Netlogon,Network Access Protection Agent,Network Connections,Network List Service,Performance Counter DLL Host,Performance Logs & Alerts,Portable Device Enumerator Service,Problem Reports and Solutions Control Panel Support,Protected Storage,Remote Access Auto Connection Manager,Remote Access Connection Manager,Remote Desktop Configuration,Remote Desktop Services,Remote Desktop Services UserMode Port Redirector,Remote Procedure Call (RPC) Locator,Resultant Set of Policy Provider,Secondary Logon,Secure Socket Tunneling Protocol Service,Smart Card,SNMP Trap,Special Administration Console Helper,SPP Notification Service,Telephony,Thread Ordering Server,TP AutoConnect Service,TPM Base Services,Virtual Disk,Volume Shadow Copy,Windows Audio,Windows Audio Endpoint Builder,Windows Color System,Windows Driver Foundation - User-mode Driver Framework,Windows Error Reporting Service,Windows Event Collector,Windows Font Cache Service,Windows Installer
PCI properties in the local property class
The following PCIv3 properties are present in the local property class:
Property Name | Description | Default Value |
---|---|---|
ACCESS_THIS_COMPUTER_ | Security setting: Access this computer from the network | |
ACCOUNT_LOCKOUT_THRESHOLD | | 15 |
ADD_WORKSTATION_TO_DOMAIN | Defines which users are allowed to add computer workstations to a specific domain | |
ALLOW_PKU2U_AUTHENTICATION_ | | 0 |
ALLOW_UNDOCK_WITHOUT_LOG_ON | | 0 |
ALWAYS_COMPLIANT | | FALSE |
ANONYMOUS_ENUM_OF_SAM_ | | 1 |
ANONYMOUS_ENUMERATION_OF_ | | 1 |
ANONYMOUS_NAMED_PIPES | Defines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. | |
AUDIT_ACCESS_OF_ | 0-Disable, 1-Enable | 0 |
AUDIT_INCOMING_NTLM_TRAFFIC | Possible values: 0-Disable, 1-Enable auditing for domain accounts, 2-Enable auditing for all accounts | 0 |
AUDIT_NTLM_AUTHENTICATION_ | Possible values: 0-Disable, 1-Enable for domain accounts to domain servers, 3-Enable for domain accounts, 5-Enable for domain servers, 7-Enable all | 0 |
AUDIT_USE_OF_BACKUP_ | | 0 |
AUTO_REBOOT_AFTER_ | | 0 |
BYPASS-SERVER-CHECKING | | |
BYPASS-SERVER-CHECKING-2012 | Property for PCI Windows 2012 | |
COMPUTER_AND_USER_ | Property for PCI Windows 2012 | |
DCOM_MACHINE_ACCESS_ | | O:BAG:BAD:(A;;CCDCLC;;;S-1-5-32-562) |
DCOM_MACHINE_LAUNCH_ | | O:BAG:BAD:(A;;CCDCLCSWRP;;;S-1-5-32-562) |
DEBUG_PROGRAMS | User group for the Debug Programs right | |
DENY_LOG_ON_THROUGH_ | Comma-separated list of users and groups | |
DIGITALLY_SIGN_COMMUNICATION_ | | 0 |
DISABLE_DOMAIN_CREDENTIALS | | 1 |
DISPLAY_USER_INFO_WHEN_ | Possible values: 1-User display name, domain and user names, 2-User display name only, 3-Do not display user information | 1 |
DO_NOT_ALLOW_ANONYMOUS_ENUM_ | | 1 |
ENABLE_ADMINISTRATIVE_SHARES | | 0 |
ENABLE_ICMP_REDIRECT | | 0 |
ENCRYPTION_LEVEL_TYPE | | 3 |
ENCRYPTION_TYPE_FOR_KERBEROS | Possible values: 1-DES_CBC_CRC, 2-DES_CBC_MD5, 4-RC4_HMAC_MD5, 8-AES128_HMAC_SHA1, 16-AES256_HMAC_SHA1, 2147483616-Future encryption types. | 2147483644 |
FORCE_KEY_PROTECTION | Possible values: 0-User input is not required when keys are stored and used, 1-User is prompted when the key is first used, 2-User must enter a password each time they use a key | 2 |
FORCE_LOGOFF_WHEN_LOGON_ | | 1 |
FORCE_SHUTDOWN_FROM_ | | |
FORCE_STRONG_KEY_PROTECT | | |
GENERATE_SECURITY_AUDITS | Generate security audits | |
HIDE_COMPUTER_FROM_ | | 1 |
INCOMING_NTLM_TRAFFIC | Possible values: 0-Allow all, 1-Deny all domain accounts, 2-Deny all accounts | 0 |
INVALID_LOGON_ATTEMPTS | Limit on the number of failed logon attempts | 5 |
IS_DOMAIN | Used in the remediation script to check whether the target is a domain controller | |
IS_REM_SSLF | Used in the remediation of auditpol rules | |
KEEP_ALIVE_TIME | Possible values: 150000 (2.5 minutes), 300000 (5 minutes, recommended), 600000 (10 minutes), 1200000 (20 minutes), 2400000 (40 minutes), 3600000 (1 hour), 7200000 (2 hours, default value) | 300000 |
LAN_MANAGER_AUTHENTICATION_ | | |
LOCK_PAGES_IN_MEMORY | | |
LOG_ON_AS_A_SERVICE | Comma-separated list of users and groups | |
MANAGE_AUDITING_AND_ | | Administrators |
MAX_USER_TICKET_LIFETIME | Maximum lifetime for user ticket renewal | |
MIN_PASSWD_LENGTH | Minimum password length | 14 |
MIN_PASSWORD_LENGTH | | 8 |
MIN_SESSION_SECURITY_FOR_NTLM_SSP | | 537395248 |
MIN_SESSION_SECURITY_FOR_ | | 0 |
MNC_DIGITALLY_SIGN_ | | 1 |
MODIFY_FIRMWARE_ENVIORNMENT_ | | |
NETWORK_ACCESS_DO_NOT_ | Do not allow anonymous enumeration of SAM accounts | 1 |
NW_ACCESS_ALLOW_ANONYMOUS_ | Network access: Allow anonymous SID/Name translation | 0 |
NW_ACCESS_DO_NOT_ALLOW_ | Network access: Do not allow anonymous enumeration of SAM accounts | 1 |
NETWORK_LAN_MANAGER_ | | |
NO_DEFAULT_EXEMPT | Possible values: 0-Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP; 1-Exempts multicast, broadcast, ISAKMP; 2-Exempts RSVP, Kerberos, ISAKMP; 3-Exempts ISAKMP only | 3 |
NO_NAME_RELEASE_ | | 1 |
NTLM_AUTHENTICATION_ | Possible values: 0-Disable, 1-Deny for domain accounts to domain servers, 3-Deny for domain accounts, 5-Deny for domain servers, 7-Deny all | 0 |
NULL_SESSION_SHARES | Network shares that can be accessed by anonymous users. | |
OPTIONAL_SUBSYSTEMS_TYPE | | Posix |
OUTGOING_NTLM_TRAFFIC_ | Possible values: 0-Allow all, 1-Audit all, 2-Deny all | 0 |
PERFORM_ROUTER_DISCOVERY | | 0 |
PCI_LEGAL_NOTICE_TEXT | | This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system or in the course of system maintenance the activities of authorized users may also be monitored. |
PCI_LEGAL_TITLE_TEXT | | Computer logon (authorized users only) |
PERFORM_VOLUME_ | Perform volume maintenance tasks | |
PROFILE_SINGLE_PROCESS | | |
REMEDIATE_SETTING_FOR_GPO | Type of domain setting used during remediation | Default Domain Controller Security Policy and Default Domain Security Policy |
REMOTE_SERVERS_FOR_ | Comma-separated list of remote servers | |
REMOTE_SERVERS_INDOMAIN_ | Comma-separated list of remote servers | |
REMOTELY_ACCESSIBLE_ | | |
REMOVE_COMPUTER_FROM_ | | Administrators |
RENAME_ADMINISTRATOR_ACCOUNT | | Administrator |
RENAME_GUEST_ACCOUNT | | Guest |
REQUIRE_SMART_CARD | | 1 |
RESTORE_FILES_DIRS | | BUILTIN\Backup Operators |
RESTRICT_CDROM_ACCESS_ | | 1 |
RESTRICT_FLOPPY_ACCESS_ | | 1 |
SERVER_SPN_TARGET_NAME_ | Possible values: 0-Off, 1-Accept if provided by client, 2-Required from client | 0 |
SHUTDOWN_IF_UNABLE_TO_ | Security Options\Audit: Shut down system immediately if unable to log security alerts | 1 |
STRONG_PROTECTION_USER_KEY | Force strong key protection for user keys stored on the computer | |
TCP_MAX_DATA_RETRANSMISSIONS | How many times unacknowledged data is retransmitted | 3 |
TCP_MAX_DATA_RETRANSMISSIONS_IPV6 | How many times unacknowledged data is retransmitted for IPv6 | 3 |
Unix System Accounts | Unix system accounts | root, rdsmon, rdsroot, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, nobody, rpm, dbus, avahi, nscd, mailnull, smmsp, vcsa, haldaemon, rpc, rpcuser, sshd, pcap, ntp, xfs, gdm, sabayon, squid, aaa, testappuser, apache, ldap, mailman, mysql, named, postgres, pegasus, tomcat, radvd, cyrus, amanda, privoxy, quagga, distcache |
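The ENCRYPTION_TYPE_FOR_KERBEROS value in the table above is a bitmask assembled from the listed flag values, so a reviewer checking a template needs to decode it rather than read it as a single number. The decoder below is an added example, not code from the Compliance Content templates; it assumes only the flag values printed in the table, and the "weak" classification is the example's own, not a ranking the page makes. It shows that the default 2147483644 enables RC4_HMAC_MD5, both AES types and the future-types mask while leaving both DES bits clear.

```python
# Decoder for the ENCRYPTION_TYPE_FOR_KERBEROS bitmask, using only the flag
# values listed in the PCI property table. Added example, not template code.

# Flag values exactly as given in the table (name -> mask).
KERBEROS_ENC_TYPES = {
    "DES_CBC_CRC": 1,
    "DES_CBC_MD5": 2,
    "RC4_HMAC_MD5": 4,
    "AES128_HMAC_SHA1": 8,
    "AES256_HMAC_SHA1": 16,
    "Future encryption types": 2147483616,  # multi-bit mask, 0x7FFFFFE0
}

# Assumption of this example: types a hardening review would question
# (single DES and the MD5-keyed RC4 type). The page does not rank them.
WEAK_TYPES = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}


def decode_enc_types(value):
    """Return the names whose full mask is set in value, in table order.

    A multi-bit mask (the 'Future' entry) counts only if all its bits are set.
    """
    if value < 0:
        raise ValueError("bitmask must be non-negative")
    return [name for name, mask in KERBEROS_ENC_TYPES.items()
            if value & mask == mask]


def encode_enc_types(names):
    """Build the property value from an iterable of type names."""
    value = 0
    for name in names:
        if name not in KERBEROS_ENC_TYPES:
            raise KeyError("unknown Kerberos encryption type: %s" % name)
        value |= KERBEROS_ENC_TYPES[name]
    return value


def unaccounted_bits(value):
    """Bits in value not covered by any listed mask; 0 for a well-formed value."""
    covered = 0
    for mask in KERBEROS_ENC_TYPES.values():
        covered |= mask
    return value & ~covered


def weak_types_enabled(value):
    """Names of enabled types that fall in the example's WEAK_TYPES set."""
    return [n for n in decode_enc_types(value) if n in WEAK_TYPES]


if __name__ == "__main__":
    default = 2147483644  # Default Value column of the table
    print("%d = 0x%08X enables: %s" % (default, default, decode_enc_types(default)))
    print("unaccounted bits:", unaccounted_bits(default))
    print("weak types still enabled:", weak_types_enabled(default))
    aes_only = encode_enc_types(
        ["AES128_HMAC_SHA1", "AES256_HMAC_SHA1", "Future encryption types"])
    print("value with RC4 also cleared:", aes_only)
```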
Where to go from here