2008 R2 MS V2.1.0
November 3, 2014 at 1:47pm EST
[michaelwillison]
RESEARCH
Confidential: The following report contains confidential information. Do not distribute,
email, fax, or transfer via any electronic mechanism unless it has been approved by the
recipient company's security policy. All copies and backups of this document should be
saved on protected storage at all times. Do not share any of the information contained
within this report with anyone unless they are authorized to view the information. Violating
any of the previous instructions is grounds for termination.
Table of Contents
About This Report
Chapter 1
1.1 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
1.2 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
Chapter 1
1.1 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
[Summary matrix: Passed / Manual / Failed counts by age (7 Days, 14 Days, 21 Days, 28 Days, > 29 Days); extracted values with cell positions lost: 22, 26, 16, 11, 16, 119, 38, 15]
Severity
Total
High
Plugin Name
1.12.12 Force SSL for all applications
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.9 Do not allow custom header status messages
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.8 Do not allow additional path delimiters (verify ALLOW_ENCODED_SLASH is set to false)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11.3 Disable deploy on startup applications
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11.2 Disabling auto deployment of applications
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.7 Turn off session facade recycling
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.6 Enable strict servlet Compliance
Hosts in Repository 'net_10_31_112':
Plugin Name
1.12.4 Force SSL when accessing the manager application
Severity
Total
High
Plugin Name
1.11.1 Starting Tomcat with Security Manager
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.27 Default account passwords - 'Change the default password for 'XDB'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.26 Default account passwords - 'Change the default password for 'WMSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.25 Default account passwords - 'Change the default password for 'WKSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.23 Default account passwords - 'Change the default password for 'WK_TEST'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.22 Default account passwords - 'Change the default password for 'SYSTEM'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.20 Default account passwords - 'Change the default password for 'SPATIAL_WFS_ADMIN_USR'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.19 Default account passwords - 'Change the default password for 'SPATIAL_CSW_ADMIN_USR'
Severity
Total
High
Plugin Name
1.1.18 Default account passwords - 'Change the default password for 'SI_INFORMTN_SCHEMA'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.17 Default account passwords - 'Change the default password for 'OWBSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.16 Default account passwords - 'Change the default password for 'OWBSYS_AUDIT'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.15 Default account passwords - 'Change the default password for 'OUTLN'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.14 Default account passwords - 'Change the default password for 'ORDSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.13 Default account passwords - 'Change the default password for 'ORDPLUGINS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.12 Default account passwords - 'Change the default password for 'ORDDATA'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.8 Default account passwords - 'Change the default password for MDSYS'
Severity
Total
High
Plugin Name
1.1.10 Default account passwords - 'Change the default password for OLAPSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.7 Default account passwords - 'Change the default password for MDDATA'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.6 Default account passwords - 'Change the default password for EXFSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.5 Default account passwords - 'Change the default password for DIP'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.3 Default account passwords - 'Change the default password for CTXSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.2 Default account passwords - 'Change the default password for APPQOSSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.2.4 Require Timeout for Login Sessions - 'console timeout < 10'
Plugin Name
1.1.5.3 Require SNMP Trap Server When SNMP is Used - 'snmp-server host'
Severity
Total
High
Plugin Name
1.1.2.4 Require Timeout for Login Sessions - 'ssh timeout < 10'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.5.4 Require Authorized Read SNMP Community Strings and Access Control - 'snmp-server host'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.5.4 Require Authorized Read SNMP Community Strings and Access Control - 'snmp-server community'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.5.2 Forbid SNMP Traps
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.5.1 Forbid SNMP Read Access
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.3.4 Require ASDM Banner
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.3.3 Require MOTD Banner
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.3.2 Require Login Banner
Plugin Name
1.1.3.1 Require EXEC Banner
Severity
Total
High
Plugin Name
1.1.2.5 Require SSH Access Control
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.2.2 Require ASDM Management Access Control
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.5 Require AAA Accounting (aaa accounting command privilege)
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'aaa authorization command tacacs+_server_group local'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'aaa authorization command local'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'aaa authorization exec authentication-server'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.3 Require Defined AAA Servers and Protocols - 'aaa-server timeout'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.3 Require Defined AAA Servers and Protocols - 'aaa-server host'
Plugin Name
1.1.5.11 Require AES128 or Better Encryption for SNMPv3 Access - 'All SNMP users > AES 128 encryption'
Severity
Total
High
Plugin Name
1.1.5.6 Require AES128 or better encryption for SNMPv3 Access
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.5.5 Require Group for SNMPv3 Access
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.3 Installing Apache
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (/etc/logrotate.d/httpd)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (CustomLog)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (ErrorLog)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (LogLevel)
Severity
Total
High
Plugin Name
1.16 Software Information Leakage Protection. (ErrorDocument 405 /custom405.html)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ErrorDocument 404 /custom404.html)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ErrorDocument 403 /custom403.html)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ErrorDocument 400 /custom400.html)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ServerSignature Off)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ServerTokens Prod)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.15 Implementing Mod_SSL. (/usr/local/apache2/conf/httpd.conf 'SSLProtocol all -SSLv2')
Severity
Total
High
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestLine)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestFieldSize)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestFields)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestBody)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (AcceptFilter https)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (AcceptFilter http)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (KeepAliveTimeout)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (KeepAlive)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (Timeout)
Severity
Total
High
Plugin Name
1.12 Restrict File Extensions.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (RewriteRule)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (RewriteCond)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (RewriteEngine)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.1 Enforce password history (>=24)
Hosts in Repository 'net_172_26_23':
172.26.23.13 - MAC Address: 00:50:56:bd:76:73 DNS Name: wsus.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\WSUS
172.26.23.27 - MAC Address: 00:50:56:bd:76:61 DNS Name: s11c.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S11C
172.26.23.33 - MAC Address: 00:50:56:bd:76:3d DNS Name: s3d.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S3D
172.26.23.47 - DNS Name: winsevm.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\WINSEVM
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
172.26.23.73 - DNS Name: s7d.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\S7D
172.26.23.107 - NetBIOS Name: UNKNOWN\WINSEVM
Plugin Name
1.1.3 Minimum password age (>=1)
Severity
Total
High
Plugin Name
1.1.4 Minimum password length (>=8)
Severity
Total
High
172.26.23.13 - MAC Address: 00:50:56:bd:76:73 DNS Name: wsus.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\WSUS
172.26.23.27 - MAC Address: 00:50:56:bd:76:61 DNS Name: s11c.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S11C
172.26.23.33 - MAC Address: 00:50:56:bd:76:3d DNS Name: s3d.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S3D
172.26.23.47 - DNS Name: winsevm.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\WINSEVM
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
172.26.23.73 - DNS Name: s7d.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\S7D
172.26.23.84 - MAC Address: 00:50:56:bd:46:04 DNS Name: winsevm.lab.tenable NetBIOS Name: FM\SQL08
172.26.23.107 - NetBIOS Name: UNKNOWN\WINSEVM
Plugin Name
1.1 Use the Latest OS Release - Check if Solaris 10 10/09 release is installed
Severity
Total
High
Plugin Name
1.1 Establish firewall configuration standards (inetd_enable)
Severity
Total
High
Plugin Name
1.12.14 Require trusted path for credential entry = Enabled
Severity
Total
High
Plugin Name
1.12.13 Enumerate administrator accounts on elevation = Disabled
Severity
Total
High
Plugin Name
1.12.11 RPC Endpoint Mapper Client Authentication = Enabled
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.12.9 Solicited Remote Assistance = Disabled
Severity
Total
High
Plugin Name
1.12.8 Offer Remote Assistance = Disabled
Severity
Total
High
Plugin Name
1.12.6 Do not process the run once list = Enabled
Severity
Total
High
Plugin Name
1.12.5 Do not process the legacy run list = Enabled
Severity
Total
High
Plugin Name
1.12.4 Turn off Data Execution Prevention for Explorer = Disabled
Severity
Total
High
Plugin Name
1.12.3 Allow Remote Shell Access = Disabled
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.11.7 Turn off Windows Update device driver searching = Enabled
Severity
Total
High
Plugin Name
1.10.3 Do not allow drive redirection = Enabled
Severity
Total
High
Plugin Name
1.10.2 Set client connection encryption level = Enabled to High Level
Severity
Total
High
Plugin Name
1.10.1 Always prompt client for password upon connection = Enabled
Severity
Total
High
Plugin Name
1.1.3 Minimum Password Age: Minimum of 1 day
Severity
Total
High
Plugin Name
1.1.1 Enforce Password History: minimum of 24 passwords
Severity
Total
High
Plugin Name
1.12.14 Require trusted path for credential entry: Enabled
Severity
Total
High
Plugin Name
1.12.13 Enumerate administrator accounts on elevation: Disabled
Severity
Total
High
Plugin Name
1.12.11 RPC Endpoint Mapper Client Authentication: Enabled
Severity
Total
High
Plugin Name
1.12.10 Restrictions for Unauthenticated RPC Clients: Enabled and Authenticated
Severity
Total
High
Plugin Name
1.12.9 Solicited Remote Assistance: Disabled
Severity
Total
High
Plugin Name
1.12.8 Offer Remote Assistance: Disabled
Severity
Total
High
Plugin Name
1.12.6 Do not process the run once list: Enabled
Severity
Total
High
172.26.48.75 - MAC Address: 00:50:56:be:27:da DNS Name: win7x64.target.tenablesecurity.com NetBIOS Name: TARGET\WIN7X64
Plugin Name
1.12.5 Do not process the legacy run list: Enabled
Severity
Total
High
Plugin Name
1.12.3 Allow Remote Shell Access: Disabled
Severity
Total
High
Plugin Name
1.11.7 Turn off Windows Update device driver searching: Enabled
Severity
Total
High
Plugin Name
1.10.3 Do not allow drive redirection: Enabled
Severity
Total
High
Plugin Name
1.1.4 Minimum Password Length: Minimum of 12 characters
Severity
Total
High
Plugin Name
1.1.4 Minimum Password Length: at least 8 characters
Severity
Total
High
Plugin Name
1.1.3 Minimum Password Age: at least 1 day
Severity
Total
High
Plugin Name
1.1.1 Enforce Password History: at least 24 passwords remembered
Severity
Total
High
Plugin Name
1.12.7 Registry policy processing
Severity
Total
High
Plugin Name
1.13.9 Screen Saver timeout = at most 900 seconds
Severity
Total
High
Plugin Name
1.13.8 Force specific screen saver = scrnsave.scr
Severity
Total
High
Plugin Name
1.13.7 Password protect the screen saver = Enabled
Severity
Total
High
Plugin Name
1.1.5 Password Must Meet Complexity Requirements: Enabled
Severity
Total
High
Plugin Name
1.1.4 Minimum Password Length: 8 characters
Severity
Total
High
Plugin Name
1.1.3 Minimum Password Age: 1 day
Severity
Total
High
Plugin Name
1.1.1 Enforce Password History: 24 passwords
Severity
Total
High
Plugin Name
1.12.11 Disable remote Desktop Sharing
Severity
Total
High
Plugin Name
1.12.10 Require trusted path for credential entry
Severity
Total
High
Plugin Name
1.12.8 Turn off Autoplay
Severity
Total
High
Plugin Name
1.12.7 RPC Endpoint Mapper Client Authentication
Severity
Total
High
Plugin Name
1.12.6 Restrictions for Unauthenticated RPC clients
Severity
Total
High
Plugin Name
1.12.5 Solicited Remote Assistance
Severity
Total
High
Plugin Name
1.12.4 Offer Remote Assistance
Severity
Total
High
Plugin Name
1.12.2 Do not process the run once list
Severity
Total
High
Plugin Name
1.12.1 Do not process the legacy run list
Severity
Total
High
Plugin Name
1.11.7 Turn off Windows Update device driver searching
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.11.5 Turn off Search Companion content file updates
Severity
Total
High
Plugin Name
1.11.4 Turn off printing over HTTP
Severity
Total
High
Plugin Name
1.11.3 Turn off Internet download for Web publishing and online ordering wizards
Severity
Total
High
Plugin Name
1.11.2 Turn off the 'Publish to Web' task for files and folders
Severity
Total
High
Plugin Name
1.11.1 Turn off downloading of print drivers over HTTP
Severity
Total
High
172.26.23.13 - MAC Address: 00:50:56:bd:76:73 DNS Name: wsus.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\WSUS
172.26.23.27 - MAC Address: 00:50:56:bd:76:61 DNS Name: s11c.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S11C
172.26.23.33 - MAC Address: 00:50:56:bd:76:3d DNS Name: s3d.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S3D
172.26.23.47 - DNS Name: winsevm.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\WINSEVM
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
172.26.23.73 - DNS Name: s7d.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\S7D
172.26.23.84 - MAC Address: 00:50:56:bd:46:04 DNS Name: winsevm.lab.tenable NetBIOS Name: FM\SQL08
172.26.23.107 - NetBIOS Name: UNKNOWN\WINSEVM
Plugin Name
1.10.4 Do not allow passwords to be saved
Severity
Total
High
Plugin Name
1.10.2 Set client connection encryption level
Severity
Total
High
Plugin Name
1.10.1 Always prompt client for password upon connection
Severity
Total
High
Plugin Name
1.12.3 Registry policy processing (NoBackgroundPolicy)
Severity
Total
High
172.26.23.84 - MAC Address: 00:50:56:bd:46:04 DNS Name: winsevm.lab.tenable NetBIOS Name: FM\SQL08
172.26.23.107 - NetBIOS Name: UNKNOWN\WINSEVM
Plugin Name
1.12.3 Registry policy processing (NoGPOListChanges)
Severity
Total
High
Plugin Name
1.1.5 Password must meet complexity requirements
Severity
Total
High
Plugin Name
1.1.24 Disable Mounting of udf Filesystems - '/etc/modprobe.d/CIS - install udf /bin/true'
Severity
Total
High
Plugin Name
1.1.23 Disable Mounting of squashfs Filesystems - '/etc/modprobe.d/CIS install squashfs /bin/true'
Severity
Total
High
Plugin Name
1.1.22 Disable Mounting of hfsplus Filesystems - '/etc/modprobe.d/CIS install hfsplus /bin/true'
Severity
Total
High
Plugin Name
1.1.21 Disable Mounting of hfs Filesystems - '/etc/modprobe.d/CIS - install hfs /bin/true'
Severity
Total
High
Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems - '/etc/modprobe.d/CIS - install jffs2 /bin/true'
Severity
Total
High
Plugin Name
1.1.19 Disable Mounting of freevxfs Filesystems - '/etc/modprobe.d/CIS install freevxfs /bin/true'
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.1.23 Disable Mounting of squashfs Filesystems '/etc/modprobe.d/CIS install squashfs /bin/true'
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems '/etc/modprobe.d/CIS - install jffs2 /bin/true'
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.1.24 Disable Mounting of udf Filesystems - '/etc/modprobe.d/CIS.conf install udf /bin/true'
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.1.21 Disable Mounting of hfs Filesystems - '/etc/modprobe.d/CIS.conf install hfs /bin/true'
Severity
Total
High
Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems - '/etc/modprobe.d/CIS.conf install jffs2 /bin/true'
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
1.1.18 Disable Mounting of cramfs Filesystems - '/etc/modprobe.d/CIS.conf install cramfs /bin/true'
Severity
Total
High
Plugin Name
1.1.24 Disable Mounting of udf Filesystems
Severity
Total
High
Plugin Name
1.1.23 Disable Mounting of squashfs Filesystems
Severity
Total
High
Plugin Name
1.1.22 Disable Mounting of hfsplus Filesystems
Severity
Total
High
Plugin Name
1.1.21 Disable Mounting of hfs Filesystems
Severity
Total
High
Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems
Severity
Total
High
Plugin Name
1.1.19 Disable Mounting of freevxfs Filesystems
Severity
Total
High
Plugin Name
1.1.18 Disable Mounting of cramfs Filesystems
Severity
Total
High
Plugin Name
1.1.17 Set Sticky Bit on All World-Writable Directories
Severity
Total
High
Plugin Name
1.1.16 Add noexec Option to /dev/shm Partition
Severity
Total
High
13
Plugin Name
1.1.15 Add nosuid Option to /dev/shm Partition
Severity
Total
High
13
172.26.48.78
172.26.48.79 - MAC Address: 00:50:56:bd:28:3e DNS Name: webapp1.target.tenablesecurity.com
Plugin Name
Severity
Total
High
13
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
Plugin Name
Severity
Total
High
13
Plugin Name
1.1.9 Create Separate Partition for /home
Severity
Total
High
13
Plugin Name
1.1.8 Create Separate Partition for /var/log/audit
Severity
Total
High
13
Plugin Name
1.1.7 Create Separate Partition for /var/log
Severity
Total
High
13
Plugin Name
Severity
Total
High
13
Plugin Name
Severity
Total
High
13
Plugin Name
Severity
Total
High
13
Plugin Name
Severity
Total
High
13
Plugin Name
1.1.2 Set nodev option for /tmp Partition
Severity
Total
High
13
Plugin Name
1.1.1 - Create Separate Partition for /tmp
Severity
Total
High
13
Severity
Total
Medium
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'List All Commands'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1 Use the Latest Package Updates
Severity
Total
Medium
Plugin Name
1.1.2 Do not connect to the Internet when setting up a Mac
Severity
Total
Medium
Plugin Name
1.1.1 Securely erase the Mac OS X partition before installation
Severity
Total
Medium
Plugin Name
1.13.3 Notify antivirus programs when opening attachments = Enabled
Severity
Total
Medium
Plugin Name
1.13.2 Hide mechanisms to remove zone information = Enabled
Severity
Total
Medium
Plugin Name
1.12.15 Prevent the computer from joining a homegroup = Enabled
Severity
Total
Medium
Plugin Name
1.12.12 Turn off Autoplay = Enabled for all drives
Severity
Total
Medium
Plugin Name
Severity
Total
Medium
Plugin Name
1.11.5 Turn off Search Companion content file updates = Enabled
Severity
Total
Medium
Plugin Name
1.11.4 Turn off printing over HTTP = Enabled
Severity
Total
Medium
Plugin Name
1.11.3 Turn off Internet download for Web publishing and online ordering wizards = Enabled
Severity
Total
Medium
Plugin Name
1.11.2 Turn off the 'Publish to Web' task for files and folders = Enabled
Severity
Total
Medium
Plugin Name
1.11.1 Turn off downloading of print drivers over HTTP = Enabled
Severity
Total
Medium
Plugin Name
1.10.5 Do not allow passwords to be saved = Enabled
Severity
Total
Medium
Plugin Name
1.13.3 Notify antivirus programs when opening attachments: Enabled
Severity
Total
Medium
Plugin Name
1.13.2 Hide mechanisms to remove zone information: Enabled
Severity
Total
Medium
Plugin Name
1.12.15 Prevent the computer from joining a homegroup: Enabled
Severity
Total
Medium
Plugin Name
1.12.12 Turn off Autoplay: Enabled for all drives
Severity
Total
Medium
Plugin Name
1.12.10 Restrictions for Unauthenticated RPC Clients: Enabled and Authenticated.
Severity
Total
Medium
Plugin Name
1.12.4 Turn off Data Execution Prevention for Explorer: Disabled
Severity
Total
Medium
Plugin Name
1.12.2 Require a Password When a Computer Wakes (Plugged In): Enabled
Severity
Total
Medium
Plugin Name
1.12.1 Require a Password When a Computer Wakes (On Battery): Enabled
Severity
Total
Medium
Plugin Name
Severity
Total
Medium
Plugin Name
1.11.5 Turn off Search Companion content file updates: Enabled
Severity
Total
Medium
Plugin Name
1.11.4 Turn off printing over HTTP: Enabled
Severity
Total
Medium
Plugin Name
1.11.3 Turn off Internet download for Web publishing and online ordering wizards: Enabled
Severity
Total
Medium
Plugin Name
1.11.2 Turn off the 'Publish to Web' task for files and folders: Enabled
Severity
Total
Medium
Plugin Name
1.11.1 Turn off downloading of print drivers over HTTP: Enabled
Severity
Total
Medium
Plugin Name
1.10.5 Do not allow passwords to be saved: Enabled
Severity
Total
Medium
Plugin Name
1.10.2 Set client connection encryption level: Enabled to High Level
Severity
Total
Medium
Plugin Name
1.10.1 Always prompt client for password upon connection: Enabled
Severity
Total
Medium
Plugin Name
1.10.3 Do not allow drive redirection
Severity
Total
Medium
Passed Checks
Plugin Name
Severity
Total
Info
Plugin Name
1.12.17 Do not resolve hosts on logging valves (verify server.xml has resolveHosts set to false)
Severity
Total
Info
Plugin Name
1.12.17 Do not resolve hosts on logging valves (verify context.xml has resolveHosts set to false)
Severity
Total
Info
Plugin Name
1.12.5 Rename the manager application (verify the default manager.xml has been renamed)
Severity
Total
Info
Plugin Name
1.12.10 Configure connection Timeout
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.5 Rename the manager application (verify the default manager directory has been removed/renamed)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.3 Restrict manager application
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.2 Restrict access to the web administration
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.1 Ensure Web content directory is on a separate partition from the Tomcat system files (verify Web content directory)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.16 Do not allow cross context requests
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.15 Do not run applications as privileged
Plugin Name
1.12.14 Do not allow symbolic linking
Severity
Total
Info
Plugin Name
1.10.1 Restrict runtime access to sensitive packages
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.24 Default account passwords - 'Change the default password for 'WKPROXY'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.21 Default account passwords - 'Change the default password for 'SYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.9 Default account passwords - 'Change the default password for LBACSYS'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.4 Default account passwords - 'Change the default password for DBSNMP'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.1 Default account passwords - 'Change the default password for APEX_040000'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.1.5.3 Require SNMP Trap Server When SNMP is Used - 'snmp-server enable traps snmp authentication'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.4.2 Require Enable Password
Severity
Total
Info
Plugin Name
1.1.4.1 Require Local User and Encrypted Password
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.2.3 Require SSHv2 for Remote Management Access - 'ssh version = 2'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.2.3 Require SSHv2 for Remote Management Access - 'Telnet is not enabled'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.2.1 Require Local Password
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting enable console'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting ssh console'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting telnet console'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting serial console'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.3 Require Defined AAA Servers and Protocols - 'aaa-server protocol'
Severity
Total
Info
Plugin Name
1.1.1.2 Require AAA Authentication for Console and Other Interactive Management Protocols - 'http'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.2 Require AAA Authentication for Console and Other Interactive Management Protocols - 'SSH'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.2 Require AAA Authentication for Console and Other Interactive Management Protocols - 'Telnet'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.2 Require AAA Authentication for Console and Other Interactive Management Protocols - 'Serial'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.1.1 Require AAA Authentication for Enable Mode
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.1.5.10 Require Group for SNMPv3 Access - 'snmp-server group is not plaintext'
Hosts in Repository 'net_10_31_102':
10.31.102.250 - MAC Address: a4:0c:c3:74:68:40 DNS Name: c2960.net.melcara.int
10.31.102.253 - MAC Address: a8:b1:d4:f4:8f:c0 DNS Name: vlan102-core.net.melcara.int
Plugin Name
1.1.2 Do not Install on a Multi-use System
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.1 Pre-installation Planning Checklist
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2/logs)
Severity
Total
Info
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2/conf)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2/*)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/src/httpd-2*)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/apache2/manual)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/apache2/cgi-bin/*)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/apache2/htdocs/*)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (valid_protocol)
Hosts in Repository 'net_10_31_112':
Plugin Name
1.10 Limiting HTTP Request Methods.
Severity
Total
Info
Plugin Name
1.1 Installation
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.1 Enforce password history (>=24)
Hosts in Repository 'net_172_26_23':
172.26.23.84 - MAC Address: 00:50:56:bd:46:04 DNS Name: winsevm.lab.tenable NetBIOS Name: FM\SQL08
Plugin Name
1.1.3 Minimum password age (>=1)
Severity
Total
Info
Plugin Name
1.1 Use the Latest OS Release - Check if Solaris 10 10/09 release is installed
Severity
Total
Info
Plugin Name
1.1 Establish firewall configuration standards (/etc/hosts.allow)
Severity
Total
Info
Plugin Name
1.1.10 Update system software using verified packages
Severity
Total
Info
Plugin Name
1.13.6 Prevent access to registry editing tools = Enabled
Severity
Total
Info
Plugin Name
1.13.5 Remove Security tab = Enabled
Severity
Total
Info
Plugin Name
1.13.4 Remove CD Burning features = Enabled
Severity
Total
Info
Plugin Name
1.13.1 Do not preserve zone information in file attachments = Disabled
Severity
Total
Info
Plugin Name
1.10.4 Allow users to connect remotely using Remote Desktop Services = Disabled
Severity
Total
Info
Plugin Name
1.1.9 Reset Account Lockout Counter After: Minimum of 15 minutes
Severity
Total
Info
Plugin Name
1.1.8 Account Lockout Threshold: Maximum of 10 attempts
Severity
Total
Info
Plugin Name
1.1.7 Account Lockout Duration: Minimum of 15 minutes
Severity
Total
Info
Plugin Name
1.1.2 Maximum Password Age: Maximum of 90 days
Severity
Total
Info
Plugin Name
1.13.6 Prevent access to registry editing tools: Enabled
Severity
Total
Info
Plugin Name
1.13.5 Remove Security tab: Enabled
Severity
Total
Info
Plugin Name
1.13.4 Remove CD Burning features: Enabled
Severity
Total
Info
Plugin Name
1.10.4 Allow users to connect remotely using Remote Desktop Services: Disabled
Severity
Total
Info
Plugin Name
1.1.9 Reset Account Lockout Counter After: minimum of 15 minutes
Severity
Total
Info
Plugin Name
1.1.8 Account Lockout Threshold: maximum of 10 attempts
Severity
Total
Info
Plugin Name
1.1.7 Account Lockout Duration: 15 minutes
Severity
Total
Info
Plugin Name
1.1.2 Maximum Password Age
Severity
Total
Info
Plugin Name
1.1.9 Reset Account Lockout Counter After: at least 15 minutes
Severity
Total
Info
Plugin Name
1.1.8 Account Lockout Threshold: 50 attempts
Severity
Total
Info
Plugin Name
1.1.7 Account Lockout Duration: at least 15 minutes
Severity
Total
Info
Plugin Name
1.1.2 Maximum Password Age: at the most 90 days
Severity
Total
Info
Plugin Name
1.13.10 Enable screen saver = Enabled
Severity
Total
Info
Plugin Name
1.13.1 Do not preserve zone information in file attachments: Disabled
Severity
Total
Info
Plugin Name
1.1.9 Reset Account Lockout Counter After: 15 minutes (minimum)
Severity
Total
Info
Plugin Name
1.1.8 Account Lockout Threshold: maximum of 50 attempts
Severity
Total
Info
Plugin Name
1.1.7 Account Lockout Duration: 15 minutes (minimum)
Severity
Total
Info
Plugin Name
1.1.6 Store Passwords Using Reversible Encryption: Disabled
Severity
Total
Info
Plugin Name
1.1.2 Maximum Password Age: 90 minutes
Severity
Total
Info
Plugin Name
1.1.9 Reset account lockout counter after
Severity
Total
Info
Plugin Name
1.1.8 Account lockout threshold
Severity
Total
Info
Plugin Name
1.1.7 Account lockout duration
Severity
Total
Info
Plugin Name
1.1.6 Store passwords using reversible encryption
Severity
Total
Info
Plugin Name
1.1.5 Password must meet complexity requirements
Severity
Total
Info
Plugin Name
1.1.2 Maximum password age (Max of 90 days or less)
Severity
Total
Info
Plugin Name
1.1 Subscribe to Debian Security Lists
Severity
Total
Info
Plugin Name
1.1.17 Set Sticky Bit on All World-Writable Directories
Severity
Total
Info
10
Plugin Name
1.1.13 Add nosuid Option to Removable Media Partitions
Severity
Total
Info
Plugin Name
1.1.12 Add noexec Option to Removable Media Partitions
Severity
Total
Info
Plugin Name
1.1.11 Add nodev Option to Removable Media Partitions
Severity
Total
Info
[Charts: Passed / Manual / Failed; 7 Days / 14 Days / 21 Days / 28 Days / > 29 Days]
Severity
Total
High
Plugin Name
1.2.6 Remove Oracle Sample Users - 'Remove the sample user SCOTT'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.2.5 Remove Oracle Sample Users - 'Remove the sample user PM'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.2.4 Remove Oracle Sample Users - 'Remove the sample user OE'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.2.3 Remove Oracle Sample Users - 'Remove the sample user IX'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.2.2 Remove Oracle Sample Users - 'Remove the sample user HR'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.2.1 Remove Oracle Sample Users - 'Remove the sample user BI'
Hosts in Repository 'net_172_26_22':
172.26.22.127
Plugin Name
1.2.2.1.4 Configure the SSH Timeout - 'ssh timeout < 5'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.2.1.5 Limit the number of SSH Authentication Tries - 'aaa local authentication attempts max-fail < 5'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.4.2 Require NTP Authentication (ntp server)
Severity
Total
High
Plugin Name
1.2.4.2.3 Define the NTP Trusted Key
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.4.2.2 Define NTP Key Ring and Encryption Key
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.4.2.1 Enable NTP Authentication
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.4.1 Require Primary NTP Server
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (service-policy)
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (flow-export event-type)
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (class)
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (policy-map)
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (match access-list)
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'class-map'
Severity
Total
High
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'access-list'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'flow-export delay flowcreate'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'flow-export template timeout-rate'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'flow-export destination'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.5 Require Logging to Syslog Server
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.2 Require Console Logging Severity Level if required by policy 'logging console = critical'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.1 Forbid Console Logging
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.2.3 Forbid ASDM Service If Not Used - 'http server is not enabled'
Plugin Name
1.2.2.2 Forbid DHCP Server Service - 'dhcpd is not enabled'
Severity
Total
High
Plugin Name
1.2.1.3.2 Set Daylight Savings Dates
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.1.2 Forbid Daylight Savings Time Clock Adjustments
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.1.1 Require Clock Timezone - 'Device clock is set to UTC'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.4.2.4 Bind the NTP Key Ring to each NTP server - 'ntp server is configured to use a key ring'
Hosts in Repository 'net_10_31_102':
10.31.102.250 - MAC Address: a4:0c:c3:74:68:40 DNS Name: c2960.net.melcara.int
10.31.102.253 - MAC Address: a8:b1:d4:f4:8f:c0 DNS Name: vlan102-core.net.melcara.int
Plugin Name
1.2.4.2.3 Define the NTP Trusted Key - 'ntp trusted-key is defined'
Hosts in Repository 'net_10_31_102':
10.31.102.250 - MAC Address: a4:0c:c3:74:68:40 DNS Name: c2960.net.melcara.int
10.31.102.253 - MAC Address: a8:b1:d4:f4:8f:c0 DNS Name: vlan102-core.net.melcara.int
Plugin Name
1.2.4.2.2 Define NTP Key Ring and Encryption Key - 'ntp authentication-key is defined'
Hosts in Repository 'net_10_31_102':
10.31.102.250 - MAC Address: a4:0c:c3:74:68:40 DNS Name: c2960.net.melcara.int
10.31.102.253 - MAC Address: a8:b1:d4:f4:8f:c0 DNS Name: vlan102-core.net.melcara.int
Plugin Name
1.2.4.2.1 Enable NTP Authentication - 'ntp authentication is enabled'
Hosts in Repository 'net_10_31_102':
10.31.102.250 - MAC Address: a4:0c:c3:74:68:40 DNS Name: c2960.net.melcara.int
10.31.102.253 - MAC Address: a8:b1:d4:f4:8f:c0 DNS Name: vlan102-core.net.melcara.int
Plugin Name
1.2 ModSecurity Overview.
Severity
Total
High
Plugin Name
1.2 Use the Latest OS Release - '/etc/redhat-release > 6.1'
Hosts in Repository 'net_172_26_48':
Plugin Name
1.2 Install TCP Wrappers - Check if permissions for /etc/default/inetd are OK.
Severity
Total
High
Plugin Name
1.2 Install TCP Wrappers - Ensure 'ENABLE_TCPWRAPPERS' is set to 'YES' in /etc/default/inetd
Severity
Total
High
Plugin Name
1.2 Install TCP Wrappers - Deny access to this server from all networks
Severity
Total
High
Plugin Name
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization.
Severity
Total
High
Plugin Name
1.2 Build a firewall configuration that denies all traffic from 'untrusted' networks and hosts, except for protocols necessary for the cardholder data environment. (ipfw_load)
Severity
Total
High
Plugin Name
1.2 Build a firewall configuration that denies all traffic from 'untrusted' networks and hosts, except for protocols necessary for the cardholder data environment. (firewall_enable)
Severity
Total
High
Plugin Name
1.2. Enable SSH (/etc/ssh/sshd_config)
Severity
Total
High
Plugin Name
1.2. Enable SSH (Protocol 2)
Severity
Total
High
Plugin Name
1.2.9 Disable Core Dumps
Severity
Total
High
Plugin Name
1.2.7 Reduce the sudo timeout period
Severity
Total
High
Plugin Name
1.2.3 Create an access warning for the command line
Severity
Total
High
Plugin Name
1.2.1 Use an EFI password
Severity
Total
High
Plugin Name
1.2.11 Audit: Force Audit Policy Subcategory Settings (Windows Vista or Later) to Override Audit Policy Category Settings: Enabled
Severity
Total
High
Plugin Name
1.2.11 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Severity
Total
High
Plugin Name
1.2.9 Audit system events
Severity
Total
High
Plugin Name
1.2.8 Audit process tracking
Severity
Total
High
Plugin Name
1.2.7 Audit privilege use
Severity
Total
High
Plugin Name
1.2.6 Audit policy change
Severity
Total
High
Plugin Name
1.2.5 Audit object access
Severity
Total
High
Plugin Name
1.2.4 Audit logon events
Severity
Total
High
Plugin Name
1.2.3 Audit directory service access
Severity
Total
High
Plugin Name
1.2.2 Audit account management
Severity
Total
High
Plugin Name
1.2.1 Audit account logon events
Severity
Total
High
172.26.23.13 - MAC Address: 00:50:56:bd:76:73 DNS Name: wsus.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\WSUS
172.26.23.27 - MAC Address: 00:50:56:bd:76:61 DNS Name: s11c.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S11C
172.26.23.33 - MAC Address: 00:50:56:bd:76:3d DNS Name: s3d.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S3D
172.26.23.47 - DNS Name: winsevm.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\WINSEVM
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
172.26.23.73 - DNS Name: s7d.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\S7D
172.26.23.84 - MAC Address: 00:50:56:bd:46:04 DNS Name: winsevm.lab.tenable NetBIOS Name: FM\SQL08
172.26.23.107 - NetBIOS Name: UNKNOWN\WINSEVM
Plugin Name
1.2 Validate Your System Before Making Changes, should pass /var/log/* do not contain any files with error, warning or critical messages.
Severity
Total
High
Plugin Name
1.2.5 Disable yum-updatesd
Severity
Total
High
Plugin Name
1.2 Validate Your System Before Making Changes, should pass if /var/log/* do not contain any files with error, warning or critical messages.
Severity
Total
High
Plugin Name
1.2 Validate Your System Before Making Changes, should if pass /var/log/* do not contain any files with error, warning or critical messages.
Severity
Total
High
Plugin Name
1.2.4 Disable the rhnsd Daemon
Severity
Total
High
Plugin Name
1.2.6 Verify Package Integrity Using RPM
Severity
Total
High
Plugin Name
1.2.2 Verify Red Hat GPG Key is Installed
Severity
Total
High
Severity
Total
Medium
Plugin Name
Severity
Total
Medium
Plugin Name
1.2.3.3 Require Logging Facility
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.2.1.1 Generate the RSA Key Pair
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.8 Remove unneeded QuickTime components
Hosts in Repository 'net_172_26_48':
172.26.48.86 - MAC Address: 00:50:56:bd:74:b5 DNS Name: osx108.target.tenablesecurity.com NetBIOS Name: UNKNOWN\OSX108
Plugin Name
1.2.5 Obtain Software Package Updates with yum
Severity
Total
Medium
Plugin Name
1.2.1 Configure Connection to the RHN RPM Repositories
Severity
Total
Medium
Passed Checks
Plugin Name
Severity
Total
Info
Plugin Name
Severity
Total
Info
Plugin Name
1.2.3.7 Require System Logging
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.3.4 Require Logging History Level - 'logging history = notifications or informational'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.2.1.6 Require SSH version 2 - 'ssh version = 2'
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.2.1.3 Configure a local user account
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.2.1.2 Configure AAA authentication local
Hosts in Repository 'net_10_31_254':
10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
1.2.1.3 Require Summer Time Clock When Using Local Time Zone - 'clock summer-time recurring'
Hosts in Repository 'net_10_31_254':
Plugin Name
1.2.1.3.1 Set Local Time Zone
Severity
Total
Info
Plugin Name
1.2.8 Disable Info module - 'info_module is not loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.7 Disable User Directories Modules - 'userdir_* is not loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.6 Disable Proxy Modules - 'proxy_* is not loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.5 Disable Autoindex module - 'autoindex_module is not loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.4 Disable Status module - 'status_module is not loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.3 Disable WebDAV modules - 'dav_*module is not loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.2 Enable the Log Config Module - 'log_config_module is loaded'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.1 Enable only necessary Authentication and Authorization Modules 'Loaded ldap* modules'
Hosts in Repository 'net_10_31_112':
Plugin Name
Severity
Total
Info
Plugin Name
1.2 Install TCP Wrappers - Check if permissions for /etc/default/inetd are OK.
Severity
Total
Info
1.2.1 Enable only necessary Authentication and Authorization Modules 'Loaded auth._* modules'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
Severity
Total
Info
Plugin Name
1.2 Install Solaris 10 Encryption Kit - Check if Package SUNWcry is installed
Severity
Total
Info
Plugin Name
Severity
Total
Info
Plugin Name
1.2. Enable SSH (sshd_enable)
Severity
Total
Info
Plugin Name
1.2. Enable SSH (Banner)
Severity
Total
Info
Plugin Name
1.2. Enable SSH (PermitRootLogin)
Severity
Total
Info
Plugin Name
1.2.6 Disable the iSight camera
Severity
Total
Info
Plugin Name
1.2.5 Disable Bluetooth
Severity
Total
Info
Plugin Name
1.2.10 Audit: Shut Down System Immediately if Unable to Log Security Audits: Disabled
Severity
Total
Info
Plugin Name
1.2.10 Audit: Shut down system immediately if unable to log security audits
Severity
Total
Info
Plugin Name
1.2 Establish a BIOS Password
Severity
Total
Info
Plugin Name
1.2.4 Disable the rhnsd Daemon
Severity
Total
Info
Plugin Name
1.2.3 Verify that gpgcheck is Globally Activated
Severity
Total
Info