Professional Documents
Culture Documents
Copyright Notice
Copyright 2004 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the
copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS and
Symantec Corporation makes no warranty as to its accuracy or use. Any use of the
technical documentation or the information contained therein is at the risk of the user.
Documentation may include technical or other inaccuracies or typographical errors.
Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of
Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, Symantec Enterprise Security Manager, LiveUpdate, and
Symantec Security Response are trademarks of Symantec Corporation.
Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft
Corporation.
Other product names mentioned in this manual may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.
3
Technical support
When contacting the Technical Support group, please have the following:
■ Product release level
■ Hardware information
■ Available memory, disk space, NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages/log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select
the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals
Symantec Software License Agreement
Symantec Enterprise Security Manager
SYMANTEC CORPORATION AND/OR ITS “Desktop” means a desktop central processing unit for
SUBSIDIARIES (“SYMANTEC”) IS WILLING TO a single end user;
LICENSE THE SOFTWARE TO YOU AS AN D. use the Software to assess no more than the number
INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY of Server machines set forth under a License Module.
THAT WILL BE UTILIZING THE SOFTWARE “Server” means a central processing unit that acts as a
(REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY server for other central processing units;
ON THE CONDITION THAT YOU ACCEPT ALL OF THE E. use the Software to assess no more than the number
TERMS OF THIS LICENSE AGREEMENT. READ THE of Network machines set forth under a License Module.
TERMS AND CONDITIONS OF THIS LICENSE “Network” means a system comprised of multiple
AGREEMENT CAREFULLY BEFORE USING THE machines, each of which can be assessed over the same
SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE network;
CONTRACT BETWEEN YOU AND THE LICENSOR. BY F. use the Software in accordance with any written
OPENING THIS PACKAGE, BREAKING THE SEAL, agreement between You and Symantec; and
CLICKING THE “AGREE” OR “YES” BUTTON OR G. after written consent from Symantec, transfer the
OTHERWISE INDICATING ASSENT Software on a permanent basis to another person or
ELECTRONICALLY, OR LOADING THE SOFTWARE, entity, provided that You retain no copies of the
YOU AGREE TO THE TERMS AND CONDITIONS OF Software and the transferee agrees to the terms of this
THIS AGREEMENT. IF YOU DO NOT AGREE TO license.
THESE TERMS AND CONDITIONS, CLICK THE “I DO
NOT AGREE” OR “NO” BUTTON OR OTHERWISE You may not:
INDICATE REFUSAL AND MAKE NO FURTHER USE
A. copy the printed documentation which
OF THE SOFTWARE.
accompanies the Software;
B. use the Software to assess a Desktop, Server or
1. License: Network machine for which You have not been granted
The software and documentation that accompanies permission under a License Module;
this license (collectively the “Software”) is the C. sublicense, rent or lease any portion of the
proprietary property of Symantec or its licensors and Software; reverse engineer, decompile, disassemble,
is protected by copyright law. While Symantec modify, translate, make any attempt to discover the
continues to own the Software, You will have certain source code of the Software, or create derivative works
rights to use the Software after Your acceptance of this from the Software;
license. This license governs any releases, revisions, or D. use the Software as part of a facility management,
enhancements to the Software that the Licensor may timesharing, service provider, or service bureau
furnish to You. Except as may be modified by an arrangement;
applicable Symantec license certificate, license E. continue to use a previously issued license key if
coupon, or license key (each a “License Module”) that You have received a new license key for such license,
accompanies, precedes, or follows this license, and as such as with a disk replacement set or an upgraded
may be further defined in the user documentation version of the Software, or in any other instance;
accompanying the Software, Your rights and F. continue to use a previous version or copy of the
obligations with respect to the use of this Software are Software after You have installed a disk replacement
as follows. set, an upgraded version, or other authorized
replacement. Upon such replacement, all copies of the
You may: prior version must be destroyed;
G. use a later version of the Software than is provided
A. use that number of copies of the Software as have
herewith unless you have purchased corresponding
been licensed to You by Symantec under a License
maintenance and/or upgrade insurance or have
Module. Permission to use the software to assess
otherwise separately acquired the right to use such
Desktop, Server or Network machines does not
later version;
constitute permission to make additional copies of the
H. use, if You received the software distributed on
Software. If no License Module accompanies, precedes,
media containing multiple Symantec products, any
or follows this license, You may make one copy of the
Symantec software on the media for which You have
Software you are authorized to use on a single
not received a permission in a License Module; nor
machine.
I. use the Software in any manner not authorized by
B. make one copy of the Software for archival
this license.
purposes, or copy the Software onto the hard disk of
Your computer and retain the original for archival
purposes; 2. Content Updates:
C. use the Software to assess no more than the number Certain Software utilize content that is updated from
of Desktop machines set forth under a License Module. time to time (including but not limited to the following
Software: antivirus software utilize updated virus LIMITATION OR EXCLUSION MAY NOT APPLY TO
definitions; content filtering software utilize updated YOU.
URL lists; some firewall software utilize updated
firewall rules; and vulnerability assessment products TO THE MAXIMUM EXTENT PERMITTED BY
utilize updated vulnerability data; these updates are APPLICABLE LAW AND REGARDLESS OF WHETHER
collectively referred to as “Content Updates”). You ANY REMEDY SET FORTH HEREIN FAILS OF ITS
shall have the right to obtain Content Updates for any ESSENTIAL PURPOSE, IN NO EVENT WILL
period for which You have purchased maintenance, SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL,
except for those Content Updates that Symantec elects CONSEQUENTIAL, INDIRECT, OR SIMILAR
to make available by separate paid subscription, or for DAMAGES, INCLUDING ANY LOST PROFITS OR LOST
any period for which You have otherwise separately DATA ARISING OUT OF THE USE OR INABILITY TO
acquired the right to obtain Content Updates. USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN
Symantec reserves the right to designate specified ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Content Updates as requiring purchase of a separate
subscription at any time and without notice to You; IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED
provided, however, that if You purchase maintenance THE PURCHASE PRICE FOR THE SOFTWARE. The
hereunder that includes particular Content Updates on disclaimers and limitations set forth above will apply
the date of purchase, You will not have to pay an regardless of whether or not You accept the Software.
additional fee to continue receiving such Content
Updates through the term of such maintenance even if 5. U.S. Government Restricted Rights:
Symantec designates such Content Updates as
RESTRICTED RIGHTS LEGEND. All Symantec products
requiring separate purchase. This License does not
and documentation are commercial in nature. The
otherwise permit the licensee to obtain and use
software and software documentation are
Content Updates.
“Commercial Items,” as that term is defined in 48
C.F.R. section 2.101, consisting of “Commercial
3. Limited Warranty: Computer Software” and “Commercial Computer
Symantec warrants that the media on which the Software Documentation,” as such terms are defined in
Software is distributed will be free from defects for a 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R.
period of sixty (60) days from the date of delivery of the section 252.227-7014(a)(1), and used in 48 C.F.R.
Software to You. Your sole remedy in the event of a section 12.212 and 48 C.F.R. section 227.7202, as
breach of this warranty will be that Symantec will, at applicable. Consistent with 48 C.F.R. section 12.212, 48
its option, replace any defective media returned to C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202
Symantec within the warranty period or refund the through 227.7202-4, 48 C.F.R. section 52.227-14, and
money You paid for the Software. Symantec does not other relevant sections of the Code of Federal
warrant that the Software will meet Your requirements Regulations, as applicable, Symantec's computer
or that operation of the Software will be uninterrupted software and computer software documentation are
or that the Software will be error-free. licensed to United States Government end users with
only those rights as granted to all other end users,
TO THE MAXIMUM EXTENT PERMITTED BY according to the terms and conditions contained in this
APPLICABLE LAW, THE ABOVE WARRANTY IS license agreement. Manufacturer is Symantec
EXCLUSIVE AND IN LIEU OF ALL OTHER Corporation, 20330 Stevens Creek Blvd., Cupertino, CA
WARRANTIES, WHETHER EXPRESS OR IMPLIED, 95014, United States of America.
INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR 6. Export Regulation:
PURPOSE, AND NONINFRINGEMENT OF
Export or re-export of this Software is governed by the
INTELLECTUAL PROPERTY RIGHTS. THIS
laws and regulations of the United States and import
WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS.
laws and regulations of certain other countries.
YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM
Export or re-export of the Software to any entity not
STATE TO STATE AND COUNTRY TO COUNTRY.
authorized by, or that is specified by, the United States
Federal Government is strictly prohibited.
4. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING 7. General:
MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC
If You are located in North America or Latin America,
AREA, DO NOT ALLOW THE LIMITATION OR
this Agreement will be governed by the laws of the
EXCLUSION OF LIABILITY FOR INCIDENTAL OR
State of California, United States of America.
CONSEQUENTIAL DAMAGES, SO THE BELOW
Otherwise, this Agreement will be governed by the
laws of England and Wales. This Agreement and any
related License Module is the entire agreement
between You and Symantec relating to the Software
and: (i) supersedes all prior or contemporaneous oral
or written communications, proposals, and
representations with respect to its subject matter; and
(ii) prevails over any conflicting or additional terms of
any quote, order, acknowledgment, or similar
communications between the parties. This Agreement
shall terminate upon Your breach of any term
contained herein and You shall cease use of and
destroy all copies of the Software. The disclaimers of
warranties and damages and limitations on liability
shall survive termination. Software and
documentation is delivered Ex Works California,
U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS
2000). This Agreement may only be modified by a
License Module that accompanies this license or by a
written document that has been signed by both You
and Symantec. Should You have any questions
concerning this Agreement, or if You desire to contact
Symantec for any reason, please write to: (i) Symantec
Customer Service, 555 International Way, Springfield,
OR 97477, U.S.A., (ii) Symantec Authorized Service
Center, Postbus 1029, 3600 BA Maarssen, The
Netherlands, or (iii) Symantec Customer Service, 1
Julius Ave, North Ryde, NSW 2113, Australia.
8
Contents
■ Policy modules
12 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Introducing the policy
Note: In this document, some of the references will be to GLBA, and others to the
more specific FFIEC standards.
LiveUpdate installation
Install the policy by using the LiveUpdate feature in the Symantec ESM console.
Manual installation
If you cannot use LiveUpdate to install the policy directly from a Symantec
server, you can install the policy manually, using files from a CD or the Internet.
Policy modules
The GLBA policy includes the following modules to ensure compliance with
many of the technical and some administrative aspects of the Gramm-Leach-
Bliley Act and associated standards from the FFIEC. The enabled checks of each
module are listed with the standards they address and a brief rationale for
enabling the check. Associated name lists and templates are also listed. Because
the standard does not require specific values for anything, default values and
templates have been provided. The policy is read-only but can be copied or
renamed according to your company’s security policy needs. See the current
Symantec Enterprise Security Manager Security Update User’s Guide for UNIX
for check and message information.
In addition to the specific checks that are listed below, Part 364 contains the
following requirement (364/III.C.3):
Regularly test the key controls, systems, and procedures of the
information security program.
Using the Symantec ESM GLBA policy provides an efficient way to help fulfill
the requirement above.
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 17
Policy modules
Account Integrity
The Account Integrity module creates and maintains user and group snapshot
files on each agent where the module runs. The module reports new, changed,
and deleted users and groups between snapshot updates as well as account
privileges and other information.
Illegal login shells 501(b)(3) The presence of unauthorized login shells could indicate compromised
364/II.B.3 access controls.
364/III.C.1.a
Setuid login shells 501(b)(3) Setuid login shells could inadvertently allow access to unauthorized
364/II.B.3 users.
364/III.C.1.a
Setgid login shells 501(b)(3) Setgid login shells could inadvertently allow access to unauthorized
364/II.B.3 users.
364/III.C.1.a
Login shell owners 501(b)(3) Login shells that are not owned by system accounts (root or bin) can be
364/II.B.3 replaced with “Trojan” versions that are capable of a variety of
364/III.C.1.a unauthorized activity.
Login shell 501(b)(3) Login shells that are writeable by group or world can be replaced with
permissions 364/II.B.3 “Trojan” versions that are capable of a variety of unauthorized activity.
364/III.C.1.a
Home directories 501(b)(3) Inconsistent home directory configurations usually indicate incomplete
364/II.B.3 account termination, which could allow unauthorized access.
364/III.C.1.a
Group IDs 501(b)(3) Undefined groups could allow accidental inheritance of unauthorized
364/II.B.3 access privileges.
364/III.C.1.a
Home directory 501(b)(3) Home directories can contain not only PFI but also control files that may
permissions 364/II.B.3 lead to unauthorized access to PFI if not properly protected. This policy
364/III.C.1.a ships with a default setting of 750.
New accounts 501(b)(3) All changes to the /etc/password and /etc/group files after the last
364/II.B.3 snapshot update should be reviewed to ensure that unauthorized access
364/III.C.1.a has not been granted.
Deleted accounts 501(b)(3) All changes that were made to the /etc/password and /etc/group files
364/II.B.3 after the last snapshot update should be reviewed to ensure that
364/III.C.1.a authorized access has not been removed.
18 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
Changed accounts 501(b)(3) All changes that were made to the /etc/password and /etc/group files
364/II.B.3 after the last snapshot update should be reviewed to ensure that
364/III.C.1.a unauthorized access has not been granted or removed.
New groups 501(b)(3) All changes that were made to the /etc/password and /etc/group files
364/II.B.3 after the last snapshot update should be reviewed to ensure that
364/III.C.1.a unauthorized access has not been granted.
Deleted groups 501(b)(3) All changes that were made to the /etc/password and /etc/group files
364/II.B.3 after the last snapshot update should be reviewed to ensure that
364/III.C.1.a authorized access has not been removed.
Changed groups 501(b)(3) All changes that were made to the /etc/password and /etc/group files
364/II.B.3 after the last snapshot update should be reviewed to ensure that
364/III.C.1.a unauthorized access has not been granted or removed.
Duplicate IDs 501(b)(3) If each user does not have a unique ID, it could indicate unauthorized
364/II.B.3 access.
364/III.C.1.a
Privileged users and 501(b)(3) Privileged access to system files may lead to unauthorized access.
groups 364/II.B.3
364/III.C.1.a
Accounts should be 501(b)(3) Allowing logins on these accounts could lead to unauthorized access.
disabled 364/II.B.3
364/III.C.1.a
Remote-only 501(b)(3) These accounts may provide a channel for unauthorized network access
accounts 364/II.B.3 to the host.
364/III.C.1.a
Password in /etc/ 501(b)(2) A common password guessing attack involves trying strings that are
passwd found in the /etc/passwd file.
User shell 501(b)(3) The presence of unauthorized login shells could indicate compromised
compliance 364/II.B.3 access controls.
364/III.C.1.a.
Local Disks Only N/A This check is required for systems using NIS to serve home directories.
Local Accounts Only N/A This check is required for systems that use NIS for managing the passwd
and group files.
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 19
Policy modules
File Access
The File Access module checks read, write, and execute permissions on specified
files and reports user accounts that are allowed to access the files. It also
examines access control lists (ACLs) on AIX.
Write permission 501(b)(3) Giving write permissions to accounts other than root for the
364/II.B.3 listed files could allow unauthorized access.
364/III.C.1.a.
File Attributes
The File Attributes module reports changes to file creation and modification
times, file sizes, and CRC/MD5 checksum signatures. It also reports violations of
file permissions that are specified in template files.
User ownership 501(b)(3) Improper file ownership controls could allow unauthorized access.
364/II.B.3
364/III.C.1.a.
Group ownership 501(b)(3) Improper group ownership controls could allow unauthorized access.
364/II.B.3
364/III.C.1.a.
20 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
Changed file (creation 501(b)(3) Changes to file creation times could indicate unauthorized access.
time) 364/II.B.3
364/III.C.1.a.
Changed file 501(b)(3) Changes to file modification times could indicate unauthorized access.
(modification time) 364/II.B.3
364/III.C.1.a.
Changed file (size) 501(b)(3) Changes to file sizes could indicate unauthorized access.
364/II.B.3
364/III.C.1.a.
Changed file (signature) 501(b)(3) Changes to file signatures could indicate unauthorized access.
364/II.B.3
364/III.C.1.a.
Local disks only N/A This check is required for systems using NFS to serve home
directories.
Ignore symbolic links N/A Examining symbolic links may produce false positive alerts.
File Find
The File Find module reports weaknesses in file permissions and configuration
files.
Setuid files 501(b)(3) Setuid files should be carefully examined to ensure that they are
364/II.B.3 not a vehicle for unauthorized access.
364/III.C.1.a.
Setgid files 501(b)(3) Setgid files should be carefully examined to ensure that they are
364/II.B.3, not a vehicle for unauthorized access.
364/III.C.1.a.
New setuid files 501(b)(3) New setuid files should be carefully examined to ensure that they
364/II.B.3, are not a vehicle for unauthorized access.
364/III.C.1.a.
New setgid files 501(b)(3) New setgid files should be carefully examined to ensure that they
364/II.B.3 are not a vehicle for unauthorized access.
364/III.C.1.a.
World-writeable 501(b)(2) World-writeable directories without the sticky bit let any user
directories without delete files in the directory (intentionally or unintentionally).
sticky bit
Device files not in /dev 501(b)(3) Mislocated device files could indicate system compromise and may
364/II.B.3 be used to gain unauthorized access to other system resources.
364/III.C.1.a.
364/III.C.1.f.
World-writeable files 501(b)(3) World-writeable files can be used to gain unauthorized access.
364/II.B.3
364/III.C.1.a.
Unowned directories 501(b)(3) Access to unowned directories and files may be accidentally
and files 364/II.B.3 inherited by newly created accounts and groups.
364/III.C.1.a.
Local disks only N/A This check is required for systems using NFS to serve home
directories.
22 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
File Watch
The File Watch module creates and maintains a snapshot file for each agent
where you run the module that stores file information. The File Watch template
specifies the files or directories to be checked, the depth of directory traversal,
and the types of changes to be evaluated. Malicious File Watch templates
identify known attack signatures for malicious files checks.
Changed files (ownership) 501(b)(3) Ownership changes could indicate unauthorized access.
364/II.B.3
364/III.C.1.a.
Changed files 501(b)(3) File permissions changes could indicate unauthorized access.
(permissions) 364/II.B.3
364/III.C.1.a.
Changed files (signature) 501(b)(3) File signature changes to the listed files could indicate unauthorized
364/II.B.3 access.
364/III.C.1.a.
New files 501(b)(3) Files that were added to the watched directories could indicate
364/II.B.3 unauthorized access.
364/III.C.1.a.
Removed files 501(b)(3) Files that were removed from the watched directories could indicate
364/II.B.3 unauthorized access.
364/III.C.1.a.
Malicious files 501(b)(2) The presence of known malware is a clear indication of system
364/III.C.1.f. compromise. Malicious software may pose a threat to the
confidentiality, integrity, and availability of PFI.
Local disks only N/A This check is required for systems using NFS to serve home
directories.
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 23
Policy modules
Login Parameters
The Login Parameters module reports:
■ Accounts that have never been used or have not been used within a specified
number of days
■ Failed logins within a specified number of days
■ Accounts with expired passwords
■ Passwords that can be changed by others
■ Agents that do not log login attempts
■ Login attempts by superusers
■ Root accounts that can be accessed through rlogin or telnet
24 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
■ Devices that have reported failed logins on agents that are running in
trusted or enhanced modes
Inactive accounts 501(b)(3) Unused accounts that could allow unauthorized access
364/II.B.3 should be removed. This policy ships with a default
364/III.C.1.a setting of 30 days of inactivity.
Login failures 501(b)(3) Excessive login failures could indicate attempts to gain
364/II.B.3 unauthorized access.
364/III.C.1.a
Successful login attempts 364/III.C.1.a Certain system activities, including logins, must be
not logged 364/III.C.1.f logged and audited to facilitate monitoring for abuse of
privilege.
Successful su attempts not 364/III.C.1.a Certain system activities, including privilege escalation,
logged 364/III.C.1.f must be logged and audited, to facilitate monitoring for
abuse of privilege.
Remote root logins 501(b)(3) Permitting remote root login on an untrusted channel
364/II.B.3 could allow unauthorized access.
364/III.C.1.a
Locked accounts 501(b)(2) Accounts are usually locked due to excessive login
501(b)(3) failures, which could indicate attempts to gain
364/III.C.1.f unauthorized access.
Password changes failed 501(b)(2) Excessive password change failures could indicate an
501(b)(3) attempt to guess a password.
364/III.C.1.f
Devices with failed logins 501(b)(2) Excessive login failures could indicate attempts to gain
501(b)(3) unauthorized access.
364/III.C.1.f
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 25
Policy modules
Login retries (AIX, HP-UX, 501(b)(2) Allowing excessive retries to log in makes an account
Red Hat Linux) more vulnerable to a password guessing attack. This
policy ships with a default setting of 5 tries.
Local disks only N/A This check is required for systems using NFS to serve
home directories.
Local accounts only N/A This check is required for systems that use NIS to
manage passwd and group files.
Network Integrity
The Network Integrity module reports:
■ Trusted hosts and users
■ Agents with FTP enabled
■ TFTP daemons that are running as privileged users or not running in secure
mode
■ Listening TCP and UDP ports
■ Listening TCP and UDP ports that changed owners since the last snapshot
update
■ TCP and UDP ports that started listening since the last snapshot update
■ Agents that are running xhost + in X Windows
■ Processes that are used to open TCP and UDP ports
Trusted hosts/users 364/III.C.1.a The Berkeley trust mechanism is one of the vulnerabilities most
frequently exploited by attackers. The mechanism does not
properly authenticate users. Other means, such as ssh, should be
used to authenticate users.
FTP enabled 501(b)(2) FTP is another frequently exploited vulnerability. Other means,
such as ssh, should be used to authenticate users.
Listening TCP ports 501(b)(2) Unauthorized listening ports may not be properly protected
364/III.C.1.f against common threats.
New listening TCP 501(b)(2) New listening ports should be reviewed to ensure that they are
ports 364/III.C.1.f authorized.
26 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
Modified listening TCP 501(b)(2) Modified listening ports should be reviewed to ensure that they
ports 364/III.C.1.f still comply with policy and requirements.
Listening UDP ports 501(b)(2) Unauthorized listening ports may not be properly protected
364/III.C.1.f against common threats.
New listening UDP 501(b)(2) New listening ports should be reviewed to ensure that they are
ports 364/III.C.1.f authorized.
Modified listening 501(b)(2) Modified listening ports should be reviewed to ensure that they
UDP ports 364/III.C.1.f still comply with policy and requirements.
Access control (xhost) 501(b)(2) Access to the X console should be explicitly controlled.
501(b)(3)
364/III.C.1.f
OS Patches
The OS Patches (Patch) module reports patches that are defined in the UNIX
patch template files for AIX, HP-UX, Solaris, and Linux but are not installed on
the agent.
All module checks 501(b)(2) Unpatched systems are overwhelmingly the most common cause of
364/II.B.2 technical security exploits. Patching known vulnerabilities
constitutes an effective protection against anticipated threats.
Note: Do not edit, move, or change your Patch template files in any way.
Password Strength
The Password Strength module reports the following weak passwords:
■ Passwords that match the user name
■ Passwords that are the same as any user name in the system
■ Passwords that are the same as any word in word list files
The Password Strength module also reports accounts with no passwords and
accounts with a maximum password age that is greater than a specified value
Password = username 501(b)(3) Controls to authenticate and permit access only to authorized
364/II.B.3 individuals require effective password management. Passwords
364/III.C.1.a that match the user name are easy to guess and may allow
unauthorized access.
Password = any 501(b)(3) Controls to authenticate and permit access only to authorized
username 364/II.B.3 individuals require effective password management. Passwords
364/III.C.1.a that match any user names on your network can result in
unauthorized access.
Password within GECOS 501(b)(3) Passwords that match information in the GECOS field are easily
field 364/II.B.3 guessed passwords and do not meet the GLBA requirement for
364/III.C.1.a adequate authentication and access controls.
Password = wordlist 501(b)(3) Controls to authenticate and permit access only to authorized
word 364/II.B.3 individuals require effective password management. Attackers
364/III.C.1.a often look for commonly-used words to guess passwords and gain
unauthorized access.
Reverse order 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
364/II.B.3 adequate authentication and access controls. Attackers often look
364/III.C.1.a for variations of user names and wordlist words to guess
passwords and gain unauthorized access.
Double occurrences 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
364/II.B.3 adequate authentication and access controls. Attackers often look
364/III.C.1.a for double occurrences of user names and wordlist words to guess
passwords and gain unauthorized access.
Plural forms 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
364/II.B.3 adequate authentication and access controls. Attackers often look
364/III.C.1.a for plural forms of user names and wordlist words to guess
passwords and gain unauthorized access.
28 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
Uppercase 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
364/II.B.3 adequate authentication and access controls. Attackers look for
364/III.C.1.a upper and lowercase variations of user names and wordlist words
to guess passwords and gain unauthorized access.
Lowercase 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
364/II.B.3 adequate authentication and access controls. Attackers look for
364/III.C.1.a upper and lowercase variations of user names and wordlist words
to guess passwords and gain unauthorized access.
Guessed password 501(b)(3) Controls to authenticate and permit access only to authorized
364/II.B.3 individuals require effective password management. If a password
364/III.C.1.a is easily guessed, it may permit unauthorized access.
Login requires password 501(b)(3) Controls to authenticate and permit access only to authorized
364/II.B.3 individuals require effective password management. Accounts
364/III.C.1.a without passwords may permit unauthorized access.
Accounts without 501(b)(3) Controls to authenticate and permit access only to authorized
passwords 364/II.B.3 individuals require effective password management. Accounts that
364/III.C.1.a do no require login may permit unauthorized access.
Password length 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
restrictions 364/II.B.3 adequate authentication and access controls. Short passwords are
364/III.C.1.a easily guessed. This policy ships with a default setting of 8
characters.
Minimum password 501(b)(3) Limiting reuse of previously-used passwords reduces the risk of
history 364/II.B.3 discovery. This policy ships with a default setting of 4 prior
364/III.C.1.a passwords.
Password age 501(b)(3) Controls to authenticate and permit access only to authorized
364/II.B.3 individuals require effective password management. Requiring
364/III.C.1.a passwords to be changed periodically reduces the risk of discovery.
This policy ships with a default setting of 90 days.
Maximum password age 501(b)(3) Controls to authenticate and permit access only to authorized
364/II.B.3 individuals require effective password management. Default
364/III.C.1.a maximum password age settings on ESM agents should comply
your company’s security policy.
Maximum repeated 501(b)(3) Easily guessed passwords do not meet the GLBA requirement for
characters 364/II.B.3 adequate authentication and access controls. Repeated characters
364/III.C.1.a make passwords easy to guess. This policy ships with a default
setting of 2 characters.
Local disks only N/A This check is required for systems using NFS to serve home
directories.
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 29
Policy modules
Local accounts only N/A This check is required for systems that use NIS for managing the
passwd and group files.
Startup Files
The Startup Files module reports:
■ Files referenced by rc scripts that do not exist on the agent
■ PATH variables that include the current directory
■ Changes to process configurations since the last snapshot update
■ Services that were added or deleted since the last snapshot update
■ Running services that are forbidden
System startup file contents 501(b)(3) World-writeable files executed by system startup scripts could
364/II.B.3 allow unauthorized access or privilige escalation.
364/III.C.1.a
Current directory in startup 501(b)(3) Files writeable by users other than root could allow
path 364/II.B.3 unauthorized access or privilege escalation.
364/III.C.1.a
Login/tty file contents 501(b)(3) Permitting remote root login on an untrusted channel could
364/II.B.3 allow unauthorized access.
364/III.C.1.a
Enhanced security enabled N/A This setting is required to enable other checks in ESM.
Services not in template 501(b)(3) Unauthorized services can be used to gain unauthorized
364/II.B.3 access.
364/III.C.1.a
30 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
System Auditing
The System Auditing module reports the following:
■ Unauthorized users (providing valuable tracking information during or
after a break-in)
■ Security events that are audited for failure or success
■ Maximum log file size
Of the supported UNIX platforms on ESM, only Solaris and HP-UX natively
support auditing functions. However, the following checks on AIX, HP-UX, and
Solaris verify compliance with the corresponding GLBA sections.
Auditing enabled (AIX, 364/III.B.3 This setting lets you record and examine system activities.
HP-UX, Solaris) 364/III.C.1.f
Event auditing (HP-UX, 364/III.B.3 Templates define the specific events and system calls to be
Solaris) 364/III.C.1.f audited to review system activity.
System call mapping (HP- 364/III.B.3 Templates define the specific events and system calls to be
UX, Solaris) 364/III.C.1.f audited to review system activity.
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 31
Policy modules
System Mail
ESM provides checks for the sendmail program. However, systems that store
and process personal non-public financial information (PFI) should not use
sendmail because of sendmail’s history of security vulnerabilities.
Note: If SMTP is required, use a more secure and reliable substitute such as
qmail or postfix.
Wizard passwords 501(b)(3) Wizard passwords are frequently exploited, which could allow
364/II.B.3 unauthorized access.
364/III.C.1.a
Decode aliases 501(b)(2) Decode aliases are a frequent vector for malicious code.
32 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules
Command aliases 501(b)(3) Command aliases may be used to gain unauthorized access and
364/II.B.3 could indicate system compromise.
364/III.C.1.a
364/III.C.1.f
Sendmail log 501(b)(2) Correctly configuring the sendmail log feature helps to detect
364/II.B.2 and diagnose mail vulnerabilities.
364/III.C.1.f
Log level setting 501(b)(2) This setting defines the minimum level of log information to
364/II.B.2 be captured. This policy ships with a default setting of log level
364/III.C.1.f 9.
User Files
The User Files module reports the following:
■ Files in the user’s directory that the user does not own
■ Files and directories that everyone can write to
■ Files that have set user ID or set group ID bits for their owners or other files
■ Users with PATH variables that include the current directory
■ Accounts with .rhost or .netrc files (and potential vulnerabilities that are
associated with each)
■ Startup files with inadequate permissions or improper ownerships
File ownership 501(b)(3) Improper file ownership controls could allow unauthorized
364/II.B.3 access.
364/III.C.1.a
World-writeable files 501(b)(3) World-writeable files may be used to gain unauthorized access.
364/II.B.3
364/III.C.1.a
Setuid or Setgid 501(b)(3) Setuid and setgid files should be examined to ensure that they
364/II.B.3 are not a vehicle for unauthorized access.
364/III.C.1.a
Symantec ESM Baseline Policy Manual for GLBA (UNIX) 33
Policy modules
Set PATH (using su) N/A This is the recommended method for checking the PATH
variable, upon which other checks depend.
Current directory not 501(b)(3) Files writeable by users other than root could allow unauthorized
allowed in PATH 364/II.B.3 access or privilege escalation.
364/III.C.1.a
World-writeable 501(b)(3) Files writeable by users other than root could allow unauthorized
directories in PATH 364/II.B.3 access or privilege escalation.
364/III.C.1.a
Group writeable 501(b)(3) Files writeable by users other than root could allow unauthorized
directories in PATH 364/II.B.3 access or privilege escalation.
364/III.C.1.a
Umask (using su) N/A This is the recommended method for checking the umask value,
upon which other checks depend.
Umask 501(b)(3) Umask values that are set too low could allow unauthorized
364/II.B.3 access or privilege escalation. This policy ships with a default
364/III.C.1.a setting of 027.
Check startup file contents 501(b)(3) World-writeable files executed by system startup scripts could
364/II.B.3 allow unauthorized access or privilege escalation.
364/III.C.1.a
Check startup file 501(b)(3) If startup files are not properly protected, an attacker can be able
protection 364/II.B.3 to change them and hijack the user’s account.
364/III.C.1.a
Local disks only N/A This check is required for systems using NFS to serve home
directories.
Ignore symbolic links N/A Examining symbolic links may produce false positive alerts.
Local accounts only N/A This check is required for systems that use NIS for managing the
passwd and group files.
34 Symantec ESM Baseline Policy Manual for GLBA (UNIX)
Policy modules