Symantec Enterprise Security Manager™ Baseline Policy Manual for the Health Insurance Portability and Accountability Act For AIX, HP-UX, Red Hat Linux, and Solaris


Page 1

Symantec Enterprise Security Manager™ Baseline Policy Manual for the Health Insurance Portability and Accountability Act

For AIX, HP-UX, Red Hat Linux, and Solaris

Page 2

Baseline Policy Manual for HIPAA

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

040330

Copyright Notice

Copyright 2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, Symantec Enterprise Security Manager, LiveUpdate, and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America.

Page 3

Technical support

As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group collaborates with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

■ A range of support options that gives you the flexibility to select the right amount of service for any size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for virus definitions and security signatures that ensure the highest level of protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.htm, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/.

Page 4

When contacting the Technical Support group, please have the following:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description

■ Error messages/log files

■ Troubleshooting performed prior to contacting Symantec

■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec's technical support options

■ Nontechnical presales questions

■ Missing or defective CD-ROMs or manuals

Page 5

Symantec Software License Agreement

Symantec Enterprise Security Manager

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License: The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine.

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. “Desktop” means a desktop central processing unit for a single end user;

D. use the Software to assess no more than the number of Server machines set forth under a License Module. “Server” means a central processing unit that acts as a server for other central processing units;

E. use the Software to assess no more than the number of Network machines set forth under a License Module. “Network” means a system comprised of multiple machines, each of which can be assessed over the same network;

F. use the Software in accordance with any written agreement between You and Symantec; and

G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:

A. copy the printed documentation which accompanies the Software;

B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module;

C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;

E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance;

F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed;

G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor

I. use the Software in any manner not authorized by this license.

2. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation: Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited.

7. General: If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Authorized Service Center, Postbus 1029, 3600 BA Maarssen, The Netherlands, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

Page 8

Page 9

Contents

Symantec ESM Baseline Policy Manual for HIPAA (UNIX)

Introducing the policy ... 12
    About the policy ... 12
    About the Health Insurance Portability and Accountability Act ... 12
        Appendix A to Subpart C of Part 164-Security Standards: Matrix ... 13
        Where to get more information about the standard ... 14

Installing the policy ... 15
    Before you install ... 15
    Installing the policy ... 15
        LiveUpdate installation ... 15
        Manual installation ... 16

Policy modules ... 17
    Account Integrity ... 18
        Shell template files ... 20
    File Access ... 20
    File Attributes ... 20
        File Attributes template files ... 21
    File Find ... 22
    File Watch ... 23
        File Watch template files ... 24
    Login Parameters ... 25
    Network Integrity ... 27
    OS Patches ... 28
        Patch template files ... 28
    Password Strength ... 29
    Startup Files ... 31
        Services template files ... 32
    System Auditing ... 32
        Event auditing and System call mapping template files ... 33
    System Mail ... 33
    User Files ... 34

Page 10

Page 11

Symantec ESM Baseline Policy Manual for HIPAA (UNIX)

This document includes the following topics:

■ Introducing the policy

■ Installing the policy

■ Policy modules

Page 12

Introducing the policy

The HIPAA Security and Privacy Standard defines administrative, physical, and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (PHI).

The Symantec ESM baseline policy for HIPAA assesses compliance with many of the technical and some administrative elements of the law and the standard’s requirements. The policy addresses Title II, Subtitle F, Part C, section 1173, subsection (d) and 45 CFR Part 164.

About the policy

This policy can be installed on Symantec ESM 5.5 and 6.0 managers that are running Security Update 18 or later on the following operating systems:

■ AIX 4.x and 5.x

■ Solaris 2.x

■ Red Hat Linux 6.x and 7.x

■ HP-UX 10.x and 11.x

About the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) has three major purposes:

■ To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information

■ To improve the quality of health care in the US by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals that are committed to the delivery of care

■ To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals

HIPAA is known as Public Law 104-191, which was enacted by the 104th Congress on August 21, 1996. Title II of the law, Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform, contains Subtitle F Part C, Administrative Simplification. Under this part, Section 1173, Standards for Information Transactions and Data Elements, subsection (d) describes the act’s high-level security standards and safeguards. The HIPAA Security and Privacy Standard was formally published as a Final Rule in the Federal Register as 45 CFR Parts 160, 162, and 164 on February 20, 2003.

Appendix A to Subpart C of Part 164-Security Standards: Matrix

Each entry lists the standard (required), its section, and its implementation specifications; (R) = Required, (A) = Addressable.

Administrative safeguards (see 164.308)

Security management process, 164.308(a)(1): Risk analysis (R); Risk management (R); Sanction policy (R); Information system activity review (R)

Assigned security responsibility, 164.308(a)(2): N/A

Workforce security, 164.308(a)(3): Authorization and/or supervision (A); Workforce clearance procedure (A); Termination procedures (A)

Information access management, 164.308(a)(4): Isolating healthcare clearinghouse function (R); Access authorization (A); Access establishment and modification (A)

Security awareness and training, 164.308(a)(5): Security reminders (A); Protection from malicious software (A); Login monitoring (A); Password management (A)

Security incident procedures, 164.308(a)(6): Response and reporting (R)

Contingency plan, 164.308(a)(7): Data backup plan (R); Disaster recovery plan (R); Emergency mode operation plan (R); Testing and revision procedure (A); Applications and data criticality analysis (A)

Evaluation, 164.308(a)(8): N/A

Business associate contracts arrangement, 164.308(b)(4): Written contract or other arrangement (R)

Physical safeguards (see 164.310)

Facility access controls, 164.310(a)(1): Contingency operations (A); Facility security plan (A); Access control and validation procedures (A); Maintenance records (A)

Workstation use, 164.310(b): N/A

Workstation security, 164.310(c): N/A

Device and media controls, 164.310(d)(1): Disposal (R); Media re-use (R); Accountability (A); Data backup and storage (A)

Technical safeguards (see 164.312)

Access controls, 164.312(a)(1): Unique user identification (R); Emergency access procedure (R); Automatic logoff (A); Encryption and decryption (A)

Audit controls, 164.312(b): N/A

Integrity, 164.312(c)(1): Mechanism to authenticate electronic protected health information (A)

Person or entity authentication, 164.312(d): N/A

Transmission security, 164.312(e)(1): Integrity controls (A); Encryption (A)

Page 14

Where to get more information about the standard

The full text of these references is available on the US Department of Health and Human Services Centers for Medicare and Medicaid Services (CMS) Web site, http://cms.hhs.gov. The CMS is responsible for regulation and enforcement of the HIPAA Security and Privacy Standard.

Page 15

Installing the policy

Before you install

Decide which Symantec ESM managers require the policy. (Policies run on managers; they do not need to be installed on agents.) This policy runs only on Symantec ESM 6.0 and 5.5 managers and agents with Security Update 18 or later. Update any managers that do not meet these requirements.

Installing the policy

The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Another method is to use files from a CD or the Internet to install the policy manually.

LiveUpdate installation

Install the policy by using the LiveUpdate feature in the Symantec ESM console.

To install the policy

1 Connect the Symantec ESM Enterprise Console to managers where you want to install the policy.

2 Click the LiveUpdate icon to start the LiveUpdate wizard.

3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.

4 In the Welcome to LiveUpdate dialog box, click Next.

5 Do one of the following:

■ To install all checked products and components, click Next.

■ To omit a product from the update, uncheck it, and then click Next.

■ To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next.

6 Click Next.

7 Click Finish.

8 Ensure that all managers that you want to update are checked.

9 Click Next.

10 Click OK.

11 Click Finish.

Page 16

Manual installation

If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a CD or the Internet.

To obtain policy files

1 Connect the Symantec ESM Enterprise Console to managers that you want to update.

2 From the Security Response Web site (http://securityresponse.symantec.com), download the executable files for the following operating systems:

AIX 4.x and 5.x

Solaris 2.x

Red Hat Linux 6.x and 7.x

HP-UX 10.x and 11.x

Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files/Symantec/LiveUpdate.

To install the policy on a Symantec ESM manager

1 On a computer running Windows NT/2000/XP/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site.

2 Click Next to close the Welcome dialog box.

3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.

4 Click Yes to continue installation of the best practice policy.

5 Type the requested manager information.

6 Click Next.

If the manager’s modules have not been upgraded to Security Update 18 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 18 or later, then rerun the install program.

7 Click Finish.

Page 17

Policy modules

The HIPAA baseline policy includes the following modules to ensure compliance with many of the technical and some administrative aspects of the Health Insurance Portability and Accountability Act and associated standards. The enabled checks of each module are listed with the standards that they address and a brief rationale for enabling the check. Associated name lists and templates are also listed. Because the standard does not require specific values for anything, default values and templates have been provided. The policy is read-only but can be copied or renamed according to your company’s security policy needs. See the current Symantec Enterprise Security Manager Security Update User’s Guide for UNIX for check and message information.

In addition to the specific checks enumerated below, Part 164 contains the following requirement (164.308(a)(8)):

Standard: Evaluation.

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

Using the Symantec ESM HIPAA policy provides an efficient way to help fulfill the requirement above.


Account Integrity

The Account Integrity module creates and maintains user and group snapshot files on each agent where the module runs. The module reports new, changed, and deleted users and groups between snapshot updates, as well as account privileges and other information.

Check | HIPAA section | Rationale
Illegal login shells | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | The presence of unauthorized login shells could indicate compromised access controls.
Setuid login shells | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setuid login shells could inadvertently allow access to unauthorized users.
Setgid login shells | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setgid login shells could inadvertently allow access to unauthorized users.
Login shell owners | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Login shells that are not owned by system accounts (root or bin) can be replaced with “Trojan” versions that are capable of a variety of unauthorized activity.
Login shell permissions | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Login shells that are writeable by group or world can be replaced with “Trojan” versions that are capable of a variety of unauthorized activity.
Home directories | 164.308(a)(3)(ii)(C) | Inconsistent home directory configurations usually indicate incomplete account termination, which could allow unauthorized access.
Group IDs | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Undefined groups may result in accidental inheritance of unauthorized access privileges.
Home directory permissions | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Home directories can contain not only PHI but also control files that may lead to unauthorized access to PHI if not properly protected. This policy ships with a default setting of 750.
New accounts | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.308(a)(4)(ii)(C), 164.312(a)(1) | All changes to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
Deleted accounts | 164.306(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(ii)(C) | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Changed accounts | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.308(a)(4)(ii)(C), 164.312(a)(1) | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted or removed.
New groups | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.308(a)(4)(ii)(C), 164.312(a)(1) | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
Deleted groups | 164.306(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(ii)(C) | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Changed groups | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.308(a)(4)(ii)(C), 164.312(a)(1) | All changes that were made to the /etc/passwd and /etc/group files after the last snapshot update should be reviewed to ensure that unauthorized access has not been granted or removed.
Duplicate IDs | 164.312(a)(2)(i) | If each user does not have a unique ID, it could indicate unauthorized access.
Privileged users and groups | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Privileged access to system files may lead to unauthorized access.
Accounts should be disabled | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Allowing logins on these accounts could lead to unauthorized access.
Remote-only accounts | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | These accounts may provide a channel for unauthorized network access to the host.
Password in /etc/passwd | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | A common password guessing attack involves trying strings that are found in the /etc/passwd file.
User shell compliance | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | The presence of unauthorized login shells could indicate compromised access controls.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Local accounts only | N/A | This check is required for systems that use NIS for managing the passwd and group files.
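The snapshot-based checks above (new, deleted and changed accounts and groups, Duplicate IDs, Group IDs, Password in /etc/passwd, Illegal login shells) reduce to a few comparisons over parsed passwd and group files. The following is an added example of those comparisons and is not Symantec ESM code: the snapshot and current files are constructed inline, ALLOWED_SHELLS is an assumed stand-in for the Shells template, and the hash value in the carol entry is a constructed placeholder.

```python
"""Account Integrity style checks over passwd/group snapshots.

Added example, not Symantec ESM code. The snapshot and current files are
constructed inline, so the checks run offline; ALLOWED_SHELLS stands in for
the Shells template.
"""

# Constructed "last snapshot" and "current" files (not real system data).
SNAPSHOT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/ksh
carol:$1$saltsalt$CONSTRUCTED.HASH.VALUE:0:1005:Carol Example:/home/carol:/bin/bash
"""
SNAPSHOT_GROUP = "root:x:0:\nbin:x:1:\nalice:x:1000:\nbob:x:1001:\n"
CURRENT_GROUP = "root:x:0:\nbin:x:1:\nalice:x:1000:\nwheel:x:10:carol\n"

# Assumed whitelist standing in for the Shells template file.
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin"}

# Password-field values that mean "see the shadow file" or "locked", not a hash.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text):
    """Map user name -> fields for passwd-format text; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> fields for group-format text."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        name, pw, gid, members = parts
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def diff_snapshot(old, new):
    """New, deleted and changed entries between two parsed snapshots."""
    return {
        "new": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def duplicate_ids(users):
    """UIDs shared by more than one account (Duplicate IDs check)."""
    by_uid = {}
    for name, u in users.items():
        by_uid.setdefault(u["uid"], []).append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def passwords_in_passwd(users):
    """Accounts whose passwd field carries a hash instead of a shadow placeholder."""
    return sorted(n for n, u in users.items()
                  if u["pw"] and u["pw"] not in SHADOW_PLACEHOLDERS)


def undefined_groups(users, groups):
    """Accounts whose primary GID has no entry in the group file (Group IDs check)."""
    known = {g["gid"] for g in groups.values()}
    return sorted(n for n, u in users.items() if u["gid"] not in known)


def illegal_shells(users, allowed=ALLOWED_SHELLS):
    """Accounts whose login shell is not on the allowed list (Illegal login shells)."""
    return sorted(n for n, u in users.items() if u["shell"] not in allowed)


def account_integrity_report():
    """Run every check against the constructed snapshot and current files."""
    old_u, new_u = parse_passwd(SNAPSHOT_PASSWD), parse_passwd(CURRENT_PASSWD)
    old_g, new_g = parse_group(SNAPSHOT_GROUP), parse_group(CURRENT_GROUP)
    return {
        "accounts": diff_snapshot(old_u, new_u),
        "groups": diff_snapshot(old_g, new_g),
        "duplicate_ids": duplicate_ids(new_u),
        "password_in_passwd": passwords_in_passwd(new_u),
        "undefined_groups": undefined_groups(new_u, new_g),
        "illegal_shells": illegal_shells(new_u),
    }


if __name__ == "__main__":
    for check, result in account_integrity_report().items():
        print(f"{check}: {result}")
```

On the constructed data the report flags carol as a new account that shares UID 0 with root and still carries a hash in the passwd file, bob as a changed account (new shell, not on the allowed list) whose group was deleted from the group file, and wheel as a new group. Each of those is something the Account Integrity checks above would raise for review after a snapshot update.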

Page 20: Symantec Enterprise Security Manager™ Baseline Policy ...€¦ · Baseline Policy Manual for the Health Insurance Portability and Accountability Act For AIX, HP-UX, Red Hat Linux,

20 Symantec ESM Baseline Policy Manual for HIPAA (UNIX)Policy modules

Shell template files

You can edit the template files by copying them into another directory and renaming them. However, Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

The Account Integrity module uses the Shell template files shown below for specific operating systems.

OS | File name | Template name
AIX | aix45shc.shc | Shells
HP-UX | hp1011shc.shc | Shells
Red Hat | lnx67shc.shc | Shells
Solaris | sol26shc.shc | Shells

File Access

The File Access module checks read, write, and execute permissions on specified files and reports user accounts that are allowed to access the files. It also examines Access Control Lists (ACLs) on AIX.

Check | HIPAA section | Rationale
Write permission | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Giving write permissions to accounts other than root could allow unauthorized access.

File Attributes

The File Attributes module reports changes to file creation and modification times, file sizes, and CRC/MD5 checksum signatures. It also reports violations of file permissions that are specified in template files.

Check | HIPAA section | Rationale
User ownership | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Improper file ownership controls could allow unauthorized access.
Group ownership | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Improper group ownership controls could allow unauthorized access.
Permissions | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Improper file permissions could allow unauthorized access.
Changed file (creation time) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Changes to file creation times could indicate unauthorized access.
Changed file (modification time) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Changes to file modification times could indicate unauthorized access.
Changed file (size) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Changes to file sizes could indicate unauthorized access.
Changed file (signature) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Changes to file signatures could indicate unauthorized access.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Ignore symbolic links | N/A | Examining symbolic links may produce false positive alerts.

File Attributes template files

You can edit the template files by copying them into another directory and renaming them. However, Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

File and directory permissions are compared with settings in New File templates. The module uses the following File Attributes template files for specific operating systems.

OS | File name | Template name
AIX 4, 5 | aix4_5xh.aix | New File
HP-UX 10 | hpux1011.hpx | New File
Red Hat 7.x | rhlnx70h.li | New File
Red Hat 6.2 | rhlnx62h.li | New File
Solaris 2.6-9 | solar2xh.sol | New File


File Find

The File Find module reports weaknesses in file permissions and configuration files.

Check | HIPAA section | Rationale
Setuid files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setuid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
Setgid files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setgid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
New setuid files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setuid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
New setgid files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setgid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
World-writeable directories without sticky bit | 1173(d)(2)(A), 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | World-writeable directories without the sticky bit let any user delete files in the directory (intentionally or unintentionally).
Device files not in /dev | 1173(d)(2)(B)(ii), 164.306(a)(1), 164.308(a)(3)(i), 164.312(a)(1) | Mislocated device files could indicate system compromise and may be used to gain unauthorized access to other system resources.
World-writeable files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | World-writeable files can be used to gain unauthorized access.
Uneven file permissions | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Uneven permissions may result in unauthorized access.
Unowned directories and files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Access to unowned directories and files may be accidentally inherited by newly created accounts and groups.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
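Every File Find check above is a predicate over the mode bits and owner returned by lstat for each entry in a tree. The following is an added example of such a walker and is not Symantec ESM code. The tree it audits is constructed under a temporary directory; "uneven permissions" is interpreted here (an assumption, since the page does not define it) as a less privileged class holding a permission that a more privileged class lacks; "local disks only" is implemented by refusing to cross into another filesystem, which is how an NFS mount would be skipped.

```python
"""File Find style permission audit of a directory tree.

Added example, not Symantec ESM code. A throwaway tree is built under a
temporary directory so the walker has something realistic to flag.
"""
import os
import pwd
import stat
import tempfile


def is_uneven(mode):
    """Assumed definition: group has a bit owner lacks, or other has a bit group lacks."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    return bool(group & ~owner) or bool(other & ~group)


def tree_owner(root):
    """UID owning the root of the tree (used below to exercise the unowned check)."""
    return os.lstat(root).st_uid


def audit_tree(root, known_uids=None, local_only=True):
    """Return File Find style findings (sorted relative paths) for every entry under root."""
    if known_uids is None:  # UIDs defined in the local passwd database
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    findings = {"setuid": [], "setgid": [], "world_writable_dirs_no_sticky": [],
                "world_writable_files": [], "uneven_permissions": [],
                "unowned": [], "device_files_outside_dev": []}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if local_only:  # "Local disks only": do not cross into other filesystems (NFS mounts)
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # never follow links: a link's target is audited where it lives
            mode, rel = st.st_mode, os.path.relpath(path, root)
            if stat.S_ISLNK(mode):
                continue
            if st.st_uid not in known_uids:
                findings["unowned"].append(rel)
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings["world_writable_dirs_no_sticky"].append(rel)
                continue
            if (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)) and not path.startswith("/dev/"):
                findings["device_files_outside_dev"].append(rel)
            if mode & stat.S_ISUID:
                findings["setuid"].append(rel)
            if mode & stat.S_ISGID:
                findings["setgid"].append(rel)
            if mode & stat.S_IWOTH:
                findings["world_writable_files"].append(rel)
            if is_uneven(mode):
                findings["uneven_permissions"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def build_demo_tree():
    """Create a constructed tree with one example of each weakness plus clean entries."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")

    def make_file(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("demo\n")
        os.chmod(path, mode)

    os.mkdir(os.path.join(root, "scratch"))
    os.chmod(os.path.join(root, "scratch"), 0o777)   # world-writable, no sticky bit: flagged
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)      # world-writable with sticky bit: acceptable
    make_file("helper", 0o4755)     # setuid executable
    make_file("notes.txt", 0o666)   # world-writable file
    make_file("odd.conf", 0o606)    # owner rw, group none, other rw: uneven (and world-writable)
    make_file("fine.txt", 0o644)    # clean
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for check, paths in audit_tree(demo).items():
        print(f"{check}: {paths}")
```

Device files cannot be created without privilege, so the demo tree never triggers that check; the predicate is still there for a run against a real filesystem. Note that the sticky-bit directory (tmp) is deliberately left out of the findings: world-writable is acceptable there because only a file's owner can remove it.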


File Watch

The File Watch module creates and maintains a snapshot file for each agent where you run the module that stores file information. The File Watch template specifies the files or directories to be checked, the depth of directory traversal, and the types of changes to be evaluated. Malicious File Watch templates identify known attack signatures for malicious files checks.

Check | HIPAA section | Rationale
Changed files (ownership) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Ownership changes could indicate unauthorized access.
Changed files (permissions) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | File permissions changes could indicate unauthorized access.
Changed files (signature) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | File signature changes to the listed files could indicate unauthorized access.
New files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Files added to the watched directories could indicate unauthorized access.
Removed files | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Files removed from the watched directories could indicate unauthorized access.
Malicious files | 164.306(a)(2), 164.308(a)(5)(ii)(B) | The presence of known malware is a clear indication of system compromise. Malicious software may pose a threat to the confidentiality, integrity, and availability of PHI.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
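The File Attributes checks (changed creation time, modification time, size and signature) and the File Watch checks above (changed ownership, permissions and signature; new and removed files) all come from comparing a stored snapshot against a fresh one. The following is an added example of that snapshot and comparison logic and is not Symantec ESM code. It uses a temporary directory built inline, honours a traversal depth as a File Watch template does, and records an MD5 signature because that is the checksum the page's modules describe (it serves as a change detector here, not as a security hash).

```python
"""File Attributes / File Watch style snapshot comparison.

Added example, not Symantec ESM code. Records owner, permissions, size,
modification time and an MD5 signature for every regular file under a
directory, then reports what changed between two snapshots.
"""
import hashlib
import os
import tempfile


def take_snapshot(root, depth=None):
    """Map relative path -> attributes for regular files under root.

    depth limits traversal (0 = only files directly under root, None = no
    limit), mirroring the depth setting in a File Watch template.
    """
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        level = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        if depth is not None and level >= depth:
            dirnames[:] = []  # do not descend any further
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symbolic links, sockets, etc. are not signed
            st = os.lstat(path)
            with open(path, "rb") as f:
                digest = hashlib.md5(f.read()).hexdigest()
            snapshot[os.path.relpath(path, root)] = {
                "uid": st.st_uid, "gid": st.st_gid, "mode": st.st_mode & 0o7777,
                "size": st.st_size, "mtime_ns": st.st_mtime_ns, "signature": digest,
            }
    return snapshot


def compare_snapshots(old, new):
    """Classify differences the way the File Watch / File Attributes checks report them."""
    report = {"new_files": sorted(set(new) - set(old)),
              "removed_files": sorted(set(old) - set(new)),
              "ownership": [], "permissions": [], "size": [], "mtime": [], "signature": []}
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        if (a["uid"], a["gid"]) != (b["uid"], b["gid"]):
            report["ownership"].append(path)
        if a["mode"] != b["mode"]:
            report["permissions"].append(path)
        if a["size"] != b["size"]:
            report["size"].append(path)
        if a["mtime_ns"] != b["mtime_ns"]:
            report["mtime"].append(path)
        if a["signature"] != b["signature"]:
            report["signature"].append(path)
    return report


def demo():
    """Build a constructed tree, snapshot it, make typical changes, and diff."""
    root = tempfile.mkdtemp(prefix="filewatch_demo_")

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)
        return path

    a = write("a.txt", "hello world\n")
    b = write("b.txt", "config\n")
    os.chmod(b, 0o644)
    write("c.txt", "to be removed\n")
    e = write("e.txt", "log line 1\n")
    write("sub/deep.txt", "nested\n")
    before = take_snapshot(root)

    # Same-size edit with the timestamp put back: only the signature catches it.
    st = os.lstat(a)
    write("a.txt", "hello w0rld\n")
    os.utime(a, ns=(st.st_atime_ns, st.st_mtime_ns))
    os.chmod(b, 0o600)                           # permission change only
    os.remove(os.path.join(root, "c.txt"))       # removed file
    write("d.txt", "new file\n")                 # new file
    with open(e, "a") as f:                      # growth: size, mtime and signature change
        f.write("log line 2\n")
    after = take_snapshot(root)
    return {"root": root, "before": before, "after": after,
            "report": compare_snapshots(before, after)}


if __name__ == "__main__":
    for check, paths in demo()["report"].items():
        print(f"{check}: {paths}")
```

The a.txt case is the reason the signature check exists alongside size and modification time: a same-length edit with the timestamp restored leaves every other attribute identical. Ownership changes are not exercised because changing an owner needs privilege, but the comparison is in place.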


File Watch template files

You can edit the template files by copying them into another directory and renaming them. However, Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Note: Do not edit Malicious File Watch files.

OS | File name | Template name
AIX | aix4_5xh.fw | File Watch
HP-UX | hpux1011.fw | File Watch
HP-UX | unix.mfw | Malicious File Watch
HP-UX | unixhide.mfw | Malicious File Watch
Red Hat | lnxadore.mfw | Malicious File Watch
Red Hat | lnxlion.mfw | Malicious File Watch
Red Hat | lnxt0rn.mfw | Malicious File Watch
Red Hat 7.x | rhlnx70h.fw | File Watch
Red Hat 6.2 | rhlnx62h.fw | File Watch
Solaris | solar2xh.fw | File Watch
UNIX | unix.mfw | Malicious File Watch
UNIX | unixhide.mfw | Malicious File Watch


Login Parameters

The Login Parameters module reports:

■ Accounts that have never been used or have not been used within a specified number of days

■ Failed logins within a specified number of days

■ Accounts with expired passwords

■ Passwords that can be changed by others

■ Agents that do not log login attempts

■ Login attempts by superusers

■ Root accounts that can be accessed through rlogin or telnet

■ Devices that have reported failed logins on agents running in trusted or enhanced modes

Check | HIPAA section | Rationale
Inactive accounts | 164.308(a)(3)(ii)(C), 164.308(a)(5)(ii)(C) | Unused accounts that could allow unauthorized access should be removed. This policy ships with a default setting of 30 days of inactivity.
Login failures | 164.306(a)(2), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C) | Excessive login failures could indicate attempts to gain unauthorized access.
Password expired | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(C) | Expired passwords could indicate an unused account that has not been terminated, which could allow unauthorized access.
Successful login attempts not logged | 164.308(a)(1)(ii)(D), 164.312(b) | Certain system activities, including logins, must be logged and audited to facilitate monitoring for abuse of privilege.
Unsuccessful login attempts not logged | 164.306(a)(1), 164.308(a)(1)(ii)(D), 164.312(b) | Unsuccessful logins could indicate attempted unauthorized access, so this is another activity that must be logged and audited.
Successful su attempts not logged | 164.308(a)(1)(ii)(D), 164.312(b) | Certain system activities, including privilege escalation, must be logged and audited to facilitate monitoring for abuse of privilege.
Unsuccessful su attempts not logged | 164.306(a)(1), 164.308(a)(1)(ii)(D), 164.312(b) | Unsuccessful privilege escalation could indicate attempted unauthorized access, so this is another activity that must be logged and audited.
Remote root logins | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Permitting remote root login on an untrusted channel could allow unauthorized access.
Locked accounts | 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C) | Accounts are usually locked due to excessive login failures, which could indicate attempts to gain unauthorized access.
Password changes failed | 164.306(a)(2), 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C) | Excessive password change failures could indicate an attempt to guess a password.
Devices with failed logins | 164.306(a)(1), 164.308(a)(1)(ii)(D), 164.312(b) | Excessive login failures could indicate attempts to gain unauthorized access.
Login retries (AIX, HP-UX, Red Hat Linux) | 164.306(a)(2), 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C) | Allowing excessive retries to log in makes an account more vulnerable to a password guessing attack. This policy ships with a default setting of 5 tries.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
Local accounts only | N/A | This check is required for systems that use NIS to manage passwd and group files.
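The Inactive accounts, Login failures, Devices with failed logins and Unsuccessful su attempts checks above are counting problems over login records within a reporting window. The following is an added example of that counting and is not Symantec ESM code. Its log lines and last-login table are constructed in a simplified syslog-like layout (ISO timestamp, host, program, message); real agents read the platform's wtmp, lastlog and syslog formats. The thresholds are the page's defaults: 30 days of inactivity and 5 login tries.

```python
"""Login Parameters style checks over login records.

Added example, not Symantec ESM code. SAMPLE_LOG and LAST_LOGIN are
constructed; the record layout is a simplified one chosen for the example.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2004-03-01T09:15:02 hosta login[1810]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
2004-03-14T02:11:05 hosta login[2231]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
2004-03-14T02:11:09 hosta login[2231]: FAILED LOGIN 2 FROM 10.0.0.5 FOR alice, Authentication failure
2004-03-15T11:40:51 hosta login[2410]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
2004-03-16T08:02:13 hosta login[2517]: FAILED LOGIN 1 FROM 10.0.0.9 FOR bob, Authentication failure
2004-03-17T22:30:00 hosta login[2688]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
2004-03-18T07:45:19 hosta login[2701]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
2004-03-18T07:46:02 hosta login[2701]: LOGIN ON pts/2 BY alice FROM 10.0.0.5
2004-03-18T07:47:30 hosta su: FAILED SU (to root) alice on /dev/pts/2
2004-03-18T07:48:01 hosta su: SU (to root) alice on /dev/pts/2
"""

# Constructed last-login table (None = the account has never logged in).
LAST_LOGIN = {
    "root": datetime(2004, 3, 19),
    "alice": datetime(2004, 3, 18),
    "bob": datetime(2004, 2, 25),
    "svc_backup": None,
    "dave": datetime(2004, 1, 5),
}

FAILED_LOGIN = re.compile(r"^(\S+) \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\w+)")
FAILED_SU = re.compile(r"^(\S+) \S+ su: FAILED SU \(to (\w+)\) (\w+) on (\S+)")


def login_failures(lines, now, days=7):
    """Failed logins per account and per source device, and failed su per
    user->target, counted over the last `days` days only."""
    since = now - timedelta(days=days)
    by_account, by_device, su_failures = {}, {}, {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            if datetime.fromisoformat(m.group(1)) < since:
                continue  # outside the reporting window
            device, user = m.group(2), m.group(3)
            by_account[user] = by_account.get(user, 0) + 1
            by_device[device] = by_device.get(device, 0) + 1
            continue
        m = FAILED_SU.match(line)
        if m and datetime.fromisoformat(m.group(1)) >= since:
            key = f"{m.group(3)}->{m.group(2)}"
            su_failures[key] = su_failures.get(key, 0) + 1
    return {"by_account": by_account, "by_device": by_device, "su_failures": su_failures}


def excessive(counts, limit=5):
    """Keys whose count reached the login-retries limit (page default: 5)."""
    return sorted(k for k, v in counts.items() if v >= limit)


def inactive_accounts(last_login, now, max_days=30):
    """Accounts never used, or not used within max_days (Inactive accounts check)."""
    return sorted(name for name, last in last_login.items()
                  if last is None or (now - last).days > max_days)


def login_parameters_report(now=datetime(2004, 3, 20)):
    """Run the checks over the constructed data as of `now`."""
    failures = login_failures(SAMPLE_LOG.splitlines(), now)
    return {
        "failures": failures,
        "accounts_over_limit": excessive(failures["by_account"]),
        "devices_over_limit": excessive(failures["by_device"]),
        "inactive": inactive_accounts(LAST_LOGIN, now),
    }


if __name__ == "__main__":
    for check, result in login_parameters_report().items():
        print(f"{check}: {result}")
```

The first failed login for alice falls outside the seven-day window and is not counted, which leaves exactly five within it: enough to reach the retry limit for both the account and the source device. The su lines show why unsuccessful su attempts need logging at all: the failed attempt is only visible because the system recorded it.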


Network Integrity

The Network Integrity module reports:

■ Trusted hosts and users

■ Agents with FTP enabled

■ TFTP daemons that are running as privileged users or not running in secure mode

■ Listening TCP and UDP ports

■ Listening TCP and UDP ports that changed owners since the last snapshot update

■ TCP and UDP ports that started listening since the last snapshot update

■ Agents that are running xhost + in X Windows

■ Processes used to open TCP and UDP ports

Check | HIPAA section | Rationale
Trusted hosts/users | 164.306(a)(2), 164.306(d) | The Berkeley trust mechanism is one of the vulnerabilities most frequently exploited by attackers. The mechanism does not properly authenticate users. Other means, such as ssh, should be used to authenticate users.
FTP enabled | 164.306(a)(2) | FTP is another frequently exploited vulnerability. Other means, such as ssh, should be used to authenticate users.
TFTP | 164.306(a)(2), 164.306(d) | TFTP is one of the vulnerabilities most frequently exploited by attackers. The mechanism does not properly authenticate users.
Listening TCP ports | 164.306(a)(2), 164.308(a)(1)(i) | Unauthorized listening ports may not be properly protected against common threats.
New listening TCP ports | 164.306(a)(2), 164.308(a)(1)(i) | New listening ports should be reviewed to ensure that they are authorized.
Modified listening TCP ports | 164.306(a)(2), 164.308(a)(1)(i) | Modified listening ports should be reviewed to ensure that they still comply with policy and requirements.
Listening UDP ports | 164.306(a)(2), 164.308(a)(1)(i) | Unauthorized listening ports may not be properly protected against common threats.
New listening UDP ports | 164.306(a)(2), 164.308(a)(1)(i) | New listening ports should be reviewed to ensure that they are authorized.
Modified listening UDP ports | 164.306(a)(2), 164.308(a)(1)(i) | Modified listening ports should be reviewed to ensure that they still comply with policy and requirements.
Access control (xhost) | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Access to the X console should be explicitly controlled.

OS Patches

The OS Patches (Patch) module reports patches that are defined in the UNIX patch template files for AIX, HP-UX, Solaris, and Linux but are not installed on the agent.

Check | HIPAA section | Rationale
All module checks | 1173(d)(2)(B)(i), 164.306(a)(2), 164.308(a)(5)(ii)(A), 164.308(a)(6)(ii) | Unpatched systems are overwhelmingly the most common cause of technical security exploits. Known vulnerabilities that could be exploited are required by the HIPAA Security and Privacy Standard to be identified and mitigated.

Patch template files

Symantec uses LiveUpdate every two weeks to overwrite the template files that are loaded on your system.

Note: Do not edit, move, or change your Patch template files in any way.

The Patch module uses the following template files.

OS | File name | Template name
AIX | patch.pai | Patch
HP-UX | patch.ph1 | Patch
Red Hat | patch.plx | Patch
Solaris | patch.ps6 | Patch


Password Strength

The Password Strength module reports weak passwords, including:

■ Passwords that match the user name

■ Passwords that are the same as any user name in the system

■ Passwords that are the same as any word in word list files

The Password Strength module also reports accounts with no passwords and accounts with a maximum password age greater than a specified value.

Check | HIPAA section | Rationale
Password = username | 164.308(a)(5)(ii)(D) | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match the user name are easy to guess and may allow unauthorized access.
Password = any username | 164.308(a)(5)(ii)(D) | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match any user names on your network can result in unauthorized access.
Password within GECOS field | 164.308(a)(5)(ii)(D) | Passwords that match information in the GECOS field are easily guessed passwords and do not meet the GLBA requirement for adequate authentication and access controls.
Password = wordlist word | 164.308(a)(5)(ii)(D) | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for commonly-used words to guess passwords and gain unauthorized access.
Reverse order | 164.308(a)(5)(ii)(D) | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers often look for variations of user names and wordlist words to guess passwords and gain unauthorized access.
Double occurrences | 164.308(a)(5)(ii)(D) | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers often look for double occurrences of user names and wordlist words to guess passwords and gain unauthorized access.
Plural forms | 164.308(a)(5)(ii)(D) | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers often look for plural forms of user names and wordlist words to guess passwords and gain unauthorized access.
Uppercase | 164.308(a)(5)(ii)(D) | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers look for upper and lowercase variations of user names and wordlist words to guess passwords and gain unauthorized access.
Lowercase | 164.308(a)(5)(ii)(D) | Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Attackers look for upper and lowercase variations of user names and wordlist words to guess passwords and gain unauthorized access.
Guessed password | 164.308(a)(5)(ii)(D) | Controls to authenticate and permit access only to authorized individuals require effective password management. If a password is easily guessed, it may permit unauthorized access.
Login requires password | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1), 164.312(d) | Controls to authenticate and permit access only to authorized individuals require effective password management. Accounts that do not require login may permit unauthorized access.
Accounts without passwords | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1), 164.312(d) | Controls to authenticate and permit access only to authorized individuals require effective password management. Accounts without passwords may permit unauthorized access.
Password length restrictions | 164.308(a)(5)(ii)(D) | Short passwords are easily guessed. This policy ships with a default setting of 8 characters.
Minimum password history | 164.308(a)(5)(ii)(D) | Limiting reuse of previously-used passwords reduces the risk of discovery. This policy ships with a default setting of 4 prior passwords.
Password age | 164.308(a)(5)(ii)(D) | Controls to authenticate and permit access only to authorized individuals require effective password management. Requiring passwords to be changed periodically reduces the risk of discovery. This policy ships with a default setting of 90 days.
Maximum password age | 164.308(a)(5)(ii)(D) | Controls to authenticate and permit access only to authorized individuals require effective password management. Default maximum password age settings on ESM agents should comply with your company’s security policy.
Maximum repeated characters | 164.308(a)(5)(ii)(D) | Easily guessed passwords do not meet the HIPAA requirement for adequate authentication and access controls. Repeated characters make passwords easy to guess. This policy ships with a default setting of 2 characters.
Local disks only | N/A | This check is required for systems using NFS to serve home directories.
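The guessability checks above (username, any username, GECOS field, wordlist word, and their reversed, doubled, plural, uppercase and lowercase variants) together with the composition defaults (8 characters, 2 repeated characters, 4 prior passwords) make up a password-quality policy. The following is an added example that applies those same rules to a proposed password at change time, in the way a password-quality filter would; it is not Symantec ESM code, which tests stored hashes against guesses instead. The user table, word list and history are constructed and deliberately tiny; a real word list is the module's word list files.

```python
"""Password Strength style quality checks for a proposed password.

Added example, not Symantec ESM code. Applies the page's guessability rules
and composition defaults (8 characters, 2 repeated characters, 4 prior
passwords) to a candidate password and lists every violation.
"""
import re

# Constructed data: user -> GECOS field, a short word list, and alice's recent passwords.
USERS = {"alice": "Alice Example", "bob": "Bob Builder", "root": "root"}
WORDLIST = ["secret", "welcome", "password"]
HISTORY = {"alice": ["Winter2003!", "Spring2004!"]}

# The variations named in the Password Strength checks.
VARIANTS = {
    "as-is": lambda w: w,
    "reversed": lambda w: w[::-1],
    "doubled": lambda w: w * 2,
    "plural": lambda w: w + "s",
    "uppercase": lambda w: w.upper(),
    "lowercase": lambda w: w.lower(),
    "capitalized": lambda w: w.capitalize(),
}


def guess_sources(user, users, wordlist):
    """(label, words) pairs that the checks draw candidate words from for this account."""
    gecos_words = re.findall(r"[A-Za-z0-9]{3,}", users.get(user, ""))
    return [("username", [user]),
            ("any username", sorted(n for n in users if n != user)),
            ("GECOS", gecos_words),
            ("wordlist", wordlist)]


def check_password(user, password, users=USERS, wordlist=WORDLIST, history=HISTORY,
                   min_length=8, max_repeat=2, history_depth=4):
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    for label, words in guess_sources(user, users, wordlist):
        for word in words:
            for vname, transform in VARIANTS.items():
                candidate = transform(word)
                if vname != "as-is" and candidate == word:
                    continue  # e.g. lowercase of an all-lowercase word: already covered by as-is
                if password == candidate:
                    violations.append(f"{label}:{vname}:{word}")
    if len(password) < min_length:
        violations.append(f"too short: {len(password)} < {min_length}")
    if re.search(r"(.)\1{%d,}" % max_repeat, password):  # a run longer than max_repeat
        violations.append(f"repeated character run longer than {max_repeat}")
    if password in history.get(user, [])[-history_depth:]:
        violations.append(f"reused: matches one of the last {history_depth} passwords")
    return violations


if __name__ == "__main__":
    for candidate in ("ecila", "EXAMPLE", "secrets", "Winter2003!", "xaaazzz99", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password('alice', candidate) or 'accepted'}")
```

Each finding names the source and the transformation that produced the match, so an administrator can see which check of the table above fired. The rules are applied independently and all violations are returned rather than stopping at the first, which is what makes the result useful for explaining a rejection.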


Local accounts only | N/A | This check is required for systems that use NIS for managing the passwd and group files.

Startup Files

The Startup Files module reports:

■ Files referenced by rc scripts that do not exist on the agent

■ PATH variables that include the current directory

■ Changes to process configurations since the last snapshot update

■ Services that were added or deleted since the last snapshot update

■ Running services that are forbidden

Check | HIPAA section | Rationale
System startup file contents | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | World-writeable files executed by system startup scripts could allow unauthorized access or privilege escalation.
Current directory in startup path | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Files writeable by users other than root could allow unauthorized access or privilege escalation.
Login/tty file contents | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Permitting remote root login on an untrusted channel could allow unauthorized access.
Enhanced security enabled | N/A | This setting is required to enable other checks in ESM.
Services | 164.306(a)(2), 164.308(a)(1)(i), 164.312(b) | Services are a common source of malicious exploitation and must be periodically examined to protect PHI from reasonably anticipated threats or hazards.
Changed services | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Changes to an authorized service can indicate a system compromise.
New services | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Unauthorized services can be used to gain unauthorized access.
Services not in template | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Unauthorized services can be used to gain unauthorized access.

Services template files

Mandatory, prohibited, and optional services for AIX, HP-UX, Solaris, and Linux are defined in Services template files. Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

OS | File name | Template name
AIX | aix4_5xb.sai | Services
HP-UX | hp10-11b.sh1 | Services
Red Hat | rhlnx67b.slx | Services
Solaris | solar2xh.ss6 | Services

System Auditing

The System Auditing module reports:

■ Unauthorized users (providing valuable tracking information during or after a break-in)

■ Security events that are audited for failure or success

■ Maximum log file size

Of the supported UNIX platforms on ESM, only Solaris and HP-UX natively support auditing functions. However, the following checks on AIX, HP-UX, and Solaris verify compliance with the corresponding HIPAA sections.

Check | HIPAA section | Rationale
Auditing enabled | 164.312(b) | This setting lets you record and examine system activities.
Event auditing | 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.312(b) | Templates define the specific events and system calls to be audited to review system activity.
System call mapping | 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.312(b) | Templates define the specific events and system calls to be audited to review system activity.


Event auditing and System call mapping template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

Event auditing and System call mapping template files include users, events, and system call auditing and mapping.

OS | File name | Template name
AIX | aix.aud | Events
AIX | aix.map | Event Map
HP-UX | hpevents.aud | Events
HP-UX | hpevtmap.map | Event Map
Solaris | solaris.aud | Events
Solaris | solaris.map | Event Map

System Mail

ESM provides checks for the sendmail program. However, systems that store and process protected health information (PHI) should not use sendmail because of sendmail’s history of security vulnerabilities.

Note: If SMTP is required, use a more secure and reliable substitute such as qmail or postfix.

The System Mail module reports:

■ Wizard passwords and decode aliases in mail configuration files

■ Mail aliases that are piped to a command or shell program

■ Agents that are not logging sendmail messages

■ Agents that do not have properly configured logs

■ Agents that are owned by root or contain invalid file permissions

Check | HIPAA section | Rationale
Wizard passwords | 164.306(a)(2), 164.308(a)(1)(i) | Wizard passwords are frequently exploited, which may result in unauthorized access.
Decode aliases | 164.306(a)(2), 164.308(a)(5)(ii)(B) | Decode aliases are a frequent vector for malicious code.

Command aliases | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Command aliases may be used to gain unauthorized access and may be an indicator of system compromise.
Sendmail log | 164.306(a)(2), 164.308(a)(1)(ii)(D) | Correctly configuring the sendmail log feature helps to detect and diagnose mail vulnerabilities.
Log level setting | 164.308(a)(1)(ii)(D), 164.312(b) | This setting defines the minimum level of log information to be captured. This policy ships with a default setting of log level 9.
Sendmail configuration file | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | An improperly configured sendmail daemon may be used by attackers to obtain information about users, which may be used to compromise the security and integrity of PHI.

User Files

The User Files module reports:

■ Files in the user’s directory that the user does not own

■ Files and directories that everyone can write to

■ Files that have set user ID or set group ID bits for their owners or other files

■ Users with PATH variables that include the current directory

■ Accounts with .rhost or .netrc files (and potential vulnerabilities associated with each)

■ Startup files with inadequate permissions or improper ownerships

Check HIPAA section Rationale

| Check | HIPAA section | Rationale |
|---|---|---|
| File ownership | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Improper file ownership controls may result in unauthorized access. |
| World-writeable files | 1173(d)(2)(A), 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | World-writeable files may be used to gain unauthorized access. |
| Setuid or Setgid | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Setuid and setgid files should be examined to ensure that they are not a vehicle for unauthorized access. |
| Set PATH (using su) | N/A | This is the recommended method for checking the PATH variable, upon which other checks depend. |
| Current directory not allowed in PATH | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Files writeable by users other than root could allow unauthorized access or privilege escalation. |
| World-writeable directories in PATH | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Files writeable by users other than root could allow unauthorized access or privilege escalation. |
| Group-writeable directories in PATH | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Files writeable by users other than root could allow unauthorized access or privilege escalation. |
| Umask (using su) | N/A | This is the recommended method for checking the umask value, upon which other checks depend. |
| Umask | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | Umask values that are set too low may result in unauthorized access or privilege escalation. This policy ships with a default setting of 027. |
| Check startup file contents | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | World-writeable files executed by system startup scripts could allow unauthorized access or privilege escalation. |
| Check startup file protection | 1173(d)(2)(B)(ii), 164.308(a)(3)(i), 164.312(a)(1) | If startup files are not properly protected, an attacker could change them and hijack the user’s account. |
| Local disks only | N/A | This check is required for systems using NFS to serve home directories. |
| Ignore symbolic links | N/A | Examining symbolic links can produce false positive alerts. |
| Local accounts only | N/A | This check is required for systems that use NIS for managing the passwd and group files. |
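The User Files checks above map directly onto a handful of `find`, `ls` and arithmetic tests. The script below is an added example, not code from the Symantec manual or from ESM: it reports files the account does not own, world-writeable files and directories, setuid/setgid files, `.rhosts` and `.netrc` files, PATH entries that are the current directory or a world- or group-writeable directory, and whether the umask is at least as restrictive as the policy default of 027. It assumes POSIX `find` and `ls` (group write is column 6 and other write is column 9 of `ls -ld`), and the home directory and PATH it examines are a constructed sample built in a temporary directory, standing in for a real account.

```shell
#!/bin/sh
# Added example, not part of the Symantec manual or ESM: shell checks that
# mirror what the User Files module reports for one account. Assumptions:
# POSIX find and ls; the home directory and PATH examined are a constructed
# sample built in a temporary directory, standing in for a real account.

# Files under the home directory that the account does not own.
files_not_owned_by() {            # $1 = home dir, $2 = user name
    find "$1" ! -user "$2" -print
}

# Files and directories that everyone can write to (other-write bit set).
world_writable() {                # $1 = home dir
    find "$1" -perm -002 -print
}

# Regular files with the set-user-ID or set-group-ID bit.
setuid_setgid_files() {           # $1 = home dir
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# .rhosts and .netrc in the home directory (trust and credential files).
trust_files() {                   # $1 = home dir
    for f in "$1/.rhosts" "$1/.netrc"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# PATH findings: "." or an empty entry (current directory), and directories
# that are world- or group-writable. "ls -ldL" dereferences symlinked
# directories; column 6 is the group write bit, column 9 the other write bit.
audit_path() {                    # $1 = PATH value to examine
    rest="$1:"                    # trailing sentinel so the last entry is read
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.) echo "current directory in PATH (entry '$entry')" ;;
            *)
                [ -d "$entry" ] || continue
                perms=$(ls -ldL "$entry" | cut -c1-10)
                case $perms in ????????w?) echo "world-writable directory in PATH: $entry" ;; esac
                case $perms in ?????w????) echo "group-writable directory in PATH: $entry" ;; esac
                ;;
        esac
    done
}

# True when the umask masks group write and every "other" bit, i.e. it is
# at least as restrictive as the policy default of 027.
umask_is_restrictive() {          # $1 = umask in octal, e.g. 022
    [ $(( 0$1 & 027 )) -eq $(( 027 )) ]
}

# Build the constructed sample home directory (explicit modes throughout so
# the caller's umask does not change the result) and print its path.
make_sample_home() {
    hdir=$(mktemp -d)
    mkdir "$hdir/bin" "$hdir/shared"
    chmod 755 "$hdir/bin"
    echo 'echo sample' > "$hdir/bin/tool"
    chmod 4755 "$hdir/bin/tool"          # set-user-ID on a user-owned file
    : > "$hdir/shared/notes.txt"
    chmod 666 "$hdir/shared/notes.txt"   # world-writable file
    chmod 777 "$hdir/shared"             # world-writable directory
    echo 'trusted-host someuser' > "$hdir/.rhosts"
    chmod 600 "$hdir/.rhosts"
    echo "$hdir"
}

# Report every finding for the sample account, then clean up.
audit_user_files() {
    hdir=$(make_sample_home)
    user=$(id -un)
    echo "Not owned by $user:";   files_not_owned_by "$hdir" "$user"
    echo "World-writable:";       world_writable "$hdir"
    echo "Setuid/setgid:";        setuid_setgid_files "$hdir"
    echo "Trust files:";          trust_files "$hdir"
    echo "PATH findings:";        audit_path "$hdir/bin:.:$hdir/shared"
    if umask_is_restrictive "$(umask)"; then echo "umask $(umask): ok"
    else echo "umask $(umask): too permissive (policy default 027)"; fi
    rm -rf "$hdir"
}

audit_user_files
```

For a real account, run the functions as that user after `su` (the manual's "using su" checks exist because PATH and umask are per-session values), passing the user's home directory and `$PATH`. The constructed sample produces one world-writeable directory and file, one setuid file, a `.rhosts` file, and three PATH findings: the `.` entry plus the world- and group-writeable `shared` directory.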
