
Symantec Enterprise Security Manager™

Baseline Policy Manual for Gramm-Leach-Bliley Act

For AIX, HP-UX, Red Hat Linux, and Solaris


Baseline Policy Manual for GLBA
The software described in this book is furnished under a license agreement and may be
used only in accordance with the terms of the agreement.
040330

Copyright Notice
Copyright © 2004 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the
copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS and
Symantec Corporation makes no warranty as to its accuracy or use. Any use of the
technical documentation or the information contained therein is at the risk of the user.
Documentation may include technical or other inaccuracies or typographical errors.
Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of
Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks
Symantec, the Symantec logo, Symantec Enterprise Security Manager, LiveUpdate, and
Symantec Security Response are trademarks of Symantec Corporation.
Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft
Corporation.
Other product names mentioned in this manual may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.

Technical support

As part of Symantec Security Response, the Symantec Global Technical Support
group maintains support centers throughout the world. The Technical Support
group’s primary role is to respond to specific questions on product feature/
function, installation, and configuration, as well as to author content for our
Web-accessible Knowledge Base. The Technical Support group works in
collaboration with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering as well as Symantec Security Response to provide
Alerting Services and Virus Definition Updates for virus outbreaks and security
alerts.
Symantec technical support offerings include:
■ A range of support options that gives you the flexibility to select the right
amount of service for any size organization
■ Telephone and Web support components that provide rapid response and
up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Content Updates for virus definitions and security signatures that ensure
the highest level of protection
■ Global support from Symantec Security Response experts, which is
available 24 hours a day, 7 days a week worldwide in a variety of languages
■ Advanced features, such as the Symantec Alerting Service and Technical
Account Manager role, that offer enhanced response and proactive security
support
Please visit our Web site for current information on Support Programs. The
specific features that are available may vary based on the level of support
purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license
key, the fastest and easiest way to register your service is to access the
Symantec licensing and registration site at www.symantec.com/certificate.
Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.htm,
select the product that you wish to register, and from the Product Home Page,
select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical
Support group by phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical
Support by the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:
■ Product release level
■ Hardware information
■ Available memory, disk space, NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages/log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes

Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select
the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals
Symantec Software License Agreement
Symantec Enterprise Security Manager

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:
The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:
A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine.
B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;
C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. “Desktop” means a desktop central processing unit for a single end user;
D. use the Software to assess no more than the number of Server machines set forth under a License Module. “Server” means a central processing unit that acts as a server for other central processing units;
E. use the Software to assess no more than the number of Network machines set forth under a License Module. “Network” means a system comprised of multiple machines, each of which can be assessed over the same network;
F. use the Software in accordance with any written agreement between You and Symantec; and
G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:
A. copy the printed documentation which accompanies the Software;
B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module;
C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;
E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance;
F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed;
G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;
H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor
I. use the Software in any manner not authorized by this license.

2. Content Updates:
Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty:
Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights:
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation:
Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited.

7. General:
If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Authorized Service Center, Postbus 1029, 3600 BA Maarssen, The Netherlands, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.
Contents

Symantec ESM Baseline Policy Manual for GLBA (UNIX)


Introducing the policy ......................................................................................... 12
About the policy ........................................................................................... 12
About the Gramm-Leach-Bliley Act .......................................................... 12
Where to get more information about the standard .............................. 13
Installing the policy ............................................................................................. 14
Before you install ......................................................................................... 14
Installing the policy ..................................................................................... 14
LiveUpdate installation .............................................................................14
Manual installation ...................................................................................15
Policy modules ..................................................................................................... 16
Account Integrity ......................................................................................... 17
Shell template files ....................................................................................19
File Access ..................................................................................................... 19
File Attributes .............................................................................................. 19
File Attributes template files .....................................................................20
File Find ......................................................................................................... 21
File Watch ..................................................................................................... 22
File Watch template files ..........................................................................23
Login Parameters ......................................................................................... 23
Network Integrity ........................................................................................ 25
OS Patches .................................................................................................... 26
Patch template files ...................................................................................26
Password Strength ....................................................................................... 27
Startup Files ................................................................................................. 29
Services template files ..............................................................................30
System Auditing ........................................................................................... 30
Event auditing and System call mapping template files ...........................31
System Mail .................................................................................................. 31
User Files ....................................................................................................... 32
Symantec ESM Baseline Policy Manual for GLBA (UNIX)
This document includes the following topics:

■ Introducing the policy

■ Installing the policy

■ Policy modules
Introducing the policy


The Gramm-Leach-Bliley Act defines administrative, physical, and technical
safeguards to protect the confidentiality, integrity, and availability of electronic
personal non-public financial information (PFI).
The Symantec ESM baseline policy for GLBA assesses compliance with many of
the technical and some administrative elements of the law and the standard’s
requirements. The policy addresses elements of Title V, Subtitle A, Section 501
and 12 CFR Part 364.

About the policy


The Symantec ESM baseline policy for GLBA assesses compliance with the
standard’s minimum requirements. It runs on Symantec ESM 6.0 and 5.x
managers and agents with Security Update 18 or later on the following
operating systems:
■ AIX 4.x.x through 5.x.x
■ Solaris 2.6 through 2.9
■ Red Hat Linux 6.x and 7.x
■ HP-UX 10.x and 11.x

About the Gramm-Leach-Bliley Act


The Gramm-Leach-Bliley Act (GLBA) requires companies to give privacy notices
that explain the institutions’ information-sharing practices about individuals.
GLBA applies to financial institutions that offer financial products or services
such as loans, financial or investment advice, or insurance to individuals. The
Federal Trade Commission has authority to enforce the law with respect to
financial institutions that are not covered by the federal banking agencies, the
Securities and Exchange Commission, the Commodity Futures Trading
Commission, and state insurance authorities. Compliance is mandatory for all
non-bank mortgage lenders, loan brokers, financial or investment advisers, tax
preparers, debt collectors and providers of real estate settlement institutions.
The law requires that financial institutions protect information that is collected
about individuals; it does not apply to information that is collected in business
or commercial activities. Entities that are subject to the law include those
regulated by the following agencies:
■ Federal Reserve Board (FRB)
■ Federal Deposit Insurance Corporation (FDIC)
■ National Credit Union Administration (NCUA)
■ Office of the Comptroller of the Currency (OCC)
■ Office of Thrift Supervision (OTS)
■ Department of the Treasury
■ Securities and Exchange Commission (SEC)
■ Federal Trade Commission (FTC)
■ State Insurance Authorities that are designated by the National Association
of Insurance Commissioners (NAIC)
Title V of the Gramm-Leach-Bliley Act (GLBA) titled Privacy, contains Subtitle
A, Disclosure of Non-public Personal Information. Under this subtitle, Section
501, Protection of Non-public Personal Information contains the requirements
that are applicable to this policy.
The Federal Financial Institutions Examination Council (FFIEC) has published
more specific security standards (12 CFR Part 364) within GLBA for the
following agencies:
■ Office of the Comptroller of the Currency (OCC)
■ Office of Thrift Supervision (OTS)
■ Federal Deposit Insurance Corporation (FDIC)
■ National Credit Union Administration (NCUA)
■ Federal Reserve Board (FRB)
The applicable requirements are found in Appendix B, sections II and III.

Note: In this document, some of the references will be to GLBA, and others to the
more specific FFIEC standards.

Where to get more information about the standard


The full text of GLBA can be found at
http://www.senate.gov/~banking/conf/fintl5.pdf. The FFIEC standards are available at
http://www.ffiec.gov/exam/InfoBase/documents/02-joi-safeguard_customer_info_final_rule-010201.pdf.
Guidelines for FFIEC Examiners, who are charged with evaluating compliance
with the standards, can be found at
http://www.ffiec.gov/exam/conference/Presentations/2001-35a.pdf.
Installing the policy


Before you install
Decide which Symantec ESM managers require the policy. (Policies run on
managers—they do not need to be installed on agents.) The policy runs only on
Symantec ESM 5.5 or later, with Security Update 18 or later. Update any
managers that do not meet these requirements.

Installing the policy


The standard installation method is to use the LiveUpdate feature in the
Symantec ESM console. Another method is to use files from a CD or the Internet
to install the policy manually.

LiveUpdate installation
Install the policy by using the LiveUpdate feature in the Symantec ESM console.

To install the policy


1 Connect the Symantec ESM Enterprise Console to managers where you want
to install the policy.
2 Click the LiveUpdate icon to start the LiveUpdate wizard.
3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and
then click Next.
4 In the Welcome to LiveUpdate dialog box, click Next.
5 Do one of the following:
■ To install all checked products and components, click Next.
■ To omit a product from the update, uncheck it, and then click Next.
■ To omit a product component, expand the product node, uncheck the
component that you want to omit, and then click Next.
6 Click Next.
7 Click Finish.
8 Ensure that all managers that you want to update are checked.
9 Click Next.
10 Click OK.
11 Click Finish.
Manual installation
If you cannot use LiveUpdate to install the policy directly from a Symantec
server, you can install the policy manually, using files from a CD or the Internet.

To obtain policy files


1 Connect the Symantec ESM Enterprise Console to managers that you want
to update.
2 From the Security Response Web site (http://securityresponse.symantec.com),
download the executable files for the following operating systems:
■ AIX 4.x.x through 5.x.x
■ Solaris 2.6 through 2.9
■ Red Hat Linux 6.x and 7.x
■ HP-UX 10.x and 11.x

Note: To avoid conflicts with updates that are performed by standard
LiveUpdate installations, copy or extract the files into the LiveUpdate
folder, which is usually Program Files/Symantec/LiveUpdate.

To install the policy on a Symantec ESM manager


1 On a computer running Windows NT/2000/XP/Server 2003 that has
network access to the manager, run the executable that you downloaded
from the Symantec Security Response Web site.
2 Click Next to close the Welcome dialog box.
3 In the License Agreement dialog box, if you agree to the terms of the
agreement, click Yes.
4 Click Yes to continue installation of the best practice policy.
5 Type the requested manager information.
6 Click Next.
If the manager’s modules have not been upgraded to Security Update 18 or
later, the install program returns an error message and aborts the
installation. Upgrade the manager to SU 18 or later, then rerun the install
program.
7 Click Finish.
Policy modules
The GLBA policy includes the following modules to ensure compliance with
many of the technical and some administrative aspects of the Gramm-Leach-
Bliley Act and associated standards from the FFIEC. The enabled checks of each
module are listed with the standards they address and a brief rationale for
enabling the check. Associated name lists and templates are also listed. Because
the standard does not require specific values for anything, default values and
templates have been provided. The policy is read-only but can be copied or
renamed according to your company’s security policy needs. See the current
Symantec Enterprise Security Manager Security Update User’s Guide for UNIX
for check and message information.
In addition to the specific checks that are listed below, Part 364 contains the
following requirement (364/III.C.3):
Regularly test the key controls, systems, and procedures of the
information security program.
Using the Symantec ESM GLBA policy provides an efficient way to help fulfill
the requirement above.
Account Integrity
The Account Integrity module creates and maintains user and group snapshot
files on each agent where the module runs. The module reports new, changed,
and deleted users and groups between snapshot updates as well as account
privileges and other information.

Check | GLBA section | Rationale

Illegal login shells | 501(b)(3); 364/II.B.3; 364/III.C.1.a | The presence of unauthorized login shells could indicate compromised access controls.

Setuid login shells | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Setuid login shells could inadvertently allow access to unauthorized users.

Setgid login shells | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Setgid login shells could inadvertently allow access to unauthorized users.

Login shell owners | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Login shells that are not owned by system accounts (root or bin) can be replaced with “Trojan” versions that are capable of a variety of unauthorized activity.

Login shell permissions | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Login shells that are writeable by group or world can be replaced with “Trojan” versions that are capable of a variety of unauthorized activity.

Home directories | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Inconsistent home directory configurations usually indicate incomplete account termination, which could allow unauthorized access.

Group IDs | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Undefined groups could allow accidental inheritance of unauthorized access privileges.

Home directory permissions | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Home directories can contain not only PFI but also control files that may lead to unauthorized access to PFI if not properly protected. This policy ships with a default setting of 750.

New accounts | 501(b)(3); 364/II.B.3; 364/III.C.1.a | All changes to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.

Deleted accounts | 501(b)(3); 364/II.B.3; 364/III.C.1.a | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that authorized access has not been removed.

Changed accounts | 501(b)(3); 364/II.B.3; 364/III.C.1.a | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted or removed.

New groups | 501(b)(3); 364/II.B.3; 364/III.C.1.a | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.

Deleted groups | 501(b)(3); 364/II.B.3; 364/III.C.1.a | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that authorized access has not been removed.

Changed groups | 501(b)(3); 364/II.B.3; 364/III.C.1.a | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted or removed.

Duplicate IDs | 501(b)(3); 364/II.B.3; 364/III.C.1.a | If each user does not have a unique ID, it could indicate unauthorized access.

Privileged users and groups | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Privileged access to system files may lead to unauthorized access.

Accounts should be disabled | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Allowing logins on these accounts could lead to unauthorized access.

Remote-only accounts | 501(b)(3); 364/II.B.3; 364/III.C.1.a | These accounts may provide a channel for unauthorized network access to the host.

Password in /etc/passwd | 501(b)(2) | A common password guessing attack involves trying strings that are found in the /etc/passwd file.

User shell compliance | 501(b)(3); 364/II.B.3; 364/III.C.1.a | The presence of unauthorized login shells could indicate compromised access controls.

Local Disks Only | N/A | This check is required for systems using NIS to serve home directories.

Local Accounts Only | N/A | This check is required for systems that use NIS for managing the passwd and group files.
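Most of the Account Integrity checks above reduce to parsing /etc/passwd and /etc/group and comparing them against a template and an earlier snapshot. The following Python is an added illustration, not Symantec's module code: it models the illegal-shell, undefined-group, duplicate-UID, password-in-passwd and home-directory-permission checks and reports new, deleted and changed accounts, all on constructed passwd/group text. ALLOWED_SHELLS stands in for a Shell template, and home directory modes are passed in as a dict rather than read from disk, so it runs anywhere.

```python
"""Added model of the Account Integrity checks above (not Symantec's code).
Works entirely on passwd/group text and constructed data, so it runs offline."""
import stat

# Stand-in for the Shell template: the login shells the site authorizes (assumed).
ALLOWED_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/bash", "/bin/false", "/sbin/nologin"}
MAX_HOME_MODE = 0o750  # the policy's default home directory permission setting


def parse_passwd(text):
    """Return {name: (uid, gid, password_field, home, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]), fields[1], fields[5], fields[6])
    return users


def parse_group(text):
    """Return {gid: groupname} from group-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            groups[int(fields[2])] = fields[0]
    return groups


def check_accounts(users, groups, home_modes):
    """Static checks on one passwd/group pair. home_modes maps home dir -> st_mode.
    Returns (check name, account, detail) tuples named as in the policy table."""
    findings, first_owner_of_uid = [], {}
    for name, (uid, gid, pw, home, shell) in sorted(users.items()):
        if shell not in ALLOWED_SHELLS:
            findings.append(("Illegal login shells", name, shell))
        if gid not in groups:
            findings.append(("Group IDs", name, gid))
        if uid in first_owner_of_uid:
            findings.append(("Duplicate IDs", name, first_owner_of_uid[uid]))
        first_owner_of_uid.setdefault(uid, name)
        # Anything other than the shadow marker (x) or a lock marker (*, !) in
        # field 2 is a password hash sitting in world-readable /etc/passwd.
        if pw and pw != "x" and not pw.startswith(("*", "!")):
            findings.append(("Password in /etc/passwd", name, None))
        mode = home_modes.get(home)
        if mode is not None and stat.S_IMODE(mode) & ~MAX_HOME_MODE:
            findings.append(("Home directory permissions", name, oct(stat.S_IMODE(mode))))
    return findings


def compare_snapshot(previous, current):
    """Report new, deleted and changed accounts between two parse_passwd() results."""
    findings = []
    for name in sorted(set(previous) | set(current)):
        if name not in previous:
            findings.append(("New accounts", name, None))
        elif name not in current:
            findings.append(("Deleted accounts", name, None))
        elif previous[name] != current[name]:
            findings.append(("Changed accounts", name, None))
    return findings


# Constructed sample input: the previous snapshot and the current files.
PREVIOUS_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/bash
dave:x:1003:100:Dave:/home/dave:/bin/sh
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:100:Alice:/home/alice:/bin/ksh
bob:$1$saltsalt$notarealhash:1002:100:Bob:/home/bob:/bin/bash
carol:x:1001:999:Carol:/home/carol:/usr/local/bin/zsh
"""
CURRENT_GROUP = "root:x:0:\nbin:x:1:\nusers:x:100:alice,bob\n"
# Constructed st_mode values, as os.stat() would return them for the home directories.
HOME_MODES = {"/home/alice": 0o40750, "/home/bob": 0o40777, "/home/carol": 0o40750}


def run_policy():
    """Run both check families over the constructed data and return all findings."""
    users = parse_passwd(CURRENT_PASSWD)
    findings = check_accounts(users, parse_group(CURRENT_GROUP), HOME_MODES)
    findings += compare_snapshot(parse_passwd(PREVIOUS_PASSWD), users)
    return findings


if __name__ == "__main__":
    for check, account, detail in run_policy():
        print(f"{check:28} {account:8} {detail if detail is not None else ''}")
```

On the constructed data this reports nine findings: carol trips the illegal-shell, undefined-group and duplicate-UID checks, bob has a hash in /etc/passwd and a world-writable home directory, and the snapshot comparison flags alice and bob as changed, carol as new and dave as deleted.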
Shell template files


You can edit the template files by copying them into another directory and
renaming them. However, Symantec uses LiveUpdate every two weeks to
overwrite the default template files that are loaded on your computer.
The Account Integrity module uses the Shell template files shown below for
specific operating systems.

OS | File name | Template name
AIX | aix45shc.shc | Shells
HP-UX | hp1011shc.shc | Shells
Red Hat | lnx67shc.shc | Shells
Solaris | sol26shc.shc | Shells

File Access
The File Access module checks read, write, and execute permissions on specified
files and reports user accounts that are allowed to access the files. It also
examines access control lists (ACLs) on AIX.

Check | GLBA section | Rationale
Write permission | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Giving write permissions to accounts other than root for the listed files could allow unauthorized access.

File Attributes
The File Attributes module reports changes to file creation and modification
times, file sizes, and CRC/MD5 checksum signatures. It also reports violations of
file permissions that are specified in template files.

Check | GLBA section | Rationale
User ownership | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Improper file ownership controls could allow unauthorized access.
Group ownership | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Improper group ownership controls could allow unauthorized access.
Permissions | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Improper file permissions could allow unauthorized access.
Changed file (creation time) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Changes to file creation times could indicate unauthorized access.
Changed file (modification time) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Changes to file modification times could indicate unauthorized access.
Changed file (size) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Changes to file sizes could indicate unauthorized access.
Changed file (signature) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Changes to file signatures could indicate unauthorized access.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Ignore symbolic links | N/A | Examining symbolic links may produce false positive alerts.

File Attributes template files


You can edit the template files by copying them into another directory and
renaming them. However, Symantec uses LiveUpdate every two weeks to
overwrite the default template files that are loaded on your computer.
File and directory permissions are compared with settings in New File
templates. The module uses the following File Attributes template files for
specific operating systems.

OS | File name | Template name
AIX 4, 5 | aix4_5xh.aix | New File
HP-UX 10 | hpux1011.hpx | New File
Red Hat 7.x | rhlnx70h.li | New File
Red Hat 6.2 | rhlnx62h.li | New File
Solaris 2.6-9 | solar2xh.sol | New File



File Find
The File Find module reports weaknesses in file permissions and configuration
files.

Check | GLBA section | Rationale
Setuid files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Setuid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
Setgid files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Setgid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
New setuid files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | New setuid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
New setgid files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | New setgid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
World-writeable directories without sticky bit | 501(b)(2) | World-writeable directories without the sticky bit let any user delete files in the directory (intentionally or unintentionally).
Device files not in /dev | 501(b)(3); 364/II.B.3; 364/III.C.1.a; 364/III.C.1.f | Mislocated device files could indicate system compromise and may be used to gain unauthorized access to other system resources.
World-writeable files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | World-writeable files can be used to gain unauthorized access.
Uneven file permissions | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Uneven permissions could allow unauthorized access.
Unowned directories and files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Access to unowned directories and files may be accidentally inherited by newly created accounts and groups.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
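Every File Find check above is a predicate on an entry's stat information: its permission bits, its file type and whether its owner and group still exist. The following Python script is an added example of those predicates (not ESM code) so the categories can be compared side by side. The SAMPLE_LISTING, KNOWN_UIDS and KNOWN_GIDS values are constructed; the reading of "uneven permissions" as group or others holding a right the owner lacks is an assumption made for the example, and scan_tree() applies the same predicates to a real directory while skipping symbolic links, as the manual's "Ignore symbolic links" option does.

```python
import os
import stat


def uneven_permissions(perm):
    """True when group or others hold a permission bit the owner lacks, e.g.
    mode 0477 (owner r--, group rwx, others rwx). This is the interpretation
    of 'uneven permissions' assumed for the example."""
    owner, group, other = (perm >> 6) & 7, (perm >> 3) & 7, perm & 7
    return bool((group | other) & ~owner)


def findings_for(path, st_mode, uid, gid, known_uids, known_gids):
    """Return the File Find categories that apply to one entry.

    st_mode is the full stat mode (file type bits included); known_uids and
    known_gids are the IDs defined in passwd/group, for the 'unowned' check."""
    hits = []
    perm = stat.S_IMODE(st_mode)
    is_dir = stat.S_ISDIR(st_mode)
    is_device = stat.S_ISCHR(st_mode) or stat.S_ISBLK(st_mode)
    if not is_dir and perm & stat.S_ISUID:
        hits.append("setuid")
    if not is_dir and perm & stat.S_ISGID:
        hits.append("setgid")
    if is_dir and perm & stat.S_IWOTH and not perm & stat.S_ISVTX:
        hits.append("world-writeable directory without sticky bit")
    if not is_dir and perm & stat.S_IWOTH:
        hits.append("world-writeable file")
    if is_device and not path.startswith("/dev/"):
        hits.append("device file not in /dev")
    if uneven_permissions(perm):
        hits.append("uneven permissions")
    if uid not in known_uids or gid not in known_gids:
        hits.append("unowned")
    return hits


def scan_tree(root, known_uids, known_gids):
    """Walk a real directory tree without following symbolic links (which the
    manual notes produce false positives) and return {path: findings}."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            hits = findings_for(full, st.st_mode, st.st_uid, st.st_gid,
                                known_uids, known_gids)
            if hits:
                results[full] = hits
    return results


# Constructed listing in lstat terms: (path, st_mode, uid, gid). No real host.
SAMPLE_LISTING = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0, 0),
    ("/tmp", stat.S_IFDIR | 0o1777, 0, 0),
    ("/var/spool/drop", stat.S_IFDIR | 0o777, 0, 0),
    ("/home/alice/notes.txt", stat.S_IFREG | 0o666, 1001, 1001),
    ("/home/old/report.txt", stat.S_IFREG | 0o600, 4242, 1001),
    ("/var/tmp/.cache/mem", stat.S_IFCHR | 0o660, 0, 0),
    ("/opt/app/bin/tool", stat.S_IFREG | 0o477, 0, 0),
]
KNOWN_UIDS = {0, 1, 1001}   # constructed: UIDs present in passwd
KNOWN_GIDS = {0, 1, 1001}   # constructed: GIDs present in group


def classify_listing(listing=SAMPLE_LISTING):
    """Apply findings_for() to each entry of the constructed listing."""
    return {path: findings_for(path, mode, uid, gid, KNOWN_UIDS, KNOWN_GIDS)
            for path, mode, uid, gid in listing}


if __name__ == "__main__":
    for path, hits in classify_listing().items():
        print("%-24s %s" % (path, "; ".join(hits) or "clean"))
```

Note that `/tmp` with mode 1777 is clean because the sticky bit is set, while `/var/spool/drop` with 0777 is not; a setuid binary with 4755 is reported only as setuid, since its owner holds every right that group and others hold.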

File Watch
The File Watch module creates and maintains, for each agent on which you run the
module, a snapshot file that stores file information. The File Watch template
specifies the files or directories to be checked, the depth of directory traversal,
and the types of changes to be evaluated. Malicious File Watch templates
identify known attack signatures for malicious files checks.

Check | GLBA section | Rationale
Changed files (ownership) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Ownership changes could indicate unauthorized access.
Changed files (permissions) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | File permissions changes could indicate unauthorized access.
Changed files (signature) | 501(b)(3); 364/II.B.3; 364/III.C.1.a | File signature changes to the listed files could indicate unauthorized access.
New files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Files that were added to the watched directories could indicate unauthorized access.
Removed files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Files that were removed from the watched directories could indicate unauthorized access.
Malicious files | 501(b)(2); 364/III.C.1.f | The presence of known malware is a clear indication of system compromise. Malicious software may pose a threat to the confidentiality, integrity, and availability of PFI.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
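The File Attributes checks (ownership, permissions, size, signature, template permissions) and the File Watch checks above (ownership, permissions, signature, new and removed files) share one mechanism: record each file's attributes, store the result as a snapshot, and classify the differences at the next run. The following Python script is an added example of that cycle; it is not ESM code. It uses SHA-256 where the manual speaks of CRC/MD5 signatures, the directory tree, file contents and New File style template in demo() are constructed, and the depth argument of build_snapshot() stands in for the traversal depth a File Watch template specifies.

```python
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Collect what the checks compare: owner, group, mode bits, size and a
    content hash (SHA-256 here, where the manual mentions CRC/MD5 signatures)."""
    st = os.lstat(path)
    rec = {"uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
           "size": st.st_size, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def build_snapshot(root, depth=None):
    """Map relative path -> record for every file below root. depth limits how
    many directory levels below root are entered (None = unlimited), the way a
    File Watch template specifies its depth of directory traversal."""
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        level = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        if depth is not None and level >= depth:
            dirnames[:] = []          # stop os.walk from descending further
        for name in filenames:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = file_record(full)
    return snapshot


def diff_snapshots(old, new):
    """Classify differences under the names the module's checks use."""
    report = {"new": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "ownership": [], "permissions": [], "size": [], "signature": []}
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        if (a["uid"], a["gid"]) != (b["uid"], b["gid"]):
            report["ownership"].append(path)
        if a["mode"] != b["mode"]:
            report["permissions"].append(path)
        if a["size"] != b["size"]:
            report["size"].append(path)
        if a["sha256"] != b["sha256"]:
            report["signature"].append(path)
    return report


def permission_violations(snapshot, template):
    """Files whose mode grants any bit the template's maximum mode does not."""
    return sorted(path for path, max_mode in template.items()
                  if path in snapshot and snapshot[path]["mode"] & ~max_mode)


def demo():
    """Snapshot a constructed tree, change it, snapshot again and report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode):
            full = os.path.join(root, rel)
            with open(full, "w") as fh:
                fh.write(data)
            os.chmod(full, mode)

        os.makedirs(os.path.join(root, "etc", "init.d"))
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n", 0o644)
        write("etc/hosts", "127.0.0.1 localhost\n", 0o644)
        write("etc/init.d/rc.local", "#!/bin/sh\n", 0o755)
        # Constructed stand-in for a New File template: path -> maximum mode.
        template = {"etc/passwd": 0o644, "etc/init.d/rc.local": 0o755}
        before = build_snapshot(root)

        # Changes between the two scans: an edited file, loosened permissions,
        # one file added and one removed.
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\nbin:x:1:1::/bin:/bin/sh\n", 0o644)
        os.chmod(os.path.join(root, "etc", "init.d", "rc.local"), 0o777)
        write("etc/motd", "constructed message of the day\n", 0o644)
        os.remove(os.path.join(root, "etc", "hosts"))
        after = build_snapshot(root)

        report = diff_snapshots(before, after)
        report["template_violations"] = permission_violations(after, template)
        return report


if __name__ == "__main__":
    for check, paths in demo().items():
        print("%-20s %s" % (check, ", ".join(paths) or "-"))
```

The edited passwd file shows up under both "size" and "signature", which is why the checks are separate: an edit that keeps the size (a changed digit, for instance) is caught only by the signature comparison. The loosened rc.local mode is reported both as a permission change and as a template violation.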

File Watch template files


You can edit the template files by copying them into another directory and
renaming them. However, Symantec uses LiveUpdate every two weeks to
overwrite the default template files that are loaded on your computer.

OS | File name | Template name
AIX | aix4_5xh.fw | File Watch
HP-UX | hpux1011.fw | File Watch
HP-UX | unix.mfw | Malicious File Watch
HP-UX | unixhide.mfw | Malicious File Watch
Red Hat | lnxadore.mfw | Malicious File Watch
Red Hat | lnxlion.mfw | Malicious File Watch
Red Hat | lnxt0rn.mfw | Malicious File Watch
Red Hat 7.x | rhlnx70h.fw | File Watch
Red Hat 6.2 | rhlnx62h.fw | File Watch
Solaris | solar2xh.fw | File Watch
UNIX | unix.mfw | Malicious File Watch
UNIX | unixhide.mfw | Malicious File Watch

Note: Do not edit Malicious File Watch files.

Login Parameters
The Login Parameters module reports:
■ Accounts that have never been used or have not been used within a specified number of days
■ Failed logins within a specified number of days
■ Accounts with expired passwords
■ Passwords that can be changed by others
■ Agents that do not log login attempts
■ Login attempts by superusers
■ Root accounts that can be accessed through rlogin or telnet
■ Devices that have reported failed logins on agents that are running in trusted or enhanced modes

Check | GLBA section | Rationale
Inactive accounts | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Unused accounts that could allow unauthorized access should be removed. This policy ships with a default setting of 30 days of inactivity.
Login failures | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Excessive login failures could indicate attempts to gain unauthorized access.
Password expired | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Expired passwords could indicate an unused account that has not been terminated, which could allow unauthorized access.
Successful login attempts not logged | 364/III.C.1.a; 364/III.C.1.f | Certain system activities, including logins, must be logged and audited to facilitate monitoring for abuse of privilege.
Unsuccessful login attempts not logged | 364/III.C.1.a; 364/III.C.1.f | Unsuccessful logins could indicate attempted unauthorized access, so this is another activity that must be logged and audited.
Successful su attempts not logged | 364/III.C.1.a; 364/III.C.1.f | Certain system activities, including privilege escalation, must be logged and audited to facilitate monitoring for abuse of privilege.
Unsuccessful su attempts not logged | 364/III.C.1.a; 364/III.C.1.f | Unsuccessful privilege escalation could indicate attempted unauthorized access, so this is another activity that must be logged and audited.
Remote root logins | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Permitting remote root login on an untrusted channel could allow unauthorized access.
Locked accounts | 501(b)(2); 501(b)(3); 364/III.C.1.f | Accounts are usually locked due to excessive login failures, which could indicate attempts to gain unauthorized access.
Password changes failed | 501(b)(2); 501(b)(3); 364/III.C.1.f | Excessive password change failures could indicate an attempt to guess a password.
Devices with failed logins | 501(b)(2); 501(b)(3); 364/III.C.1.f | Excessive login failures could indicate attempts to gain unauthorized access.
Login retries (AIX, HP-UX, Red Hat Linux) | 501(b)(2) | Allowing excessive retries to log in makes an account more vulnerable to a password guessing attack. This policy ships with a default setting of 5 tries.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Local accounts only | N/A | This check is required for systems that use NIS to manage passwd and group files.
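The inactivity, password-expiry and login-failure checks above reduce to date arithmetic over account records and counting over the authentication log. The following Python script is an added example of that evaluation, not ESM code. The reference date, last-login table, password-ageing data and log excerpt are constructed; the syslog-like line layout and the FAILED SU message form are assumptions for the example (the real formats differ between AIX, HP-UX, Linux and Solaris), as is the seven-day reporting window. The 30-day inactivity and 5-retry values are the manual's defaults.

```python
import re
from collections import Counter
from datetime import date, datetime, timedelta

TODAY = date(2004, 3, 30)      # fixed reference date so the example is reproducible
INACTIVITY_DAYS = 30           # manual's default for 'Inactive accounts'
LOGIN_RETRIES = 5              # manual's default for 'Login retries'
FAILURE_WINDOW_DAYS = 7        # assumed reporting window for 'Login failures'

# Constructed last-login table: account -> date of last login (None = never used).
LAST_LOGIN = {
    "root": date(2004, 3, 29),
    "alice": date(2004, 3, 28),
    "bob": date(2004, 1, 15),
    "svc_backup": None,
}

# Constructed shadow-style ageing data: account -> (last change, maximum age in days).
PASSWORD_AGEING = {
    "root": (date(2004, 3, 1), 90),
    "alice": (date(2003, 11, 1), 90),
    "bob": (date(2004, 2, 1), 90),
    "svc_backup": (date(2003, 1, 1), 365),
}

# Constructed authentication log excerpt. The syslog-like layout is assumed for
# the example; real formats differ between AIX, HP-UX, Linux and Solaris.
AUTH_LOG = """\
2004-03-01T07:00:00 host1 login[1999]: FAILED LOGIN 1 FROM /dev/pts/2 FOR root, Authentication failure
2004-03-29T08:01:10 host1 login[2210]: FAILED LOGIN 1 FROM /dev/pts/3 FOR bob, Authentication failure
2004-03-29T08:01:20 host1 login[2210]: FAILED LOGIN 2 FROM /dev/pts/3 FOR bob, Authentication failure
2004-03-29T08:01:31 host1 login[2210]: FAILED LOGIN 3 FROM /dev/pts/3 FOR bob, Authentication failure
2004-03-29T08:01:44 host1 login[2210]: FAILED LOGIN 4 FROM /dev/pts/3 FOR bob, Authentication failure
2004-03-29T08:01:58 host1 login[2210]: FAILED LOGIN 5 FROM /dev/pts/3 FOR bob, Authentication failure
2004-03-29T08:02:10 host1 login[2210]: FAILED LOGIN 6 FROM /dev/pts/3 FOR bob, Authentication failure
2004-03-29T09:15:02 host1 login[2301]: FAILED LOGIN 1 FROM /dev/pts/1 FOR alice, Authentication failure
2004-03-29T09:15:30 host1 login[2301]: LOGIN ON pts/1 BY alice
2004-03-29T10:00:00 host1 su[2400]: FAILED SU (to root) alice on pts/1
"""

FAILED_LOGIN = re.compile(r"^(\S+) \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\w+)")
FAILED_SU = re.compile(r"^(\S+) \S+ su\[\d+\]: FAILED SU \(to (\w+)\) (\w+) on (\S+)")


def inactive_accounts(last_login=LAST_LOGIN, today=TODAY, days=INACTIVITY_DAYS):
    """Accounts never used or unused for more than `days` days."""
    cutoff = today - timedelta(days=days)
    return sorted(user for user, last in last_login.items()
                  if last is None or last < cutoff)


def expired_passwords(ageing=PASSWORD_AGEING, today=TODAY):
    """Accounts whose password passed its maximum age without being changed."""
    return sorted(user for user, (changed, max_age) in ageing.items()
                  if changed + timedelta(days=max_age) < today)


def login_failures(log=AUTH_LOG, today=TODAY, window=FAILURE_WINDOW_DAYS):
    """Count failed logins per account and per device, and failed su attempts
    per (user, target), inside the last `window` days."""
    cutoff = datetime.combine(today - timedelta(days=window), datetime.min.time())
    per_account, per_device, failed_su = Counter(), Counter(), Counter()
    for line in log.splitlines():
        m = FAILED_LOGIN.match(line)
        if m and datetime.fromisoformat(m.group(1)) >= cutoff:
            per_account[m.group(3)] += 1
            per_device[m.group(2)] += 1
            continue
        m = FAILED_SU.match(line)
        if m and datetime.fromisoformat(m.group(1)) >= cutoff:
            failed_su[(m.group(3), m.group(2))] += 1
    return per_account, per_device, failed_su


def over_retry_limit(per_account, limit=LOGIN_RETRIES):
    """Accounts with more failures in the window than the configured retry limit."""
    return sorted(user for user, count in per_account.items() if count > limit)


if __name__ == "__main__":
    accounts, devices, su_failures = login_failures()
    print("inactive:", inactive_accounts())
    print("expired passwords:", expired_passwords())
    print("over retry limit:", over_retry_limit(accounts))
    print("devices with failed logins:", dict(devices))
    print("failed su attempts:", dict(su_failures))
```

The root failure dated 1 March falls outside the seven-day window and is not counted; `bob` exceeds the retry limit on one device, which is the pattern the "Login failures", "Devices with failed logins" and "Locked accounts" checks are meant to surface together.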

Network Integrity
The Network Integrity module reports:
■ Trusted hosts and users
■ Agents with FTP enabled
■ TFTP daemons that are running as privileged users or not running in secure mode
■ Listening TCP and UDP ports
■ Listening TCP and UDP ports that changed owners since the last snapshot update
■ TCP and UDP ports that started listening since the last snapshot update
■ Agents that are running xhost + in X Windows
■ Processes that are used to open TCP and UDP ports

Check | GLBA section | Rationale
Trusted hosts/users | 364/III.C.1.a | The Berkeley trust mechanism is one of the vulnerabilities most frequently exploited by attackers. The mechanism does not properly authenticate users. Other means, such as ssh, should be used to authenticate users.
FTP enabled | 501(b)(2) | FTP is another frequently exploited vulnerability. Other means, such as ssh, should be used to authenticate users.
TFTP | 501(b)(2) | TFTP is one of the vulnerabilities most frequently exploited by attackers. The mechanism does not properly authenticate users.
Listening TCP ports | 501(b)(2); 364/III.C.1.f | Unauthorized listening ports may not be properly protected against common threats.
New listening TCP ports | 501(b)(2); 364/III.C.1.f | New listening ports should be reviewed to ensure that they are authorized.
Modified listening TCP ports | 501(b)(2); 364/III.C.1.f | Modified listening ports should be reviewed to ensure that they still comply with policy and requirements.
Listening UDP ports | 501(b)(2); 364/III.C.1.f | Unauthorized listening ports may not be properly protected against common threats.
New listening UDP ports | 501(b)(2); 364/III.C.1.f | New listening ports should be reviewed to ensure that they are authorized.
Modified listening UDP ports | 501(b)(2); 364/III.C.1.f | Modified listening ports should be reviewed to ensure that they still comply with policy and requirements.
Access control (xhost) | 501(b)(2); 501(b)(3); 364/III.C.1.f | Access to the X console should be explicitly controlled.
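The listening-port checks above are a snapshot comparison keyed on protocol and port, with the owning process as the value, so that a port that changes hands is reported as modified rather than as unchanged. The following Python script is an added example of that comparison (not ESM code). The two listings are constructed in the column layout of Linux `ss -ltunp`; the parser is written for that layout and would need adjusting for netstat output on AIX, HP-UX or Solaris. The AUTHORIZED set is a constructed stand-in for a site's list of permitted listeners.

```python
import re

PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

# Constructed listings in the column layout of Linux `ss -ltunp`.
SNAPSHOT_BEFORE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*         users:(("syslogd",pid=601,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:25      0.0.0.0:*         users:(("sendmail",pid=930,fd=5))
tcp   ESTAB  0      0      10.0.0.5:22       10.0.0.9:50122    users:(("sshd",pid=2210,fd=4))
"""

SNAPSHOT_NOW = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*         users:(("syslogd",pid=601,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      128    127.0.0.1:25      0.0.0.0:*         users:(("postfix",pid=1410,fd=5))
tcp   LISTEN 0      5      0.0.0.0:8080      0.0.0.0:*         users:(("python3",pid=4402,fd=3))
"""

# Constructed site list of (protocol, port) pairs that policy allows to listen.
AUTHORIZED = {("tcp", 22), ("tcp", 25), ("udp", 514)}


def parse_listeners(text):
    """Return {(proto, port): owning process name or None} for listening TCP
    and bound UDP sockets; established connections are skipped."""
    listeners = {}
    for line in text.splitlines()[1:]:              # first line is the header
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        proto, state, _recvq, _sendq, local = fields[:5]
        if proto == "tcp" and state != "LISTEN":
            continue
        port = int(local.rsplit(":", 1)[1])         # works for 0.0.0.0:22 and [::]:22
        process = None
        if len(fields) == 7:
            m = PROCESS_RE.search(fields[6])
            if m:
                process = m.group(1)
        listeners[(proto, port)] = process          # v4/v6 sockets on one port collapse
    return listeners


def compare_listeners(previous, current):
    """New, closed and owner-changed listeners since the last snapshot."""
    return {
        "new": sorted(set(current) - set(previous)),
        "closed": sorted(set(previous) - set(current)),
        "modified": sorted(k for k in set(previous) & set(current)
                           if previous[k] != current[k]),
    }


def unauthorized_listeners(current, authorized=AUTHORIZED):
    """Listeners that the site's authorized list does not cover."""
    return sorted(k for k in current if k not in authorized)


if __name__ == "__main__":
    before, now = parse_listeners(SNAPSHOT_BEFORE), parse_listeners(SNAPSHOT_NOW)
    print(compare_listeners(before, now))
    print("unauthorized:", unauthorized_listeners(now))
```

Port 25 is reported as modified because a different program now owns it even though the port itself never closed, and the new listener on 8080 is flagged both as new and as unauthorized; an established connection on port 22 is ignored because only listening sockets are of interest.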

OS Patches
The OS Patches (Patch) module reports patches that are defined in the UNIX
patch template files for AIX, HP-UX, Solaris, and Linux but are not installed on
the agent.

Check | GLBA section | Rationale
All module checks | 501(b)(2); 364/II.B.2 | Unpatched systems are overwhelmingly the most common cause of technical security exploits. Patching known vulnerabilities constitutes an effective protection against anticipated threats.

Patch template files


Symantec uses LiveUpdate every two weeks to overwrite the template files that
are loaded on your system.

Note: Do not edit, move, or change your Patch template files in any way.

The Patch module uses the following template files.

OS | File name | Template name
AIX | patch.pai | Patch
HP-UX | patch.ph1 | Patch
Red Hat | patch.plx | Patch
Solaris | patch.ps6 | Patch



Password Strength
The Password Strength module reports the following weak passwords:
■ Passwords that match the user name
■ Passwords that are the same as any user name in the system
■ Passwords that are the same as any word in word list files
The Password Strength module also reports accounts with no passwords and
accounts with a maximum password age that is greater than a specified value.

Check | GLBA section | Rationale
Password = username | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match the user name are easy to guess and may allow unauthorized access.
Password = any username | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match any user names on your network can result in unauthorized access.
Password within GECOS field | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Passwords that match information in the GECOS field are easily guessed passwords and do not meet the GLBA requirement for adequate authentication and access controls.
Password = wordlist word | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for commonly-used words to guess passwords and gain unauthorized access.
Reverse order | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers often look for variations of user names and wordlist words to guess passwords and gain unauthorized access.
Double occurrences | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers often look for double occurrences of user names and wordlist words to guess passwords and gain unauthorized access.
Plural forms | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers often look for plural forms of user names and wordlist words to guess passwords and gain unauthorized access.
Uppercase | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers look for up
per and lowercase variations of user names and wordlist words to guess passwords and gain unauthorized access.
Lowercase | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers look for upper and lowercase variations of user names and wordlist words to guess passwords and gain unauthorized access.
Guessed password | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. If a password is easily guessed, it may permit unauthorized access.
Login requires password | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Accounts without passwords may permit unauthorized access.
Accounts without passwords | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Accounts that do not require login may permit unauthorized access.
Password length restrictions | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Short passwords are easily guessed. This policy ships with a default setting of 8 characters.
Minimum password history | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Limiting reuse of previously-used passwords reduces the risk of discovery. This policy ships with a default setting of 4 prior passwords.
Password age | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Requiring passwords to be changed periodically reduces the risk of discovery. This policy ships with a default setting of 90 days.
Maximum password age | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Controls to authenticate and permit access only to authorized individuals require effective password management. Default maximum password age settings on ESM agents should comply with your company’s security policy.
Maximum repeated characters | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Repeated characters make passwords easy to guess. This policy ships with a default setting of 2 characters.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Local accounts only | N/A | This check is required for systems that use NIS for managing the passwd and group files.
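The guessing checks above all derive candidates from the same seeds (the account's name, every other user name, GECOS tokens and the word list) and the same transformations (reverse order, double occurrence, plural forms, upper and lower case), then compare each candidate's hash with the stored one; the composition checks apply the length and repeated-character limits. The following Python script is an added example of both parts and is not ESM code. The accounts, GECOS text and word list are constructed; hash_password() is a SHA-256 stand-in for the platform's crypt(3) hash, chosen only so the example runs anywhere; and reading "repeated characters" as a run of the same character longer than the limit is an assumption. The defaults of 8 characters and 2 repeated characters are the manual's.

```python
import hashlib
import re

MIN_LENGTH = 8        # manual's default for 'Password length restrictions'
MAX_REPEATED = 2      # manual's default for 'Maximum repeated characters'
WORDLIST = ["password", "secret", "welcome", "finance"]   # constructed stand-in for the word list files


def hash_password(password):
    """Stand-in for the platform's crypt(3) hash (assumption made for portability)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed accounts: name -> (GECOS field, hash of current password).
# An empty hash means the account has no password at all.
ACCOUNTS = {
    "alice": ("Alice Example, Finance", hash_password("ecila")),      # reverse of user name
    "bob":   ("Bob Example", hash_password("Secrets")),               # plural, capitalised word
    "carol": ("Carol Example, Treasury", hash_password("TREASURY")),  # GECOS token, upper case
    "dave":  ("Dave Example", hash_password("davedave")),             # double occurrence
    "erin":  ("Erin Example", hash_password("Zq7!vR2#pL9m")),         # not derivable from the seeds
    "svc":   ("service account", ""),                                 # no password
}


def variants(word):
    """The transformations the checks name: reverse order, double occurrence,
    plural form, and upper/lower case (plus a capitalised form) of each."""
    forms = {word, word[::-1], word * 2, word + "s"}
    out = set()
    for form in forms:
        out |= {form, form.lower(), form.upper(), form.capitalize()}
    return out


def candidates(name, gecos, all_names, wordlist):
    """Seeds: the account's own name, every user name on the system, GECOS
    tokens of three or more characters, and the word list; variants applied."""
    seeds = {name, *all_names, *wordlist}
    seeds |= {tok for tok in re.split(r"[\s,]+", gecos) if len(tok) >= 3}
    out = set()
    for seed in seeds:
        out |= variants(seed)
    return out


def guessed_passwords(accounts=ACCOUNTS, wordlist=WORDLIST):
    """{account: matching candidate} for every account whose hash matches."""
    found = {}
    for name, (gecos, pw_hash) in accounts.items():
        if not pw_hash:
            continue
        for cand in candidates(name, gecos, accounts.keys(), wordlist):
            if hash_password(cand) == pw_hash:
                found[name] = cand
                break
    return found


def accounts_without_passwords(accounts=ACCOUNTS):
    """'Accounts without passwords': empty password field."""
    return sorted(name for name, (_gecos, pw_hash) in accounts.items() if not pw_hash)


def composition_violations(password, min_length=MIN_LENGTH, max_repeated=MAX_REPEATED):
    """Length and repeated-character rules; 'repeated' is read here as the same
    character more than max_repeated times in a row (interpretation assumed)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if re.search(r"(.)\1{%d,}" % max_repeated, password):
        problems.append("more than %d repeated characters" % max_repeated)
    return problems


if __name__ == "__main__":
    print("guessed:", guessed_passwords())
    print("no password:", accounts_without_passwords())
    print("aaab ->", composition_violations("aaab"))
```

Each of the first four accounts is caught by a different transformation of a different seed, which is the point of listing the transformations as separate checks in the policy; `erin` is not reported because no seed produces that string.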

Startup Files
The Startup Files module reports:
■ Files referenced by rc scripts that do not exist on the agent
■ PATH variables that include the current directory
■ Changes to process configurations since the last snapshot update
■ Services that were added or deleted since the last snapshot update
■ Running services that are forbidden

Check | GLBA section | Rationale
System startup file contents | 501(b)(3); 364/II.B.3; 364/III.C.1.a | World-writeable files executed by system startup scripts could allow unauthorized access or privilege escalation.
Current directory in startup path | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Files writeable by users other than root could allow unauthorized access or privilege escalation.
Login/tty file contents | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Permitting remote root login on an untrusted channel could allow unauthorized access.
Enhanced security enabled | N/A | This setting is required to enable other checks in ESM.
Services | 501(b)(2); 364/II.B.2 | Services are a common source of malicious exploitation and must be periodically examined to protect PFI from reasonably anticipated threats or hazards.
Changed services | 501(b)(2); 364/III.C.1.f | Changes to an authorized service can indicate a system compromise.
New services | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Unauthorized services can be used to gain unauthorized access.
Services not in template | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Unauthorized services can be used to gain unauthorized access.

Services template files


Mandatory, prohibited, and optional services for AIX, HP-UX, Solaris, and Linux
are defined in Services template files. Symantec uses LiveUpdate every two
weeks to overwrite the default template files that are loaded on your system.

OS | File name | Template name
AIX | aix4_5xb.sai | Services
HP-UX | hp10-11b.sh1 | Services
Red Hat | rhlnx67b.slx | Services
Solaris | solar2xh.ss6 | Services

System Auditing
The System Auditing module reports the following:
■ Unauthorized users (providing valuable tracking information during or after a break-in)
■ Security events that are audited for failure or success
■ Maximum log file size
Of the supported UNIX platforms on ESM, only Solaris and HP-UX natively
support auditing functions. However, the following checks on AIX, HP-UX, and
Solaris verify compliance with the corresponding GLBA sections.

Check | GLBA section | Rationale
Auditing enabled (AIX, HP-UX, Solaris) | 364/III.B.3; 364/III.C.1.f | This setting lets you record and examine system activities.
Event auditing (HP-UX, Solaris) | 364/III.B.3; 364/III.C.1.f | Templates define the specific events and system calls to be audited to review system activity.
System call mapping (HP-UX, Solaris) | 364/III.B.3; 364/III.C.1.f | Templates define the specific events and system calls to be audited to review system activity.

Event auditing and System call mapping template files


Symantec uses LiveUpdate every two weeks to overwrite the template files that
are loaded on your system.
Event auditing and System call mapping template files include users, events,
and system call auditing and mapping.

OS | File name | Template name
AIX | aix.aud | Events
AIX | aix.map | Event Map
HP-UX | hpevents.aud | Events
HP-UX | hpevtmap.map | Event Map
Solaris | solaris.aud | Events
Solaris | solaris.map | Event Map

System Mail
ESM provides checks for the sendmail program. However, systems that store
and process personal non-public financial information (PFI) should not use
sendmail because of sendmail’s history of security vulnerabilities.

Note: If SMTP is required, use a more secure and reliable substitute such as
qmail or postfix.

The System Mail module reports the following:
■ Wizard passwords and decode aliases in mail configuration files
■ Mail aliases that are piped to a command or shell program
■ Agents that are not logging sendmail messages
■ Agents that do not have properly configured logs
■ Agents that are owned by root or contain invalid file permissions

Check | GLBA section | Rationale
Wizard passwords | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Wizard passwords are frequently exploited, which could allow unauthorized access.
Decode aliases | 501(b)(2) | Decode aliases are a frequent vector for malicious code.
Command aliases | 501(b)(3); 364/II.B.3; 364/III.C.1.a; 364/III.C.1.f | Command aliases may be used to gain unauthorized access and could indicate system compromise.
Sendmail log | 501(b)(2); 364/II.B.2; 364/III.C.1.f | Correctly configuring the sendmail log feature helps to detect and diagnose mail vulnerabilities.
Log level setting | 501(b)(2); 364/II.B.2; 364/III.C.1.f | This setting defines the minimum level of log information to be captured. This policy ships with a default setting of log level 9.
Sendmail configuration file | 501(b)(2); 364/II.B.2 | An improperly configured sendmail daemon may be used by attackers to obtain information about users, which may be used to compromise the security and integrity of PFI.
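The wizard-password, decode-alias, command-alias and log-level checks above are all lookups in two text files: the sendmail configuration and the aliases file. The following Python script is an added example of those lookups and is not ESM code. The sendmail.cf and aliases excerpts are constructed; the option syntaxes recognised (the "O LogLevel=n" and older "OLn" forms for the log level, and the old "OW" option that set a wizard password) are the classic sendmail.cf forms as this example understands them, and the alias file is read in the standard "name: target, target" layout (targets containing commas inside quotes are not handled). The log level of 9 is the manual's default.

```python
import re

MIN_LOG_LEVEL = 9    # manual's default for 'Log level setting'

# Constructed sendmail.cf excerpt (log level too low, wizard password set).
SENDMAIL_CF = """\
# constructed sendmail.cf excerpt
O LogLevel=5
OWsecret
O PrivacyOptions=authwarnings
"""

# Constructed /etc/aliases excerpt.
ALIASES = """\
# constructed aliases file
postmaster: root
decode: "|/usr/bin/uudecode"
reports: "|/usr/local/bin/mailreport.sh"
helpdesk: alice, bob
archive: /var/mail/archive
"""


def log_level(cf_text):
    """The configured LogLevel, from either option syntax, or None if unset."""
    for line in cf_text.splitlines():
        m = re.match(r"^O\s+LogLevel\s*=\s*(\d+)", line) or re.match(r"^OL(\d+)", line)
        if m:
            return int(m.group(1))
    return None


def wizard_password_set(cf_text):
    """True when an old-style 'OW<password>' wizard option is present."""
    return any(re.match(r"^OW\S", line) for line in cf_text.splitlines())


def parse_aliases(text):
    """{alias name: [targets]} from an aliases file (comments and blanks skipped)."""
    aliases = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _sep, targets = line.partition(":")
        aliases[name.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def alias_findings(aliases):
    """(alias, kind, target) for every target that pipes mail into a program;
    a piped alias named decode/uudecode is the classic 'decode alias'."""
    findings = []
    for name, targets in aliases.items():
        for target in targets:
            command = target.strip('"')
            if command.startswith("|"):
                kind = "decode alias" if name.lower() in ("decode", "uudecode") else "command alias"
                findings.append((name, kind, command))
    return findings


def audit(cf_text=SENDMAIL_CF, alias_text=ALIASES, min_level=MIN_LOG_LEVEL):
    """Combine the checks into one report for the constructed files."""
    level = log_level(cf_text)
    return {
        "log_level": level,
        "log_level_too_low": level is None or level < min_level,
        "wizard_password": wizard_password_set(cf_text),
        "aliases": alias_findings(parse_aliases(alias_text)),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print("%-20s %s" % (check, result))
```

Plain forwarding aliases such as `postmaster` and `helpdesk`, and delivery to a file such as `archive`, are not reported; only targets that start with a pipe character reach a program.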

User Files
The User Files module reports the following:
■ Files in the user’s directory that the user does not own
■ Files and directories that everyone can write to
■ Files that have set user ID or set group ID bits for their owners or other files
■ Users with PATH variables that include the current directory
■ Accounts with .rhost or .netrc files (and potential vulnerabilities that are associated with each)
■ Startup files with inadequate permissions or improper ownerships

Check | GLBA section | Rationale
File ownership | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Improper file ownership controls could allow unauthorized access.
World-writeable files | 501(b)(3); 364/II.B.3; 364/III.C.1.a | World-writeable files may be used to gain unauthorized access.
Setuid or Setgid | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Setuid and setgid files should be examined to ensure that they are not a vehicle for unauthorized access.
Set PATH (using su) | N/A | This is the recommended method for checking the PATH variable, upon which other checks depend.
Current directory not allowed in PATH | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Files writeable by users other than root could allow unauthorized access or privilege escalation.
World-writeable directories in PATH | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Files writeable by users other than root could allow unauthorized access or privilege escalation.
Group writeable directories in PATH | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Files writeable by users other than root could allow unauthorized access or privilege escalation.
Umask (using su) | N/A | This is the recommended method for checking the umask value, upon which other checks depend.
Umask | 501(b)(3); 364/II.B.3; 364/III.C.1.a | Umask values that are set too low could allow unauthorized access or privilege escalation. This policy ships with a default setting of 027.
Check startup file contents | 501(b)(3); 364/II.B.3; 364/III.C.1.a | World-writeable files executed by system startup scripts could allow unauthorized access or privilege escalation.
Check startup file protection | 501(b)(3); 364/II.B.3; 364/III.C.1.a | If startup files are not properly protected, an attacker may be able to change them and hijack the user’s account.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Ignore symbolic links | N/A | Examining symbolic links may produce false positive alerts.
Local accounts only | N/A | This check is required for systems that use NIS for managing the passwd and group files.
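The PATH checks above (and the "Current directory in startup path" check of the Startup Files module) split the PATH value on colons and test each element, the umask check compares the mask against the 027 default, and the startup-file checks test ownership and write bits on the user's dotfiles. The following Python script is an added example of those tests and is not ESM code. The home directory, PATH string and startup files in demo() are constructed in a temporary directory; the STARTUP_FILES name list is an assumption for the example. The 027 umask default is the manual's.

```python
import os
import stat
import tempfile

DEFAULT_UMASK = 0o027        # manual's default for the 'Umask' check
STARTUP_FILES = (".profile", ".bashrc", ".login", ".cshrc", ".exrc")   # assumed list


def path_problems(path_value):
    """Problems visible in the PATH string itself: the current directory (".",
    an empty element, or a leading/trailing colon) and relative entries."""
    problems = []
    for elem in path_value.split(":"):
        if elem in ("", "."):
            problems.append("current directory in PATH")
        elif not elem.startswith("/"):
            problems.append("relative entry %r in PATH" % elem)
    return problems


def writable_path_dirs(path_value):
    """PATH directories that users other than their owner can write to."""
    findings = []
    for elem in path_value.split(":"):
        if not elem.startswith("/") or not os.path.isdir(elem):
            continue
        mode = stat.S_IMODE(os.stat(elem).st_mode)
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((elem, "world-writable"))
        elif mode & stat.S_IWGRP:
            findings.append((elem, "group-writable"))
    return findings


def umask_too_permissive(umask_value, required=DEFAULT_UMASK):
    """True when the umask leaves set a bit the required mask (027) would clear."""
    return bool(required & ~umask_value)


def startup_file_findings(home, names=STARTUP_FILES):
    """'Check startup file protection' and ownership: startup files that the
    account does not own or that group/others can write to."""
    owner = os.stat(home).st_uid
    findings = []
    for name in names:
        full = os.path.join(home, name)
        if not os.path.lexists(full):
            continue
        st = os.lstat(full)
        if st.st_uid != owner:
            findings.append((name, "not owned by the account"))
        if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable by group or others"))
    return findings


def demo():
    """Constructed home directory: one protected and one exposed startup file,
    plus a PATH containing a world-writable directory, '.' and a relative entry."""
    with tempfile.TemporaryDirectory() as home:
        for name, mode in ((".profile", 0o644), (".bashrc", 0o666)):
            full = os.path.join(home, name)
            with open(full, "w") as fh:
                fh.write("# constructed startup file\n")
            os.chmod(full, mode)
        shared = os.path.join(home, "shared-bin")
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        path_value = "/usr/bin:%s:.:bin" % shared
        return {
            "path": path_problems(path_value),
            "writable_dirs": writable_path_dirs(path_value),
            "startup": startup_file_findings(home),
            "umask_022_too_permissive": umask_too_permissive(0o022),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-26s %s" % (check, result))
```

An empty PATH element (a leading or trailing colon, or "::") is treated as the current directory because that is how the shell resolves it, which is why path_problems() reports it under the same heading as an explicit ".".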