## Version .04 January 2008 ##
#
# Date Created : 2007-02-06
#
#
# CHANGELOG:
# - 2007-02-07: Finished Mapping existing STIG scripts to DCID 6/3
#   Sections. [St. Laurent]
# - 2007-12-xx: Initiated updates to reflect DCID PL4 Requirements
#   [Tresys]
# - 2008-01-xx: Added/updated STIG scripts. Finalized kickstart
#   procedures. [Tresys]
#
#
# Profile Name: dcid-6-3-PL4-ks.1.0.txt
# Profile Label: dcid-6-3-PL4-ks.1.0.txt
#
# Details: This KickStart file lists out DCID 6/3 Policy at the PL4
#   Confidentiality level. Security settings are applied and
#   mapped to each specific PL4 section in DCID 6/3.
#
#   Setting these security features in a KickStart file allows an
#   auditor to have a high degree of assurance that a system is
#   being set up to meet the security requirements the same
#   (correct) way every time.
#
#   A SHA-1 should be created to ensure a degree of
#   resistance to unauthorized modification.
#
#   NOTE(review): this file embeds plaintext credentials (the bootloader
#   and root passwords below, and the clipuser password set in %post).
#   Anyone who can read the kickstart, the install media it ships on, or
#   the installer logs learns them, so store and transport the file with
#   the same protection as the passwords, and rotate them after install.
#
## Version .02 February 2007 ##
## Version .03 December 2007 ##
## Version .04 January 2008 ##

# The "install" command tells the system to install a fresh system
# rather than upgrade an existing system. You must specify the type
# of installation in the form of: cdrom, harddrive, nfs, url (ftp
# http installation). The "install" command and the installation
# method command must be on separate lines. Examples:
# url --url http:///
# --url ftp://:@/
# Passwd is in CLEAR with ftp!!! Not to be used.
# harddrive --partition=hda2--dir=/path/to/install-tree
# nfs --server=nfsserver.example.com --dir=/path/to/install-tree
# (The host/path placeholders in the examples above were lost when this
# file was copied; fill in the server and directory for your site.)
install

# Perform the kickstart install in Text Mode. Installs are
# performed in graphical mode by default.
text

# Defaults to a CD based install - disable if using URL or some other media.
# Use the network option if installing from a remote installation tree.
cdrom

# Configure network information for the system. The "network"
# option configures networking information for installations from an
# installation tree on a remote server via NFS, FTP, or HTTP. DHCP
# uses a DHCP server to get the network configuration information.
#network --bootproto dhcp

# Perform a remote install.
# The network option is required if performing a remote install
#url --url http:///
#url --ftp ftp://:@/

# The "lang" command sets the language to use during installation.
lang en_US

# The "langsupport" to install on the system. The --default switch
# must be used if more than one language is specified.
langsupport --default en_US en_US

# The "keyboard" command is required to set the system keyboard type.
keyboard us

# The "mouse" command is required to configure the mouse type.
# Giving no options will attempt to automatically detect the mouse.
mouse

##### WARNING: THIS WILL ERASE YOUR SYSTEM #####
# A full backup should be performed before installation.
# zerombr wipes every partition table; clearpart --all removes every
# existing partition before the layout below is created.
zerombr yes
clearpart --all

# PARTITION NOTES
# The following options are required under 'Disk Partition Information'
# section in ks.cfg file, for creating the Logical Volume Manager (LVM)
# partitions using kickstart.
#Disk partitioning information
#part pv.
#volgroup
#logvol --vgname= --size= --name=
#EXAMPLE using LVM
#part /boot --fstype ext3 --size=150
#part swap --size=1024
#part pv.01 --size=1 --grow
#volgroup vg_root pv.01
#logvol / --vgname=vg_root --size=8192 --name=lv_root
#logvol /var --vgname=vg_root --size=4096 --name=lv_var
#logvol /tmp --vgname=vg_root --size=2048 --name=lv_tmp
#logvol /spare --vgname=vg_root --size=1 --grow --name=lv_spare

# Separate /var, /home and /tmp volumes: the %post section later mounts
# /home with nosuid,nodev (GEN002420), which needs it to be its own
# filesystem. Sizes are minimums in MB; --grow shares the remaining space.
partition /boot --fstype "ext3" --size=128
partition pv.2 --size=0 --grow
volgroup VolGroup00 pv.2
logvol swap --fstype swap --name=swapVol --vgname=VolGroup00 --size=512
logvol / --fstype ext3 --name=rootVol --vgname=VolGroup00 --size=1024 --grow
logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=1024 --grow
logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=256 --grow
logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024

# Specifies how the GRUB bootloader should be installed.
# Set a password to prevent any non-standard boot options.
# The password should be changed after installation.
# NOTE(review): the password is given in clear text here; the kickstart
# bootloader command also accepts a pre-hashed value (--md5pass), which
# avoids leaving the plaintext in this file.
bootloader --location mbr --password 123)(*qweASD

# Set the root password.
# This should be changed after installation.
# NOTE(review): same as the bootloader password above and the clipuser
# password in %post; rootpw --iscrypted takes a hash instead of plaintext.
rootpw 123)(*qweASD

# Set the authentication options for the system.
# Similar to the authconfig command.
auth --enablemd5 --enableshadow

# Set the timezone
timezone --utc America/New_York

# Enable selinux
selinux --enforcing

# Enable the firewall
# 22/tcp is ssh. 161/tcp and 1002/tcp are opened without explanation
# here; 161 is normally SNMP over UDP, so confirm both are intended.
firewall --enabled --port=22:tcp --port=161:tcp --port=1002:tcp

# Reboot after installation is complete
reboot

# Install Packages. This is site specific.
%packages --resolvedeps
@base
policycoreutils-newrole
aide
sysstat
# NOTE(review): setools is requested here and removed again (-setools)
# further down; the later entry wins in practice, so decide which is
# intended and drop the other.
setools
audit
#####################################
# Remove tcpdump per STIG gen003865 #
#####################################
-tcpdump
#####################################
# Remove Packages for PL4 compliance#
#####################################
-xdelta
-nmap
-emacspeak
-byacc
-gimp-help
-splint
-perl-Crypt-SSLeay
-units
-perl-XML-Grove
-perl-XML-LibXML-Common
-perl-XML-SAX
-perl-XML-Twig
-valgrind
-valgrind-callgrind
-gimp-gap
-cdecl
-perl-XML-Dumper
-kernel-smp-devel
-blas
-lapack
-java-1.4.2-gcj-compat
-kernel-hugemem-devel
-kernel-devel
-perl-XML-Encoding
-gnome-games
-isdn4k-utils
-vnc
-vnc-server
#e2fsprogs
#kernel-smp
-tog-pegasus
-tog-pegasus-devel
-ethereal
-ethereal-gnome
-xchat
-vino
-gaim
-gnome-pilot
-bluez-utils
-bluez-utils-cups
-bluez-hcidump
-bluez-gnome
-yum-updatesd
-wpa_supplicant
-ypbind
-NetworkManager
-NetworkManagerDispatcher
-setools
-telnet
-wireless-tools
#@ office
#@ admin-tools
#@ editors
#@ system-tools
#@ gnome-desktop
#@ dialup
#@ base-x
#@ printing
#@ server-cfg
#@ graphical-internet
#kernel
-python-ldap
-httpd-suexec
-system-config-httpd
-psgml
-emacs-leim
-gimp-data-extras
-xcdroast
-perl-XML-LibXML
-gimp-print-plugin
-xsane-gimp
-gimp
#lvm2
-zsh
#net-snmp-utils
-rhythmbox
-gcc-g77
#grub
-texinfo
-octave
-dia
-perl-LDAP
-oprofile
-emacs
#system-config-printer-gui
-doxygen
-planner
-tux
-indent
-cdparanoia
-gcc-java
-gnomemeeting
#openoffice.org-i18n
#openoffice.org-libs
#openoffice.org
#firefox
-evolution
-xsane
-ctags
-cscope
-sane-frontends
-perl-XML-Parser
-php-mysql
-rcs
-perl-XML-NamespaceSupport
#get rid of rlogin
-rsh
# needed to compile policy
rpm-build
gcc
checkpolicy

%pre
##### No changes should be made beyond this point #####

%post
# Log %post errors
# NOTE(review): nothing below actually captures %post output. Kickstart
# releases that support it accept `%post --log=<path>`; otherwise redirect
# the section's output explicitly, or failed hardening steps go unnoticed.
##########################################################################
# The post section of this kickstart file takes care of the secure
# configuration of Red Hat according to DCID 6/3.
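#
# Levels of Concern:
#   Confidentiality PL4
#   [ PL4 ]
##########################################################################

# The Red Hat provided GPG key Red Hat uses to sign all of our RPM packages
rpm --import /usr/share/rhn/RPM-GPG-KEY

##########################################################################
# UNIX STIG v5r1
##########################################################################

## (GEN000020: CAT II) (Previously – G001) The IAO and SA will ensure, if
## configurable, the UNIX host is configured to require a password for access
## to single-user and maintenance modes.
echo "" >> /etc/inittab
echo "#Require password in single-user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab

## (GEN000400: CAT II) (Previously – G010) The SA will ensure a logon-warning banner is
## displayed on all devices and sessions at the initial logon.
# The heredoc delimiter is unquoted, so the banner text must stay free of
# $, backquotes and backslashes or they are expanded as the file is written.
cat <<-EOF > /etc/issue
You are accessing a U.S. Government (USG) information system (IS) that is
provided for USG-authorized use only. By using this IS, you consent to the
following conditions:
-The USG routinely monitors communications occurring on this IS, and any
device attached to this IS, for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network defense, quality control, and
employee misconduct, law enforcement, and counterintelligence investigations.
-At any time, the USG may inspect and/or seize data stored on this IS and any
device attached to this IS.
-Communications occurring on or data stored on this IS, or any device attached
to this IS, are not private. They are subject to routine monitoring and search.
-Any communications occurring on or data stored on this IS, or any device
attached to this IS, may be disclosed or used for any USG-authorized purpose.
-Security protections may be utilized on this IS to protect certain interests
that are important to the USG. For example, passwords, access cards,
encryption or biometric access controls provide security for the benefit of
the USG. These protections are not provided for your benefit or privacy and
may be modified or eliminated at the USG's discretion.
EOF
# Have sshd show the banner; only the stock commented-out line is rewritten,
# so an sshd_config that already has an active Banner line is left alone.
sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config
# Show the banner before a GDM session starts: a gdialog --yesno prompt is
# inserted ahead of the PATH= line of PreSession/Default; declining it shows
# a 10 second notice and exits the PreSession script with status 1.
sed -i "s/^\(PATH=.*\)/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n sleep 10\n exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default

## (GEN000440: CAT II) (Previously – G012) The SA will ensure all logon attempts (both
## successful and unsuccessful) are logged to a system log file.
echo "auth.* /var/log/authlog" >> /etc/syslog.conf

## (GEN000460: CAT II) (Previously – G013) The SA will ensure, after three consecutive
## failed logon attempts for an account, the account is locked for 15 minutes or until
## the SA unlocks the account.
# Whole-file replacement of system-auth: pam_tally locks after 3 failures for
# unlock_time=900 s, pam_cracklib requires minlen=12 with two of each character
# class, and pam_unix keeps the last 12 hashes (remember=12, see GEN000800).
# NOTE(review): nullok on the pam_unix auth line lets an account with an empty
# password field authenticate; GEN000560 below locks such accounts, but confirm
# that combination is what the profile intends.
cat <<-EOF > /etc/pam.d/system-auth
#%PAM-1.0
auth        required      pam_tally.so deny=3 onerr=fail unlock_time=900 quiet
auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass audit
account     required      pam_unix.so
account     required      pam_tally.so
password    required      pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
password    required      pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
EOF
# authconfig is made non-executable, presumably so it cannot regenerate
# system-auth and undo the settings above.
chmod ugo-x /usr/sbin/authconfig

## (GEN000480: CAT II) (Previously – G015) The SA will ensure the logon delay between
## logon prompts after a failed logon is set to at least four seconds.
echo "FAIL_DELAY 4" >> /etc/login.defs

## (GEN000500: CAT II) (Previously – G605) The SA will configure systems to log
## out interactive processes (i.e., terminal sessions, ssh sessions, etc.,)
## after 15 minutes of inactivity or ensure a password protected screen lock
## mechanism is used and is set to lock the screen after 15 minutes of
## inactivity.
echo "TMOUT=900" >> /etc/profile

## (GEN000540: CAT II) (Previously – G004) The SA will ensure passwords are
## not changed more than once a day.
sed -i '/^PASS_MIN_DAYS/ c\PASS_MIN_DAYS\t1' /etc/login.defs

## (GEN000560: CAT I) (Previously – G018) The SA will ensure each account in
## the /etc/passwd file has a password assigned or is disabled in the
## password, shadow, or equivalent, file by disabling the password and/or by
## assigning a false shell in the password file.
# Read /etc/shadow field by field rather than word-splitting the whole file
# through a for loop; an empty second field means no password is set, and
# such accounts are locked (-L) and given a non-functional shell.
while IFS=: read -r ACCT PASSHASH _; do
  [ -n "$ACCT" ] || continue
  if [ -z "$PASSHASH" ]; then
    /usr/sbin/usermod -L -s /dev/null "$ACCT"
  fi
done < /etc/shadow

## (GEN000580: CAT II) (Previously – G019) The IAO will ensure all passwords contain a
## minimum of eight characters.
# NOTE(review): on a PAM-based system PASS_MIN_LEN is generally not what is
# enforced; the pam_cracklib minlen=12 written above is the effective control.
sed -i "s/PASS_MIN_LEN[ \t]*[0-9]*/PASS_MIN_LEN\t8/" /etc/login.defs

## (GEN000600: CAT II) (Previously – G019) The IAO will ensure passwords include at
## least two alphabetic characters, one of which must be capitalized.
# See GEN000460

## (GEN000700: CAT II) (Previously – G020) The SA will ensure passwords are
## changed at least every 90 days.
sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs

## (GEN000800: CAT II) (Previously – G606) The SA will ensure passwords will not be
## reused within the last ten changes.
# See GEN000460

## (GEN000920: CAT II) (Previously – G023) The SA will ensure the root account
## home directory (other than ‘/’) has permissions of 700. Do not change the
## permissions of the ‘/’ directory to anything other than 0755.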
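chmod 700 /root

## (GEN000980: CAT II) (Previously – G026) The SA will ensure root can only log
## on as root from the system console, and then only when necessary to perform
## system maintenance.
echo "console" > /etc/securetty

## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to
## log on to their personal account and invoke the /bin/su - command to switch
## user to root.
# Configure sshd and login to consult pam_access.so
sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/login
# access.conf: root may only come in via cron/crond; everyone outside the
# "users" group is denied everywhere else.
cat <<-EOF >> /etc/security/access.conf
#only access for root is cron
+:root: cron crond
-:ALL EXCEPT users :ALL
EOF
# clipuser is the one interactive account the rules above admit; wheel
# membership is what lets it su to root.
# NOTE(review): its password is hard-coded here in plain text and is the same
# value used for rootpw and the bootloader; it must be changed after install.
adduser -G users,wheel clipuser
echo "123)(*qweASD" | passwd --stdin clipuser

## (GEN001080: CAT III) (Previously – G229) The SA will ensure the root shell
## is not located in /usr if /usr is partitioned.
/usr/sbin/usermod -s /bin/bash root

## (GEN001120: CAT II) (Previously – G500) The SA will configure the
## encryption program for direct root access only from the system console.
# Only the stock commented-out line is rewritten (same caveat as the Banner
# edit: an already-active PermitRootLogin line is not touched).
sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config

## (GEN001260: CAT II) (Previously – G037) The SA will ensure all system log
## files have permissions of 640, or more restrictive.
find /var/log/ -type f -exec chmod 640 '{}' \;
# rc.sysinit recreates some log files at boot with 0664; lower that to 0640.
sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit

## (GEN001280: CAT III) (Previously – G042) The SA will ensure all manual page
## files (i.e.,files in the man and cat directories) have permissions of 644,
## or more restrictive.
find /usr/share/man -type f -not -perm 644 -exec chmod 644 {} \;

## (GEN001380: CAT II) (Previously – G048) The SA will ensure the /etc/passwd
## file has permissions of 644, or more restrictive.
chmod 644 /etc/passwd

## (GEN001400: CAT I) (Previously – G047) The SA will ensure the owner of the
## /etc/passwd and /etc/shadow files (or equivalent) is root.
chown root /etc/passwd
chown root /etc/shadow

## (GEN001420: CAT II) (Previously – G050) The SA will ensure the /etc/shadow
## file (or equivalent) has permissions of 400.
chmod 400 /etc/shadow

## (GEN001460: CAT IV) (Previously – G052) The SA will ensure all home
## directories defined in the /etc/passwd file exist.
# Read the home field directly and quote it, so a path containing whitespace
# is not split into several mkdir operands; accounts with an empty home
# field are skipped.
while IFS=: read -r _ _ _ _ _ HOMEDIR _; do
  [ -n "$HOMEDIR" ] || continue
  if [ ! -d "$HOMEDIR" ]; then
    mkdir "$HOMEDIR"
  fi
done < /etc/passwd

## (GEN001560: CAT II) (Previously – G068) The user, application developers,
## and the SA will ensure user files and directories will have an initial
## permission no more permissive than 700, and never more permissive than 750.
# When /home is empty the glob stays literal, so skip anything that is not
# an existing directory instead of handing the literal pattern to find.
for BASEDIR in /home/* /root; do
  [ -d "$BASEDIR" ] || continue
  find "$BASEDIR" -type f -exec chmod 600 '{}' \;
  find "$BASEDIR" -type d -exec chmod 700 '{}' \;
done

## (GEN001580: CAT II) (Previously – G058) The SA will ensure run control
## scripts have permissions of 755, or more restrictive.
chmod 755 /etc/rc.d/init.d/*

## (GEN001620: CAT II) (Previously – G061) The SA will ensure run control
## scripts files do not have the suid or sgid bit set.
chmod ug-s /etc/rc.d/init.d/*

## (GEN001660: CAT II) (Previously – G611) The SA will ensure the owner of run
## control scripts is root.
chown root /etc/rc.d/init.d/*

## (GEN001680: CAT II) (Previously – G612) The SA will ensure the group owner
## of run control scripts is root, sys, bin, other, or the system default.
chgrp root /etc/rc.d/init.d/*

## (GEN001720: CAT II) The SA will ensure global initialization files have
## permissions of 644, or more restrictive.
chmod 644 /etc/{profile,bashrc,environment}

## (GEN001740: CAT II) The SA will ensure the owner of global initialization
## files is root.
chown root /etc/{profile,bashrc,environment}

## (GEN001760: CAT II) The SA will ensure the group owner of global
## initialization files is root, sys, bin, other, or the system default.
chgrp root /etc/{profile,bashrc,environment}

## (GEN001780: CAT III) (Previously – G112) The SA will ensure global
## initialization files contain the command mesg –n.
for FILE in /etc/{profile,bashrc,environment}; do
  echo "mesg n" >> "$FILE"
done

## (GEN001800: CAT II) (Previously – G038) The SA will ensure all
## default/skeleton dot files have permissions of 644, or more restrictive.
find /etc/skel -type f -exec chmod 644 '{}' \;

## (GEN001820: CAT II) The SA will ensure the owner of all default/skeleton
## dot files is root or bin.
find /etc/skel -type f -exec chown root '{}' \;

## (GEN002040: CAT I) The SA will ensure .rhosts, .shosts, hosts.equiv, nor
## shosts.equiv are used, unless justified and documented with the IAO.
# Each trust file is replaced by a symlink to /dev/null so that anything
# written to it later is discarded.
for TRUSTFILE in /root/.rhosts /root/.shosts /etc/hosts.equiv; do
  rm -f "$TRUSTFILE"
  ln -s /dev/null "$TRUSTFILE"
done

## (GEN002120: CAT II) (Previously – G069) The SA will ensure the /etc/shells
## (or equivalent) file exists.
cat <<-EOF > /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
EOF

## (GEN002160: CAT I) (Previously – G072) The SA will ensure no shell has the
## suid bit set.
## (GEN002180: CAT II) (Previously – G073) The SA will ensure no shell has the
## sgid bit set.
## (GEN002200: CAT II) (Previously – G074) The SA will ensure the owner of all
## shells is root or bin.
## (GEN002220: CAT II) (Previously – G075) The SA will ensure all shells
## (excluding /dev/null and sdshell) have permissions of 755, or more
## restrictive.
# One pass over /etc/shells covers the four items above. The loop variable is
# deliberately not SHELL: the original four loops assigned SHELL, which is the
# environment variable naming the current shell, and left it pointing at the
# last entry of /etc/shells for the rest of %post.
while IFS= read -r SHELLPATH; do
  [ -n "$SHELLPATH" ] || continue
  chmod u-s "$SHELLPATH"
  chmod g-s "$SHELLPATH"
  chown root "$SHELLPATH"
  chmod 755 "$SHELLPATH"
done < /etc/shells

## (GEN002320: CAT II) (Previously – G501) The SA will ensure the audio devices
## have permissions of 644, or more restrictive.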
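# Drop the console-ownership rules that would hand audio devices to the
# logged-in user, and pin them to root:root 0644 via udev instead.
sed -i -r "/sound|snd|mixer/ d" /etc/security/console.perms.d/50-default.perms
echo "SUBSYSTEM==\"sound|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"" > /etc/udev/rules.d/55-audio-perms.rules

## (GEN002340: CAT II) (Previously – G502) The SA will ensure the owner of
## audio devices is root.
# see GEN002320

## (GEN002360: CAT II) (Previously – G504) The SA will ensure the group owner
## of audio devices is root, sys, or bin.
# see GEN002320

## (GEN002420: CAT II) (Previously – G086) The SA will ensure user filesystems,
## removable media, and remote filesystems will be mounted with the nosuid
## option.
FSTAB=/etc/fstab
SED=/bin/sed

#######################################
# Append mount options to one /etc/fstab entry when the first option is not
# already present. Replaces six copy-pasted if-blocks that differed only in
# mount point and option.
# Globals:   FSTAB, SED (read)
# Arguments: $1 - mount point as written in fstab (e.g. /home or /usr/local)
#            $2 - option that must end up present (nosuid or nodev)
#            $3 - extra option appended together with $2 (acl here)
# Returns:   0 always; an absent entry is left untouched, as is one that
#            already carries $2
#######################################
add_mount_opts() {
  local MNT=$1 OPT=$2 EXTRA=$3
  local ESC_MNT=${MNT//\//\\/}
  local MNT_OPTS
  # No fstab entry for this mount point: nothing to edit. (The original
  # reached sed with an empty MNT_OPTS and matched nothing, same outcome.)
  grep -q " ${ESC_MNT} " "${FSTAB}" || return 0
  if [ "$(grep " ${ESC_MNT} " "${FSTAB}" | grep -c "${OPT}")" -eq 0 ]; then
    # Fourth column is the existing option list; the new options are tacked
    # onto its end so the remaining columns (dump/pass) stay where they are.
    MNT_OPTS=$(grep " ${ESC_MNT} " "${FSTAB}" | awk '{print $4}')
    ${SED} -i "s/\( ${ESC_MNT}.*${MNT_OPTS}\)/\1,${OPT},${EXTRA}/" "${FSTAB}"
  fi
}

# nosuid and acl on /home, /sys and /boot; nodev and acl on /usr, /home and
# /usr/local. /home therefore ends up with acl listed twice, exactly as the
# original produced; mount tolerates the repeat, so it is left as is.
# NOTE(review): /sys is normally not an fstab entry on this platform, and
# acl is not a sysfs option; the call is kept only because the profile lists
# it and it is a no-op when the entry is absent.
add_mount_opts /home nosuid acl
add_mount_opts /sys nosuid acl
add_mount_opts /boot nosuid acl
add_mount_opts /usr nodev acl
add_mount_opts /home nodev acl
add_mount_opts /usr/local nodev acl

## (GEN002560: CAT II) (Previously – G089) The SA will ensure the system and
## user umask is 077.
echo "umask 077" >> /etc/bashrc

## (GEN002640: CAT II) (Previously – G092) The SA will ensure logon capability
## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon,
## and any default account not normally logged onto) will be disabled by
## making the default shell /bin/false, /usr/bin/false, /sbin/false,
## /sbin/nologin, or /dev/null, and by locking the password.
# The UID is read straight from the third passwd field instead of spawning
# id(1) per account, and the two conditions are separate tests rather than
# the deprecated -a form. 500 is assumed to be the first regular UID on the
# target release (UID_MIN in login.defs) — confirm.
while IFS=: read -r NAME _ NAMEID _; do
  [ -n "$NAME" ] || continue
  if [ "$NAMEID" -lt 500 ] && [ "$NAME" != 'root' ]; then
    /usr/sbin/usermod -L -s /dev/null "$NAME"
  fi
done < /etc/passwd

## (GEN002660: CAT II) (Previously – G093) The SA will configure and implement
## auditing.
chkconfig auditd on
# Fresh rule file; later items append to it. -f 2 means a failure of the
# audit subsystem panics the kernel, so every later rule and the daily
# auditd restart in logrotate should be tested with that setting in place.
cat <<-EOF > /etc/audit/audit.rules
# Remove any existing rules
-D
# Enable auditing
-e 1
# Increase buffer size to handle the increased number of messages.
-b 8192
# Failure of auditd causes a kernel panic
-f 2
EOF

## (GEN002680: CAT II) (Previously – G094) The SA will ensure audit data files
## and directories will be readable only by personnel authorized by the IAO.
chmod 700 /var/log/audit

## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data files
## have permissions of 640, or more restrictive.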
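touch /var/log/audit/audit.log
chmod 640 /var/log/audit/*
chmod 640 /etc/audit/audit.rules

## (GEN002720: CAT II) The SA will configure the auditing system to audit
## logon (unsuccessful and successful) and logout (successful)
cat <<-EOF >> /etc/audit/audit.rules
-w /bin/login -p x
-w /bin/logout -p x
EOF

## (GEN002740: CAT II) The SA will configure the auditing system to audit
## discretionary access control permission modification (unsuccessful and
## successful use of chown/chmod)
cat <<-EOF >> /etc/audit/audit.rules
# DAC permission changes
-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
EOF

## (GEN002760: CAT II) The SA will configure the auditing system to audit
## unauthorized access attempts to files (unsuccessful)
cat <<-EOF >> /etc/audit/audit.rules
# unauthorized file access attempts
-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
EOF

## (GEN002780: CAT II) The SA will configure the auditing system to audit
## use of privileged commands (unsuccessful and successful)
cat <<-EOF >> /etc/audit/audit.rules
# privileged commands
-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-w /usr/sbin/pwck
-w /bin/chgrp
-w /usr/bin/newgrp
-w /usr/sbin/groupadd
-w /usr/sbin/groupmod
-w /usr/sbin/groupdel
-w /usr/sbin/useradd
-w /usr/sbin/userdel
-w /usr/sbin/usermod
-w /usr/bin/chage
-w /usr/bin/setfacl
-w /usr/bin/chacl
EOF

## (GEN002800: CAT II) The SA will configure the auditing system to audit
## files and programs deleted by the user (successful and unsuccessful)
cat <<-EOF >> /etc/audit/audit.rules
# deleting files
-a exit,always -S unlink -S rmdir
EOF

## (GEN002820: CAT II) The SA will configure the auditing system to audit
## all system administration actions
# Watches without -p record every access type. The comment carried into the
# rule file below is the original author's warning about the audit-log
# watches; it is kept in the file so it reaches whoever tunes the rules.
# NOTE(review): wtmp normally lives under /var/log, not /var/run — confirm
# the /var/run/wtmp watch points at the intended file.
cat <<-EOF >> /etc/audit/audit.rules
# system administration actions
# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log
-w /var/log/messages
-w /var/log/lastlog
-w /var/log/faillog
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
-w /etc/selinux/config -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group -p wa
-w /etc/ssh/sshd_config
-w /etc/pam.d
-w /etc/login.defs
-w /etc/rc.d/init.d
-w /etc/inittab -p wa
-w /var/run/utmp
-w /var/run/wtmp
-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
EOF

## (GEN002840: CAT II) The SA will configure the auditing system to audit
## all security personnel actions
cat <<-EOF >> /etc/audit/audit.rules
# security personnel actions
-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-w /bin/su
EOF

## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will ensure old
## audit logs are closed and new audit logs are started daily.
# Daily rotation is driven by the logrotate job in /etc/cron.daily, so that
# script has to remain executable for this item to keep working.
cat <<-EOF > /etc/logrotate.d/audit
/var/log/audit/audit.log {
    daily
    notifempty
    missingok
    postrotate
        /sbin/service auditd restart 2> /dev/null > /dev/null || true
    endscript
}
EOF

## (GEN002980: CAT II) The SA will ensure the cron.allow
## file has permissions of 600, or more restrictive.
# cron.allow is not shipped by default and is only written (GEN003060)
# further down, so the chmod used to run against a missing file and fail;
# the file is created here first so the mode is already 600 by the time
# its content is written.
touch /etc/cron.allow
chmod 600 /etc/cron.allow

## (GEN003040: CAT II) The SA will ensure the owner of crontabs is root or the
## crontab creator.
# An empty directory leaves the glob unexpanded and chown reports one
# missing operand; that is harmless here and matches the original.
chown root /etc/cron.hourly/*
chown root /etc/cron.daily/*
chown root /etc/cron.weekly/*
chown root /etc/cron.monthly/*
chown root /etc/cron.d/*
chown root /var/spool/cron/*

## (GEN003060: CAT II) The SA will ensure default system accounts (with the
## possible exception of root) will not be listed in the cron.allow file. If
## there is only a cron.deny file, the default accounts (with the possible
## exception of root) will be listed there.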
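#######################################
# Print every account name from /etc/passwd except root, one per line.
# The original piped through `grep -v root`, which also dropped any user
# whose name merely contains "root"; the field comparison is exact.
# Outputs: account names to stdout
#######################################
non_root_users() {
  awk -F: '$1 != "root" {print $1}' /etc/passwd
}

echo 'root' > /etc/cron.allow
non_root_users > /etc/cron.deny

## (GEN003080: CAT II) (Previously – G205) The SA will ensure crontabs have
## permissions of 600, or more restrictive, (700 for some Linux crontabs, which
## is detailed in the UNIX Checklist).
# The scripts in cron.{hourly,daily,weekly,monthly} are run by run-parts,
# which skips files that are not executable; the original `chmod -R 600`
# silently disabled every one of them, including the logrotate job that
# GEN002860 relies on for daily audit-log rotation. They get 700, which the
# item above allows for Linux; /etc/crontab and /etc/cron.d/* are parsed
# rather than executed and keep 600.
for CRONDIR in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
  find "$CRONDIR" -type f -exec chmod 700 '{}' \;
done
chmod 600 /etc/crontab
find /etc/cron.d -type f -exec chmod 600 '{}' \;

## (GEN003100: CAT II) (Previously – G206) The SA will ensure cron and crontab
## directories have permissions of 755, or more restrictive.
## (GEN003120: CAT II) (Previously – G207) The SA will ensure the owner of the
## cron and crontab directories is root or bin.
## (GEN003140: CAT II) (Previously – G208) The SA will ensure the group owner
## of the cron and crontab directories is root, sys, or bin.
for CRONDIR in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d /var/spool/cron; do
  chmod 755 "$CRONDIR"
  chown root "$CRONDIR"
  chgrp root "$CRONDIR"
done

## (GEN003180: CAT II) (Previously – G210) The SA will ensure cron logs have
## permissions of 600, or more restrictive.
touch /var/log/cron
chmod 600 /var/log/cron

## (GEN003200: CAT II) The SA will ensure the cron.deny
## file has permissions of 600, or more restrictive.
chmod 600 /etc/cron.deny

## (GEN003240: CAT II) The SA will ensure the owner and
## group owner of the cron.allow file is root.
chown root:root /etc/cron.allow

## (GEN003260: CAT II) The SA will ensure the owner and
## group owner of the cron.deny file is root.
chown root:root /etc/cron.deny

## (GEN003300: CAT II) (Previously – G212) The SA will ensure the at.deny file
## is not empty.
non_root_users > /etc/at.deny

## (GEN003320: CAT II) (Previously – G213) The SA will ensure default system
## accounts (with the possible exception of root) are not listed in the
## at.allow file. If there is only an at.deny file, the default accounts
## (with the possible exception of root) will be listed there.
echo "root" > /etc/at.allow

## (GEN003340: CAT II) (Previously – G214) The SA will ensure the at.allow and
## at.deny files have permissions of 600, or more restrictive.
chmod 600 /etc/at.allow
chmod 600 /etc/at.deny

## (GEN003400: CAT II) (Previously – G625) The SA will ensure the at (or
## equivalent) directory has permissions of 755, or more restrictive.
chmod 755 /var/spool/at/spool

## (GEN003420: CAT II) (Previously – G626) The SA will ensure the owner and
## group owner of the at (or equivalent) directory is root, sys, bin, or daemon.
chown root:root /var/spool/at/spool

## (GEN003460: CAT II) (Previously – G629) The SA will ensure the owner and
## group owner of the at.allow file is root.
chown root:root /etc/at.allow

## (GEN003480: CAT II) (Previously – G630) The SA will ensure the owner and
## group owner of the at.deny file is root.
chown root:root /etc/at.deny

## (GEN003500: CAT III) The SA will ensure core dumps are disabled or
## restricted.
# A hard limit of 0 for every account; note that "*" in limits.conf does not
# apply to root.
echo "* - core 0" >> /etc/security/limits.conf

## (GEN003520: CAT III) The SA will ensure the owner and group owner of the
## core dump data directory is root with permissions of 700, or more
## restrictive.
# /var/crash may not exist on a minimal install, in which case both commands
# report an error and nothing else happens — confirm for the target release.
chown root:root /var/crash
chmod -R 700 /var/crash

## (GEN003600: CAT II) The SA will ensure network parameters are securely set.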
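#######################################
# Set one key in /etc/sysctl.conf, replacing an existing active line or
# appending the key when it is absent. The original only replaced (sed c\)
# for rp_filter and accept_source_route, so a sysctl.conf without those
# lines silently kept its defaults; this is the same replace-or-append
# pattern GEN005500 later uses for the ssh Protocol line.
# Arguments: $1 - sysctl key (dots are escaped for the regex)
#            $2 - value
#######################################
set_sysctl() {
  local KEY=$1 VALUE=$2
  local PAT=${KEY//./\\.}
  if grep -q "^${PAT}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^${PAT}[[:space:]]*=.*|${KEY} = ${VALUE}|" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$KEY" "$VALUE" >> /etc/sysctl.conf
  fi
}

set_sysctl net.ipv4.conf.default.rp_filter 1
set_sysctl net.ipv4.conf.default.accept_source_route 0
set_sysctl net.ipv4.tcp_max_syn_backlog 1280
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
# icmp_echo_ignore_all also silences the host for any ping-based monitoring
# the site runs; it is required by the profile, so it is kept.
set_sysctl net.ipv4.icmp_echo_ignore_all 1

## (GEN003660: CAT II) The SA will ensure the authentication notice and
## informational data is logged.
echo "auth.notice /var/log/messages" >> /etc/syslog.conf

## (GEN003700: CAT II) The SA will ensure inetd (xinetd for Linux) is disabled
## if all inetd/xinetd based services are disabled.
# chkconfig prints an error for a service that is not installed; that is
# expected on a minimal package set and does not stop the loop.
for SVC in bluetooth irda lm_sensors portmap rawdevices rpcgssd rpcidmapd \
    rpcsvcgssd sendmail xinetd cups rhnsd autofs; do
  /sbin/chkconfig "$SVC" off
done

## (GEN003740: CAT II) (Previously – G108) The SA will ensure the inetd.conf
## (xinetd.conf for Linux) file has permissions of 440, or more restrictive.
## The Linux xinetd.d directory will have permissions of 755, or more
## restrictive. This is to include any directories defined in the includedir
## parameter.
chmod 755 /etc/xinetd.d
chmod 440 /etc/xinetd.conf

## (GEN003760: CAT II) (Previously – G109) The SA will ensure the owner of the
## services file is root or bin.
chown root /etc/services

## (GEN003780: CAT II) (Previously – G110) The SA will ensure the services
## file has permissions of 644, or more restrictive.
chmod 644 /etc/services

## (GEN003860: CAT III) (Previously – V046) The SA will ensure finger is not
## enabled.
/sbin/chkconfig finger off

## (GEN003960: CAT II) (Previously – G631) The SA will ensure the owner of
## the traceroute command is root.
chown root /bin/traceroute

## (GEN003980: CAT II) (Previously – G632) The SA will ensure the group
## owner of the traceroute command is root, sys, or bin.
chgrp root /bin/traceroute

## (GEN004000: CAT II) (Previously – G633) The SA will ensure the traceroute
## command has permissions of 700, or more restrictive.
chmod 700 /bin/traceroute

## (GEN004360: CAT II) (Previously – G127) The SA will ensure the aliases file
## is owned by root.
chown root /etc/aliases

## (GEN004380: CAT II) (Previously – G128) The SA will ensure the aliases file
## has permissions of 644, or more restrictive.
chmod 644 /etc/aliases

## (GEN004440: CAT IV) (Previously – G133) The SA will ensure the sendmail
## logging level (the detail level of e-mail tracing and debugging
## information) in the sendmail.cf file is set to a value no lower than
## nine (9).
# Unanchored match: every line mentioning LogLevel, comments included, is
# replaced by the option line.
sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf

## (GEN004480: CAT II) (Previously – G135) The SA will ensure the owner of the
## critical sendmail log file is root.
chown root /var/log/maillog

## (GEN004500: CAT II) (Previously – G136) The SA will ensure the critical
## sendmail log file has permissions of 644, or more restrictive.
# GEN001260 already set every file under /var/log to 640; the original
# re-opened maillog to 644 here, making it world-readable again. 640 is
# "644 or more restrictive" and satisfies both items.
chmod 640 /var/log/maillog

## (GEN004540: CAT II) The SA will ensure the help sendmail command is
## disabled.
mv /etc/mail/helpfile /etc/mail/helpfile.bak
echo "" > /etc/mail/helpfile

## (GEN004560: CAT II) (Previously – G646) To help mask the e-mail version,
## the SA will use the following in place of the original sendmail greeting
## message:
## O SmtpGreetingMessage= Mail Server Ready ; $b
sed -i '/SmtpGreetingMessage/ c\O SmtpGreetingMessage= Mail Server Ready ; $b' /etc/mail/sendmail.cf

## (GEN004580: CAT I) (Previously – G647) The SA will ensure .forward files
## are not used.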
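## Remove every ~/.forward named in /etc/passwd.
## The passwd file is read field by field instead of word-splitting the
## output of cut, so a home directory containing whitespace is handled and
## an empty home field no longer resolves to "/.forward".
## NOTE(review): deleting the file does not stop a user recreating it; if
## the MTA should never consult ~/.forward, disable the lookup in the
## sendmail configuration as well (ForwardPath) - confirm for this version.
while IFS=: read -r _name _pw _uid _gid _gecos home _shell; do
  [ -n "$home" ] || continue
  if [ -f "$home/.forward" ]; then
    rm -f -- "$home/.forward"
  fi
done < /etc/passwd

## (GEN004640: CAT I) (Previously – V126) The SA will ensure the decode entry
## is disabled (deleted or commented out) from the alias file.
sed -i 's/^decode:/#decode:/' /etc/aliases
/usr/bin/newaliases

## (GEN004880: CAT II) (Previously – G140) The SA will ensure the ftpusers
## file exists.
touch /etc/ftpusers

## (GEN004900: CAT II) (Previously – G141) The SA will ensure the ftpusers
## file contains the usernames of users not allowed to use FTP, and contains,
## at a minimum, the system pseudo-users usernames and root.
## The system/user UID boundary is taken from /etc/login.defs (UID_MIN) and
## falls back to 500, the Red Hat default of this era and the value the
## original loop hard-coded. One awk pass replaces a fork of "id" per
## account and gives the same list.
## NOTE(review): the FTP daemon actually installed must read this path;
## vsftpd, for example, keeps its own deny lists under /etc/vsftpd - verify.
uid_min=$(awk '$1 == "UID_MIN" { print $2; exit }' /etc/login.defs 2>/dev/null)
case "$uid_min" in
  ''|*[!0-9]*) uid_min=500 ;;
esac
awk -F: -v min="$uid_min" '$3 < min { print $1 }' /etc/passwd > /etc/ftpusers

## (GEN004920: CAT II) (Previously – G142) The SA will ensure the owner of the
## ftpusers file is root.
## (GEN004940: CAT II) (Previously – G143) The SA will ensure the ftpusers
## file has permissions of 640, or more restrictive.
chown root /etc/ftpusers
chmod 640 /etc/ftpusers

## (GEN005000: CAT I) (Previously – G649) The SA will implement the anonymous
## FTP account with a non-functional shell such as /bin/false.
## /dev/null is kept as the shell, as before; it is not listed in
## /etc/shells, which is what makes interactive login impossible.
/usr/sbin/usermod -s /dev/null ftp

## (GEN005360: CAT II) The SA will ensure the owner of the snmpd.conf file is root with a group
## owner of sys and the owner of MIB files is root with a group owner of sys or the application.
chown root:sys /etc/snmp/snmpd.conf

## (GEN005400: CAT II) (Previously – G656) The SA will ensure the owner of the
## /etc/syslog.conf file is root with permissions of 640, or more restrictive.
chown root /etc/syslog.conf
chmod 640 /etc/syslog.conf

## (GEN005420: CAT II) (Previously – G657) The SA will ensure the group owner
## of the /etc/syslog.conf file is root, sys, or bin.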
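chgrp root /etc/syslog.conf

## (GEN005500: CAT I) (Previously – G701) The IAO and SA will ensure SSH
## Protocol version 1 is not used, nor will Protocol version 1 compatibility
## mode be used.
## An existing (uncommented) Protocol line is rewritten; otherwise the
## directive is appended. sshd takes the first value it reads for a keyword,
## so an appended line only wins when no earlier one exists - which the grep
## guarantees. NOTE(review): if a later OpenSSH ships a trailing "Match"
## block in the default file, an appended directive would land inside it;
## check the stock sshd_config of the target release.
if grep -q '^Protocol' /etc/ssh/sshd_config; then
  sed -i '/^Protocol/c\
Protocol 2' /etc/ssh/sshd_config
else
  echo 'Protocol 2' >> /etc/ssh/sshd_config
fi
## Client-side cipher list (/etc/ssh/ssh_config); this governs outbound ssh
## from this host, not what sshd accepts. CBC modes were the strongest
## choice available when this profile was written; newer guidance prefers
## CTR/GCM modes where the installed OpenSSH supports them.
echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config

## (GEN005600: CAT II) The SA will ensure IP forwarding is disabled if the
## system is not dedicated as a router.
## As with the other sysctl keys, "c\" alone is a no-op when the key is
## missing, so the value is appended in that case.
if grep -q 'net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i '/net\.ipv4\.ip_forward/c\
net.ipv4.ip_forward = 0' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 0' >> /etc/sysctl.conf
fi

## (GEN005740: CAT II) (Previously – G178) The SA will ensure the owner of the
## export configuration file is root.
## (GEN005760: CAT III) (Previously – G179) The SA will ensure the export
## configuration file has permissions of 644, or more restrictive.
chown root /etc/exports
chmod 644 /etc/exports

## (GEN006100: CAT II) (Previously – L050) The SA will ensure the owner of
## the /etc/samba/smb.conf file is root.
## (GEN006120: CAT II) (Previously – L051) The SA will ensure the group owner
## of the /etc/samba/smb.conf file is root.
## (GEN006140: CAT II) (Previously – L052) The SA will ensure the
## /etc/samba/smb.conf file has permissions of 644, or more restrictive.
chown root:root /etc/samba/smb.conf
chmod 644 /etc/samba/smb.conf

## (GEN006160: CAT II) (Previously – L054) The SA will ensure the owner of
## smbpasswd is root.
## (GEN006180: CAT II) (Previously – L055) The SA will ensure group owner of
## smbpasswd is root.
## (GEN006200: CAT II) (Previously – L057) The SA will configure permissions
## for smbpasswd to 600, or more restrictive.
chown root:root /usr/bin/smbpasswd
chmod 600 /usr/bin/smbpasswd

## (GEN006260: CAT II) (Previously – L154) The SA will ensure the
## /etc/news/hosts.nntp file has permissions of 600, or more restrictive.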
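chmod 600 /etc/news/hosts.nntp

## (GEN006300: CAT II) (Previously – L158) The SA will ensure the
## /etc/news/nnrp.access file has permissions of 600, or more restrictive.
chmod 600 /etc/news/nnrp.access

## (GEN006320: CAT II) (Previously – L160) The SA will ensure the
## /etc/news/passwd.nntp file has permissions of 600, or more restrictive.
chmod 600 /etc/news/passwd.nntp

## (GEN006340: CAT II) (Previously – L162) The SA will ensure the owner of all
## files under the /etc/news subdirectory is root or news.
## (GEN006360: CAT II) (Previously – L164) The SA will ensure the group owner
## of all files in /etc/news is root or news.
## find replaces the unquoted "/etc/news/*" glob: an empty or missing
## directory no longer hands chown the literal pattern, and dotfiles are
## covered. -mindepth 1 keeps the directory itself untouched, as before.
if [ -d /etc/news ]; then
  find /etc/news -mindepth 1 -exec chown root:root {} +
fi

## (GEN006280: CAT II) (Previously – L156) The SA will ensure the
## /etc/news/hosts.nntp.nolimit file has permissions of 600, or more
## restrictive.
chmod 600 /etc/news/hosts.nntp.nolimit

## (GEN006520: CAT II) (Previously – G189) The SA will ensure security tools
## and databases have permissions of 740, or more restrictive.
chmod 740 /etc/rc.d/init.d/iptables
chmod 740 /sbin/iptables
chmod 740 /usr/share/logwatch/scripts/services/iptables

## (GEN006620: CAT II) The SA will ensure an access control program (e.g.,
## TCP_WRAPPERS) hosts.deny and hosts.allow files (or equivalent) are used to
## grant or deny system access to specific hosts.
## NOTE(review): with "ALL: ALL" in hosts.deny every libwrap-aware service
## (sshd included) refuses every client that /etc/hosts.allow does not list.
## This profile writes no hosts.allow, so remote administration is cut off
## until the permitted management hosts are added there.
echo "ALL: ALL" > /etc/hosts.deny

## (LNX00160: CAT II) (Previously – L074) The SA will ensure the grub.conf
## file has permissions of 600, or more restrictive.
chmod 600 /boot/grub/grub.conf

## (LNX00220: CAT II) (Previously – L080) The SA will ensure the lilo.conf
## file has permissions of 600 or more restrictive.
## lilo is normally absent on a grub system; only touch the file if present.
if [ -f /etc/lilo.conf ]; then
  chmod 600 /etc/lilo.conf
fi

## (LNX00320: CAT I) (Previously – L140) The SA will delete accounts that
## provide a special privilege such as shutdown and halt.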
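for acct in shutdown halt sync; do
  /usr/sbin/userdel "$acct"
done

## (LNX00340: CAT II) (Previously – L142) The SA will delete accounts that
## provide no operational purpose, such as games or operator, and will delete
## the associated software.
## userdel is run without -r, as before, so any home or spool directories
## of these accounts remain and must be removed with the software.
## NOTE(review): removing nfsnobody only drops the name; NFS root squashing
## still maps to its numeric UID, which then shows up unnamed in listings.
for acct in news operator games gopher nfsnobody; do
  /usr/sbin/userdel "$acct"
done

## (LNX00360: CAT II) (Previously – L032) The SA will enable the X server
## –audit (at level 4) and –s option (with 15 minutes as the timeout time)
## options.
## The section is only appended when custom.conf does not already define
## [server-Standard]; appending a second copy would leave duplicate keys.
if ! grep -q '^\[server-Standard\]' /etc/gdm/custom.conf 2>/dev/null; then
  cat >> /etc/gdm/custom.conf <<'EOF'
[server-Standard]
name=Standard server
command=/usr/bin/Xorg -br -audit 4 -s 15
flexible=true
EOF
fi

## (LNX00400: CAT II) (Previously – L044) The SA will ensure the owner of the
## /etc/login.access or /etc/security/access.conf file is root.
## (LNX00420: CAT II) (Previously – L045) The SA will ensure the group owner
## of the /etc/login.access or /etc/security/access.conf file is root.
## (LNX00440: CAT II) (Previously – L046) The SA will ensure /etc/login.access
## or /etc/security/access.conf file will be 640, or more restrictive.
chown root:root /etc/security/access.conf
chmod 640 /etc/security/access.conf

## (LNX00480: CAT II) (Previously – L204) The SA will ensure the owner of the
## /etc/sysctl.conf file is root.
## (LNX00500: CAT II) (Previously – L206) The SA will ensure the group owner
## of the /etc/sysctl.conf file is root.
## (LNX00520: CAT II) (Previously – L208) The SA will ensure the
## /etc/sysctl.conf file has permissions of 600, or more restrictive.
chown root:root /etc/sysctl.conf
chmod 600 /etc/sysctl.conf

## (LNX00580: CAT I) (Previously – L222) The SA will disable the
## Ctrl-Alt-Delete sequence unless the system is located in a controlled
## access area accessible only by SAs.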
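## The pattern is anchored at line start so an already commented entry is
## not commented a second time if this runs again.
sed -i 's/^ca::ctrlaltdel/#ca::ctrlaltdel/' /etc/inittab

## (LNX00620: CAT II) The SA will ensure the group owner of the /etc/securetty
## file is root, sys, or bin.
## (LNX00640: CAT II) The SA will ensure the owner of the /etc/securetty file
## is root.
## (LNX00660: CAT II) The SA will ensure the /etc/securetty file has
## permissions of 640, or more restrictive.
chown root:root /etc/securetty
chmod 640 /etc/securetty

##########################################################################
# DCID 6/3 PL4
##########################################################################
## 4.B.4 Protection Level 4
# 4.B.4.a(1)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(1)(a)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(1)(b)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(2)
# KickStart Actions: All ext3 file systems have been mounted with the ACL
# setting to allow for a finer granularity of DAC.
# (See: getfacl and setfacl man pages).
# Create ACL and other security features during
# the mounting of each file system (/etc/fstab).
# Implemented in GEN002420
# 4.B.4.a(3)
# KickStart Actions: None - CLIP policy specific
# 4.B.4.a(4)
# KickStart Actions:
# 4.B.4.a(4)(a)
# KickStart Actions:
# 4.B.4.a(4)(b)
# KickStart Actions:
# 4.B.4.a(4)(c)
# KickStart Actions:
# 4.B.4.a(4)(d)
# KickStart Actions:
# 4.B.4.a(4)(e)
# KickStart Actions:
# 4.B.4.a(4)(e)1.
# KickStart Actions:
# 4.B.4.a(4)(e)2.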
# KickStart Actions:
# 4.B.4.a(5)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(5)(a)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(5)(b)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(5)(c)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(5)(d)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
#(FOUO)
#4.B.4.a(5)(e)
#KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(6)
# KickStart Actions: None
# 4.B.4.a(6)(a)
# KickStart Actions: None
# 4.B.4.a(6)(b)
# KickStart Actions: Reset the permissions of /etc/syslog.conf to 640 and set
# /var/{run,log}/{wtmp,utmp} files to 664.
# Implemented in GEN001260
# Implemented in GEN005400
# Implemented in GEN005420
# Implemented in GEN004500
# Implemented in GEN004480
# Implemented in GEN003180
# 4.B.4.a(6)(c)
# KickStart Actions: Log rotation to 90 days (12 weeks) and turn compression on.
# This will have to be increased if the system does not retain backups
# for 5 years (e.g., tape backup).
# Implemented in GEN002860
# 4.B.4.a(6)(d)
# KickStart Actions: Turn on the Audit Daemon and set permissions
# Implemented in GEN002660
# Implemented in GEN002680
# Implemented in GEN002700
# 4.B.4.a(6)(d)(1)
# KickStart Actions: None, This is met with the /var/log/wtmp and
# /var/log/utmp files. Permissions have been set
# correctly above.
# See Section 4.B.4.a(6)(d)(2)
# 4.B.4.a(6)(d)(2)
# KickStart Actions: This will require refinement.
# Commented rules do not insert w/o an error.
# Implemented in GEN002720
# Implemented in GEN002740
# Implemented in GEN002760
# Implemented in GEN002780
# Implemented in GEN002800
# Implemented in GEN002820
# Implemented in GEN002840
# 4.B.4.a(6)(d)(3)
# KickStart Actions: All authentication attempts will be monitored
# in /var/log/messages.
# Implemented in GEN003660
# Implemented in GEN000440
# Implemented in GEN004440
# 4.B.4.a(7)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(8)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(8)(a)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(8)(b)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(9)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(9)(a)
# KickStart Actions:
# 4.B.4.a(9)(b)
# KickStart Actions: POLICY
# 4.B.4.a(9)(c)
# KickStart Actions:
# 4.B.4.a(9)(d)
# KickStart Actions:
# 4.B.4.a(10)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(10)(a)
# KickStart Actions:
# 4.B.4.a(10)(b)
# KickStart Actions:
# 4.B.4.a(11)
# KickStart Actions: None
# 4.B.4.a(11)(a)
# KickStart Actions: None
# 4.B.4.a(11)(b)
# KickStart Actions: None
# 4.B.4.a(11)(c)
# KickStart Actions: The following items have been set to meet this policy.
# Note:
# Investigating using PAM for preventing reuse of the 10 most recent passwords -
# this does not appear to be easily done using pam_passwdqc
# Implemented in GEN000580
# Implemented in GEN000600
# 4.B.4.a(11)(d)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(11)(e)
# KickStart Actions: Change the password expiration time from undefined to 60 days.
# Users cannot change passwords more than once a day.
# Implemented in GEN000700
# Implemented in GEN000540
# 4.B.4.a(11)(f)
# KickStart Actions: opasswd file creation in /etc/security/opasswd
# for non-replication.
# Implemented in GEN000800
# 4.B.4.a(11)(g)
# KickStart Actions: Additional I&A Security.
# Protection of authenticators to preserve confidentiality and
# integrity. Red Hat protects stored authenticators by hashing them with
# the MD5 Message Digest.
# Implemented in GEN001380
# Implemented in GEN001400
# Implemented in GEN001420
# Implemented in GEN000560
# 4.B.4.a(12)
# KickStart Actions: See 4.B.4.a(9)(c); specifically passwdqc
# 4.B.4.a(13)
# KickStart Actions: By default ssh uses Triple DES.
# This script will edit
# the /etc/ssh/ssh_config file to use stronger encryption:
# AES with a 256-bit key in Cipher Block Chaining mode.
# Implemented in GEN005500
# 4.B.4.a(14)
# KickStart Actions: None
# 4.B.4.a(14)(a)
# KickStart Actions:
# 4.B.4.a(14)(b)
# KickStart Actions:
# 4.B.4.a(15)
# KickStart Actions:
# 4.B.4.a(15)(a)
# KickStart Actions:
# 4.B.4.a(15)(b)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(15)(c)
# KickStart Actions:
# 4.B.4.a(15)(d)
# KickStart Actions:
# 4.B.4.a(15)(e)
# KickStart Actions:
# 4.B.4.a(16)
# KickStart Actions: None - PROCEDURAL REQUIREMENT
# 4.B.4.a(17)
# KickStart Actions: Restrict Root Logins and Least Privilege Enhancements.
# Implemented in GEN000020
# 4.B.4.a(18)
# KickStart Actions: None
# 4.B.4.a(19)
# KickStart Actions: Centralized Time
# 4.B.4.a(20)
# KickStart Actions: None
# 4.B.4.a(21)
# KickStart Actions: None
# 4.B.4.a(21)(a)
# KickStart Actions: Interactive Shell setting here.
# Gnome screen-saver command-line tool --> needs to be tested.
# gconftool-2 --direct \ # --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ # --type int \ # --set /apps/gnome-screensaver/idle_delay 15 # 4.B.4.a(21)(b) # KickStart Actions: None # 4.B.4.a(21)(c) # KickStart Actions: None # 4.B.4.a(22) # KickStart Actions: None # 4.B.4.a(23) # KickStart Actions: None # 4.B.4.a(23)(a) # KickStart Actions: See Section 4.B.4.a(23)(b) # 4.B.4.a(23)(b) # KickStart Actions: Banner Settings # Implemented in GEN000400 # 4.B.4.a(24) # KickStart Actions: None # 4.B.4.a(24)(a) # KickStart Actions: None # 4.B.4.a(24)(b) # KickStart Actions: Set an inactive shell timeout - likely going away in March STIG # Implemented in GEN000500 # 4.B.4.a(24)(c) # KickStart Actions: None # Implemented in GEN000460 # Implemented in GEN000480 # 4.B.4.a(24)(d) # KickStart Actions: None # 4.B.4.a(25) # KickStart Actions: None # 4.B.4.a(25)(a) # KickStart Actions: None # 4.B.4.a(25)(b) # KickStart Actions: None # 4.B.4.a(25)(c) # KickStart Actions: None # 4.B.4.a(25)(d) # KickStart Actions: None - Will need to down load an encryption package like "secret agent" # 4.B.4.a(26) # KickStart Actions: None # 4.B.4.a(26)(a) # KickStart Actions: None # 4.B.4.a(26)(a)(1) # KickStart Actions: None # 4.B.4.a(26)(a)(2) # KickStart Actions: None # 4.B.4.a(26)(a)(3) # KickStart Actions: # Implemented in GEN005500 # 4.B.4.a(26)(a)(4) # KickStart Actions: None # 4.B.4.a(26)(b) # KickStart Actions: None # 4.B.4.a(27) # KickStart Actions: ### DCID 6/3 PL4 # 4.B.4 Protection Level 4 # 4.B.4.b -- Requirements for system assurance at PL4 # KickStart Actions: None # 4.B.4.b(1) # KickStart Actions: # 4.B.4.b(2) # KickStart Actions: None # 4.B.4.b(2)(a) # KickStart Actions: None # 4.B.4.b(2)(b) # KickStart Actions: None # 4.B.4.b(3) # KickStart Actions: None # 4.B.4.b(4) # KickStart Actions: None # 4.B.4.b(4)(a) # KickStart Actions: None # 4.B.4.b(4)(b) # KickStart Actions: None # 4.B.4.b(4)(c) # KickStart Actions: None # 4.B.4.b(4)(d) # KickStart Actions: None # 
4.B.4.b(5) # KickStart Actions: None # 4.B.4.b(5)(a) # KickStart Actions: Expected Operations # Implemented in GEN003600 # Implemented in GEN003700 # Implemented in GEN003740 # Implemented in GEN003860 # Implemented in GEN003960 # Implemented in GEN003980 # Implemented in GEN004000 # Implemented in GEN005600 # 4.B.4.b(5)(b) # KickStart Actions: Actions Listed Below # Implemented in GEN000920 # Implemented in GEN000980 # Implemented in GEN001020 # Implemented in GEN001080 # Implemented in GEN001120 # Implemented in GEN001280 # Implemented in GEN001460 # Implemented in GEN001560 # Implemented in GEN001580 # Implemented in GEN001620 # Implemented in GEN001660 # Implemented in GEN001680 # Implemented in GEN001720 # Implemented in GEN001740 # Implemented in GEN001760 # Implemented in GEN001780 # Implemented in GEN001800 # Implemented in GEN001820 # Implemented in GEN002040 # Implemented in GEN002120 # Implemented in GEN002160 # Implemented in GEN002180 # Implemented in GEN002200 # Implemented in GEN002220 # Implemented in GEN002320 # Implemented in GEN002340 # Implemented in GEN002360 # Implemented in GEN002560 # Implemented in GEN002640 # Implemented in GEN002980 # Implemented in GEN003040 # Implemented in GEN003060 # Implemented in GEN003080 # Implemented in GEN003100 # Implemented in GEN003120 # Implemented in GEN003140 # Implemented in GEN003200 # Implemented in GEN003240 # Implemented in GEN003260 # Implemented in GEN003300 # Implemented in GEN003320 # Implemented in GEN003340 # Implemented in GEN003400 # Implemented in GEN003420 # Implemented in GEN003460 # Implemented in GEN003480 # Implemented in GEN003500 # Implemented in GEN003520 # Implemented in GEN003760 # Implemented in GEN003780 # Implemented in GEN004360 # Implemented in GEN004380 # Implemented in GEN004540 # Implemented in GEN004560 # Implemented in GEN004580 # Implemented in GEN004640 # Implemented in GEN004880 # Implemented in GEN004900 # Implemented in GEN004920 # Implemented in GEN004940 # 
Implemented in GEN005000 # Implemented in GEN005360 # Implemented in GEN005740 # Implemented in GEN005760 # Implemented in GEN006100 # Implemented in GEN006120 # Implemented in GEN006140 # Implemented in GEN006160 # Implemented in GEN006180 # Implemented in GEN006200 # Implemented in GEN006260 # Implemented in GEN006280 # Implemented in GEN006300 # Implemented in GEN006320 # Implemented in GEN006340 # Implemented in GEN006360 # Implemented in GEN006520 # Implemented in GEN006620 # Implemented in LNX00160 # Implemented in LNX00220 # Implemented in LNX00320 # Implemented in LNX00340 # Implemented in LNX00360 # Implemented in LNX00400 # Implemented in LNX00420 # Implemented in LNX00440 # Implemented in LNX00480 # Implemented in LNX00500 # Implemented in LNX00520 # Implemented in LNX00580 # Implemented in LNX00620 # Implemented in LNX00640 # Implemented in LNX00660 # 4.B.4.b(6) # KickStart Actions: None # 4.B.4.b(6)(a) # KickStart Actions: None # 4.B.4.b(6)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(7) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(7)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(7)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(8) # KickStart Actions: # 4.B.4.b(9) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(10) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(10)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(10)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(10)(b)(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(10)(b)(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(10)(b)(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(11) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(11)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 4.B.4.b(11)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT 
########################################################################## # Integrity System Security Features and Assurances (HIGH Integrity) # 5.B.3.a(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(1)(a) # KickStart Actions: None # 5.B.3.a(1)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(1)(c) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(1)(d) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(2)(a) # KickStart Actions: None # 5.B.3.a(2)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(2)(b)(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(2)(b)(2) # KickStart Actions: # 5.B.3.a(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(3)(a) # KickStart Actions: None # 5.B.3.a(3)(b) # KickStart Actions: None # 5.B.3.a(4) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(4)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(4)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(5) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(5)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(5)(a)(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(5)(a)(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(5)(a)(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(5)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(6) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(6)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(6)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(6)(c) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(7) # KickStart Actions: None # 5.B.3.a(8) # KickStart Actions: None # 5.B.3.a(9) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(10) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.a(11) # KickStart Actions: None 
- PROCEDURAL REQUIREMENT # 5.B.3.a(11)(a) # KickStart Actions: None # 5.B.3.a(11)(b) # KickStart Actions: None # 5.B.3.b # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.b(1) # KickStart Actions: None # 5.B.3.b(2) # KickStart Actions: None # 5.B.3.b(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 5.B.3.b(4) # KickStart Actions: None - PROCEDURAL REQUIREMENT ############################################################################### # Availability System Security Features and Assurances (HIGH Availability) # 6.B.3.a(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(2)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(2)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(2)(c) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(2)(d) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(3)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(3)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(3)(c) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(3)(d) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(4) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(4)(a) # KickStart Actions: None # 6.B.3.a(4)(b) # KickStart Actions: None # 6.B.3.a(5) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(6) # KickStart Actions: None # 6.B.3.a(7) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(7)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(7)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(7)(c) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(8) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(9) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(10) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.a(11) # KickStart 
Actions: None # 6.B.3.a(12) # KickStart Actions: None # 6.B.3.b # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.b(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.b(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.b(2)(a) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.b(2)(b) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 6.B.3.b(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT ########################################################################## # Requirements for Interconnected Information Systems and Advanced Technologies # # 7.A.1.a # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.A.1.b # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.A.2 # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.A.3 # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.A.4 # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.1.a(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.1.a(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.1.a(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.a(1) # KickStart Actions: None # 7.B.2.a(2) # KickStart Actions: None # 7.B.2.a(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.b # KickStart Actions: None # 7.B.2.c # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.d # KickStart Actions: None # 7.B.2.e # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.f # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.g # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.h # KickStart Actions: None # Implemented in GEN000980 # Implemented in GEN002720 # Implemented in GEN002740 # Implemented in GEN002780 # Implemented in GEN003660 # 7.B.2.i(1) # KickStart Actions: None # Implemented in GEN006620 # 7.B.2.i(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.i(3)(a) # KickStart Actions: None - DEVELOPMENT Requirement # 7.B.2.i(3)(b) # KickStart Actions: None - DEVELOPMENT AND PROCEDURAL REQUIREMENTS 
# 7.B.2.i(4) # KickStart Actions: None # Implemented in GEN000980 # 7.B.2.i(5) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.2.i(6) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.a(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.a(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.b(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.b(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.c # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.d(1) # KickStart Actions: # 7.B.3.d(2) # KickStart Actions: # 7.B.3.d(3) # KickStart Actions: # 7.B.3.d(4) # KickStart Actions: # 7.B.3.d(5) # KickStart Actions: # 7.B.3.d(6) # KickStart Actions: # 7.B.3.e # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.f(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.f(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.3.g # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.4.a # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.B.4.b(1) # KickStart Actions: # 7.B.4.b(2) # KickStart Actions: # 7.B.4.b(3) # KickStart Actions: # 7.B.4.b(4) # KickStart Actions: # 7.B.4.b(5) # KickStart Actions: # 7.B.4.b(6) # KickStart Actions: # 7.B.4.b(7) # KickStart Actions: # 7.B.4.c # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.1.a # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.1.b # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.1.c # KickStart Actions: # 7.C.2.a # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.2.a(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.2.a(2) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.2.a(3) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.C.2.b # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.D.2.a # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.D.2.b # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.D.2.c # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.D.2.d # KickStart 
Actions: None - PROCEDURAL REQUIREMENT # 7.D.2.e # KickStart Actions: # 7.D.3.a # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.D.3.b(1) # KickStart Actions: None - PROCEDURAL REQUIREMENT # 7.D.3.b(2) # KickStart Actions: # 7.D.3.b(3) # KickStart Actions: ########################################################################## # CNSS-SCC ########################################################################## ################################### # Access Control # AC-1: Access Control Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-2: Account Management # Kickstart Actions: # AC-2(1) # Kickstart Actions: # AC-2(2) # Kickstart Actions: # AC-2(3) # Kickstart Actions: # AC-2(4) # Kickstart Actions: # AC-3: Access Enforcement # Kickstart Actions: # AC-3(1) # Kickstart Actions: # Implemented in GEN002420 # AC-3(2) # Kickstart Actions: # AC-3(3) # Kickstart Actions: # AC-3(4) # Kickstart Actions: # Implemented in GEN001260 # Implemented in GEN002980 # Implemented in GEN003200 # Implemented in GEN003240 # Implemented in GEN003260 # Implemented in GEN003960 # Implemented in GEN003980 # Implemented in GEN004000 # Implemented in GEN006520 # AC-4: Information Flow Enforcement # Kickstart Actions: # AC-4(1) # Kickstart Actions: # AC-4(2) # Kickstart Actions: # AC-4(3) # Kickstart Actions: # AC-5: Separation of Duties # Kickstart Actions: # AC-6: Least Privilege # Kickstart Actions: # AC-6(1) # Kickstart Actions: # AC-7: Unsuccessful Login Attempts # Kickstart Actions: # AC-7(1) # Kickstart Actions: # Implemented in GEN000460 # Implemented in GEN000480 # AC-7(2) # Kickstart Actions: # AC-8: System Use Notification # Kickstart Actions: # Implemented in GEN000400 # AC-9: Previous Logon Notification # Kickstart Actions: # AC-9(1) # Kickstart Actions: # AC-10: Concurrent Session Control # Kickstart Actions: # AC-11: Session Lock # Kickstart Actions: # AC-11(1) # Kickstart Actions: # Implemented in GEN000500 # AC-12: Session Termination # 
Kickstart Actions: # AC-12(1) # Kickstart Actions: # Implemented in GEN000500 # AC-12(2) # Kickstart Actions: # AC-13: Supervision and Review—Access Control # Kickstart Actions: # AC-13(1) # Kickstart Actions: # AC-14: Permitted Actions without Identification or Authentication # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-14(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-15: Automated Marking # Kickstart Actions: # AC-15(1) # Kickstart Actions: # AC-16: Automated Labeling # Kickstart Actions: None # AC-16(1) # Kickstart Actions: # AC-16(2) # Kickstart Actions: # AC-17: Remote Access # Kickstart Actions: # AC-17(1) # Kickstart Actions: # AC-17(2) # Kickstart Actions: # Implemented in GEN005500 # AC-17(3) # Kickstart Actions: # AC-17(4) # Kickstart Actions: # AC-17(5) # Kickstart Actions: # Implemented in GEN005500 # Implemented in GEN006620 # AC-17(6) # Kickstart Actions: # AC-17(7) # Kickstart Actions: # Implemented in GEN001020 # Implemented in GEN001120 # AC-18: Wireless Access Restrictions # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-18(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-18(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-18(3) # Kickstart Actions: # AC-18(4) # Kickstart Actions: # AC-19: Access Control for Portable and Mobile Devices # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-19(1) # Kickstart Actions: # AC-20: Use of External Information Systems # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-20(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AC-21: Confidentiality of Data at Rest # Kickstart Actions: # AC-21(1) # Kickstart Actions: # AC-21(2) # Kickstart Actions: # AC-21(3) # Kickstart Actions: # AC-22: Distinct Level of Access # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Awareness and Training # AT-1: Security Awareness and Training Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AT-2: Security 
Awareness # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AT-3: Security Training # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AT-4: Security Training Records # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AT-5: Contacts with Security Groups and Associations # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Audit and Accountability # AU-1: Audit and Accountability Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-1(1) # Kickstart Actions: # AU-2: Auditable Events # Kickstart Actions: # AU-2(1) # Kickstart Actions: # Implemented in GEN002660 # Implemented in GEN002680 # Implemented in GEN002700 # AU-2(2) # Kickstart Actions: # AU-2(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-2(4) # Kickstart Actions: # Implemented in GEN002720 # Implemented in GEN002740 # Implemented in GEN002760 # Implemented in GEN002780 # Implemented in GEN002800 # Implemented in GEN002820 # Implemented in GEN002840 # AU-2(5) # Kickstart Actions: # AU-2(6) # Kickstart Actions: # AU-2(7) # Kickstart Actions: # AU-2(8) # Kickstart Actions: # AU-2(9) # Kickstart Actions: # AU-3: Content of Audit Records # Kickstart Actions: # AU-3(1) # Kickstart Actions: # AU-3(2) # Kickstart Actions: # AU-3(3) # Kickstart Actions: # AU-3(4) # Kickstart Actions: # AU-3(5) # Kickstart Actions: # AU-4: Audit Storage Capacity # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-5: Response to Audit Processing Failures # Kickstart Actions: # AU-5(1) # Kickstart Actions: # AU-5(2) # Kickstart Actions: # AU-5(3) # Kickstart Actions: # AU-6: Audit Monitoring, Analysis, and Reporting # Kickstart Actions: # AU-6(1) # Kickstart Actions: # AU-6(2) # Kickstart Actions: # AU-6(3) # Kickstart Actions: # AU-6(4) # Kickstart Actions: # AU-6(5) # Kickstart Actions: # AU-7: Audit Reduction and Report Generation # Kickstart Actions: # AU-7(1) # Kickstart Actions: # AU-7(2) # Kickstart Actions: # AU-8: Time Stamps # Kickstart 
Actions: # AU-8(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-8(2) # Kickstart Actions: # AU-9: Protection of Audit Information # Kickstart Actions: # Implemented in GEN002680 # Implemented in GEN002700 # AU-9(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-9(2) # Kickstart Actions: # AU-10: Non-repudiation # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-10(1) # Kickstart Actions: # AU-10(2) # Kickstart Actions: # AU-10(3) # Kickstart Actions: # AU-10(4) # Kickstart Actions: # AU-11: Audit Record Retention # Kickstart Actions: None - PROCEDURAL REQUIREMENT # AU-11(1) # Kickstart Actions: # AU-11(2) # Kickstart Actions: # AU-11(3) # Kickstart Actions: # AU-11(4) # Kickstart Actions: # AU-12: Session Audit # Kickstart Actions: # AU-12(1) # Kickstart Actions: # AU-12(2) # Kickstart Actions: ################################### # Certification, Accreditation, and Security Assessments # CA-1: Certification, Accreditation, and Security Assessment Policies and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-2: Security Assessments # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-3: Information System Connections # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-4: Security Certification # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-4(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-5: Plan of Action and Milestones # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-6: Security Accreditation # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-7: Continuous Monitoring # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CA-7(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Configuration Management # CM-1: Configuration Management Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-2: Baseline Configuration # Kickstart Actions: None - PROCEDURAL REQUIREMENT 
# CM-2(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-2(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-3: Configuration Change Control # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-3(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-3(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-4: Monitoring Configuration Changes # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-5: Access Restrictions for Change # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-5(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-5(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-5(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-6: Configuration Settings # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-6(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-6(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-7: Least Functionality # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-7(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-8: Information System Component Inventory # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-8(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CM-8(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Contingency Planning # CP-1: Contingency Planning Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-1(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2: Contingency Plan # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(5) # 
Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(6) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-2(7) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-3: Contingency Training # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-3(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-4: Contingency Plan Testing and Exercises # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-4(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-4(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-4(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-4(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-5: Contingency Plan Update # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6: Alternate Storage Site # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-6(6) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7: Alternate Processing Site # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-7(6) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-8: Telecommunications Services # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-8(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-8(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-8(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-8(4) # Kickstart Actions: 
None - PROCEDURAL REQUIREMENT # CP-9: Information System Backup # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-9(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-9(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-9(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-9(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-10: Information System Recovery and Reconstitution # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-10(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-10(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # CP-10(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Identification and Authentication # IA-1: Identification and Authentication Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IA-2: User Identification and Authentication # Kickstart Actions: # Implemented in GEN000540 # Implemented in GEN000560 # Implemented in GEN000580 # Implemented in GEN000600 # Implemented in GEN000700 # Implemented in GEN000800 # Implemented in GEN001380 # Implemented in GEN001400 # Implemented in GEN001420 # IA-2(1) # Kickstart Actions: # IA-2(2) # Kickstart Actions: # IA-2(3) # Kickstart Actions: # IA-2(4) # Kickstart Actions: # IA-2(5) # Kickstart Actions: # IA-2(6) # Kickstart Actions: # IA-2(7) # Kickstart Actions: # IA-2(8) # Kickstart Actions: # IA-3: Device Identification and Authentication # Kickstart Actions: # IA-3(1) # Kickstart Actions: # IA-3(2) # Kickstart Actions: # IA-4: Identifier Management # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IA-4(1) # Kickstart Actions: # IA-4(2) # Kickstart Actions: # IA-4(3) # Kickstart Actions: # IA-4(4) # Kickstart Actions: # IA-5: Authenticator Management # Kickstart Actions: # IA-5(1) # Kickstart Actions: # IA-5(2) # Kickstart Actions: # IA-5(3) # Kickstart Actions: # IA-5(4) # Kickstart Actions: # IA-5(5) # Kickstart Actions: # IA-6: Authenticator 
Feedback # Kickstart Actions: # IA-7: Cryptographic Module Authentication # Kickstart Actions: ################################### # Incident Response # IR-1: Incident Response Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-1(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-2: Incident Response Training # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-2(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-2(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-3: Incident Response Testing and Exercises # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-3(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-4: Incident Handling # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-4(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-5: Incident Monitoring # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-6: Incident Reporting # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-6(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-7: Incident Response Assistance # Kickstart Actions: None - PROCEDURAL REQUIREMENT # IR-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Maintenance # MA-1: System Maintenance Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-2: Controlled Maintenance # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-2(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-2(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-3: Maintenance Tools # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-3(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-3(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-3(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT 
# MA-4: Remote Maintenance # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-4(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-4(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-4(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-5: Maintenance Personnel # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MA-6: Timely Maintenance # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Media Protection # MP-1: Media Protection Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-2: Media Access # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-2(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-3: Media Labeling # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-4: Media Storage # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-5: Media Transport # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-5(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-5(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-6: Media Sanitization and Disposal # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-6(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # MP-6(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Physical and Environmental Protection # PE-1: Physical and Environmental Protection Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-2: Physical Access Authorizations # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-3: Physical Access Control # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-4: Access Control for Transmission Medium # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-5: Access Control for Display Medium # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-6: Monitoring Physical Access # Kickstart Actions: 
None - PROCEDURAL REQUIREMENT # PE-6(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-6(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-7: Visitor Control # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-8: Access Records # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-8(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-8(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-9: Power Equipment and Power Cabling # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-9(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-10: Emergency Shutoff # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-10(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-11: Emergency Power # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-11(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-11(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-12: Emergency Lighting # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-13: Fire Protection # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-13(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-13(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-13(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-14: Temperature and Humidity Controls # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-15: Water Damage Protection # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-15(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-16: Delivery and Removal # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-17: Alternate Work Site # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-18: Location of Information System Components # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-18(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PE-19: Information Leakage Planning # Kickstart Actions: None - PROCEDURAL REQUIREMENT 
################################### # Planning # PL-1: Security Planning Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PL-2: System Security Plan # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PL-3: System Security Plan Update # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PL-4: Rules of Behavior # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PL-5: Privacy Impact Assessment # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PL-6: Security-Related Activity Planning # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Personnel Security # PS-1: Personnel Security Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-2: Position Categorization # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-3: Personnel Screening # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-4: Personnel Termination # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-5: Personnel Transfer # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-6: Access Agreements # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-7: Third-Party Personnel Security # Kickstart Actions: None - PROCEDURAL REQUIREMENT # PS-8: Personnel Sanctions # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # Risk Assessment # RA-1: Risk Assessment Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-2: Security Categorization # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-3: Risk Assessment # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-4: Risk Assessment Update # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-5: Vulnerability Scanning # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-5(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # RA-5(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT 
################################### # System and Services Acquisition # SA-1: System and Services Acquisition Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-2: Allocation of Resources # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-3: Life Cycle Support # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-4: Acquisitions # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-4(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-4(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-5: Information System Documentation # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-5(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-6: Software Usage Restrictions # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-7: User Installed Software # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-8: Security Engineering Principles # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-9: External Information System Services # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-10: Developer Configuration Management # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SA-11: Developer Security Testing # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # System and Communications Protection # SC-1: System and Communications Protection Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-1(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-2: Application Partitioning # Kickstart Actions: # SC-3: Security Function Isolation # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-3(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-3(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-3(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-3(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-4: 
Information Remnance # Kickstart Actions: # SC-5: Denial of Service Protection # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-5(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # Implemented in GEN003600 # Implemented in GEN005600 # SC-5(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-6: Resource Priority # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7: Boundary Protection # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # Implemented in GEN006620 # SC-7(6) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(7) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-7(8) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-8: Transmission Integrity # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-8(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-8(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-9: Transmission Confidentiality # Kickstart Actions: None - PROCEDURAL REQUIREMENT # Implemented in GEN005500 # SC-9(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-9(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-9(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-9(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-9(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-10: Network Disconnect # Kickstart Actions: # SC-11: Trusted Path # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-12: Cryptographic Key Establishment and Management # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-12(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-12(2) # Kickstart Actions: None - 
PROCEDURAL REQUIREMENT # SC-12(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-12(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-13: Use of Cryptography # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-14: Public Access Protections # Kickstart Actions: # SC-15: Collaborative Computing # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-15(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-15(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-15(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-16: Transmission of Security Parameters # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-16(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-16(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-17: Public Key Infrastructure Certificates # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-18: Mobile Code # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-18(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-18(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-19: Voice Over Internet Protocol # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-20: Secure Name /Address Resolution Service (Authoritative Source) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-20(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-21: Secure Name /Address Resolution Service (Recursive or Caching Resolver) # Kickstart Actions: # SC-21(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-22: Architecture and Provisioning for Name/Address Resolution Service # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SC-23: Session Authenticity # Kickstart Actions: None - PROCEDURAL REQUIREMENT ################################### # System and Information Integrity # SI-1: System and Information Integrity Policy and Procedures # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-2: Flaw Remediation # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-2(1) # Kickstart 
Actions: None - PROCEDURAL REQUIREMENT # SI-2(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-2(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3: Malicious Code Protection # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-3(6) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4: Information System Monitoring Tools and Techniques # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4(4) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4(5) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-4(6) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-5: Security Alerts and Advisories # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-5(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-6: Security Functionality Verification # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-6(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-6(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-7: Software and Information Integrity # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-7(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-7(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-7(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-8: Spam Protection # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-8(1) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-8(2) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # SI-8(3) # Kickstart Actions: None - PROCEDURAL REQUIREMENT # 
SI-8(4)
# Kickstart Actions: None - PROCEDURAL REQUIREMENT
# SI-8(5)
# Kickstart Actions: None - PROCEDURAL REQUIREMENT
# SI-8(6)
# Kickstart Actions: None - PROCEDURAL REQUIREMENT
# SI-9: Information Input Restrictions
# Kickstart Actions: None - PROCEDURAL REQUIREMENT
# SI-10: Information Accuracy, Completeness, Validity, and Authenticity
# Kickstart Actions:
# SI-11: Error Handling
# Kickstart Actions: None - PROCEDURAL REQUIREMENT
# SI-12: Information Output Handling and Retention
# Kickstart Actions: None - PROCEDURAL REQUIREMENT

# Final action of the post-install settings: eject the installation medium.
# NOTE(review): in the collapsed rendering of this file the command sat on the
# same physical line as the comment block above, where it would be part of the
# comment and never run; it must begin its own line. Presumably this keeps the
# post-install reboot from booting the install media again - confirm against
# the install procedure.
eject
# END OF KICKSTART FILE POST SETTINGS