Symantec Enterprise Security Manager™ Policy Manual for the Sarbanes-Oxley Act For UNIX


Page 1: Symantec Enterprise Security Manager™ Policy …No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd.,

Symantec Enterprise Security Manager™ Policy Manual for the Sarbanes-Oxley Act

For UNIX


Policy Manual for the Sarbanes-Oxley Act

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

041104

Copyright Notice

Copyright 2004 Symantec Corporation. All Rights Reserved.

Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, Symantec Enterprise Security Manager, LiveUpdate, and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Printed in the United States of America.


Technical support

As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works in collaboration with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

■ A range of support options that gives you the flexibility to select the right amount of service for any size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for virus definitions and security signatures that ensure the highest level of protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.htm, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/.


When contacting the Technical Support group, please have the following:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description

■ Error messages/log files

■ Troubleshooting performed prior to contacting Symantec

■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec's technical support options

■ Nontechnical presales questions

■ Missing or defective CD-ROMs or manuals

Symantec Software License Agreement

Symantec Enterprise Security Manager

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:

The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine.

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. “Desktop” means a desktop central processing unit for a single end user;

D. use the Software to assess no more than the number of Server machines set forth under a License Module. “Server” means a central processing unit that acts as a server for other central processing units;

E. use the Software to assess no more than the number of Network machines set forth under a License Module. “Network” means a system comprised of multiple machines, each of which can be assessed over the same network;

F. use the Software in accordance with any written agreement between You and Symantec; and

G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:

A. copy the printed documentation which accompanies the Software;

B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module;

C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;

E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance;

F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed;

G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor

I. use the Software in any manner not authorized by this license.

2. Content Updates:

Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty:

Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation:

Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited.

7. General:

If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Authorized Service Center, Postbus 1029, 3600 BA Maarssen, The Netherlands, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.


Contents

Symantec ESM Policy Manual for the Sarbanes-Oxley Act (UNIX)

Introducing the policies
    About the Sarbanes-Oxley Act
        SEC Final Rule
About COSO and CobiT
    Components of Internal Control for COSO
    Control Objectives for CobiT
    Where to get more information
Installing the policies
    Before you install
    Installing the regulatory policies

Mappings to Policies

Change Notification policy
    Account Integrity module
    File Attributes module
        File Attributes template files
    File Find module
    File Watch module
        File Watch template files
    Network Integrity module
    Object Integrity module
    Oracle Accounts module
    Oracle Auditing module
    Oracle Configuration module
    Oracle Profiles module
    Oracle Roles module
    Oracle Tablespace module
    Startup Files module

Resource Review policy
    Account Integrity module
    File Access module
    File Attributes module
        File Attributes template files
    File Find module
    File Watch module
        File Watch template files
    Login Parameters module
    Network Integrity module
    Object Integrity module
    Oracle Accounts module
    Oracle Auditing module
    Oracle Networks module
    Oracle Objects module
    Oracle Passwords module
    Oracle Profiles module
    Oracle Roles module
    Oracle Tablespace module
    Password Strength module
    Startup Files module
        Services template files
    System Queues module
    User Files module

Controls Compliance policy
    Account Integrity module
        Shells template files
    Login Parameters module
    Network Integrity module
    Oracle Accounts module
    Oracle Auditing module
    Oracle Configuration module
    Oracle Patches module
        Oracle patch template file
    Oracle Roles module
    Oracle Tablespace module
    OS Patches module
        Patch template files
    Password Strength module
    Startup Files module
        Services template files
    System Auditing module
        Event auditing and System call mapping template files
    System Mail module


Symantec ESM Policy Manual for the Sarbanes-Oxley Act (UNIX)

This chapter includes the following topics:

■ Introducing the policies

■ About COSO and CobiT

■ Installing the policies

Introducing the policies

Each Symantec ESM policy addresses different aspects of the IT process that relates to compliance with the Sarbanes-Oxley Act. You should run the policies at the specified time intervals, which are based on operational efficiencies.

Policy name, description and scheduling:

Change Notification

Run the Change Notification policy daily. This policy identifies changes to system resources such as system files, services, network connections, registry entries, and other parameters that are related to the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:

■ Monitors and detects changes to controls that could have a material impact on financial reporting

■ Provides management with sufficient, timely, and accurate reports about changes to meet real-time issuer disclosure requirements

Resource Review

Run the Resource Review policy weekly. This policy provides information about critical system resources that support the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:

■ Continuously monitors and records the state of critical system resources that require manual review, which could have an impact on the integrity of the financial reporting process

■ Validates and mitigates risks identified in the manual review

■ Assists your company with periodic assessment and monitoring of administrative and technical controls that are needed for compliance with the Act

Controls Compliance

Run the Controls Compliance policy at least twice per month. This policy checks system-wide configuration settings that are related to the “effectiveness of internal controls” that are critical to sustaining the integrity of information that is used for financial reporting:

■ Determines if the actual environment is in compliance with the desired state of control

■ Monitors the state of control for compliance with the desired state of control

■ Records the results of the monitoring

■ Provides management with sufficient, timely, and accurate reports on which to base the quarterly and annual certifications

About the Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, was introduced as H.R. 3763, passed by the 107th Congress, and signed into law by President George W. Bush on July 30, 2002.

Unlike other recently introduced regulations and standards, the Sarbanes-Oxley Act contains no explicit security requirements relating to confidentiality, integrity and availability. The purpose of the law is to ensure accountability and integrity of the financial reporting process for public companies.

Title IV, section 404 and Title III, section 302 of the Act require annual and quarterly management reporting and certification of the adequacy of controls. In addition, material changes must be reported in accordance with Title IV, section 409, “Real Time Issuer Disclosures.”

Compliance with the Sarbanes-Oxley Act involves two fundamental activities:

■ Achieving and maintaining compliance as an ongoing process

■ Reporting on the current state of compliance; for example, for an audit or examination

Symantec ESM policies for the Sarbanes-Oxley Act assess compliance with many of the components of internal control in COSO and control objectives in CobiT that may be reviewed by your public auditor during your annual attestation of compliance required by the Sarbanes-Oxley Act.

There are two regulatory bodies responsible for overseeing compliance with the Act:

Securities and Exchange Commission (SEC)

The SEC is the regulatory body responsible for enforcing the Act.

Public Company Accounting Oversight Board (PCAOB)

Title I, section 101 of the Act established the Public Company Accounting Oversight Board (PCAOB) "to oversee the audit of public companies that are subject to the securities laws.” The only assigned duty of the Board with direct relevance to public company compliance with Sarbanes-Oxley is to "establish or adopt, or both, by rule, auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers, in accordance with section 103.”

SEC Final Rule

The SEC Final Rule is published as Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (17 CFR Parts 210, 228, 229, 240, 249, 270 and 274).

As directed by section 404 of the Act, the SEC has adopted a rule (the Final Rule) requiring companies that are subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report from management on the company's internal control over financial reporting. The internal control report must include the following:

■ A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company

■ Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year

■ A statement identifying the framework that is used by management to evaluate the effectiveness of the company's internal control over financial reporting

■ A statement that the registered public accounting firm that audited the company's financial statements (included in the annual report) has issued an attestation report on management's assessment of the company's internal control over financial reporting

As directed by section 302 of the Act, the SEC requires a company's management (with the participation of the principal executive and financial officers) to do the following:

■ Evaluate any change in the company's internal control over financial reporting:

  ■ that occurred during a fiscal quarter

  ■ that has materially affected the company's internal control over financial reporting

  ■ that is reasonably likely to materially affect the company's internal control over financial reporting


As required by the Sarbanes-Oxley Act, the quarterly certification regarding disclosure that is provided to the company's auditors and audit committee is quoted as:

The company's certifying officer(s) have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.

Under the SEC Final Rule, a company is required to file the registered public accounting firm's attestation report as part of the annual report. The SEC has adopted amendments to their rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the section 302 certification requirements and to require issuers to provide the certifications that are required by section 302 and Title IX section 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.

The SEC has stated in the SEC Final Rule:

We recognize that our definition of the term 'internal control over financial reporting' reflected in the final rules encompasses the subset of internal controls addressed in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework report that pertains to financial reporting objectives.

About COSO and COBIT

The SEC requires organizations to select and implement an internal control framework. COSO has become the most commonly adopted framework.

SEC registrants and others found that additional details regarding IT control considerations were needed beyond those provided in COSO. The Public Company Accounting Oversight Board (PCAOB) indicates the importance of IT controls but does not provide further detail. As a result, COBIT (Control Objectives for Information and related Technology), which is published by the IT Governance Institute, was used as the basis to access further IT control detail to produce and document these Symantec ESM policies.


Components of Internal Control for COSO

The Institute of Internal Auditors (IIA) identifies five relevant components of internal control within the COSO framework:

■ Control environment (CE): Creates the foundation for effective internal control, establishes the "tone at the top," and represents the apex of the corporate governance structure.

■ Risk assessment (RA): Involves the identification and analysis by management of relevant risks to achieving predetermined objectives, which forms the basis for determining control activities.

■ Control activities (CA): Activities that make up the policies, procedures, and practices that are adopted to ensure that business objectives are achieved and risk mitigation strategies are followed.

■ Information and communication (IC): Information that is needed at all levels of the organization to run the business and achieve control objectives.

■ Monitoring (M): The oversight of internal control by management through continuous and point-in-time assessment processes.

Control Objectives for CobiT

The Information Technology Governance Institute (ITGI) defines four domains within COBIT:

■ Planning and Organization (PO): Covers strategy and tactics. PO identifies the way IT can best achieve the business objectives. Twelve control objectives from five processes are addressed by these policies.

■ Acquisition and Implementation (AI): Describes identification, development or acquisition, implementation, and integration of IT solutions into the business process. Three control objectives from one process are addressed by these policies.

■ Delivery and Support (DS): Covers the actual delivery of required services. Services can range from traditional operations with security and continuity aspects to training. Thirteen control objectives from four processes are addressed by these policies.

■ Monitoring (M): Addresses management's oversight of the organization's control process. Monitoring covers independent assurance that is provided by either an internal or external audit or through alternative resources. Four control objectives from two processes are addressed by these policies.


Where to get more information

The Securities and Exchange Commission (SEC) is the regulatory body that is responsible for enforcing the Act. For more information, go to the following web sites:

Sarbanes-Oxley Act (full text): http://www.law.uc.edu/CCL/SOact/soact.pdf

SEC Final Rule: http://www.sec.gov

PCAOB Auditing Standard #2: http://www.pcaob.com

COSO framework: http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf

CobiT control objectives: http://www.isaca.org/cobit.htm

Installing the policies

The Change Notification, Resource Review, and Controls Compliance policies can be installed on Symantec ESM 5.5 and 6.0 managers that are running Security Update 18 or later.

Before you install

Decide which Symantec ESM managers require the policy. Policies run on managers and do not need to be installed on agents. The policies can be installed on the following operating systems:

■ IBM AIX 5.1 and 5.2

■ Hewlett-Packard HP-UX 10.x and 11.x

■ Red Hat Linux Enterprise Server 2.1 and 3.0

■ Sun Solaris 8 and 9

■ SUSE Linux Standard Server version 8

Installing the regulatory policies

The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Another method is to use files from a Symantec ESM CD or the Internet to install the policies manually.


To install the policies through LiveUpdate

1 Connect the Symantec ESM Enterprise Console to managers that you want to update.

2 Click the LiveUpdate icon to start the LiveUpdate wizard.

3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.

4 In the Welcome to LiveUpdate dialog box, click Next.

5 Do one of the following:

■ To install all checked products and components, click Next.

■ To exclude a product from the update, uncheck it, and then click Next.

■ To exclude a product component, expand the product node, uncheck the component that you want to exclude, and then click Next.

6 Click Next.

7 Click Finish.

8 Ensure that all managers that you want to update are checked.

9 Click Next.

10 Click OK.

To obtain files for a manual installation

1 Connect the Symantec ESM Enterprise Console to managers that you want to update.

2 Go to the Security Response Web site at: http://securityresponse.symantec.com

3 Download the executable files for the following operating systems:

■ IBM AIX versions 5.1 and 5.2

■ Hewlett-Packard HP-UX versions 10.x and 11.x

■ Red Hat Linux Enterprise Server versions 2.1 and 3.0

■ Sun Solaris versions 8 and 9

■ SUSE Linux Standard Server 8

Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder (usually Program Files/Symantec/LiveUpdate).


To manually install the policies

1 On a computer that is running Windows NT/2000/XP/Server 2003 that has network access to the UNIX manager, run the executable that you downloaded from the Symantec Security Response Web site.

2 Click Next to close the Welcome dialog box.

3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.

4 Click Yes to continue installation of the best practice policy.

5 Type the requested manager information.

6 Click Next.

If the manager’s modules have not been upgraded to Security Update 18 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 18 or later, and then rerun the install program.

7 Click Finish.


Mappings to Policies

This chapter includes the following topics:

■ Change Notification policy

■ Resource Review policy

■ Controls Compliance policy


Change Notification policy

The modules that are included in this policy are described below with information about the checks that are enabled in each module. The following details are provided for individual security checks:

■ References to the COSO components of internal control

■ References to the COBIT control objectives

■ Brief rationale for enabling the check

■ Associated templates (if applicable)

■ Associated name lists (if applicable)

■ Keyword lists (if applicable)

■ Word lists (if applicable)

This policy is read-only. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

Note: Default values for specific security checks are based on industry best practices. Control objectives do not identify specific values.

Account Integrity module

The Account Integrity module reports account and account privilege information.

Check | COSO | COBIT | Rationale
New accounts | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All additions to the /etc/passwd files since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
Changed accounts | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All changes to the /etc/passwd files since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted or authorized access removed.
New groups | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All additions to the /etc/group files since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
Changed groups | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All changes to the /etc/group files since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted or authorized access removed.
Local disks only | N/A | N/A | This option is enabled for systems that use Network File System (NFS) to serve home directories.
Local accounts only | N/A | N/A | This option is enabled for systems that use Network Information System (NIS) for managing the password and group files.

File Attributes module

The File Attributes module reports changes to system software file creation and modification times, file sizes, and CRC and MD5 checksum signatures.

Check | COSO | COBIT | Rationale
Changed file (creation time) | CA, M | AI3.6, M2.4 | Changes to file creation times could indicate unauthorized access.
Changed file (modification time) | CA, M | AI3.6, M2.4 | Changes to file modification times could indicate unauthorized access.
Changed file (size) | CA, M | AI3.6, M2.4 | Changes to file sizes could indicate unauthorized access.
Changed file (signature) | CA, M | AI3.6, M2.4 | Changes to file signatures could indicate unauthorized access.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Ignore symbolic links | N/A | N/A | Examining symbolic links could produce false positive alerts.
Automatically update snapshots | N/A | N/A | Enabling this option automatically updates snapshots with current information. All changes are still reported. This option is set by default in the policy.
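The Account Integrity and File Attributes checks above share one mechanism: a baseline snapshot is compared with the current state and every new, changed or removed entry is reported. The following is an added example of that snapshot-and-compare logic, not Symantec ESM code; the passwd and group text, file contents and modification times are constructed sample data, and the file set is kept in memory rather than read with os.stat().

```python
"""Snapshot-and-compare logic in the style of the Account Integrity and
File Attributes checks above (added example, not Symantec ESM code)."""
import hashlib

PASSWD_FIELDS = ("password", "uid", "gid", "gecos", "home", "shell")
GROUP_FIELDS = ("password", "gid", "members")

# Constructed baseline snapshot (sample data, not from a real host).
PASSWD_SNAPSHOT = """root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
finance:x:1001:1001:Finance reporting:/home/finance:/bin/bash
"""
GROUP_SNAPSHOT = """root:x:0:
finance:x:1001:finance
"""
# Constructed current state: finance's login shell changed, svc_backup was
# added, the auditors group appeared and svc_backup joined the root group.
PASSWD_CURRENT = """root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
finance:x:1001:1001:Finance reporting:/home/finance:/bin/sh
svc_backup:x:1002:1002:Backup service:/var/backup:/bin/bash
"""
GROUP_CURRENT = """root:x:0:svc_backup
finance:x:1001:finance
auditors:x:1002:finance
"""
# Constructed file set as {path: (content, mtime)}. /bin/login is replaced
# by a same-size file with its mtime restored, so only the signature check
# notices; /etc/hosts changes in size, mtime and signature.
FILES_SNAPSHOT = {"/bin/login": (b"LOGIN-BINARY-v1", 1000),
                  "/etc/hosts": (b"127.0.0.1 localhost\n", 900)}
FILES_CURRENT = {"/bin/login": (b"LOGIN-BINARY-v2", 1000),
                 "/etc/hosts": (b"127.0.0.1 localhost\n10.0.0.5 fileserver\n", 1200),
                 "/usr/bin/helper": (b"NEW", 1300)}


def parse_colon_file(text, field_names):
    """Parse a passwd/group style file into {name: {field: value}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *values = line.split(":")
        entries[name] = dict(zip(field_names, values))
    return entries


def file_attributes(files):
    """One record per path: size, modification time and MD5 signature
    (on a real host these come from os.stat() and the file contents)."""
    return {path: {"size": len(content), "mtime": mtime,
                   "md5": hashlib.md5(content).hexdigest()}
            for path, (content, mtime) in files.items()}


def snapshot_diff(baseline, current):
    """Return (new, changed, removed). `changed` maps each key present in
    both states to the sorted list of attributes whose values differ."""
    new = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = {}
    for key in sorted(set(baseline) & set(current)):
        attrs = set(baseline[key]) | set(current[key])
        diffs = sorted(a for a in attrs
                       if baseline[key].get(a) != current[key].get(a))
        if diffs:
            changed[key] = diffs
    return new, changed, removed


def account_integrity(passwd_snap, passwd_now, group_snap, group_now):
    """New/Changed/Deleted accounts and groups since the last snapshot."""
    return {
        "accounts": snapshot_diff(parse_colon_file(passwd_snap, PASSWD_FIELDS),
                                  parse_colon_file(passwd_now, PASSWD_FIELDS)),
        "groups": snapshot_diff(parse_colon_file(group_snap, GROUP_FIELDS),
                                parse_colon_file(group_now, GROUP_FIELDS)),
    }


def file_attribute_changes(snap_files, cur_files):
    """Changed file (size / modification time / signature) and new files."""
    return snapshot_diff(file_attributes(snap_files), file_attributes(cur_files))


if __name__ == "__main__":
    result = account_integrity(PASSWD_SNAPSHOT, PASSWD_CURRENT,
                               GROUP_SNAPSHOT, GROUP_CURRENT)
    result["files"] = file_attribute_changes(FILES_SNAPSHOT, FILES_CURRENT)
    for title, (new, changed, removed) in result.items():
        print(f"{title}: new={new} changed={changed} removed={removed}")
```

Note that the replaced /bin/login is reported only by the signature attribute, which is why the policy enables the signature check alongside the size and time checks.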


File Attributes template files

File and directory permissions are compared with settings in New File templates. The module uses the following New File templates for specific operating systems.

OS | File name | Template name
AIX 4, 5 | fileatt.aix | New File - AIX
HP-UX 10-11 | fileatt.hpx | New File - HP-UX 10-11
Red Hat Linux | fileatt.li | New File - Linux
Solaris 2.6-9 | fileatt.sol | New File - Solaris 2.6
SUSE Linux | fileatt.sl | New File - SUSE Linux

You can add New File templates to a copy of this policy or you can add files to copies of default templates to expand the scope of files that are monitored for changes. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide.

File Find module

The File Find module reports new setuid and setgid files since the last snapshot update.

Check | COSO | COBIT | Rationale
New setuid files | RA, M | PO9.3, M2.4 | New setuid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
New setgid files | RA, M | PO9.3, M2.4 | New setgid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.

File Watch module

The File Watch module creates and maintains a snapshot file for each agent on which you run the module. The File Watch template specifies the files or directories to be checked, the depth of directory traversal, and the types of changes to be evaluated. Malicious File Watch templates identify known attack signatures for malicious files checks.

Check | COSO | COBIT | Rationale
Changed files (ownership) | CE, CA, M | PO4.9 | Ownership changes could indicate unauthorized access.
Changed files (permissions) | CE, CA, M | PO4.9 | File permissions changes could indicate unauthorized access.
Changed files (signature) | CA, M | AI3.6, M2.4 | File signature changes could indicate unauthorized access.
New files | CA, M | DS5.19 | Files that were added to the watched directories could indicate denial of service.
Removed files | CA, M | DS5.17 | Files that were removed from the watched directories could indicate unauthorized access.
Malicious files | CA, IC, M | DS5.7, DS5.19, DS9.5 | The presence of known malware is a clear indication of system compromise. Malicious software could pose a threat to the confidentiality, integrity, and availability of information that is used for financial reporting.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Automatically update snapshots | N/A | N/A | Enabling this option automatically updates snapshots with current information. All changes are still reported. This option is set by default in the policy.

The Malicious files check is also activated in the Change Notification policy. This is because in the Change Notification policy, which is recommended to be run daily, the check only examines the most likely directories to find malicious files. In the Resource Review policy, the entire directory tree is searched. Symantec believes this is a reasonable compromise between the risks associated with malicious files and the resources required to scan for them.

File Watch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

OS | File name | Template name
All UNIX, Linux | unix.fw | File Watch - all
All UNIX, Linux | unixsysroot.mfw, unixhidesysroot.mfw | Malicious File Watch - all

Note: Do not edit Malicious File Watch files.

You can add New File templates to a copy of this policy or you can add files to copies of default templates to expand the scope of files that are monitored for changes. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide.

Network Integrity module

The Network Integrity module reports:

■ Listening TCP and UDP ports

■ Listening TCP and UDP ports that changed owners since the last snapshot update

■ TCP and UDP ports that started listening since the last snapshot update

Check | COSO | COBIT | Rationale
New listening TCP ports | CA, M | DS5.2, DS5.17, M2.4 | New listening ports should be reviewed to ensure that they are authorized.
Modified listening TCP ports | CA, M | DS5.2, DS5.17, M2.4 | Modified listening ports should be reviewed to ensure that they still comply with policy and requirements.
New listening UDP ports | CA, M | DS5.2, DS5.17, M2.4 | New listening ports should be reviewed to ensure that they are authorized.
Modified listening UDP ports | CA, M | DS5.2, DS5.17, M2.4 | Modified listening ports should be reviewed to ensure that they still comply with policy and requirements.


Object Integrity module

The UNIX Object Integrity module reports new devices, deleted devices, and device changes.

The module also creates and maintains the sifdev.dat device snapshot files. Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect changes.

Check | COSO | COBIT | Rationale
New devices | CE, IC, CA | PO4.9, AI3.6 | Since devices can only be installed, deleted, or changed by a user with privileges, new devices should be examined to ensure they were authorized.
Deleted devices | CE, IC, CA | PO4.9, AI3.6 | Since devices can only be installed, deleted, or changed by a user with privileges, deleted devices should be examined to ensure they were authorized.
Changed devices | CE, IC, CA | PO4.9, AI3.6 | Since devices can only be installed, deleted, or changed by a user with privileges, changed devices should be examined to ensure changes were authorized.

Oracle Accounts module

Note: Symantec ships the Oracle modules in separate policy files. On machines running one or more Oracle servers, you must install the Oracle policies separately.

The Oracle Accounts module reports on new accounts, privileges and roles, as well as recreated accounts.

Check | COSO | COBIT | Rationale
New directly granted roles | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All new directly granted roles since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
New directly granted privileges | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All new directly granted privileges since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
New database accounts | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All new database accounts since the last snapshot update should be reviewed to ensure that unauthorized access has not been granted.
Database account creation date changed | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Accounts that have been recreated since the last snapshot update should be reviewed to ensure unauthorized access has not been granted.

Oracle Auditing module

The Oracle Auditing module reports on changes to audit system settings.

Check | COSO | COBIT | Rationale
New statement auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
Deleted statement auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
Changed statement auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
New object auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
Deleted object auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
Changed object auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
New privilege auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
Deleted privilege auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.
Changed privilege auditing | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | Changes to auditing parameters should be reviewed to ensure they are authorized.

Oracle Configuration module

The Oracle Configuration module reports on new and deleted redo log files and control files.

Check | COSO | COBIT | Rationale
New redo log files | CA, IC, M | DS5.3 | New redo log files could be an indication of tampering.
Deleted redo log files | CA, IC, M | DS5.3, DS5.17 | Deleted redo log files could be an indication of tampering.
New control files | CA, IC, M | AI3.3, DS5.3 | New control files could be an indication of tampering.
Deleted control files | CA, IC, M | AI3.3, DS5.3, DS5.17 | Deleted control files could be an indication of tampering.


Oracle Profiles module

The Oracle Profiles module reports on new profiles created since the last snapshot.

Check | COSO | COBIT | Rationale
New profiles | CE, IC | PO4.9 | New profiles should be reviewed to ensure the privileges specified are in accordance with policy.

Oracle Roles module

The Oracle Roles module reports on new roles, nested roles and privileges created since the last snapshot.

Check | COSO | COBIT | Rationale
New roles | CE, IC, RA, CA, M | PO4.9, PO9.3, PO9.7, AI3.6, DS5.5 | Review new roles to ensure compliance with policy and business needs.
New privileges | CE, IC, RA, CA, M | PO4.9, PO9.3, PO9.7, AI3.6, DS5.5 | Review new privileges to ensure compliance with policy and business needs.
New nested roles | CE, IC, RA, CA, M | PO4.9, PO9.3, PO9.7, AI3.6, DS5.5 | Review new nested roles to ensure compliance with policy and business needs. Nested roles can be confusing and should be used only when necessary.

Oracle Tablespace module

The Oracle Tablespace module reports on new and deleted tablespaces.

Check | COSO | COBIT | Rationale
New tablespaces | RA, CA, IC, M | PO9.7, DS5.3, DS5.17, M2.1 | Review new tablespaces to ensure no unauthorized access has been granted.
Deleted tablespaces | RA, CA, IC, M | PO9.7, DS5.3, DS5.17, M2.1 | Review deleted tablespaces to ensure no needed authorizations have been removed.
New tablespace datafiles | RA, CA, IC, M | PO9.7, DS5.3, DS5.17, M2.1 | Review new tablespace datafiles to ensure they are authorized.
Deleted tablespace datafiles | RA, CA, IC, M | PO9.7, DS5.3, DS5.17, M2.1 | Review deleted tablespace datafiles to ensure no reportable data has been removed.

Startup Files module

The Startup Files module reports services that were added or deleted since the last snapshot update.

Check | COSO | COBIT | Rationale
Changed services | CA, M | AI3.3, DS5.19, M2.4 | Changes to an authorized service can indicate a system compromise.
New services | CA, M | AI3.3, DS5.19, M2.4 | Unauthorized services can be used to gain unauthorized access.
Deleted services | CA, M | AI3.3, DS5.19, M2.4 | Some services are essential for proper security operation of the system. Deleted services could indicate the compromise of the integrity of information that is used for financial reporting.


Resource Review policy

The modules that are included in this policy are described below, with information about the checks that are enabled in each module. The following details are provided for individual security checks:

■ References to the COSO components of internal control

■ References to the COBIT control objectives

■ Brief rationale for enabling the check

■ Associated templates (if applicable)

■ Associated name lists (if applicable)

■ Keyword lists (if applicable)

■ Word lists (if applicable)

This policy is read-only. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

Note: Default values for specific security checks are based on industry best practices. Control objectives do not identify specific values.

Account Integrity module

The Account Integrity module reports account and account privilege information.

Check | COSO | COBIT | Rationale
Deleted accounts | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All deletions from the /etc/passwd files since the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Deleted groups | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All deletions from the /etc/group files since the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Illegal login shells | CA, IC, M | DS5.17 | The presence of unauthorized login shells could indicate compromised access controls.
Setuid login shells | CA, IC, M | PO9.7, DS5.6 | Setuid login shells could inadvertently allow access to unauthorized users.
Setgid login shells | CA, IC, M | PO9.7, DS5.6 | Setgid login shells could inadvertently allow access to unauthorized users.
Login shell owners | CA, IC, M | DS5.19 | Login shells that are not owned by system accounts (root or bin) can be replaced with Trojan horses that are capable of unauthorized activities.
Login shell permissions | CA, IC, M | DS5.19 | Login shells that are writable by group or world can be replaced with Trojan horses that are capable of unauthorized activities.
Home directories | CE, CA, IC, M | PO7.8, DS5.4 | Inconsistent home directory configurations usually indicate incomplete account termination, which could allow unauthorized access.
Home directory permissions | CE, CA, IC, M | PO4.9, DS5.3 | Home directories can contain not only information that is used for financial reporting but also control files that could lead to unauthorized access. This policy ships with a default setting of 750.
Duplicate IDs | CE, CA, IC | PO4.9, AI3.3 | If each user does not have a unique ID, it could indicate unauthorized access.
Reserved UID/GID | CE, CA, IC, M | PO4.9, DS5.7 | Privileged access to system files could lead to unauthorized access.
Remote-only accounts | CA, IC, M | DS13.8 | These accounts could provide a channel for unauthorized network access to the host.
Password in /etc/passwd | CA, IC, RA, M | PO9.3, DS5.2 | A common password guessing attack involves trying strings that are stored in the /etc/passwd file.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Local accounts only | N/A | N/A | This option is enabled for systems that use NIS for managing the passwd and group files.
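Unlike the Change Notification checks, several Resource Review checks above are point-in-time audits of a single /etc/passwd rather than a comparison with a snapshot. The following is an added example of four of them (Duplicate IDs, Password in /etc/passwd, Illegal login shells, Home directories), not Symantec ESM code; the passwd text, the allowed-shell list and the set of existing home directories are constructed sample values standing in for the policy's name lists and for a real directory check.

```python
"""Point-in-time account checks in the style of the Resource Review
Account Integrity table above (added example, not Symantec ESM code)."""
from collections import defaultdict

PASSWD_FIELDS = ("password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample /etc/passwd (not from a real host). Seeded findings:
# ops2 shares UID 1001 with ops, legacy still carries a hash in the
# password field, contractor uses a shell that is not on the allowed list,
# and departed has an account whose home directory no longer exists.
PASSWD = """root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
ops:x:1001:1001:Operations:/home/ops:/bin/bash
ops2:x:1001:1001:Operations (duplicate):/home/ops2:/bin/bash
legacy:$1$sample$CONSTRUCTEDhashNotReal:1002:1002:Legacy app:/home/legacy:/bin/sh
contractor:x:1003:1003:Contractor:/home/contractor:/opt/tools/xsh
departed:x:1004:1004:Former staff:/home/departed:/bin/bash
"""
# Assumed policy value: ESM would take the allowed shells from a name list.
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/false"}
# Constructed view of the home directories that exist on this host
# (a real check would call os.path.isdir on each entry's home field).
EXISTING_HOMES = {"/root", "/bin", "/home/ops", "/home/ops2",
                  "/home/legacy", "/home/contractor"}
# Password-field values that mean "no password stored here"; the hash
# itself belongs in the shadow file.
NO_PASSWORD_MARKERS = {"x", "*", "!", "!!", "", "NP", "*LK*"}


def parse_passwd(text):
    """Parse passwd text into a list of {field: value} dicts (name included)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *values = line.split(":")
        entry = dict(zip(PASSWD_FIELDS, values))
        entry["name"] = name
        entries.append(entry)
    return entries


def duplicate_ids(entries):
    """Duplicate IDs check: UIDs shared by more than one account."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def password_in_passwd(entries):
    """Password in /etc/passwd check: accounts whose password field holds
    anything other than a placeholder marker."""
    return [e["name"] for e in entries
            if e["password"] not in NO_PASSWORD_MARKERS]


def illegal_login_shells(entries, allowed=ALLOWED_SHELLS):
    """Illegal login shells check: shells outside the allowed list."""
    return [e["name"] for e in entries if e["shell"] not in allowed]


def missing_home_directories(entries, existing=EXISTING_HOMES):
    """Home directories check: accounts whose home directory is absent,
    the usual sign of an incomplete account termination."""
    return [e["name"] for e in entries if e["home"] not in existing]


def resource_review(text):
    """Run the checks above and return the findings keyed by check name."""
    entries = parse_passwd(text)
    return {
        "Duplicate IDs": duplicate_ids(entries),
        "Password in /etc/passwd": password_in_passwd(entries),
        "Illegal login shells": illegal_login_shells(entries),
        "Home directories": missing_home_directories(entries),
    }


if __name__ == "__main__":
    for check, finding in resource_review(PASSWD).items():
        print(f"{check}: {finding or 'no findings'}")
```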


File Access module

The File Access module reports user accounts with write permission on specified files.

Check | COSO | COBIT | Rationale
Write permission | CA, RA | PO9.3, AI3.3 | Giving write permissions to accounts other than root for the listed files could allow unauthorized access.

File Attributes module

The File Attributes module reports violations of file permissions that are specified in new templates.

Check | COSO | COBIT | Rationale
User ownership | CE, RA | PO4.9, PO9.7, DS5.3 | Improper file ownership controls could allow unauthorized access.
Group ownership | CE, RA | PO4.9, PO9.7, DS5.3 | Improper group ownership controls could allow unauthorized access.
Permissions | CE, RA | PO4.9, PO9.7, DS5.3 | Improper file permissions could allow unauthorized access.
Exclude decreased permissions | N/A | N/A | This check is enabled to reduce irrelevant information in the report.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Ignore symbolic links | N/A | N/A | Examining symbolic links could produce false positive alerts.

File Attributes template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Each default File Attributes template is for a specific operating system. The default File Attributes template files have the following names and extensions.

OS | File name | Template name
AIX 4, 5 | fileatt.aix | New File - AIX
HP-UX 10 | fileatt.hpx | New File - HP-UX 10-11

Page 35: Symantec Enterprise Security Manager™ Policy …No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd.,

35Mappings to PoliciesResource Review policy

You can add new File templates to a copy of this policy or you can add files to copies of default templates to expand the scope of files that are monitored for changes. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

File Find moduleThe File Find module reports weaknesses in file permissions and configuration files.

Red Hat ES fileatt.li New File - Linux

Solaris 2.6-9 fileatt.sol New File - Solaris 2.6

SUSE Linux fileatt.sl New File - SuSE Linux

OS File name Template name

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Setuid files | RA, M | PO9.3, M2.4 | Setuid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
Setgid files | RA, M | PO9.3, M2.4 | Setgid files should be carefully examined to ensure that they are not a vehicle for unauthorized access.
World-writeable directories without sticky bit | RA, M | PO9.3, M2.4 | World-writeable directories without the sticky bit let any user delete files in the directory (intentionally or unintentionally).
Device files not in /dev | CA, IC, M | AI3.3, DS5.17 | Mislocated device files could indicate system compromise and could be used to gain unauthorized access to other system resources.
World-writeable files | RA, M | PO9.3, M2.4 | World-writeable files can be used to gain unauthorized access.
Uneven file permissions | RA, M | PO9.3, M2.4 | Uneven permissions could allow unauthorized access.
Unowned directories and files | CE, CA, IC, M | PO7.8, DS5.3 | Access to unowned directories and files could be inherited by newly created accounts and groups.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
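The File Find checks above are plain stat-bit tests, so they can be reproduced with a short audit walker. The following is an added example, not Symantec ESM code: it implements the setuid, setgid, world-writable file, world-writable directory without sticky bit, device file outside /dev, and unowned checks over a scratch tree that it constructs itself; the file names in that tree and the check labels are the example's own.

```python
import functools
import grp
import os
import pwd
import stat
import tempfile


def _owner_known(st):
    """True when both the uid and the gid of an entry resolve to a defined
    account and group; anything else is 'unowned' in the File Find sense."""
    try:
        pwd.getpwuid(st.st_uid)
        grp.getgrgid(st.st_gid)
    except KeyError:
        return False
    return True


def find_file_findings(root, device_dir="/dev"):
    """Walk `root` and return a sorted list of (check, path) findings that
    mirror the File Find rows: setuid, setgid, world-writable file,
    world-writable dir no sticky, device file outside /dev, unowned.
    Symbolic links are skipped, as the 'Ignore symbolic links' option does:
    a link's own mode bits mean nothing, and following it would report the
    target twice."""
    findings = []
    device_dir = os.path.realpath(device_dir)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            if stat.S_ISDIR(mode):
                # A shared directory is only safe when the sticky bit stops
                # users deleting or renaming each other's files in it.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append(("world-writable dir no sticky", path))
            else:
                if mode & stat.S_ISUID:
                    findings.append(("setuid", path))
                if mode & stat.S_ISGID:
                    findings.append(("setgid", path))
                if mode & stat.S_IWOTH:
                    findings.append(("world-writable file", path))
                if (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)) and \
                        not os.path.abspath(path).startswith(device_dir + os.sep):
                    findings.append(("device file outside /dev", path))
            if not _owner_known(st):
                findings.append(("unowned", path))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: a scratch tree with one condition per check
    that an unprivileged user can create (device nodes need root, so that
    check is only exercised on a real system). Returns the tree's root."""
    root = tempfile.mkdtemp(prefix="filefind-")

    def touch(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)

    touch("suid_tool", 0o4755)     # setuid executable
    touch("sgid_tool", 0o2755)     # setgid executable
    touch("notes.txt", 0o666)      # world-writable file
    touch("private.txt", 0o600)    # compliant file, must not be reported
    os.mkdir(os.path.join(root, "shared_ok"))
    os.chmod(os.path.join(root, "shared_ok"), 0o1777)   # sticky set: allowed
    os.mkdir(os.path.join(root, "shared_bad"))
    os.chmod(os.path.join(root, "shared_bad"), 0o777)   # no sticky: finding
    return root


@functools.lru_cache(maxsize=None)
def sample_finding_names():
    """Audit one freshly built sample tree and return {(check, file name)}."""
    return {(check, os.path.basename(path))
            for check, path in find_file_findings(build_sample_tree())}


if __name__ == "__main__":
    for check, name in sorted(sample_finding_names()):
        print(f"{check:30s} {name}")
```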


File Watch module

The File Watch module creates and maintains a snapshot file for each agent on which you run the module. The File Watch template specifies the files or directories to be checked, the depth of directory traversal, and the types of changes to be evaluated. Malicious File Watch templates identify known attack signatures for malicious files checks.

The Malicious files check is also activated in the Resource Review policy because in the Change Notification policy, which is recommended to be run daily, the check examines only the directories in which malicious files are most likely to be found. In the Resource Review policy, the entire directory tree is searched. Symantec believes this is a reasonable compromise between the risks associated with malicious files and the resources required to scan for them.

File Watch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Note: Do not edit Malicious File Watch files.

You can add new File templates to a copy of this policy or you can add files to copies of default templates to expand the scope of files that are monitored for changes. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Malicious files | CA, IC, M | DS5.7, DS5.19, DS9.5 | The presence of known malware is a clear indication of system compromise. Malicious software could pose a threat to the confidentiality, integrity, and availability of information that is used for financial reporting.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.

OS | File name | Template name
--- | --- | ---
All UNIX, Linux | unixroot.mfw, unixhideroot.mfw | Malicious File Watch - all


Login Parameters module

The Login Parameters module reports:

■ Accounts that have never been used or have not been used within a specified number of days

■ Failed logins within a specified number of days

■ Accounts with expired passwords

■ Locked accounts

■ Accounts with failed password changes

■ Devices that have reported failed logins on agents that are running in trusted or enhanced mode

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Inactive accounts | CE, CA, IC, M | PO7.8, DS5.4, DS5.17 | Unused accounts that could allow unauthorized access should be removed. This policy ships with a default setting of 30 days of inactivity.
Login failures | CE, CA, IC, M | PO6.8, DS5.7 | Excessive login failures could indicate attempts to gain unauthorized access.
Password expired | CE, CA, IC, M | PO7.8, DS5.17 | Expired passwords could indicate an unused account that has not been terminated, which could allow unauthorized access.
Locked accounts | CE, CA, IC, M | PO6.8, DS5.7, M2.4 | Accounts are usually locked due to excessive login failures, which could indicate attempts to gain unauthorized access.
Password changes failed | CE, CA, IC, M | PO6.8, DS5.7 | Excessive password change failures could indicate an attempt to guess a password.
Devices with failed logins | CE, CA, IC, M | PO6.8, DS5.7 | Excessive login failures could indicate attempts to gain unauthorized access.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Local accounts only | N/A | N/A | This option is enabled for systems that use NIS to manage passwd and group files.

Network Integrity module

The Network Integrity module reports listening TCP and UDP ports.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Listening TCP ports | CA, M | DS5.2, DS5.17 | Unauthorized listening ports cannot be properly protected against common threats that can be used to compromise the integrity of information that is used for financial reporting.
Listening UDP ports | CA, M | DS5.2, DS5.17 | Unauthorized listening ports cannot be properly protected against common threats that can be used to compromise the integrity of information that is used for financial reporting.

Object Integrity module

The UNIX Object Integrity module reports:

■ Changes in ownership, permissions, and device IDs in special device files that are located in your computer’s device directory

■ New devices, deleted devices, and device changes

The module also creates and maintains the sifdev.dat device snapshot files. Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect changes.

Note: When checking UNIX file permissions, this module examines only the basic user/group/other and read/write/execute permissions. It does not consider extended permissions such as access control lists (ACLs), which are available on some UNIX platforms and some third-party extensions.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Disk and memory access | RA, CA | PO9.3, PO9.7, AI3.3 | Access to the raw disk and memory devices must be restricted to privileged users.


Oracle Accounts module

The Oracle Accounts module reports on a variety of privileges that should be monitored to ensure that proper authorizations are granted, revoked, and maintained over time.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Users in OS DBA groups (include dba, oper, osdba, osoper) | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Users with privileges should be periodically reviewed to ensure authority is current.
Grantable roles (excludes DBSNMP, SYS, SYSTEM) | CE, CA, IC, M | PO4.9, PO4.10, DS5.4, DS5.5 | Users with roles that they can grant to other users should be periodically reviewed to ensure their authority is current, and that collusion is not violating proper separation of duties.
Directly granted roles (excludes DBSNMP, SYS, SYSTEM) | CE, CA, IC, M | PO4.9, PO4.10, DS5.4, DS5.5 | Ensure roles are assigned for proper user authorization and proper segregation of duties.
Deleted directly granted roles | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All deletions of directly granted roles since the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Grantable privileges (excludes DBA, DBSNMP, ESMDBA, SYS, SYSTEM) | CE, CA, IC, M | PO4.9, PO4.10, DS5.4, DS5.5 | Users with privileges that they can grant to other users should be periodically reviewed to ensure their authority is current, and that collusion is not violating proper separation of duties.
Directly granted privileges (excludes DBA, DBSNMP, ESMDBA, SYS, SYSTEM) | CE, CA, IC, M | PO4.9, PO4.10, DS5.4, DS5.5 | Generally, privileges should be assigned through roles. Ensure directly granted privileges do not violate proper segregation of duties, or provide access privileges that are higher than needed.
Deleted directly granted privileges | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All deletions of directly granted privileges since the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Database accounts (excludes DBA, DBSNMP, SYS, SYSTEM) | CE, CA, IC, M | PO4.9, PO4.10, DS5.4, DS5.5 | Ensure proper user authorization based on roles and responsibilities and proper segregation of duties.
Deleted database accounts | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | All deletions of database accounts since the last snapshot update should be reviewed to ensure that authorized access has not been removed.
Password protected default role | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | Password protected roles are assumed to be sensitive. If a password protected role is assigned as the default role for a user, the password protection is bypassed, and may provide unintended access privileges for that user.
Users to check (exclude SYS, SYSTEM) | N/A | N/A | These users are excluded from the Granted prohibited roles check.
Granted prohibited roles (include CONNECT, DBA, RESOURCE) | CE, CA, IC, M | PO4.9, DS5.4, DS5.5 | These system level roles should not be granted to standard users.

Oracle Auditing module

The Oracle Auditing module reports on audit system settings that should be periodically reviewed for policy compliance.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Audit trail protection | CA | DS5.10 | Only administrators should have the ability to manipulate audit logs.
Statement auditing | CA, IC, M | AI3.7, DS5.10 | Review audit settings to ensure compliance with policy.
Object auditing | CA, IC, M | AI3.7, DS5.10 | Review audit settings to ensure compliance with policy.
Privilege auditing | CA, IC, M | AI3.7, DS5.10 | Review audit settings to ensure compliance with policy.
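The Oracle Accounts reviews above (grantable roles, directly granted privileges, password protected default role, granted prohibited roles) are each a query over the Oracle data dictionary. The following is an added example and not Symantec ESM code: it expresses those four reviews as SQL over the DBA_ROLE_PRIVS, DBA_ROLES, DBA_SYS_PRIVS and DBA_USERS views, using the exclude and include name lists from the check names, and runs them against in-memory sqlite3 tables shaped like those views and loaded with constructed rows (the account and role names are the example's own).

```python
import sqlite3

# Name lists taken from the check names in the Oracle Accounts table.
GRANTABLE_ROLE_EXCLUDES = ("DBSNMP", "SYS", "SYSTEM")
DIRECT_PRIV_EXCLUDES = ("DBA", "DBSNMP", "ESMDBA", "SYS", "SYSTEM")
PROHIBITED_ROLES = ("CONNECT", "DBA", "RESOURCE")
USERS_TO_SKIP = ("SYS", "SYSTEM")


def _marks(values):
    """Build a '?, ?, ?' placeholder list so name lists stay parameterised."""
    return ", ".join("?" for _ in values)


# Each review is (SQL over the data dictionary views, bind parameters).
REVIEWS = {
    "grantable roles": (
        "SELECT grantee, granted_role FROM dba_role_privs "
        f"WHERE admin_option = 'YES' AND grantee NOT IN ({_marks(GRANTABLE_ROLE_EXCLUDES)}) "
        "ORDER BY grantee, granted_role",
        GRANTABLE_ROLE_EXCLUDES),
    "directly granted privileges": (
        # Joining DBA_USERS keeps only grants made straight to a user;
        # grants to a role (the recommended route) are left out.
        "SELECT sp.grantee, sp.privilege FROM dba_sys_privs sp "
        "JOIN dba_users u ON u.username = sp.grantee "
        f"WHERE sp.grantee NOT IN ({_marks(DIRECT_PRIV_EXCLUDES)}) "
        "ORDER BY sp.grantee, sp.privilege",
        DIRECT_PRIV_EXCLUDES),
    "password protected default role": (
        # A password-protected role that is also a user's default role is
        # enabled at logon without the password, so the protection is moot.
        "SELECT rp.grantee, rp.granted_role FROM dba_role_privs rp "
        "JOIN dba_roles r ON r.role = rp.granted_role "
        "WHERE r.password_required = 'YES' AND rp.default_role = 'YES' "
        "ORDER BY rp.grantee, rp.granted_role",
        ()),
    "granted prohibited roles": (
        "SELECT grantee, granted_role FROM dba_role_privs "
        f"WHERE granted_role IN ({_marks(PROHIBITED_ROLES)}) "
        f"AND grantee NOT IN ({_marks(USERS_TO_SKIP)}) "
        "ORDER BY grantee, granted_role",
        PROHIBITED_ROLES + USERS_TO_SKIP),
}


def run_reviews(conn):
    """Run every review; return {name: [(grantee, role_or_privilege), ...]}."""
    return {name: conn.execute(sql, params).fetchall()
            for name, (sql, params) in REVIEWS.items()}


def sample_connection():
    """In-memory tables shaped like the Oracle views, loaded with constructed
    rows: one clean account (FIN_APP), one over-privileged account (JDOE)
    and one standard user holding a prohibited role (AUDITOR)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dba_users (username TEXT);
        CREATE TABLE dba_roles (role TEXT, password_required TEXT);
        CREATE TABLE dba_role_privs (grantee TEXT, granted_role TEXT,
                                     admin_option TEXT, default_role TEXT);
        CREATE TABLE dba_sys_privs (grantee TEXT, privilege TEXT, admin_option TEXT);
    """)
    conn.executemany("INSERT INTO dba_users VALUES (?)",
                     [(u,) for u in ("SYS", "SYSTEM", "DBSNMP", "FIN_APP", "JDOE", "AUDITOR")])
    conn.executemany("INSERT INTO dba_roles VALUES (?, ?)", [
        ("CONNECT", "NO"), ("RESOURCE", "NO"), ("DBA", "NO"),
        ("FIN_REPORT", "NO"), ("FIN_ADJUST", "YES")])
    conn.executemany("INSERT INTO dba_role_privs VALUES (?, ?, ?, ?)", [
        ("SYS", "DBA", "YES", "YES"), ("SYSTEM", "DBA", "YES", "YES"),
        ("JDOE", "CONNECT", "NO", "YES"), ("JDOE", "FIN_REPORT", "YES", "YES"),
        ("JDOE", "FIN_ADJUST", "NO", "YES"), ("FIN_APP", "FIN_ADJUST", "NO", "NO"),
        ("AUDITOR", "RESOURCE", "NO", "YES")])
    conn.executemany("INSERT INTO dba_sys_privs VALUES (?, ?, ?)", [
        ("DBA", "CREATE ANY TABLE", "YES"), ("SYSTEM", "CREATE ANY TABLE", "YES"),
        ("JDOE", "SELECT ANY TABLE", "NO")])
    return conn


if __name__ == "__main__":
    for name, rows in run_reviews(sample_connection()).items():
        print(f"{name}: {rows}")
```

Against a real instance the same four statements can be run with any Oracle client by an account that can read the DBA_ views; only the sample tables are sqlite-specific.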


Oracle Networks module

The Oracle Networks module contains two administrative options to ensure ESM coverage on all Oracle instances.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
SID configuration | N/A | N/A | Ensure that ESM is configured to examine all needed instances of Oracle.
Oracle system identifiers (SIDs) | N/A | N/A | Ensure that ESM is configured to examine all needed instances of Oracle.

Oracle Objects module

The Oracle Objects module reports on object privileges that should be periodically reviewed for appropriateness and authorization.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Access to SYS.ALL_SOURCE (excludes SYS, SYSTEM) | CE, IC, CA, M | PO4.9, AI3.7, DS5.3 | Review the access list to ensure that unauthorized users do not have access to the SYS.ALL_SOURCE system table.
Table privileges | N/A | N/A | Customer experience will indicate what specific tables to include or exclude in this check.
Object name | N/A | N/A | Customer experience will indicate what specific objects to include or exclude in this check.
Grantors | N/A | N/A | Customer experience will indicate what specific accounts to include or exclude in this check.
Grantable privilege (excludes SYS, SYSTEM) | CE, IC, CA, M | PO4.9, DS5.3 | Review this report to ensure compliance with policy and business needs.
Directly granted privilege (excludes SYS, SYSTEM) | CE, IC, CA, M | PO4.9, DS5.3 | Review this report to ensure compliance with policy and business needs.


Oracle Passwords module

The Oracle Passwords module reports on accounts with obviously weak passwords.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Password = wordlist word | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for variations of wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Password = username | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match the user name are easy to guess and could compromise the integrity of information that is used for financial reporting.
Password = any username | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match any user name are easy to guess and could compromise the integrity of information that is used for financial reporting.
Reverse order | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for variations of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Double occurrences | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for double occurrences of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Plural | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for reverse spellings of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Well known passwords | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for well-known passwords to guess passwords and compromise the integrity of information that is used for financial reporting.
Password display | N/A | N/A | This check reports guessed passwords.


Oracle Profiles module

The Oracle Profiles module reports on a variety of profile, login, and password controls.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Profile enforcement | CE, IC | PO4.9 | SIDs that are not compliant with a profile could be an indication of unauthorized access.
Profiles | CE, IC | PO4.9 | Profile definitions should be reviewed to ensure currency and compliance with policy.
Deleted profiles | CE, IC | PO4.9 | Deleted profiles should be reviewed to ensure compliance with policy.
Failed logins | CE, CA, IC, M | PO6.8, DS5.7 | Multiple consecutive failed logins can be an indication of intrusion attempts. By default, this check is set to 3.
Password duration | CA, RA, M | PO9.7, DS5.2, DS5.17 | Passwords should be changed often to make guessing passwords more difficult. This policy ships with a default setting of 60 days.
Password lock time | CA, RA, M | PO9.7, DS5.2, DS5.17 | Passwords are locked after multiple failed login attempts. This policy ships with a default setting of 365 days to emulate a setting that would require administrator intervention with locked accounts.
Password reuse maximum | CA, RA, M | PO9.7, DS5.2, DS5.17 | Limiting reuse of previously used passwords reduces the risk of discovery. This policy ships with a default setting of 4 prior passwords.
Password reuse time | N/A | N/A | It is necessary to set this parameter to UNLIMITED for proper ESM operation.

Oracle Roles module

The Oracle Roles module reports on changes to and attributes of roles and privileges that should be periodically reviewed.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Roles | CE, IC, CA, M | PO4.9, PO4.10, DS5.3 | Review all roles for compliance with policy and business needs.
Deleted roles | CE, IC | PO4.9 | Review deleted roles to ensure needed authorizations have not been removed.
Privileges | CE, IC, CA, M | PO4.9, PO4.10, DS5.3 | Review all privileges for compliance with policy and business needs.
Deleted privileges | CE, IC | PO4.9 | Review deleted privileges to ensure needed authorizations have not been removed.
Grantable privileges | CA, IC, M | DS5.17 | Grantable privileges are a potential risk. Review to ensure any roles with grantable privileges are authorized.
Nested roles | CE, IC, CA, M | PO4.9, PO4.10, DS5.3 | Review nested roles to ensure the privileges they convey are clearly understood and justified by business need.
Deleted nested roles | CE, IC | PO4.9 | Review deleted nested roles to ensure no needed authorizations have been removed.
Grantable nested roles | CA, IC, M | DS5.17 | Grantable nested roles are a potential risk. Review to ensure any roles with grantable privileges are authorized.
DBA equivalent roles (DBA, IMP_FULL_DATABASE) | CA, IC, M | DS5.3, DS5.17 | Review highly privileged accounts to confirm they are needed and authorized. Customers should add any other DBA equivalent roles used in their environment to the name list.
Granted Oracle DBA role | CA, IC, M | DS5.3, DS5.17 | Review highly privileged accounts to confirm they are needed and authorized.

Oracle Tablespace module

The Oracle Tablespace module reports on tablespace data files with inadequate file system access permissions.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Tablespace data files | CA, IC, M | DS5.3 | This policy ships with a default setting of 700. Tablespace data files that have access rights less restrictive than the setting could be at risk for tampering or deletion.


Password Strength module

The Password Strength module reports the following weak passwords:

■ Passwords that match the user name

■ Passwords that match any user name on the system

■ Passwords that match any word in word list files

The Password Strength module also reports accounts with no passwords.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Password = username | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match the user name are easy to guess and could compromise the integrity of information that is used for financial reporting.
Password = any username | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Passwords that match any user name are easy to guess and could compromise the integrity of information that is used for financial reporting.
Password within GECOS field | CA, IC, RA, M | PO9.3, DS5.2 | Passwords that match information in the GECOS field are easily guessed passwords and do not meet the COBIT/COSO requirement for adequate authentication and access controls.
Password = wordlist word | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for variations of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Reverse order | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for reverse spellings of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Double occurrences | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for repetition of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Plural forms | RA, CA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Attackers often look for plural forms of user names and wordlist words to guess passwords and compromise the integrity of information that is used for financial reporting.
Uppercase | CA, IC, RA, M | PO9.3, DS5.2 | Easily guessed passwords do not meet the COBIT/COSO requirement for adequate authentication and access controls. Attackers look for uppercase variations of user names and wordlist words to guess passwords and gain unauthorized access.
Lowercase | CA, IC, RA, M | PO9.3, DS5.2 | Easily guessed passwords do not meet the COBIT/COSO requirement for adequate authentication and access controls. Attackers look for lowercase variations of user names and wordlist words to guess passwords and gain unauthorized access.
Guessed password | CA, IC, RA, M | PO9.3, DS5.2 | Reports guessed passwords.
Accounts without passwords | CA, IC, RA, M | PO9.3, DS5.2 | Controls to authenticate and permit access only to authorized individuals require effective password management. Accounts that do not require logons could permit unauthorized access.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Users without system password strength (AIX, HP-UX) | CA, IC, RA, M | PO9.3, DS5.2 | When available, system controls on password strength should be used in addition to the ESM checks.
Accounts can be used without a password (HP-UX) | CA, IC, RA, M | PO9.3, DS5.2 | Controls to authenticate and permit access only to authorized individuals require effective password management. Accounts that do not require logons could permit unauthorized access.
Local accounts only | N/A | N/A | This option is enabled for systems that use NIS for managing the passwd and group files.


Startup Files module

The Startup Files module checks the services (daemons) currently running on the system against the Services template.

Services template files

Mandatory, prohibited, and optional services for AIX, HP-UX, Solaris, and Linux are defined in Services template files.

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

You can add new Services templates to a copy of this policy or you can add files to copies of default templates to expand the scope of files that are monitored for changes. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
Services | CA, IC, M | AI3.7, DS5.17 | Services are a common source of malicious exploitation and must be periodically examined to protect the integrity of information that is used for financial reporting from reasonably anticipated threats or hazards.

OS | File name | Template name
--- | --- | ---
AIX | basic.sai, remote.sai | Services
HP-UX | basic.sh1, remote.sh1 | Services
Red Hat | basic.slx, remote.slx | Services
Solaris | basic.ss6, remote.ss6 | Services
SUSE Linux | basic.ssl, remote.ssl | Services


System Queues module

The System Queues module reports messages that let you modify crontab file owners and permissions on the agent computer. This module lets you create the following:

■ Name lists of users and groups to exclude or include in all System Queues checks

■ Users that are allowed to use the at and batch utilities

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
AT subsystem access | RA, CA | PO9.3, AI3.3 | Access to the scheduling system should be restricted to those with a legitimate business need.
CRON subsystem access | RA, CA | PO9.3, AI3.3 | Access to the scheduling system should be restricted to those with a legitimate business need.
CRONTAB file contents | RA, CA | PO9.3, AI3.3 | Executables invoked by the scheduling system that are world-writable pose a serious risk, since an attacker could insert unauthorized commands that can be run on a scheduled basis.

User Files module

The User Files module reports on a variety of questionable ownership and permission settings in user home directories.

Check | COSO | COBIT | Rationale
--- | --- | --- | ---
File ownership | CA, IC, RA, M | PO9.3, DS5.6 | Improper file ownership controls could allow unauthorized access.
World-writeable files | CA, IC, RA, M | PO9.3, DS5.6 | World-writeable files could be used to gain unauthorized access.
Setuid or Setgid | CA, IC, RA, M | PO9.3, DS5.6 | Setuid and setgid files should be examined to ensure that they are not a vehicle for unauthorized access.
PATH (using su) | N/A | N/A | This is the recommended method for checking the PATH variable, upon which other checks depend.
Current directory not allowed in PATH | CA, IC, RA, M | PO9.3, DS5.6 | Files writeable by users other than root could allow unauthorized access or privilege escalation.
World-writeable directories in PATH | CA, IC, RA, M | PO9.3, DS5.6 | Files writeable by users other than root could allow unauthorized access or privilege escalation.
Group writeable directories in PATH | CA, IC, RA, M | PO9.3, DS5.6 | Files writeable by users other than root could allow unauthorized access or privilege escalation.
Umask (using su) | N/A | N/A | This is the recommended method for checking the umask value, upon which other checks depend.
Umask | CA, IC, RA, M | PO9.3, DS5.6 | Umask values that are set too low could allow unauthorized access or privilege escalation. This policy ships with a default setting of 027.
Startup file contents | CA, IC, RA, M | PO9.3, DS5.6 | World-writeable files that are executed by system startup scripts could allow unauthorized access or privilege escalation.
Check startup file protection | CA, IC, RA, M | PO9.3, DS5.6 | If startup files are not properly protected, an attacker could change them and hijack the user’s account.
Local disks only | N/A | N/A | This option is enabled for systems that use Network File System (NFS) to serve home directories.
Ignore symbolic links | N/A | N/A | Examining symbolic links could produce false positive alerts.
Local accounts only | N/A | N/A | This option is enabled for systems that use Network Information System (NIS) for managing the password and group files.
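The PATH and umask rows above, together with the 750 home directory default from the Account Integrity table, reduce to a few bit tests on values collected after switching to the user (the "(using su)" options). The following is an added example, not Symantec ESM code: it implements those rules as pure functions and runs them over constructed user records; the record layout, the user names and the directory modes are the example's own assumptions, and the same comparison also covers the 700 tablespace data file default from the Oracle Tablespace table.

```python
import stat

POLICY_UMASK = 0o027       # 'Umask' row: the policy's shipped default
POLICY_HOME_MODE = 0o750   # 'Home directory permissions' row: shipped default


def path_findings(path_value, dir_modes):
    """Evaluate one user's PATH. `dir_modes` maps each directory to its
    st_mode (constructed here; an audit would os.stat each entry after
    `su - user`). Returns [(check, entry)] for the three PATH rows."""
    findings = []
    for entry in path_value.split(":"):
        # An empty element or "." makes the shell search the current
        # directory, so a Trojan horse in any writable cwd runs by name.
        if entry in ("", "."):
            findings.append(("Current directory not allowed in PATH", entry or "(empty)"))
            continue
        mode = dir_modes.get(entry)
        if mode is None:
            continue  # missing directory: nothing to assess here
        # The sticky bit does not help on PATH: anyone can still drop a new
        # file into the directory, so world-writable is reported regardless.
        if mode & stat.S_IWOTH:
            findings.append(("World-writeable directories in PATH", entry))
        elif mode & stat.S_IWGRP:
            findings.append(("Group writeable directories in PATH", entry))
    return findings


def umask_too_permissive(umask_value, policy_umask=POLICY_UMASK):
    """Return the permission bits the policy umask would clear but this
    umask leaves set (0 when compliant). 022 against 027 yields 005: new
    files stay world-readable and world-executable."""
    return policy_umask & ~umask_value


def excess_permissions(mode, max_mode=POLICY_HOME_MODE):
    """Return the bits in `mode` that `max_mode` does not allow (0 when
    compliant). The same comparison serves the 750 home directory default
    here and the 700 tablespace data file default; setuid, setgid and sticky
    are included so an unexpected setgid directory is reported too."""
    return (mode & 0o7777) & ~max_mode


def user_file_findings(user):
    """Apply all three rule families to one user's collected settings and
    return a list of (check, detail) pairs suitable for a report."""
    name = user["name"]
    findings = [(check, f"{name}: {entry}")
                for check, entry in path_findings(user["path"], user["dir_modes"])]
    leaked = umask_too_permissive(user["umask"])
    if leaked:
        findings.append(("Umask", f"{name}: umask {user['umask']:03o} leaves {leaked:03o} set"))
    extra = excess_permissions(user["home_mode"])
    if extra:
        findings.append(("Home directory permissions",
                         f"{name}: mode {user['home_mode']:04o} exceeds "
                         f"{POLICY_HOME_MODE:03o} by {extra:04o}"))
    return findings


# Constructed records of the kind an audit would collect via su for each user.
SAMPLE_USERS = [
    {"name": "alice", "path": "/usr/bin:/bin",
     "dir_modes": {"/usr/bin": 0o755, "/bin": 0o755},
     "umask": 0o077, "home_mode": 0o700},
    {"name": "bob", "path": "/usr/bin:.:/opt/tools:/tmp",
     "dir_modes": {"/usr/bin": 0o755, "/opt/tools": 0o775, "/tmp": 0o1777},
     "umask": 0o022, "home_mode": 0o755},
]


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        for check, detail in user_file_findings(user) or [("compliant", user["name"])]:
            print(f"{check:40s} {detail}")
```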


Controls Compliance policy

The Sarbanes-Oxley Controls Compliance policy monitors the configuration of an operating system or database for compliance with the recommended state of control.

The modules that are included in this policy are described below with the checks that are enabled in the module. The following details are provided for individual security checks:

■ References to the COSO components of internal control

■ References to the COBIT control objectives

■ Brief rationale for enabling the check

■ Associated templates (if applicable)

■ Associated name lists (if applicable)

■ Keyword lists (if applicable)

This policy is read-only. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

Note: Default values for specific security checks are based on industry best practices. Control objectives do not identify specific values.

Account Integrity module

The Account Integrity module reports account and account privilege information.

Check | COSO | COBIT | Rationale
Group IDs | CA, IC, M | AI3.3, DS5.5 | Undefined groups (a primary GID with no entry in the group file) could allow accidental inheritance of unauthorized access privileges, which may result in unauthorized access.
Accounts should be disabled (includes adm, bin, ftp, uucp) | CA, IC, M | DS5.2 | Allowing logins on these accounts could lead to unauthorized access.
User shell compliance | RA | PO9.7 | The presence of unauthorized login shells could indicate compromised access controls.
Local disks only | N/A | N/A | This option is enabled for systems that use NFS to serve home directories.
Local accounts only | N/A | N/A | This option is enabled for systems that use NIS for managing the passwd and group files.

Shells template files

The Account Integrity module uses Shells templates to define the legal login shells for the User shell compliance check. You can rename and edit copies of the default templates and enable the new templates in a renamed copy of the policy. See the current Symantec ESM Security Update User’s Guide for UNIX for instructions.

The Account Integrity module uses the default Shells template files shown below for specific operating systems.

OS | File name | Template name
AIX | aix45shc.shc | Shells - all
HP-UX | hp1011shc.shc | Shells - all
Red Hat | lnxes2-3.shc | Shells - all
Solaris | sol26shc.shc | Shells - all
SUSE Linux | lnxsuse8.shc | Shells - all

Login Parameters module

The Login Parameters module reports:

■ Computers that do not log successful or unsuccessful login attempts

■ Computers that allow excessive login retries

■ Root accounts that can be accessed through rlogin or telnet
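The three Login Parameters conditions above can be evaluated from a single file on Solaris, /etc/default/login. The script below is an added example, not Symantec ESM code; it assumes the Solaris semantics of that file (CONSOLE restricts root logins to the console and, when the line is absent or commented out, root may log in from any terminal; RETRIES limits failed attempts, defaulting to 5; SYSLOG=YES logs root logins; SYSLOG_FAILED_LOGINS=0 logs every failed attempt). The two file contents are constructed, one weak and one that meets the policy defaults in the table that follows.

```python
"""Evaluate a Solaris-style /etc/default/login against the Login Parameters checks.

Added example (not Symantec ESM code). The parameter names and the rule that a
commented-out line means "setting not in effect" follow the Solaris
/etc/default/login format; the sample file contents below are constructed.
"""
import re
from typing import Dict, List

# Policy default from the Login retries check: at most 3 attempts.
MAX_RETRIES = 3

# "KEY=VALUE", optionally preceded by "#" (a commented-out, inactive setting).
_LINE = re.compile(r"^\s*(#?)\s*([A-Z0-9_]+)\s*=\s*(\S*)\s*$")


def parse_default_login(text: str) -> Dict[str, str]:
    """Return the active KEY=VALUE pairs. Commented lines are not active."""
    active: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(1) == "#":
            continue  # comment, blank or free text: no setting in effect
        active[m.group(2)] = m.group(3)
    return active


def login_parameter_findings(text: str) -> List[str]:
    """Return one finding per Login Parameters check that fails."""
    cfg = parse_default_login(text)
    findings: List[str] = []

    # Remote root logins: without an active CONSOLE line, root can log in
    # over rlogin/telnet as well as on the console.
    if "CONSOLE" not in cfg:
        findings.append("Remote root logins: CONSOLE is not set, root may log in remotely")

    # Login retries: an absent RETRIES falls back to the system default (5),
    # which already exceeds the policy value.
    retries = cfg.get("RETRIES")
    if retries is None or not retries.isdigit() or int(retries) > MAX_RETRIES:
        findings.append(f"Login retries: RETRIES={retries!r} exceeds policy maximum {MAX_RETRIES}")

    # Successful login attempts not logged: SYSLOG=YES sends root logins to syslog.
    if cfg.get("SYSLOG") != "YES":
        findings.append("Successful login attempts not logged: SYSLOG is not YES")

    # Unsuccessful login attempts not logged: 0 logs every failure, N logs only
    # after N consecutive failures in one session.
    if cfg.get("SYSLOG_FAILED_LOGINS") != "0":
        findings.append("Unsuccessful login attempts not logged: SYSLOG_FAILED_LOGINS is not 0")

    return findings


# Constructed samples: the weak file leaves the Solaris defaults commented out.
WEAK_LOGIN = """# /etc/default/login (constructed sample, weak)
#CONSOLE=/dev/console
PASSREQ=YES
#RETRIES=5
SYSLOG=YES
#SYSLOG_FAILED_LOGINS=5
"""

HARDENED_LOGIN = """# /etc/default/login (constructed sample, meets the policy defaults)
CONSOLE=/dev/console
PASSREQ=YES
RETRIES=3
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, login_parameter_findings(text) or "no findings")
```

The weak file is the interesting case: nothing in it is wrong as such, the settings are merely left at the commented-out defaults, which is exactly the state ESM flags for all three checks.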

Check | COSO | COBIT | Rationale
Successful login attempts not logged | CA, IC, M | AI3.3, DS5.7, DS5.10 | Certain system activities, including logins, must be logged and audited to facilitate monitoring for abuse of privilege.
Unsuccessful login attempts not logged | CA, IC, M | AI3.3, DS5.7, DS5.10 | Unsuccessful logins could indicate attempted unauthorized access. This activity must be logged and audited.
Successful su attempts not logged | CA, IC, M | AI3.3, DS5.7, DS5.10 | Certain system activities, including privilege escalation, must be logged and audited to facilitate monitoring for abuse of privilege.
Unsuccessful su attempts not logged | CA, IC, M | AI3.3, DS5.7, DS5.10 | Unsuccessful privilege escalation could indicate attempted unauthorized access. This activity must be logged and audited.
Remote root logins | CA, IC, RA, M | PO9.7, DS13.8 | Permitting remote root login on an untrusted channel could allow unauthorized access.
Login retries | CA, IC, M | AI3.3, DS5.7, DS5.10 | Allowing repeated retries to log in makes an account vulnerable to password guessing attempts. This policy ships with a default setting of 3.
Local disks only | N/A | N/A | This option is enabled for systems that use Network File System (NFS) to serve home directories.
Local accounts only | N/A | N/A | This option is enabled for systems that use Network Information System (NIS) to manage password and group files.

Network Integrity module

The Network Integrity module reports:

■ Trusted hosts and users

■ Computers with FTP enabled

■ TFTP daemons that are running as privileged users or that are not running in secure mode

■ Computers that are running xhost + in X Windows
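The Trusted hosts and users condition comes from the Berkeley trust files, /etc/hosts.equiv and each user’s ~/.rhosts. The parser and audit below are an added example, not Symantec ESM code; they assume the traditional hosts.equiv(4) line format ("host [user]", where "+" is a wildcard, "+@name" or "-@name" names a netgroup, and a leading "-" on a host or user denies instead of grants) and the file contents are constructed. Entries for root are reported regardless of content, because any rhosts trust for root permits a password-less remote root session.

```python
"""Audit Berkeley trust files (/etc/hosts.equiv and ~/.rhosts) for entries that
grant password-less access too broadly.

Added example (not Symantec ESM code). The line format follows the traditional
hosts.equiv(4)/rhosts format; the sample contents are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TrustEntry:
    host: str       # host name, "+" (any host) or "+@netgroup"
    user: str       # user name, "+" (any user) or "" (same user name as the local account)
    negative: bool  # a leading "-" on the host or user denies rather than grants


def parse_trust_file(text: str) -> List[TrustEntry]:
    """Parse hosts.equiv / .rhosts lines into TrustEntry records."""
    entries: List[TrustEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        negative = host.startswith("-") or user.startswith("-")
        entries.append(TrustEntry(host.lstrip("-"), user.lstrip("-"), negative))
    return entries


def trust_findings(text: str, path: str) -> List[str]:
    """Findings in the spirit of the Trusted hosts/users check for one trust file."""
    entries = parse_trust_file(text)
    findings: List[str] = []
    for e in entries:
        if e.negative:
            continue  # deny entries never widen access
        who = e.user or "<same user>"
        if e.host == "+":
            findings.append(f"{path}: any host is trusted (+) for {who}")
        elif e.host.startswith("+@"):
            findings.append(f"{path}: every host in netgroup {e.host[2:]} is trusted for {who}")
        if e.user == "+":
            findings.append(f"{path}: any user on {e.host} is trusted (+)")
    # rlogin/rsh as root without a password should never be permitted.
    if path in ("/.rhosts", "/root/.rhosts") and any(not e.negative for e in entries):
        findings.append(f"{path}: root has rhosts trust entries; remote root access without a password")
    return findings


# Constructed sample files.
HOSTS_EQUIV = """# /etc/hosts.equiv (constructed)
+
fileserver.example.com
build.example.com +
-badhost.example.com
"""
ROOT_RHOSTS = "admin-ws.example.com\n"
USER_RHOSTS = "fileserver.example.com\n"

if __name__ == "__main__":
    for path, text in (("/etc/hosts.equiv", HOSTS_EQUIV),
                       ("/root/.rhosts", ROOT_RHOSTS),
                       ("/home/alice/.rhosts", USER_RHOSTS)):
        print(path, trust_findings(text, path) or "no findings")
```

The single "+" line is the classic misconfiguration: every host on the network may log in as any local user with a matching name, authenticated by nothing more than the name the remote side claims. The policy’s recommendation stands regardless of findings: remove the r-services and use SSH.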

Check | COSO | COBIT | Rationale
Trusted hosts/users | CA, IC, M | DS5.2 | The Berkeley trust mechanism (/etc/hosts.equiv and ~/.rhosts) is one of the vulnerabilities most frequently exploited by attackers. It does not properly authenticate users: access is granted on the strength of a host name and user name only, with no credential. Other means, such as SSH, should be used to authenticate users.
FTP enabled | CA, IC, M | DS5.2, DS13.8 | FTP is another frequently exploited service; it sends user names and passwords in cleartext. Other means, such as SSH (scp or sftp), should be used to authenticate users and transfer files.
TFTP | CA, IC, M | DS5.2, DS13.8 | TFTP is another frequently exploited service. The protocol does not authenticate users at all, so if the daemon must run it should run as an unprivileged user and in secure mode, restricted to a single directory.
Access control (xhost) | CA, IC, M | DS5.2, DS13.8 | Access to the X display should be explicitly controlled. Running xhost + disables X access control entirely, letting any host connect to the display and read or inject keystrokes.

Oracle Accounts module

The Oracle Accounts module reports lingering active accounts that should not be used in production.

Check | COSO | COBIT | Rationale
Active default accounts (dba) | CA, IC, M | DS5.2 | Default accounts that ship with the Oracle software are well known to attackers, as are their default passwords, and could be used to gain unauthorized access.

Oracle Auditing module

The Oracle Auditing module reports if the auditing system has not been enabled.

Check | COSO | COBIT | Rationale
Audit trail enabled | CE, IC, CA, M | PO4.9, AI3.7, DS5.7, DS5.10 | The auditing system should be enabled.

Oracle Configuration module

The Oracle Configuration module reports wrongly configured global settings for the Oracle server.

Check | COSO | COBIT | Rationale
DB link encrypted password | CA, IC, M | DS5.16 | Unencrypted passwords can be captured by unauthorized parties on the network.
Table-level SELECT privileges | RA, CA, IC, M | PO9.7, DS5.3 | SELECT privileges should be granted before any privileges that change or delete table data.
Remote login password file (NONE) | CA, IC, M | DS13.8 | This policy ships with a default setting of NONE, which makes Oracle ignore any password file, so privileged (SYSDBA) connections must be authenticated by the operating system rather than remotely. If the customer’s business needs include remote privileged logins, the setting can be changed to SHARED or EXCLUSIVE as needed.
UTL_FILE accessible directories (*, NULL) | CA, IC, M | DS5.3 | UTL_FILE lets PL/SQL code read and write operating-system files. The directories it may access should be explicitly authorized; a value of * allows access to every directory.
Redo log files | CE, IC, CA, M | PO4.10, DS5.3, DS5.17 | This policy ships with a default setting of 700. Redo log files that have access rights less restrictive than this setting could be at risk of tampering or deletion.
Control files | CE, IC, CA, M | PO4.10, DS5.3, DS5.17 | This policy ships with a default setting of 700. Control files that have access rights less restrictive than this setting could be at risk of tampering or deletion.

Oracle Patches module

The Oracle Patches module lists patches available from Oracle Corporation within a specified time frame.

Oracle patch template file

Symantec updates the Oracle patch template file (orapatch.orp) every two weeks and makes it available on the symantec.com website.

Note: Do not edit, move, or change your Oracle patch template file.

Check | COSO | COBIT | Rationale
Oracle patches module | CA, RA, M | PO9.3, DS5.19, M2.4 | Unpatched systems are the most common cause of technical security exploits. Patching known vulnerabilities constitutes an effective protection against anticipated threats.
Patch information | N/A | N/A | This policy ships with a default setting of 90 days. Provided that the Oracle patch template file is up to date, all available patches released within the last 90 days are reported. Review the list and confirm that all available patches have been applied to your server.

Oracle Roles module

The Oracle Roles module reports privileges granted through the PUBLIC role. Every database user implicitly holds PUBLIC, so anything granted to it is effectively granted to all users.

Check | COSO | COBIT | Rationale
PUBLIC role access | CA, IC, M | DS5.2, DS5.3 | This policy ships with a default setting that assumes no access is granted through the PUBLIC role. Granting privileges to PUBLIC is rarely necessary in production environments.

Oracle Tablespace module

The Oracle Tablespace module reports misuse of the SYSTEM tablespace.

Check | COSO | COBIT | Rationale
Object in SYSTEM tablespace (exclude SYS, SYSTEM) | CE, IC, CA, M | PO6.8, DS5.3, M2.1 | Objects should not be placed in the SYSTEM tablespace except by the SYS and SYSTEM users.
SYSTEM tablespace assigned to user (exclude SYS, SYSTEM) | CE, IC, CA, M | PO6.8, AI3.3, DS5.3 | The SYSTEM tablespace should only be assigned to the SYS or SYSTEM users.

OS Patches module

The OS Patches (Patch) module reports patches that are defined in the UNIX patch template files for AIX, HP-UX, Solaris, and Linux but that are not installed on the agent.

Check | COSO | COBIT | Rationale
All module checks | CA, RA, M | PO9.3, DS5.19, M2.4 | Unpatched systems are the most common cause of technical security exploits. Patching known vulnerabilities constitutes an effective protection against anticipated threats.
Superseded | N/A | N/A | This check identifies patches that have been replaced or superseded by later patches or service packs, so that a template patch is not reported as missing when a patch that replaces it is installed.
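The Superseded check is what keeps a patch report honest: a template patch that is absent by name is not missing if a patch that replaces it is installed. The resolver below is an added example, not Symantec ESM code and not the format of the ESM patch templates; it assumes the Solaris "base-rev" identifier convention, where a higher revision of the same base supersedes every lower one, and models replacement by a differently numbered patch with an explicit supersedes map. All patch numbers are constructed.

```python
"""Resolve which template patches are really missing once superseded patches are
taken into account, as the Superseded check does.

Added example (not Symantec ESM code). Patch identifiers follow the Solaris
"base-rev" convention; a higher revision of the same base supersedes lower ones.
The explicit supersedes map covers patches replaced by a differently numbered
patch or cluster. All patch numbers are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple


def split_id(patch_id: str) -> Tuple[str, int]:
    """'108528-29' -> ('108528', 29); an id without a revision gets revision 0."""
    base, _, rev = patch_id.partition("-")
    return base, int(rev) if rev.isdigit() else 0


def is_satisfied(required: str, installed: Set[str], supersedes: Dict[str, List[str]]) -> bool:
    """True if `required`, a higher revision of it, or a patch that transitively
    supersedes it is installed."""
    highest_installed: Dict[str, int] = {}
    for p in installed:
        base, rev = split_id(p)
        highest_installed[base] = max(highest_installed.get(base, -1), rev)

    seen: Set[str] = set()
    stack = [required]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        base, rev = split_id(cur)
        if highest_installed.get(base, -1) >= rev:
            return True  # cur itself, or a later revision of it, is installed
        stack.extend(supersedes.get(cur, []))  # follow explicit replacements
    return False


def missing_patches(template: Iterable[str], installed: Iterable[str],
                    supersedes: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (missing, superseded): template patches that are not covered at all,
    and template patches that are absent by name but covered by a newer patch."""
    installed_set = set(installed)
    missing: List[str] = []
    superseded: List[str] = []
    for req in template:
        if req in installed_set:
            continue
        (superseded if is_satisfied(req, installed_set, supersedes) else missing).append(req)
    return missing, superseded


# Constructed data: the template requires four patches; the agent has three installed.
TEMPLATE = ["108528-24", "109147-20", "110380-04", "111111-01"]
INSTALLED = {"108528-29", "110380-04", "112233-02"}
# 109147 was obsoleted first by its own -21 and then by the differently numbered 112233.
SUPERSEDES = {"109147-20": ["109147-21"], "109147-21": ["112233-01"]}

if __name__ == "__main__":
    missing, superseded = missing_patches(TEMPLATE, INSTALLED, SUPERSEDES)
    print("missing:", missing)
    print("superseded (not a finding):", superseded)
```

Without the supersession step the agent would report three missing patches; with it, only one is genuinely missing. The template that ESM ships is what supplies the real supersedes data, which is why the note about not editing the Patch template files matters.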

Page 56: Symantec Enterprise Security Manager™ Policy …No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd.,

56 Mappings to PoliciesControls Compliance policy

Patch template filesSymantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

Note: Do not edit, move, or change your Patch template files.

The Patch module uses the following default Patch template files.

Password Strength moduleThe Password Strength module examines system parameters that control the construction, change, aging, expiration, and storage of passwords

OS File name Template name

AIX patch.pai Patch - AIX

HP-UX patch.ph1 Patch- HP-UX 10/11

Red Hat Linux patch.plx Patch - Linux

Solaris patch.ps6 Patch - Solaris 2.6 (template applies to Solaris 2.6 through 2.9)

SUSE Linux patch.psl Patch - SUSE Linux
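Several of the Account Integrity checks above (Group IDs, Accounts should be disabled, User shell compliance) and of the Password Strength checks that follow (Login requires password, Maximum password age) can be evaluated from the same three files. The audit below is an added example, not Symantec ESM code; it reads the traditional colon-separated /etc/passwd, /etc/group and /etc/shadow formats, uses a small set of allowed shells in place of the Shells template, treats a hash beginning with "!" or "*" (or the value NP) as a locked account, and takes the 60-day maximum age from the policy default. The file contents are constructed.

```python
"""Audit /etc/passwd, /etc/group and /etc/shadow for the account and password
conditions the Account Integrity and Password Strength modules report.

Added example (not Symantec ESM code). The allowed-shell set stands in for the
Shells template and MAX_PASSWORD_AGE_DAYS is the policy default. Sample file
contents are constructed.
"""
from typing import Dict, List, Set

MAX_PASSWORD_AGE_DAYS = 60
SYSTEM_ACCOUNTS = {"adm", "bin", "ftp", "uucp"}
# Shells that refuse an interactive login; an account with one of these counts as disabled.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/group/shadow-style file into field lists, skipping comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def is_locked(hash_field: str) -> bool:
    """A leading '!' or '*' (or NP) can never match a typed password."""
    return hash_field.startswith(("!", "*")) or hash_field == "NP"


def account_findings(passwd: str, group: str, shadow: str, allowed_shells: Set[str]) -> List[str]:
    findings: List[str] = []
    known_gids = {g[2] for g in parse_colon_file(group)}
    shadow_rows = parse_colon_file(shadow)
    hashes: Dict[str, str] = {s[0]: s[1] for s in shadow_rows}
    max_age: Dict[str, str] = {s[0]: s[4] for s in shadow_rows}  # field 5: max days

    for name, _pw, _uid, gid, _gecos, _home, shell in parse_colon_file(passwd):
        # Group IDs: primary GID with no entry in the group file.
        if gid not in known_gids:
            findings.append(f"Group IDs: {name} has undefined primary group {gid}")

        locked = is_locked(hashes.get(name, "*"))   # absent from shadow: treat as locked
        login_possible = shell not in NOLOGIN_SHELLS and not locked

        # Accounts should be disabled: system accounts that can still log in.
        if name in SYSTEM_ACCOUNTS and login_possible:
            findings.append(f"Accounts should be disabled: {name} has shell {shell} and is not locked")

        # User shell compliance: login shell not in the Shells template.
        if shell not in allowed_shells and shell not in NOLOGIN_SHELLS:
            findings.append(f"User shell compliance: {name} uses unauthorized shell {shell}")

        # Login requires password: empty hash field with a usable shell.
        if name in hashes and hashes[name] == "" and shell not in NOLOGIN_SHELLS:
            findings.append(f"Login requires password: {name} has an empty password")

        # Maximum password age: shadow max-days missing, non-numeric or above policy.
        if login_possible:
            age = max_age.get(name, "")
            if not age.isdigit() or int(age) > MAX_PASSWORD_AGE_DAYS:
                findings.append(f"Maximum password age: {name} max age {age or 'unset'} "
                                f"exceeds {MAX_PASSWORD_AGE_DAYS} days")
    return findings


# Constructed samples (hashes are placeholders, not real digests).
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:4242:Bob:/home/bob:/bin/zsh
guest:x:1003:1001:Guest:/home/guest:/bin/sh
"""
GROUP = """root:x:0:
bin:x:1:
ftp:x:50:
users:x:1001:
"""
SHADOW = """root:$6$abc:19000:0:60:7:::
bin:*:19000:0:99999:7:::
ftp:$6$def:19000:0:99999:7:::
alice:$6$ghi:19000:0:60:7:::
bob:$6$jkl:19000:0:99999:7:::
guest::19000:0:60:7:::
"""
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh"}

if __name__ == "__main__":
    for f in account_findings(PASSWD, GROUP, SHADOW, ALLOWED_SHELLS):
        print(f)
```

Note what is not flagged: bin has a non-login shell and a "*" hash, so it is disabled on both counts, whereas ftp keeps /bin/sh and a live hash and is reported. The empty hash for guest is the "Accounts can be used without a password" case; on a system that honours it, anyone can log in as that user.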

Check | COSO | COBIT | Rationale
Login requires password (AIX, Solaris) | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Users without passwords could permit unauthorized access.
Password length restrictions (AIX, Solaris, Red Hat Linux) | CA, RA, M | PO9.7, DS5.2, DS5.17 | Easily guessed passwords do not meet the COBIT/COSO requirement for adequate authentication and access controls. Short passwords are easily guessed. This policy ships with a default setting of 8 characters.
Minimum password history (AIX, HP-UX 11) | CA, RA, M | PO9.7, DS5.2, DS5.17 | Limiting reuse of previously used passwords reduces the risk of discovery. This policy ships with a default setting of 4 prior passwords.
Password age | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. Requiring passwords to be changed periodically reduces the risk of discovery. This policy ships with a default setting of 60 days.
Maximum password age | CA, RA, M | PO9.7, DS5.2, DS5.17 | Controls to authenticate and permit access only to authorized individuals require effective password management. This policy ships with a default setting of 60 days.
Minimum alphabetic characters (AIX) | CA, RA, M | PO9.7, DS5.2, DS5.17 | Forcing users to select passwords that meet minimum character-class requirements helps to ensure that passwords cannot be easily guessed. This policy ships with a default setting of 4.
Minimum non-alphabetic characters (AIX) | CA, RA, M | PO9.7, DS5.2, DS5.17 | Forcing users to select passwords that meet minimum character-class requirements helps to ensure that passwords cannot be easily guessed. This policy ships with a default setting of 1.
Minimum different characters (AIX) | CA, RA, M | PO9.7, DS5.2, DS5.17 | Requiring a minimum number of characters that differ from the previous password prevents trivial variations of an old password. This policy ships with a default setting of 2.
Maximum repeated characters | CA, RA, M | PO9.7, DS5.2, DS5.17 | Easily guessed passwords do not meet the COBIT/COSO requirement for adequate authentication and access controls. Repeated characters make passwords easier to guess. This policy ships with a default setting of 2 characters.
Users without system password strength (AIX, HP-UX) | CA, RA, M | PO9.7, DS5.2, DS5.17 | This system setting, available on AIX and HP-UX, should be enabled to help ensure strong passwords.
Accounts can be used without a password | CA, RA, M | PO9.7, DS5.2, DS5.17 | This system setting, available on HP-UX, can help prevent accounts from being created without a password.
Local disks only | N/A | N/A | This option is enabled for systems that use Network File System (NFS) to serve home directories.
Local accounts only | N/A | N/A | This option is enabled for systems that use Network Information System (NIS) for managing the password and group files.

Startup Files module

The Startup Files module reports:

■ PATH variables that include the current directory

■ Running services that are not allowed by the Services template
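The first Startup Files condition, a PATH that includes the current directory, has more forms than a literal ".": an empty element ("::", or a leading or trailing colon) is also the current directory, and any relative entry such as "bin" is searched relative to wherever the shell happens to be. The checker below is an added example, not Symantec ESM code; it scans Bourne-shell style PATH assignments in a startup file, leaves variable expansions such as $PATH and tilde entries alone because they cannot be judged statically, and reports every literal element that is relative or current-directory. The /etc/profile contents are constructed.

```python
"""Report PATH assignments in a startup file that search the current directory
or any other relative directory (Startup Files: Current directory in startup path).

Added example (not Symantec ESM code). Handles sh-style assignments of the forms
PATH=..., export PATH=..., and quoted values. The sample /etc/profile is constructed.
"""
import re
from typing import List, Tuple

# "PATH=value" or "export PATH=value", with an optional trailing ";" (e.g. "; export PATH").
_ASSIGN = re.compile(r"^\s*(?:export\s+)?PATH=(.*?)\s*(?:;|$)")


def insecure_path_elements(path_value: str) -> List[str]:
    """Elements of a PATH value that resolve to the current or a relative directory."""
    value = path_value.strip().strip('"').strip("'")
    bad: List[str] = []
    for elem in value.split(":"):
        if elem.startswith("$") or elem.startswith("~"):
            continue  # $PATH/${HOME}/~ expand at run time; not a literal directory
        if elem == "" or elem == "." or elem.startswith("./") or not elem.startswith("/"):
            bad.append(elem)  # "" and "." are the current directory; "bin" is relative
    return bad


def startup_path_findings(script: str, path: str) -> List[Tuple[int, str]]:
    """(line number, message) for every insecure PATH element in a startup file."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop trailing comments
        m = _ASSIGN.match(code)
        if not m:
            continue
        for elem in insecure_path_elements(m.group(1)):
            label = "<empty element>" if elem == "" else elem
            findings.append((lineno, f"{path}:{lineno}: PATH element {label} "
                                     "searches the current or a relative directory"))
    return findings


# Constructed /etc/profile: lines 4, 5 and 7 are the ones that should be reported.
PROFILE = """# /etc/profile (constructed sample)
PATH=/usr/bin:/usr/sbin:/bin
export PATH
PATH=$PATH:.            # current directory appended explicitly
PATH="/usr/local/bin::$PATH"
export PATH=/opt/tools/bin:$PATH
PATH=$PATH:bin
"""

if __name__ == "__main__":
    for _lineno, message in startup_path_findings(PROFILE, "/etc/profile"):
        print(message)
```

Line 5 is the one that is routinely missed in manual review: the doubled colon is invisible in most editors yet makes root execute whatever "ls" or "ps" a user has dropped into a directory root later cds into.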

Check | COSO | COBIT | Rationale
System startup file contents | CA, RA, M | PO9.3, DS5.17, DS5.19 | World-writable files that are executed by system startup scripts could allow unauthorized access or privilege escalation.
Current directory in startup path | CA, RA, M | PO9.3, DS5.17, DS5.19 | If the search path set by a startup file includes the current directory, a command run from a directory that other users can write to may execute a planted program instead of the system one, which could allow unauthorized access or privilege escalation.
Login/tty file contents | CA, IC, RA, M | PO9.7, DS13.8 | Permitting remote root login on an untrusted channel could allow unauthorized access.
Enhanced security enabled | N/A | N/A | This setting is required to enable other checks in ESM.
Services not in template | CA, IC, M | AI3.7, DS5.17 | Unauthorized services can be used to gain unauthorized access.

Services template files

Mandatory, prohibited, and optional services for AIX, HP-UX, Solaris, and Linux are defined in Services templates.

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

The Startup Files module uses the following default template files.

OS | File names | Template name
AIX | basic.sai, remote.sai | Services - AIX
HP-UX | basic.sh1, remote.sh1 | Services - HP-UX 10-11
Red Hat Linux | basic.slx, remote.slx | Services - Linux
Solaris | basic.ss6, remote.ss6 | Services - Solaris 2.6 (template applies to Solaris 2.6 through 2.9)
SUSE Linux | basic.ssl, remote.ssl | Services - SUSE Linux

System Auditing module

The System Auditing module reports the following:

■ Computers where auditing is not enabled

■ System calls that are audited for failure or success

■ Maximum log file size

Of the UNIX platforms on which Symantec ESM runs, only Solaris and HP-UX natively support auditing functions. However, the following checks on AIX, HP-UX, and Solaris verify compliance with the corresponding COBIT/COSO sections.

Event auditing and System call mapping template files

Event auditing and System call mapping templates define authorized users, events, and system call auditing and mapping.

Symantec uses LiveUpdate every two weeks to overwrite the template files that are loaded on your system.

Check | COSO | COBIT | Rationale
Auditing enabled (AIX, HP-UX, Solaris) | CE, CA, IC, M | PO4.10, AI3.7, DS5.10 | Reports computers with auditing disabled. Computers with auditing disabled do not allow examination of system activities.
Event auditing (HP-UX, Solaris) | CE, CA, IC, M | PO4.10, AI3.7, DS5.10 | Reports computers whose audited events differ from the Event auditing template. The template defines the events and system calls that can be misused by unauthorized users and that therefore must be audited.
System call mapping (HP-UX, Solaris) | CE, CA, IC, M | PO4.10, AI3.7, DS5.10 | Reports computers whose system call mapping differs from the System call mapping template. The template maps the system calls that can be misused by unauthorized users to the audited events.

OS | File name | Template name
AIX | aix_policy.aud | Events - all
AIX | aix_policy.map | Event Maps - all
HP-UX | hpevents_policy.aud | Events - all
HP-UX | hpevtmap_policy.map | Event Maps - all
Solaris | solaris_policy.aud | Events - all
Solaris | solaris_policy.map | Event Maps - all

System Mail module

ESM provides checks for the Sendmail program. However, systems that store and process information that is used for financial reporting should not use Sendmail because of Sendmail’s history of security vulnerabilities.

Note: If SMTP is required, use a more secure and reliable substitute such as qmail or Postfix.

The System Mail module reports the following:

■ Wizard passwords and decode aliases in mail configuration files

■ Mail aliases that are piped to a command or shell program

■ Agents that are not logging Sendmail messages

■ Agents that do not have properly configured logs

Check | COSO | COBIT | Rationale
Wizard passwords | CA, IC, RA, M | PO9.3, DS5.17 | The Sendmail wizard password (the WIZ command backdoor) has been exploited frequently and could allow unauthorized access; it must not be set.
Decode aliases | CA, IC, M | DS5.19, DS9.5 | A decode alias pipes incoming mail to uudecode, which lets a remote sender write files onto the system. It is a frequent vector for malicious code.
Command aliases | CA, IC, RA, M | PO9.3, DS5.7 | Aliases that pipe mail to a command or shell could be used to gain unauthorized access and could indicate system compromise.
Sendmail log | CA, IC, M | DS13.6 | Correctly configuring the Sendmail log feature helps to detect and diagnose mail vulnerabilities.
Log level setting | CA, IC, M | DS13.6 | This setting defines the minimum level of log information to be captured. This policy ships with a default setting of log level 9.
Sendmail configuration file | CA, IC | DS9.4 | An improperly configured Sendmail daemon could be used by attackers to obtain information about users (for example through the VRFY and EXPN commands), which could be used to compromise the security and integrity of information that is used for financial reporting.
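Four of the System Mail checks read two files: the aliases database source (/etc/aliases) for decode and command aliases, and sendmail.cf for the wizard password and log level options. The audit below is an added example, not Symantec ESM code; it assumes the aliases(5) format (name: target, target; a target beginning with "|" is a command; continuation lines begin with whitespace), the old-style single-letter option lines "OW" (wizard password, where "OW*" means none) and "OL<n>" (log level), and the V8-style "O LogLevel=<n>". The file contents are constructed.

```python
"""Audit /etc/aliases and sendmail.cf for the System Mail conditions: decode
aliases, aliases piped to commands, a wizard password, and the log level.

Added example (not Symantec ESM code). Option parsing covers the old-style
"O<letter><value>" lines and the V8-style "O Name=value" lines; "OW*" is treated
as "no wizard password". Sample file contents are constructed.
"""
import re
from typing import Dict, List

POLICY_LOG_LEVEL = 9  # policy default from the Log level setting check

_OLD_OPT = re.compile(r"^O([A-Za-z])(.*)$")       # e.g. OL9, OW*
_NEW_OPT = re.compile(r"^O\s+(\w+)\s*=\s*(.*)$")   # e.g. O LogLevel=9


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse an aliases(5) file into {alias: [targets]}; continuation lines are joined."""
    entries: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and entries:
            entries[-1] += " " + line.strip()   # continuation of the previous alias
        else:
            entries.append(line.rstrip())
    aliases: Dict[str, List[str]] = {}
    for entry in entries:
        name, _, targets = entry.partition(":")
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def parse_cf_options(text: str) -> Dict[str, str]:
    """Collect sendmail.cf option lines, keyed by letter (old style) or name (V8 style)."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        m = _NEW_OPT.match(line) or _OLD_OPT.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def mail_findings(aliases_text: str, cf_text: str) -> List[str]:
    findings: List[str] = []
    for name, targets in parse_aliases(aliases_text).items():
        piped = [t for t in targets if t.strip('"').startswith("|")]
        if name == "decode":
            findings.append(f"Decode aliases: decode -> {', '.join(targets)}")
        elif piped:
            findings.append(f"Command aliases: {name} pipes mail to {', '.join(piped)}")

    opts = parse_cf_options(cf_text)
    wizard = opts.get("W")
    if wizard is not None and wizard != "*":
        findings.append("Wizard passwords: OW option sets a wizard password")
    level = opts.get("LogLevel", opts.get("L", ""))
    if not level.isdigit() or int(level) < POLICY_LOG_LEVEL:
        findings.append(f"Log level setting: LogLevel={level or 'unset'} is below {POLICY_LOG_LEVEL}")
    return findings


# Constructed samples.
ALIASES = """# /etc/aliases (constructed sample)
postmaster: root
decode: "|/usr/bin/uudecode"
vacation-alice: alice, "|/usr/bin/vacation alice"
webmaster: root,
        ops@example.com
"""
WEAK_CF = """# sendmail.cf fragment (constructed, weak)
OW secretpass
OL5
"""
HARDENED_CF = """# sendmail.cf fragment (constructed, meets policy)
OW*
O LogLevel=9
"""

if __name__ == "__main__":
    print(mail_findings(ALIASES, WEAK_CF))
    print(mail_findings("postmaster: root\n", HARDENED_CF) or "no findings")
```

The vacation alias is the kind of command alias that is legitimate on a workstation but still worth a finding on a financial-reporting host: every such pipe is a program that any remote sender can invoke with attacker-chosen input.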