ࡱ>  9:;<=xz|  !#$%&'()*+,-./012345678?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry F1HWorkbook MBD00050858  F`˦7`˦7Ole = !-F!cover!Object 1  F'Microsoft Office Word 97-2003 Document MSWordDocWord.Document.89qOh+'0  4 @ L Xdlt|Christian, Michele  Normal.dotmChristian, Michele Data 81Table",CompObjyOlePres000>\8DdO zp<  C Ab48{ߌ[4yͰL8Dn8{ߌ[4yͰLPNG  IHDRO:EgAMA pHYs12N– IDATx}8e}{p#0rCG`9&r"D3KPxg`EF.oϼX̋ϼX̋ϼX̋ϼX̋ϼX̋ϼX̋0+놡y8ck+Sx脰:D[Q/[??HPTI5o HuoD1ճC ]^Qhz|`VOOay Z8n#ʬCR6RJUoZ篟tXܳCPZNa~FET5ېbns#n[.ZW>w9 |[FV,:xۧ/{k>qvD h"СP))F #ƟS)!GĎjJ3+Dbm5Ĕn~CZLCa#`m魜;?kWOV!Jm UKaܣj\$܄=O9FV"kTגyn- jVw!:j<ݜwAxND(ySzYKz>pRN=XT*QU/{o+T&iJ6YK~=H'?0Ou7-峭+5GdA:Vc&~E|OJӒ*X@UNHtc>Z󋄆4OgҨz/'~BQ1| .3SZ$N588l ՃbjU4&٢x/1fç#N-olKu!,O[\g(yϨh:\4{5q=~)|*Xpu0zc7C6Jg5}9AFtFqr74՚ d4ϣnVH A? 'bq„c|sB&IPݝ6m}궕i#:'PfC.4NUc31Zoj!4Oqf3]o"eLt W<'aM(>e5v M:_Y*y]Ɓ ďg%u =ԖIWqBYm]Gn 4<rф 傼;+ZܞQ |V^kɶ=KL)9#bчMBHdG tSs 6( W<ϖO3qͧTʴ[K` k߂cd ؑ/\^芊 >1_OO, λX%Z뤿6@qNgϗI3<=Α}M:skfwvA[" %cŖ=yTwt|P @Y9[jO==E /`1{zX Uѫc5qVxͤe+WbJkAmؗHv&5vmԜ0?0`OwjtkᾛMX;>_*I|p۫7QǢr&C"[m%Ls h6>%k^n{;8c,z'F3{?ͲQ{@?YM|R5\טT}dufx ]"H!' C~H)ӘDVi})"OҼFZL0+IO1&f>}OXwMZѺJnrtw2@v&O7>z?l3bS]';q:MyT'fEmS ű+HZOn,Fa `D7·(-$T*&󟟢ܣX^$Q;_MuKé(Uֆ1uCs1XGb6(kg3h١Rq"3n논%SRbKO,Ts~f~90C`QɨĬlYkTsL,'˼k N ۽ [rLc(>-ZA )ҟFJAt~O[~O)gA{'maQ aB3r#Sq#rО5$Pb=6 ՅZvѺEfD+1EѾDT $wV{cDyhK֚&{)t }5 EyTV\vj.AsTr ;21Vm|hY%!#n>q^: nI {N4}&8Zܚ6HȖ܊)*# zc۶7o= 1z E@l>}= ׌7EBe¦cБ~P {9dkwe5-|dBͫ7EQm]eU0kl\% ~߳zlLrGݠ5fq~Ê Mb஁՚;vpl_3N( a5LfH>&Qb0'=fbLO&߃uY+XPEDJW]3LLL UJ oYs_M'6($>LYcR31[mU %G9L'0.Xָ*vKZ߫Z?NFD>}2 >wV _U 7Q <\YhNh1U=H' x?BkS|blyjrrDTP,8pCwqm?dο"B_WeP]ڀk{e'bf0ݑ]'إ)ԮZg:ħ0nY-ˍ :*1稝 RjVWAN$(VT@W&iP?|opOj=@Z=Nx>;&=VSj'4 &*NwCvό5\4c=:_8~T`w Ci??ҍ}mkP3ZGuxkТ-q K@ $Gۖ [ѐZJدqЀau|'eM_͉v*l' xZ3NX:D2m΂-Dzwk1@t_xUڏ|G-U~lLKوĞڱeJ? 
/v|v܈k,'|`Lqu`a0QT'{KE!S$,kض'8NՀ88dRdy:7pbmd?uPs7a,zh4@2,|u m16j=yסhg9Ms5'.)lp*,Gxst% UgBu 3ggwhxy׃$Ӏ._)$/]uQI͟ἧ&O:@9T'>t~m 4~@sTodZ揥&"_ [$)(zuOoyqS]n?ħyx++W"%EUO{/`,P'^qbN -=8R/]uF<'PkViHguDvTq=4~9 E[:=S{uCrN2o3CU%^MtKs^çyG-VK26۲uYwg3ЀRuJnى| +ZL'm)D9,,ϧw։MɓnS.!#1N)rt#|nDX~ұDx:} hG"8DD5׀AOI` C*T ^NԢ#qoWD^Km^NJϩ 4FŖBӳ٦hz4y.4yҝ4dIB,^N,il xs EbD CFLE[% aQNƏ*żgQ% *k<s&Tq~)qgK#X nX|L )4tsl(%9y3ڏ|ڑhzKn%g|S&)\>נo@3([W`ЎD_$ WQ`-Ml[C *\Dn ^0Cxj}A-.O5Af7JhtY?`Z|?}H$=E[]g?N><$*hnY !*2S>||Ͼ"ey?\ꋆCXAE)qO_EP=)N r ڱWoK]>,g䓿rwo?ۏU\2!QAp4._~0HhSBY2@"XbjZãuE+N;{b7Oy ۥ1{i3;irMCPq?wf|`*gBQ mGCvEǡ2CD:Sqxtd?r/J,P'O0[߻la<о@cH'i0o1h篟~ 7c=KY}H9PQq| ? /ЮwTdml&=ʒè ,3 Yf*s}73lǜJ<[y|OOm:*KD؃0 >g/CMrwDESt,|&sonu!]{yCDP`;4}toS^OwG/1Յ3٧*N.@~Hnl|mI}E5I 3$LNW`UXBowN?vNLDw|.ݪ8J:*Vn_1 a7 ?A)wk*B6sX.tpיhbЏADgO[Q?{l5LQ<76ٍ$UolFLs )9i"p ]msPw'6/l6j;Bňj kƶhԽ3 X}RWv]Nat;΅bPWU9s5z8%w_DDGݓD:Jܡr̷Đ}`Dh._G.E>IF.b=b#>Cͥ'1]sWO?9:L $(qTO97h*h0SJAV\:Dh=ΰk^ZK4N4SoNNZX>! []'*R힓]0*OPqy{K/IT[g ."Onn|ul}^-a"4byrab/<^)Pt7nF`e"Rص d5t[2~DNlRӇ˥a>SAۿK#sU?=x7ǽ ḀG~uZ.w鞖1EL\/\f<Ѯ04ԺzzOgٮ1i{u^,WF]\85PEB9bYiӶ5l]a~Im9e%dDŽ!`bKewKtRoO+VO2.e OO?|e|Sx|$+cֹB}ҙS=Rx#Xc%K|B{C 7cԟ}@TX@bn"ˋZvQe(b^œi[}nKA,8R⪞GKj#Lz67 fPS=C# vQ7+wB&o\~l좢E} ٠Ds`/'ב4Qr)qik )e-1B\ϯǓ2|cx{%F9!s9Y¥r1<)\[NS΂ߏkat~\D/#.0mbp<((v`hĊ/]㾼fUxL,۹h-Dq|.&\ARfj\lzxbՉWxY>vH5+ a.2_~kF &_'4 <螦oUlFwIEEяⰫ3އ"x !I[= ߸N|gdd9s& McbTrC13u)\qy)`f/2&A-0Kt O%wV3>>"s":Y#ɟ~t N)3*#5Vi ĶޘUx煱;Ձpn_³mw<*҆SxyfM:O' .mj r>ҋ"n*NT4pN c \)1 {on^ WXdrqޑy0]{tVgź? 
*xntlo:p;Fݱ&-WJ]0\OXg>.)8u;":y۱=ǐ淖}/ѳ"p+e:&s&gNg<8fe[M蚧}xV8q$,;<?wvG8$g}-y;,*=Qxu`w*ޟ쿽p:^cWqxd]YbPT怚wRfE"za0Z1јa4U{IMхBI*PEq,.bPlvLMZzm;Q|FJL#qL wbKzo6\#|3g/FcF3VUxd1dy #UB|q|F,~`C5>fG11]˞#y=~hauucX!-q|ڻ >=':B~[h*NV|=Mɧ92Y (E* vfx %ߵ $+lgoaBgڍ18M@Ty-q =k ;p1N/JPIeUKrk /PPG" XE7@ ?)8֋(|& <]_EmE#æV\lވbSM/2( d|izy8 yeo'+-kF3X@iK;-^(۽#m6yܔO"7?T,G/QdōLꚃlcL˰ |F3P6"|>Zё.(#§1Ѫ)ħ1Ƿɵوth1ُ)ɱ?<>JA<+ ?t/d CWOC#+y+y+y+y+y+y+y+y+y+y+y+y+yWQ~?|q^R2j^%"Eh嘫g^|g^|g^|g^|g^|g>$pxW.>w@YoJѝSqzx:tn4W%sW䡽F1kymЉO2g?Y3:̤&bstU] |b`,Vl k& W(|2\i|\}1ɸK^9(vS>B |9 >7ç6NcBB"|Xgx>8.45ǧp| [Qj{cюefu ;)X&~Jȧ5'| Ơ#2C AT.gӷtⳋsN pCvm>x~l bj; T^x[T?\MԭӦ̾1=qYP)<< еl=P<a x; ӼO(I}@޹? c%T.% 缟pk%c藹}gy/^%+y+y+y+y+y+y+y+y~a/9\~+Gݝ?eY׷[b9Plz}qUyڿeƵѷ]b6 q'9ϏC! ryAo,㣇[xw"xse e; <qxψ> (U)s Otnx B=/bIrvtllO(L@G q)cڹ 5*>U洡P}ጟ欙S7e;¿?O(戾vİjہ񁣧95?ϰҾǑ>ֲ%p?DֱЯ|.1E!=~A 8nag(33}8^\QRs ]0v1Cٜ&ǁxS32{GTGܘ98\*>E@8;BJ`aIF|윟|wԗBg>k1#!CNRh}a'Q}ȪQսbNg~iRQ4Es>/l?xjc1G^2Qsɱ&O'x2E祊tTЊlOT` T,Ŷ%LF2ٲLML\zjhb zyJ,|" Bj9swF|w0oJs\HTTÁ~k-ՎHL>!?yY+$)Y:zoD V_>|c+@283c\R1o 9f+< l?vJ=Y-a42v$r1v#|Εs;Ͻw\n; oR|МL 2p\_)`l8[0DǜJ>-l*ĩ릿o2KVڶmaI_4 }{0 |Zk<|{@6y07MNу՘;6`1|.|B;D:9*Őz ^"L=F#Pv ˻5} O#?tg4 $|x p{y,eԍ&.,kMi뺞/5oHyvZu#ԣ1[Ɛ9oOLE+ޜ p0OBěRyvh ٵ_r*6'\'쌹'MeQ0OVog=U(T1izg墈4+ܴiE(n[9ZAZ|idE_UQ dԇp C)us iC.*9Kt|2n Ԏ^?7cP ͐ + uL ZIl/ٿD{% ȜTeN|}NIka l?L';y$*||FeuP-;v;{Rwfoyy`[? wzPGDw)A_o$Er>s´"0<< U۾A5?'~@ѿ?) 
e痺:P8;_(IPLm9-/9">^wɩmf:iCe=>BHg6a!*2GJ`B)sᳱcli/soȑͧʣؚ l)?m f#TL=scb>[=lCc[~>LafOTA?Uk3wNa1kf=2l˃( d>_jSb Pħ_myݧ>Kh.#*MNPħC{꽏GE/!O^në  6ё-u/ G'YŻ'|1ERYU؟xL"&i1ULdiqqY`t陓4>#v5A>ɠR|2lOv,ϲp@?HVr&2Hj-//ozĩϕ=Uy[g# E%,~o8+U;N.|ڽa?oϼk=983Ec"ZO#f{DHJY&RO;u0XB/v6v09ASigz{$s |q3HH`oӼf>sHeWdB߷SqTZ~O7xkhvuB)E(Z}UaRw}~؃W\5Ƙ 8;[w"GɊ_M_1`Fxw[7+}Θ1'սi GHSʍ{`;EČ/O8G fJt#A~y$ݏPp~t4y GzDϴπ06666666666666666666666666666666666666666666666666hH6666666666666666666666666666666666666666666666666666666666666666662 0@P`p2( 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p8XV~_HmH nH sH tH N`N Normal,ndhCJOJQJ_HmH sH tH " pHeading 1,1 ghost,g,Ghost,ghost,g ,1ghost,Ghost +,h1,Chapter Number,Divider Page Text,og,Heading,Ghos,g1,Graphic @&CJ*2* Heading 2,2 headline,h,headline,h2,h headline,Heading 11,heading 1,H2,heading 2,Heading 12,oh,Header1,Heading 121,h g2,Heading 1211,Heading 12111,2 hheadline,01 Headline,Heading 13,Heading 121111,Heading 1211111,Heading 12111111,2 headline1,2 headline2@& #@5;020 Heading 3,3 bullet,b,2,bullet,SECOND,Bullet,Second,4 bullet,h3,BLANK2,B1,b1,blank1,3 dbullet,ob,bbullet,3 gbullet,dot,second,3bullet,Bulle,bdullet,heading 3,Bullet 1,3 dd,3 cb,3 Ggbullet,02 Bullet,bul,B,Heading 21,3 bbullet,Heading 211,3 bulle,h 2,Dot#F@&]#^F``B` Heading 4,4 dash,d,38[@&]8^[`nRn Heading 5,5 sub-bullet,sb,4[~@&][^~`fbf Heading 6,sub-dash,sd,5p @&]p^ `FF  Heading 7$$@&a$ CJ$OJQJNN  Heading 8$$x@&]a$5CJDA D Default Paragraph FontViV 0 Table Normal :V 44 la (k ( 0No List JJ center bold,cbo$dha$5@@ center plain,cp$a$bb col text,9 col text,ctdPP @CJ.". 
|col bullet,cb,Center Bold,col bulletcsb,u,cbbullet,C2 Col Bullet,cb 10pt,col bullet1,cb1,c,Center Bcbold,6 chart,Chart,chart @E^`EN!2N col dash,cd k@^`JBJ col heading,8 col heading,ch,Col Heading,8 col heading,8colheading,9 col heading,e,ColHead,C1 col heading,8colheading,C0 Col Heading$dPPa$ 5;CJZ!RZ col sub-bullet,csb ^`LQbL col sub-dash,csd^`FArF col sub-heading,csh;BB first,f,1#^#`CJ> > Footerd P2CJJ&J Footnote Reference6CJEHH*TT  Footnote Texthd^h`6CJPP footnote,fnhd^h`6CJLL harvey ball$a$ CJOJQJ>> Headerd P2CJBB note,no#^#`6CJRR numbered text,nt #^#`5;NN oversized graphic!]^@"@ paragraph,p"#d`#T2T source,so # ud^`u6CJ>B> step,st$8^8`5<!R< sub-heading,sh%;FbF table title&$da$5CJZ!Z trailer,7 trailer,t'x#$2/..).  Page NumberJJ TitlePageBottom)$da$CJXTX  Block Text*$yC]y^Ca$5;CJ$OJQJJJ File Name in Footer CJOJQJ^^ facing page #,fp,&@#$2/.5CJPK![Content_Types].xmlj0Eжr(΢Iw},-j4 wP-t#bΙ{UTU^hd}㨫)*1P' ^W0)T9<l#$yi};~@(Hu* Dנz/0ǰ $ X3aZ,D0j~3߶b~i>3\`?/[G\!-Rk.sԻ..a濭?PK!֧6 _rels/.relsj0 }Q%v/C/}(h"O = C?hv=Ʌ%[xp{۵_Pѣ<1H0ORBdJE4b$q_6LR7`0̞O,En7Lib/SeеPK!kytheme/theme/themeManager.xml M @}w7c(EbˮCAǠҟ7՛K Y, e.|,H,lxɴIsQ}#Ր ֵ+!,^$j=GW)E+& 8PK!Ptheme/theme/theme1.xmlYOo6w toc'vuر-MniP@I}úama[إ4:lЯGRX^6؊>$ !)O^rC$y@/yH*񄴽)޵߻UDb`}"qۋJחX^)I`nEp)liV[]1M<OP6r=zgbIguSebORD۫qu gZo~ٺlAplxpT0+[}`jzAV2Fi@qv֬5\|ʜ̭NleXdsjcs7f W+Ն7`g ȘJj|h(KD- dXiJ؇(x$( :;˹! I_TS 1?E??ZBΪmU/?~xY'y5g&΋/ɋ>GMGeD3Vq%'#q$8K)fw9:ĵ x}rxwr:\TZaG*y8IjbRc|XŻǿI u3KGnD1NIBs RuK>V.EL+M2#'fi ~V vl{u8zH *:(W☕ ~JTe\O*tHGHY}KNP*ݾ˦TѼ9/#A7qZ$*c?qUnwN%Oi4 =3ڗP 1Pm \\9Mؓ2aD];Yt\[x]}Wr|]g- eW )6-rCSj id DЇAΜIqbJ#x꺃 6k#ASh&ʌt(Q%p%m&]caSl=X\P1Mh9MVdDAaVB[݈fJíP|8 քAV^f Hn- "d>znNJ ة>b&2vKyϼD:,AGm\nziÙ.uχYC6OMf3or$5NHT[XF64T,ќM0E)`#5XY`פ;%1U٥m;R>QD DcpU'&LE/pm%]8firS4d 7y\`JnίI R3U~7+׸#m qBiDi*L69mY&iHE=(K&N!V.KeLDĕ{D vEꦚdeNƟe(MN9ߜR6&3(a/DUz<{ˊYȳV)9Z[4^n5!J?Q3eBoCM m<.vpIYfZY_p[=al-Y}Nc͙ŋ4vfavl'SA8|*u{-ߟ0%M07%<ҍPK! 
ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 +_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Ptheme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK] " 8@0(  B S  ? #2  hh^h`OJQJo(#2 n @@UnknownG* Times New Roman5Symbol3. * ArialABook AntiquaY Harvey BallsCourier New;WingdingsA BCambria Math@ "1hJK#fiK&,cY0dS2HX $P n2!xxChristian, Michele Christian, Michele        !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\ FT&" WMFC l EMF \KhC   % %   Rp@"CalibriHRO`2H@,$O`2H@ o.1@H <:o.1 ,%7.{ @Calibr ŗ`2s:Lt9'1z%1<:dv% % % !F(GDIC!b K  QOPl0 (Oppp@@@000 PPP```C k                                  H       "             [           &" WMFC m            8          ^                5   2                #    h                                          &" WMFC M                            &" WMFC -                                                                &" WMFC                                                                                                                                         &" WMFC                                               &" WMFC                                                                       &" WMFC                                                                                                                                                                           &" WMFC                                                                      &" WMFC m    &" WMFC M                                                          &" WMFC -                                                                                                           &" WMFC                                                                                                               &" WMFC                        
                                                                            &" WMFC                                                                                                             &" WMFC                                                                                                 &" WMFC                                                                                                                             &" WMFC m                                                                                                              &" WMFC M                                                                                                                  &" WMFC -                                                                                                   &" WMFC                                                    & WMFC " FGDIC" % % % TTAEALP % %   n."System-- @"Calibri---,n,TA Op(Oppp@@@000 PPP```C k                                  H       "             [                       8          ^                5   2                #    h                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ''--- 2 pn --NANIWordDocument SummaryInformation( DocumentSummaryInformation8 ,SummaryInformation( 0 bjbj΀ 0 $$$$$$$$8!% -% $'9%9%9%9%9%&&&'')')')')')')'^),v)'$&&&&&)'$$9%9%>'f&f&f&&$9%$9%''T) f&&''f&f&&&9%q=4$&R&'T'0'&v,f&v,&v,$&$&&f&&&&&&)')'f&&&&'&&&&v,&&&&&&&&& #:         h hjh U    dgd  .:p n) =!"#$% 44Microsoft Office Word@ʗ1@KhM@FJ@(Z4՜.+,0 hp  BOOZ-ALLEN & HAMILTON  TitleOh+'0 P      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwyz{|}~ \p Andrew Westner Ba=   ThisWorkbook=<5x-8A@"1Arial1Calibri1Calibri1Calibri1Arial1(  Arial Narrow1 Arial1 Arial1Arial1 Arial1Arial1Arial1 Arial1Arial1Arial1Arial1Arial1Arial1Arial1Arial1Arial1 Arial1Arial1 Arial1(Arial1 Arial1 Arial1Arial1h>1,>1>1>111<Calibri1>Calibri1?Calibri14Calibri14Calibri1 Calibri1 Calibri1Calibri1Calibri1 Calibri1Tahoma"$"#,##0_);\("$"#,##0\)!"$"#,##0_);[Red]\("$"#,##0\)""$"#,##0.00_);\("$"#,##0.00\)'""$"#,##0.00_);[Red]\("$"#,##0.00\)7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_).))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_) 0.0%                                        ,  ,  ,  ,  ,  ,  ,  ,  ,  
,  ,  ,  "  &   ( ff + ) , * * !   P  P    $   ' ` #        %    + a )  x@ @   p   h  "x  x   x  *x  )x  !x  x@ @   x  x@ @   Zx@ @  1 |@ @  "x@ @   (@ @   ,@ @  (8@ @  (<@ @  +8@ @   |@ @  8@ @  <@ @  8@ @          @  &x""  p  p  `   x  )x  p""  p""  t""  p""  x"" *p""  x""   "x@ @   `@ @   @ @   x@ @  @ @   x  x@ @   x@ @   x@ @  8@ @  x@ @  x@ @  *x@ @   x@ @  *x@ @   |  x )x *x  (@ @   `@ @   (@ @    x@ @   x@ @   x@ @   x@ @   @ @    x@ @   p@ @   8@ @   `@ @ 7  `@ @ 7  `@ @ 7 1 |@ @   x !0   (  x *pUU@ @  x@ @  x@ @   `  `  x@ @   p@ @   x@ @   h@ @  "p@ @   `@ @  "p@ @    x@ @    h@ @   @  *x@ @   p@ @   @ @   |@ @   x@ @   x@ @ +  x@ @ +  x@ @ )  @ @   x@ @   x@ @   `  `     @       Q *X "X ( "x@ @  "x@ @  "x@ @   (8@ @   (8@ @   (8@ @  8@ @  8@ @  8@ @  8@ @  8 8@ @  8@ @  8@ @  8@ @  "x"  "x"@  "x "@   x"@ @   x"@ @   x "@ @   x@ @   x@ @   "x  )x  !x ||?z}(}00\);_(*}(}00\);_(*}(}00\);_(*}(} 00\);_(*}(}400\);_(*}(}400\);_(*}(}400\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}ef00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}(}00\);_(*}<} 00\);_(*_)?_);_(}<} 00\);_(*_)?_);_(}(}00\);_(*}(}00\);_(*}(}00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}-}> 00\);_(*}A}1 00\);_(*;_(@_) }A}2 00\);_(*?;_(@_) }A}3 00\);_(*23;_(@_) }-}4 00\);_(*}A}0 a00\);_(*;_(@_) }A}( 00\);_(*;_(@_) }A}8 e00\);_(*;_(@_) }}6 ??v00\);_(*̙;_(@_)    }}< ???00\);_(*;_(@_) ??? ??? ??? ???}}) }00\);_(*;_(@_)    }A}7 }00\);_(*;_(@_) }}* 00\);_(*;_(@_) ??? ??? ??? ???}-}@ 00\);_(*}x};00\);_(*;_(??? ??? ???}-}/ 00\);_(*}U}? 
00\);_(*;_( }A}" 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}# 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}$ 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}% 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}& 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A}  00\);_(*23;_(}A}' 00\);_(* ;_(}A} 00\);_(*ef ;_(}A} 00\);_(*L ;_(}A}! 00\);_(*23 ;_( +   2 +   2 +   23 + !3   !3 2 ! +   25 3 @3 + !3   !3 2 ! 20% - Accent1M 20% - Accent1 ef % 20% - Accent2M" 20% - Accent2 ef % 20% - Accent3M& 20% - Accent3 ef % 20% - Accent4M* 20% - Accent4 ef % 20% - Accent5M. 20% - Accent5 ef % 20% - Accent6M2 20% - Accent6  ef % 40% - Accent1M 40% - Accent1 L % 40% - Accent2M# 40% - Accent2 L湸 % 40% - Accent3M' 40% - Accent3 L % 40% - Accent4M+ 40% - Accent4 L % 40% - Accent5M/ 40% - Accent5 L % 40% - Accent6M3 40% - Accent6  Lմ % 60% - Accent1M 60% - Accent1 23 % 60% - Accent2M$ 60% - Accent2 23ٗ % 60% - Accent3M( 60% - Accent3 23֚ % 60% - Accent4M, 60% - Accent4 23 % 60% - Accent5M0 60% - Accent5 23 %! 60% - Accent6M4 60% - Accent6  23 % "Accent1AAccent1 O % #Accent2A!Accent2 PM % $Accent3A%Accent3 Y % %Accent4A)Accent4 d % &Accent5A-Accent5 K % 'Accent6A1Accent6  F %(Bad9Bad  %) Calculation Calculation  }% * Check Cell Check Cell  %????????? ???+ Comma,( Comma [0]-&Currency.. Currency [0]/Explanatory TextG5Explanatory Text % 0Good;Good  a%1 Heading 1G Heading 1 I}%O2 Heading 2G Heading 2 I}%?3 Heading 3G Heading 3 I}%234 Heading 49 Heading 4 I}%5( Hyperlink 6InputuInput ̙ ??v% 7 Linked CellK Linked Cell }% 8NeutralANeutral  e%"Normal 9Normal 2: Normal 2 2 ;Noteb Note   <OutputwOutput  ???%????????? ???=$Percent >Title1Title I}% ?TotalMTotal %OO@ Warning Text? Warning Text %XTableStyleMedium9PivotStyleLight168=,=,̙̙3f3fff3f3f33333f33333\` XCoveriPurposer Dashboard  Test CasesOut Of Scope ControlsSources Legendj Change Log!  
;   _xlfn.IFERROR  ; YH  Á"n-L'Š!6@=n-L'Š!6 ]xxuP[np+NB)RHqNhqC (5H79;ss˞53 #$!B  a95y {H"/}m>f>JleP 0 %$a LгPN'OО OR#RГ5z<]dhȨ(ȨȀ?$"O!3π&נ i|!;ľ~ #O!L_bfiV?uxM=)Tst,!@j,^ @So?$|1OkxII@Oژ4TS,ZC]qeD|G(T)5).*= c9+WkuRX_P=?H_"wC*`&+@(nVV?5}Q{YڼQJ(kqUp:HwI$ Y6 S1gj3+|pO}W xK#.rqH\n* Ip}b'0X PX^qNg&'1Oz^WEj>.6yuɼ{e_@}j| U|QCKeZQ1pM]]( FY/w$թN ǼV70Me/ಥKLMkV#2i^V}jbpGR"p Ҕ;92Py"@0ne;Sq#XlXf"ޗ;-& x7mt| SmL% M._z6WT֑MM/odjQԕhA3ؖe\L6gbbm'Ra+b¿'"Zj0u>_mI`s./.%O|^/&8;ğq4sM޾څ ρo8Զ](bGKIaY, ][AnҬJKy_PcdDŔ8\G/@)?2d#;B륽Eyh5/]%QڔS觍 @-Y'K]Xl捙j-/?xŸ4Ϭ,nlp` $۰?k&Y̨V Bԏs&7t:^2E+8 <m":vKT#|M>޻,$Z1Uza $iET+\#27Uof^`裷B2 #|./Bu~6 Q PYe['4'&vcbvPBJJ> ',gF`73Ȓ.K1{]D6̬>Qj"TnvS^GRƌ8,!9b>7cNitA_q% I+>頹bbݳrXTf%M]ļ~˾ݏ W43JK<*?%^6[ +EH:f*"Oz^ֻa-ߞ 7 w@D~GBͅrW({{34&0PZVOQ jC" X'@JgCd,O 4WhBt;yb^f0OciЉ%FBpѺ+Lј%R 8ݻ#GyB}l{|~\h΂W$% AZ鱄KD&{;3Y:V$ޏ7a(!"s6hy~ m]0)V̲L:]@6"{D,dH/6Ƙ ,eԩpa7:DHi*;^{!GΒaS^$?IoUAyo `/G]|"Ff} ]PU3XWQqJ9=9K9̉,oRv\o Qp7t\*{0-Wu8Ytb;އ,cʥkGjp/g pdydݤ^Np7!oI oJ7n_ڢaZ W0Jq >|ǃS2mQ L[@<3u@L0LuȱY%}fH@O{v:xnd?Ug'%Ư; uNc}nLR#zo~#SʞiΒ7?2c79L_nn|+-33 :İgg|cqHeQrhe{jbX 3qH0^A9`}e`B˛FpVnt߂ߑp҂]ׇ1L@uVWw*5wL~|нA61oRLqW ma XVu]SX*H YmKf-8p*g&{|g֊ M 6M?Xcj PXȺZa|5f@CH6BoCuVUue2h4a0dέv*[ڛQsT c,yڌt*7X"BUx\S-*wF+5Fihgoq:ɿ{饗uS° l5DLNh mE[^hbC?X|̮LfdqAi-kFL8KC]vDUinmiֶGac4LW"2?dd;WZXwxMfKT[`0lR Ey I_ .ةcI9^ >ER}E>4G JYӣ3pMQX<,4eۃ~ VbuITzڟضGFi1X^2UQQ8~N1$Y[B: ̼pe&?vK KČPtv8iF)xxōs9^Qi,K!ْP̼7] ^fhO4g+GU=-ۈo$x+U44@DCߐW^kv(Tqļo%߷x.'J^^ 8>AME }R*bA{=w8V!l 3բdC=srM z6lv̜vӳMr63hv()+IR~WS5XiFcZL^G}'tXu@|G!S s$ v/_qA ŋ+(Ը;o>-O m $бՔ}:Ni0JN5ȂC{a3AV3̱A$K )wTJ1k@;+#@dt"0/wҬXAmn:TdϬ;C^|'M@;|"\M)$(ЯC|_gϲIO85޹X/2<{-&ԭumVҿ!*WEE%S5,"0*]A#g,B*G{TBsO^"J=Au t7/O-]ŭ*eR9gVՈk7xx = S.hW+W)?۔iy(;Ep^ATVٻdτ991 epIE‘TLJ BL[zް|z7Z-c1)j ul@ 1`NvśPV@hRV#9pb&h\ n ÑCPxS.J}}I_ݸʖ" ?M~0Czu7v, ޜZW_rqq{<[(PH\sUKR/C: =e5G;'wR5zj1*LfP>Z,gR>m>w(#p#oF#l71t..6*yda L#cQ%KQvw[ d@aD|I7re>Fő c76S$w"$7dX6׌z4Avb}(3fmYH$dUFo\ifzUCG"7U8xd?!RDBcRւ%iʶw'h3?Fhח\$]Ef{:cӮ_6u]wA d !s6ԇ-ڋ P' ^/(M&5W0b -tvk{̋s&#&+vs'4o.~yFI4fO|3aCzIb!Q-R!gS.A'< [@iגaN=^O 
<؃}JJyoIc>=Um8o|$r-S[Ѡv Z8l53&TTw:-K2ӷrÅenCa".}V_%\;;cP95*ْ>RxW6΃چDG$-w|!8eGL٢!>^L [+ 'jh7dV᯻$pGϾCcSzX-9 LڳLAj;Al;xfhMr evL}P 82>yCE8r*_vZy i|)'Ur-v焃hX'C0Z<ʞoơ$g%VjQ6U]My.Xtpsƽཟ ہߝ͕\rDi$;SiG'#%UK% f:mg&Ƭ;f >G³X]U+|yV@\K_E8O@7 ;$Ƥؽ68߸]ZrwɎ=MVOC4'$Q >h&Dm $)-̇zAu;Un /w3CvQqL;."ݶ֩4ʽ22;ޔqۣμV`'/vС*N`(un;[M+͘阾)9~{[p * }ݨ r "J ! K"u{pTIi0íofxe%em3&G+p}?Q.e!Vjt$^-U74-R NIQM |o7aA<[*&"jXqIM#Rzhq_4`Y۰evo''U#ԇԍοž&CJ8k֙fj`lEu!Up+M1޶y>(:|B^{wů;-W}\717,qCD-ׄj :'v~`Ԛm`Xp7~]5XVݾD:l"WgsqxBAKTd] ՎiN+ߥ F\ڤ>ƽ9.Ѱ<6<0`70?r4w-d&B' a{aaÏMxJwM/#>.9n7KP O~~G;҄Upj٨S%^^m<5Wae;9V @9凶ߠ˺:mmj旖ӭ](4÷ucbZޥL1uLK#]L+%.$_R'ώdq9+jIC ws*R+`!-2|ODLdSk o/+b2L8Ȟh/cr{YZL&nz1â"9꺣cVldd73n#.c>ݐe^cRӍ1d|tV!/ 6+ 6mP-ώoMNթ$e5w0IIf"CPߏo. |Ӭv tlz[;{*B-'. Nj)(Tz哉T7̈́aE8˪"Bs40yv)X`mS +fxa<(|2F]{F>%9ٰt888p1ܕɳʶ3ݱ'ޱh?}=ಹ2͞("ܴ䆲rݵ!7ݱ%2]nň/2/8r;Zb5Fy kW3z |ruYNNyh ) Jp4y9BN.zfES.յWvDh mĹn s$B٧GDὐK_x\Txۙ-F<R">Vubw$YTII6z;gcdҗ '"= xn6a*jg/mDΒ>Da攷_a\Mz뭵!U 0|+JA,T ixd"jm 'GBXGtۨW52z[R.2.;rsAʴi0آէe-苼gCe;*?2OнIXp᧤6qߜL;Vh٫!7Rr Ѱ\WP0u} 'TV!(|`rQŚPuk]yc⛲箑8HIKZfC]tsD íxyM70Uƙ{xX<_~)/oǚ]? 
<nHiT\O;m(,u%T(T*WQQ%[RHITv/̙{/z|_ϯ˼Ҝ99>9̜32'=/1>ǃհշ [8Ǿʑ辱9<*YRڥg 'j)5h}1QB:ӗAf ݜ+d61]Jaio9$dnG}i{(R7@bJPפ8CvXtzɓTZZ-;w.~wJNjJPBw{I!ߊSK&%UiRu.Y\֊2LpJYG?&S;^iWJYK`+#{n J':?m9,UoIm鴍UG~5JƁao2-L~A-,eGN?sڬX'|UCw7um{iڲ5S^y]fʻ U:}((}j-˚?pvN7v&gw 4u})n}M-v'>GuGWث9;շYcR([C9{D ) jIAtEm3~rh皁)x&\rJLq𲊦5?[ݕPЈ}\15MI*CMp# Wq6KO, ^e u6$ `n 4>sY,k^ֺ8UM;أz%Jf!wNdʮقЌECW7儧Oy%{"ar9G~e\k$~Tؖڲpmq޶$M4w1+[bSf1 &N`g֌ܲc\y &Yr 9딙Aɱt x;+J{]QY4概&)ComsZ$OejM'~ xb>V"U=k"D}RMcLDOC3 f}vrlm3<)u:18s<K7Hl2i`IT2u\/דsGԦs%q~SO\buI Ȯ$=:y]n QASWggBl{^bӷӯE ؔ$Yn,UtK>6jJLMr /KxXeחȎ0)1ˏ kSkm;ywDWtX`G&kJ4MV$捁fN$[NַO-{_Ϊ\Ƶ!?潵Okb-hjȴ r M]S<5H~.˛cӅK^Ŝ*+Km\%;[GxbVgQbܪd7x涓?]qr~F^m_g DQ#b%wvؚ9MO4Nȍ齧qL)d$tޜ["֐㳒gF^6T?ɻqfS{y`[K6uA/N+""Dsܫd) YY?%)o`'ԁ?oVTƅyu): W5T{d/Z[W|obyBԽ_cuBӊ&3./g΋9=uSsJi͒'8x&w{lk66_~ڱ?s-7OX~9F"g996ÏNOZ"U㶙"+RU?Գ~k9NǼu,~}'5SԹJÍvū< >6ճМC~緡8|;-%/̴ܰ>/虾6G9Ϲ9Fi$rժ9OlǓX߹eTzb}A52.aE8LK"&NiϱxauY># dۣUH%=lt3wY?X;qzU%ZZT~ZdHTY׫G__zڀ*E.ע'zZ YiL |ݤ+S+TU.kFnoi20Wkh^qyV5̑ܝ =;*y)ebʇ-$ Y " ǏN=3Wl/;Uwǹ"_Mso]aE|GL^#@4y`%qc"%~z]W/t FjvziARC6&LzQe3͏S]ǖ^PLTvdj%M+^b(S_zݬ*G-&%"~@iod&z\Pɼ=-rC+0ku W=u÷G[CH[Iۤc0?" 'B[TJL2vSXIC+I{M??H@BI:6noG7@ 合c2yCByhFБ5)SżLjAI(XV 6&/))$%%aD"inn9r|r2FVVavڅp6y%M,v8ϱ%0s[in"\#҂S[SxD7O#qrR33\S&/ AQ.^0h{0 /@a.5RmD0yDW'/R8C+An,'>&.A[mj"I-O9QQZTPv6dMq(S@4!?$ L-O* F:iaax +:,( p8#DZ(L dǓ:8/ :2}{<Bf^_7ôOdlxlBB` "lyG&71OC)CU;Ba(;Óat710 `" <)*&gx#T9NSQF 5"#lH"\+`1aѓbϚSգaUǑDF$|9B5'%(F 0kõ$mk t<J # Aʛ ZucWfsDΓ GZ4Bգ3,ESe8Qh .Ń虡2i1,y1[ PưBe1b̴;(7yʐu%0¾³ R\ zC&KN NhP-Mz4B DF`m-g % TJMpJ hb9ZOU=Kv"XePHy#efe`GHФ D) a0P Ȧԣ'R̟OJ4.# d$+ "H?IkR@KޯCPgXȆ)*5X4B  _ARnbsF: 0DA]IO`|$ 5.}JUyDKQgDIgOhsr0;| I'=u")3P9$ EOSIj+HE`S(y eIV:(%Gt iDG4xOa.n< ~#7ɿxm# C;G>Ԧf90ưűI΢yٹ()N03~ T8CX^ZiaDZ؎(b C ״$AP (9*85 }< L`c@Ul[#VBd'@Ʌ|@ɦ̍Cefa@!LaF䉈J 4'p%UVzo +M!p$`kDBଅĎb~2˨4Fa"gGbޖ!'{C BȠ<#"yBb|< ;9*Mvy"[bh} 3Bu1Lfx2j!;JuG'eG͠劲GE&XOg/fn<"8r9A/T?#&CyEE2VU<'*17G$]3ԙCĂ?Zȸb]#ӡ=/BW/WEAOmi7{Z4-X4#*~ O^TT2~'0?+_6<#|L͝öGFhe5y-6ԟ<ǖJqcK`l8ϱ%0s[i9sl qxBӽI(L u &)7WTX>0Hi7x&Ț.` \IТ:֯sA1c@?Bϯ0?KJ u*2*0b ?l/!ײ>f\CCr/%m DsXPg:C9? 
RgMuQȨ2> Damlx2V]є@Hf9 X,Oe [t伬2& ʗYز1J/I "xf "$'6 mvpptk8D-~ OvL OYW r^ ,::aH, {/݃>O6QIKj'3t&A@ဗE>E^ck1^Ht~  WxL\"$ j7## [>W 4bzIӂxPx5Jm(EAb`eqS)LO{G4zL"~xhg>J2X1HN"/9"TL2) ^MiQ(A8 $? VEw*AyChoSѐ4@DCڴnq3!"<?,#AKLlm-ğ(BI,-szkT]s6[ә_DH).;k+1ə݉͏kIE1yjV4u&C&7<=Lj^EwR7Ϥ(&ܝx*ItnԺ#\"! p)7kg΂Ԯ)RZj<>'qQPbOs&gb.Ll],(3weIdM4ۭONH:5~WԻn딏 (_ {TA@ȅaN`9=?Qnwq#rE? ~[{*w9 zO, Kү?eA¼V$OoiڊaxS~~8NZn;զNƗ _Ts `!ODkK sCJ+)V,E&KR|tOۀ\w3Wm-7h7XdO=#cVEELŲv+&sCG!}~89j_i }"Ucex uPUf3/ TPN7?r$(sR<}\x>>9S=n.3[P&RFuj^ N<'*<F[gYb?aij^GMg|ΰ#7Ey¯pr({oVȟ>ン, TK`uuG_7"+n+ ^N,6Jyd[T F=gt͙M qa- ;26~5y 6e >-հ{/*ĉ#ڿqu<:v7V D;6 kywwiCN!'>VW@Տ 'a`ůݮ_gّ_\GAn _sbǴJf!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ%+3z A\$[WXϧ ďo<}2C *+&%;T_^|oiih~8=^wL';M?>; ]{]܃lx!+/tiz<Q*AL'B!r%ZѽiQ3 ~TF|b2]a{տDW/--SÓ^t(@@1tmkM7z.m9]“^5V׶S؈* 9P)KEm<2Yv<]aa)~ϊ"[Aa6rSs}vgXR#; rFe/O%trohF"QRٳX a3VeOqxZagM0Cyz '<}W hnR}g(iWj;m„D7e/wo_+/Ņ:yʎI﨓+.=}s*@{Yq-Ga8<=:s7s<O@aO $; Y6pÂ8Kח[k ý`f~[lҔ?%wp{ϋZH CMlzu~kO7k):+:/aհx OфXH ;ҭ+'dz$i;Lf8Gn/YT-Ӓ`8(Ӧ.݂ m|;3?8lӘIqQǾχW ̃2c5~__gaOvi9 o,ϰUkj[jo)8d.+q˧A<>%Xsۏ%Ί)Q^ @΍qKqƍ>}UjR/]ש.ue/3 <ʘ}RGy45X gOԂnsTx[~/Y|zk~-y TRQ &SI_HBz/lYkx><~`o2FpQ2G?O QrE텛'? 
sY9óy,?y=`2-gPW-@xЛG@ a@p(pZ]ӽ)!X3|sdgfOoS r]uAX)?`b&'kmœ(WHi.}|VꃰR߱.rW\ ),cmpJ];+Ox^ ~r+tx:@6( v<}$joG:uoxf5~O|woِz$k) !U{G6@J7˹!ͣrכ ecoGoDCUיvo"es49m>xvǛXM@; +u/VkӢc)=/2ʰdy7s34 !׍ 0qW1Vn [,p&[629iXI3+:{Iv=f`n5Lzp<;!4>elwX0:OhyO9*q{ z][^8OAqdu~<3Ka>,s .=xLU;%@dz [˧:BQ;h (@퐊WX\#&}Hi'F.odzڣ ᜖#Dmѐj5>W#vn҉9wnljBnz'#CPhm`-=`fHZ]#wQ(cCΔ dHUs~tCw1Df'&A⽹.xa ;|^,:ZH'w9g> #$$Dko % s_sh~A(]{4[_&ujI Fh `YuhAxLjZ W}kd:O,A<*S >βgI9̦:=<3eό=MG^TFPE4Kx$I?PWM߈jwRn튤Pww<4 6Q/'u" &шm9"uxR./Itp":uL'Gʛ+oK$\3Nj^r}-xk * m.'`6*o=~!*mhsAp$U͑H v b"`n 3vdELb+Tt{p@aC[g-Z~;x<7OqYckJoX*/Uн*Υxp23I%DFMI8+е8>'چkk [Ϗ 3,J65*ʁ&29zN6v{ m6#$*h5ҏ`RQ #XMGj>>q,`@v'PJm'i 212ueƦ4aKPAJ*)2>+Zɷ4%紳(5?s<|tआE6cɧs7.źx253͍FFs'.&ճGM= J6ڠf%"#_ҤTmD;6xz}}6TGVOj(@j~fVDGtZд҉(9'7-jL+z 7ZP5™rw,m5=g #L;*wZtk'4E t>UqlULIEa IQT* k?TdwEC4o7A@_ 1Plz[Gu $:X<ɢ&mR.Ӎ8׋a|k'uU#Je:XW4I_gynafl!T,~E6KSpQɅOY/C*BL`0jn;mxׂr*}ѡ4uojHzx3OM T߱r/:U8 ŊMJQramoktf-ݩN!6vRCc'ibyሲB#2 G pƩ 7+DџlnN~wҠ9F+CPCՁ9Ak\oݶ`4x7[khhNMVO JUӸ{P ?^@!* "lEaI_{LL0P’s~y iΗ/iOl5ѦjC#+2-`SJHRJ ҽpl3MȊC_ϵ]t_լ@@%lx-RYiv fB;$Z(2"u( 5bhRۇb1Mwh x? \&]IU!ʓsiR^i\&K5ã0)vYU20PYo*> ϯC 5*4qPI`^碷Sڐpz d)*V D渡}Uotvw}:8y,?UX>gBAfC6*5xy5i 6\*h`?@.O{!u> S'AF`!sw5rPUƞu0C+4Q"kt7U;L)v{:+$B6|OCo'LĂ^AE-f|5iH%&Vm-RbJKJUe]l'gW n4) ]k\d(9j$qh1nWn-/ ç1;$NϏ-$?2Uj<ڰy}DVj5G}>% ' jEX\ Lju=vJZܩXz} g_,U7;W#&vWv %xvBg2O= {2pxd}˳jbGlJ96E|r[f|v1~h'z 7tTdnr'X5#_URjT|/OE0@;ÓE6DZ}K>jʉ h 7 N#߅i> -='Ϩ8ވ cAAV15.s %,;}}O(mw&ҩbV':G b^- /C3 =(Su+Y GzUygĽxPFJˀ71x}RswB7R8˅發(V+5s/Q{%4\ BgwEa@YfA͆[ S,^p'6*Ym(2kz<;ᓼ [Hb~`$qUnĒVbYz FK#om <b=hZlxr kG_K"h"f5;$`t7آ"K_ۯ=! \v?Iq7@AlQDSL\ƕ>L6w\'ƕ.|x@6M>>+h@MuL8}8Q\(QtBGtC%GeI_'czǰc]F>T7fF>KN_Y]kEcjRFaq_xc]  32]<}|0g 3A\ُ(|wcdg-5% .C/_!a2x^34n<1|JL6o)&v  ؒV[{{~E&TI)q+?|Vl^<'0-z8HW[Y'QfH'y he koYU ʁWQhD%I7:Փv: IP1N@_H < >Б _A%ZVRȑ#w"z\_ܝ˰ҙ7e%ՅkD7;>U^ЛWl#H5 ُ3QH(=ـQ_* <>9) şE

{ EӶgzdL* QKvK U$'^}7,$Q42t`3$ #8q?ަ)~|ֲ'N{mqxMzO09Ny$Peu|le.C7"v3 #,o;Ҏ8H""RGp~"G36I;peKqp4N *>;>uV x6|iP<t@哮TsMC!mnzٲOxR4;㨭%PiB\X0qx4LY'LH&/{ZK?\*.2Zt`c' =r`ـXzoց5Cy ątplD`(>5*M$ՅS㝲]rƳ֞4oo/zk,fdz4}Ϲy5;໖ p><촠>UKx}^x*3`~]7Z]x1(Ǧ9Hh| v޾7Čz<Bpl+:Ғ+ ǚ{uՈTp'hu%FxUvI7DD_OFnPQÙCq E*gB녟wr~ |!6P9Z!NfGv9+atg5+ dO'vтyhT=rTE?>و!Zdѱɂ31İհzʰ±<,d #]akCJko_"EOǚ2#<1TjIm{oSZ]=$W%!ӤH>c!L%ٟfͱէ\䥱败:I&݆[x[StxːFg̍0ZArtd c<ˤ$Rz!k#%\]W@,i'GN_q*YI5bƔ:|' @KƗ^?>'#?Fٳ>"t:Ɠ<[ NR>ވZv )Eh>sS (W*N`}$ќ3Qe@^IRb\1ћb*TfMFbEҥ6Rc&6K1 MƌB%oRU|sxNMގ/ZU,%g5%ޣHpܮT19ԒjфMY4J[6 ֙'<< x3h&Q>ɽ7OhHDGgu -#)I#/rkxb[8$a״Ot^gMOZ2Lyp6L5ѹ6g,yqa2xiTxBQƽ떭`Vq$mcgk'DHa[aGuZȳy$̢؉NpG5d &K3utϡ߬g`NHPx4Ĉ4!QQ# !̏:Jr%$'wlwHdހo Ert=86W-%ZB>&~4;W=\ϹÛw: *.1-/ZON܉gp,7lxC> H9VAH4紸.>;'s=L< j{^ғl4@BQCwRR\m?A&9\ B2:vEpecHޞ 'gX9b:wl4gGg0^cfdx*\t;a]N0 #?9Cu9i@y8@^<"93?'nwBr@dwZ+' jH1v ?>Nmm 9=ns ;_v.:[ Gqc_'b~幞%@]sX.Nrj}NdUy$3yMhm|=TQ4?Ceuo fi,5< Ӎ|V>ֳ0S鱫!|)܌[Xs-:$kϵ<dߦFV]eNO>Mjy%ngxDP/EMۮd8_6 m{S<|~ǬlI:;( X3'V3lմ!|==ʻ巡<"k.֌F UߘxaO#tBq0^`~ڽ hO_X %Cߚ˳gx0cXgJou<gL׉=RbCկ8.$w3ɠxag7?|->kC_8G:q^?kO~g:׿Ÿ%C?niO_? B忖!#Ÿe/+OΣ3Ӈ3D*GO ޶Ro+ 7{S AA@A@   anTo check if browsers are configured for SSL, select Edit >> Preferences in the browser tool bar, and then select the Privacy and Security menu item. Select the SSL tab and verify that  Enable SSL version 2 and  Enable SSL version 3 is checked under the SSL Protocol versions. If they are not, then this is a finding. (RHEL-FIREFOX Preferences-Advanced-Security)Perform the following to determine if uucp is active. Solaris, HP-UX and AIX # grep uucp /etc/inetd.conf Solaris 10 # svcs uucp Linux # chkconfig uucp Or # chkconfig  -list | grep uucp If UUCP is found to be enabled, then this is a finding. 6Checks to see if Snmp does runs on dedicated hardware.Check /etc/syslog.conf ownership and permissions: # ls  lL /etc/syslog.conf If /etc/syslog.conf is not owned by root or is more permissive than 640, then this is a finding. 
To determine the umask of the ftp user, perform the following: # su  ftp # umask If the umask value does not return 077, then this is a finding. Enter the command: # more /etc/syslog.conf Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit. If the system is not logging critical sendmail messages, then this is a finding. Perform: # more /etc/syslog.conf Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file. Perform: # ls -lL If the files is not owned by root, then this is a finding. <Checks to ensure library file permissions are securely set. GChecks to ensure ownership of NIS/NIS+/yp files is securely configured.JChecks to see if group ownership of NIS/NIS+ files is securely configured.KChecks to ensure NIS/NIS+ command file permissions are securely configured.Perform the following to determine if root has logged in over an unencrypted network connection. The first command determines if root has logged in over a network. The second will check to see if ssh is installed. " Solaris # last | grep  ^root  | egrep  v  reboot|console | more # ps  ef |grep sshd " HP-UX # last  R | grep  ^root  | egrep  v  reboot|console | more # ps  ef |grep sshd " AIX # last | grep  ^root  | egrep  v  reboot|console | more # ps  ef |grep sshd " Linux # last | grep  ^root  | egrep  v  reboot|console | more # ps  ef |grep sshd If the output from the  last command shows root has logged in over the network and sshd is not running, then this is a finding. ZCheck to see if system files, programs, and directories are not owned by a system account.`Check to see if the group owner of system files, programs, or directories is not a system group.Perform the following as root: # grep  ^root /etc/passwd | awk  F :  {print $6} # ls  ld <root home directory> If the permissions of the root home directory are greater than 700, then this is a finding. If the home directory is /, this check should be marked Not Applicable. 
\Check to see if the root accounts home directory (other than /) is more permissive than 700.- Solaris Confirm CONSOLE is set to /dev/console. # grep CONSOLE=/dev/console /etc/default/login - HP-UX Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null. # more /etc/securetty - AIX # /user/sbin/lsuser  a rlogin root - Linux Confirm /etc/securetty exists and is empty or contains only the word console or a single tty device. # more /etc/securetty Perform : # find / -name  *tftpd  print to locate the file. Once the file is located, use the command: # ls  la <file location> to check for the suid or sgid bit being set. If either of the bits are set, then this is a finding ,- Solaris # logins  d - HP-UX # pwck  s - AIX # grpck Compare with: # more /etc/group Confirm each gid referenced in the /etc/passwd file is listed in the /etc/group file. - Linux # pwck  r If a group referenced in the /etc/passwd file is not in the /etc/group file, then this is a finding.1Examine the /etc/shadow (or equivalent) looking for accounts with blank passwords using the following commands: - SOLARIS # pwck - HP-UX # pwck  s or authck  p - AIX # pwdck  n ALL - Linux # grep nullok /etc/pam.d/system-auth If an entry for nullok is found, then this is a finding on Linux. KChecks to see if the Linux X86 CTRL-ALT-DEL key sequence has been disabled.OChecks to see if the /etc/securetty file is group owned by root, sys, or bin.7Checks to see if the /etc/securetty file owned by root.2Perform the following to determine if the systems is used for routing: # netstat  a | grep  i listen | grep route Ask the SA if the system is used for any other services such as web servers, file servers, DNS servers, or applications servers. If it is used for an< other service, then this is a finding. 
Default system accounts (with the exception of root) are not listed in the at.allow file or not excluded from the at.deny file if at.allow does not exist.%There are no remote consoles defined.Perform the following to check if root is logging in directly: # last root |grep  v reboot If any entries exist for root other than the console, then this is a finding.-The root account is not logged onto directly.:The browser issues a warning when form data is redirected.oThe X server has none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.-Library file is not more permissive than 755.0NIS/NIS+/yp files are owned by root, sys or bin.;NIS/NIS+/yp files are group owned root, sys, bin, or other.9NIS/NIS+/yp command file is not more permissive than 755.dAn encrypted remote access program, such as ssh, disables the capability to log directly on as root.AThere are no files or directories with uneven access permissions.There are no unowned files.=Network services daemon file is not more permissive than 755./System command is not more permissive than 755.This check will only apply to Netscape web browsers. All versions of Mozilla and Mozilla Firefox can check for new browser version, but will not automatically install them. Verify that automatic software installation is not enabled. Select Edit>>Preferences>>Advanced from the web browser toolbar. Drop down the Advanced sub-menu. The Advanced options sub-menu gives us the Software Installation settings. Verify the  Enable software installation setting is not checked. If it is checked, then this is a finding.?The browser SmartUpdate or software update feature is disabled.GThe hosts.lpd (or equivalent) file is owned by a root, sys, bin, or lp.Check the man pages permissions by performing the following: # ls  lL /usr/share/man # ls  lL /usr/share/info # ls  lL /usr/share/infopage If any files in the above directories have permissions greater than 644, then this is a finding. 
1Manual page file is not more permissive than 644.zCheck /etc/passwd permissions: # ls  lL /etc/passwd If /etc/passwd is more permissive than 644, then this is a finding. >Checks to see if the tftp daemon has the suid or sgid bit set.:SNMP community strings have been changed from the default.jIf the Xwindows system connections have been disabled or uninstalled if it is not required for production.Perform: # find / -name snmpd.conf # ls  lL <snmpd.conf> If the snmpd.conf file is more permissive than 700, then this is a finding. {Check for default system accounts in the following: " Solaris # more /etc/cron.d/cron.allow " HP-UX # more /var/adm/cron/cron.allow " AIX # more /var/adm/cron/cron.allow " Linux Red Hat # more /etc/cron.allow Or SuSE # more /var/spool/cron/allow Default accounts (such as bin, sys, adm, and others) will not be listed in the cron.allow file or this will be a finding. eChecks to see if access to the cron utility is controlled via the cron.allow and/or cron.deny files.Checks to see if default system accounts with the exception of root are listed in the cron.allow file or excluded from the cron.deny file if cron.allow does not exist.[Checks to see if access to the at utility is controlled via the at.allow and at.deny files.6Checks to see if the at.deny file exists and is empty.*Solaris, HP-UX, AIX, IRIX # grep  v  ^# /etc/inetd.conf |grep rlogind # grep  v  ^# /etc/inetd.conf |grep rshd Solaris 10 # svcs rlogin Linux # grep disable /etc/xinetd.d/rlogin # grep disable /etc/xinetd.d/rsh If either rlogin or rsh are found to be enabled, then this is a finding. 9Checks to see if remote login or remote shell is enabled." Solaris # ls  lL /var/cron/log # more /etc/default/cron CRONLOG=YES If this line does not exist, this is a finding. " HP-UX # ls  lL /var/adm/cron/log Cron is logged by default. " AIX # ls  lL /var/adm/cron/log Cron is logged by default. 
- IRIX # ls -lL /var/cron/log - Linux Cron logging is controlled by syslog on Linux: # grep cron* /etc/syslog.conf Red Hat # ls -lL /var/log/cron SuSE # ls -lL /var/log/messages If an entry for cron is not found, then this is a finding.
Checks to see if cron logging is implemented.
- Solaris # logins -d - HP-UX # pwck -s - AIX # usrck -n ALL If duplicates are found, perform the following to display the complete listing: # grep "^.*:.*:<account_uid>" /etc/passwd - Linux # pwck -r If accounts have the same uid, then this is a finding.
The UNIX host should not allow booting to single-user mode without authentication.
Checks to see if the UNIX host is bootable in single-user mode without a password.
Check the library permissions by performing the following: # ls -lL /usr/lib/* -or- # ls -lL /usr/lib/* | grep -v lr | grep -v dr If any of the file permissions are greater than 755, then this is a finding.
# ls -al /<usershomedirectory>/.login # ls -al /<usershomedirectory>/.cshrc # ls -al /<usershomedirectory>/.logout # ls -al /<usershomedirectory>/.profile # ls -al /<usershomedirectory>/.bash_profile # ls -al /<usershomedirectory>/.bashrc # ls -al /<usershomedirectory>/.bash_logout # ls -al /<usershomedirectory>/.env # ls -al /<usershomedirectory>/.dtprofile (permissions should be 755) # ls -al /<usershomedirectory>/.dispatch # ls -al /<usershomedirectory>/.emacs # ls -al /<usershomedirectory>/.exrc Note: Can use the following style syntax: # ls -al /home/*/.login (.cshrc, etc.) If local initialization files are more permissive than 740 or the .dtprofile file is more permissive than 755, then this is a finding.
# ls -la /<usershomedirectory>/.* Note: Can use the following style syntax: # ls -al /home/*/.* | grep -i rws If any of the above files have the suid or sgid bit set, then this is a finding.
# ls -al /dev # ls -al /devices (Solaris) Note: Can use the following style syntax (may vary by OS type): # ls -al /dev | grep -i drwx Check the permissions on the directories and subdirectories that contain device files. If device file directories are writable by users other than a system account or as configured by the vendor, then this is a finding.
# find / -perm -4000 | more Ask the SA if the system is checked weekly against the system baseline for unauthorized suid files as well as unauthorized modification of authorized suid files; if not, then this is a finding.
# find / -perm -2000 | more If the ownership, permissions, and location of files with the sgid bit set are not baselined with the ISSO, then this is a finding.
# find / -perm -2000 | more If the system is not checked weekly against the system baseline for unauthorized sgid files as well as unauthorized modification of authorized sgid files, then this is a finding.
- Solaris # ls -lL /usr/sbin/traceroute - HP-UX # ls -lL /usr/sbin/traceroute -or- # ls -lL /usr/control/bin/traceroute - AIX # ls -lL /usr/bin/traceroute - Linux # ls -lL /usr/sbin/traceroute If the traceroute command is not owned by root, then this is a finding.
- Solaris # ls -lL /usr/sbin/traceroute - HP-UX # ls -lL /usr/sbin/traceroute -or- # ls -lL /usr/control/bin/traceroute - AIX # ls -lL /usr/bin/traceroute - Linux # ls -lL /usr/sbin/traceroute If the traceroute command is not group owned by root, sys, or bin, then this is a finding.
- Solaris # ls -lL /usr/sbin/traceroute - HP-UX # ls -lL /usr/sbin/traceroute -or- # ls -lL /usr/control/bin/traceroute - AIX # ls -lL /usr/bin/traceroute - Linux # ls -lL /usr/sbin/traceroute If the traceroute command is more permissive than 700, then this is a finding.
Check the /etc/passwd file to determine if TFTP is configured properly: # grep tftp /etc/passwd If a tftp user account does not exist and TFTP is active, then this is a finding.
Ensure the user shell is /bin/false or equivalent (/usr/bin/false). If it is not, then this is a finding. Ensure the TFTP user is assigned a home directory (/home/tftpdir). If not, then this is a finding.  Updates: -Cover: Reorganized the Tester and Agency POC information cells, to better reflect possible multiple POCs. -Test Cases: a. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status indicators. b. Added summary cells at the bottom of the checks. c. Added control names to the NIST ID cells. Primary control is listed in black; any secondary controls are listed in GRAY. d. Changed the primary control for several findings where there was a better fit than the currently assigned control: 48, 53-59, 62, 64 -Legend: Updated the Pass/Fail row to reflect the three possible status indicators (above). -Test IDs: -Minor changes to test steps in tests U/L-006, U/L-016, U/L-026, U/L-030, U/L-044, U/L-048, U/L-063, U/L-065, U/L-068, U/L-069, U/L-070, U/L-075, U/L-076, U/L-077, U/L-078, U/L-079, U/L-085, U/L-087, U/L-088, U/L-136, U/L-137, U/L-138, U/L-161, U/L-178  u08" Solaris # ls  lL /etc/cron.d/at.deny " HP-UX # ls  lL /var/adm/cron/at.deny " AIX # ls  lL /var/adm/cron/at.deny " Linux # ls  lL /etc/at.deny If the at.deny file is not owned and group owned by root, sys, or bin, then this is a finding. " Solaris # ls  lL /var/cron/log " HP-UX # ls  lL /var/adm/cron/log " AIX # ls  lL /var/adm/cron/log " Linux Red Hat # ls  lL /var/log/cron SuSE # ls  lL /var/log/messages If the cronlog file is more permissive than 600, then this is a finding. Look for the presence of a print service configuration file by using the command: # find /etc  name hosts.lpd  print If this file does not exist, use the command: # find /etc  name Systems -print If this file does not exist, use the command: # find /etc  name printers.conf If neither of the files are found, then this check should be marked Not Applicable. 
Otherwise perform: # ls -lL <print service file> If the owner of the file is not root, sys, bin, or lp, then this is a finding.
Checks to see if the hosts.lpd is owned by root, bin, sys, or lp.
Checks to see if the browser homepage is configured for a blank page or a locally generated page.
Checks to see if the browser is configured for secure socket layer (SSLv2 and SSLv3).
Check the permissions of the at directory by performing the following: # ls -ld /var/spool/cron/atjobs Or # ls -ld /var/spool/atjobs If the directory permissions are greater than 755, then this is a finding.
Checks to see if the at or equivalent directory is more permissive than 755.
Check the ownership of the at directory by performing the following: # ls -ld /var/spool/cron/atjobs Or # ls -ld /var/spool/atjobs If the directory is not owned by root, sys, bin, or daemon, then this is a finding.
Checks to ensure authentication responses are not automated/scripted by users.
Checks to ensure the login delay between login prompts after a failed login is set to 4 seconds or greater.
Checks to make sure that the /etc/passwd file is owned by root.
To check for .Xauthority files being utilized, change directory to a user's home directory and perform: # ls -la .Xauthority If the file does not exist, ask the SA if the user is using Xwindows. If the user is utilizing Xwindows and the .Xauthority file does not exist and host-based access control is not being used, then this is a finding.
Checks to see if a host using Xwindows writes .Xauthority files or equivalent.
Perform the following to determine if access to the X window system is limited to authorized clients: # xhost If the above command returns "access control disabled, clients can connect from any host", then this is a finding.
The audit_user file has the same auditing level for all users.
The UNIX host can be configured to require a password when booted to single-user mode and is located in a controlled access area accessible only by SAs.
Verify that Linux systems have disabled the key sequence by performing: # grep ctrlaltdel /etc/inittab If the line returned is not commented out, then this is a finding.
Check /etc/sysctl.conf group ownership: # ls -lL /etc/sysctl.conf If /etc/sysctl.conf is not group owned by root, then this is a finding.
The /etc/sysctl.conf file is group owned by root.
The files contained in the /etc/news directory are group owned by root or news.
The files contained in the /etc/news directory are owned by root or news.
Reviewer to include any supporting evidence to confirm whether the test case passed, failed, or is not applicable. As evidence, provide the following information for the following assessment methods: 1. Interview - Name and title of the person providing information. Also provide the date when the information is provided. 2. Examination - Provide the name, title, and date of the document referenced as the evidence. Also provide the section number where the pertinent information is resident within the document (if possible). Ensure all supporting evidence is provided to verify the test case passed or failed. If the control is marked as NA, then provide appropriate justification as to why the control is considered NA.
The expected outcome of the test step execution that would result in a Pass.
The actual outcome of the test step execution, i.e., the actual configuration setting observed.
NIST ID
NIST 800-53/PUB 1075 Control Identifier
Checks to see if File Service Protocol (FSP) is enabled.
Checks to see if the system is exporting X displays to the world.
This check mainly pertains to passwords or sensitive data that can be stored by the browser cache. Ensure the following setting is enabled: Edit>>Preferences>>Privacy&Security from the web browser toolbar.
Select the Passwords sub-category and verify  Use encryption when storing sensitive data under the Encrypting versus Obscuring is checked. If it is not, then this is a finding. RHEL - FIREFOX - either set a master password for storing sensitive information or un-tick the box that allows the information to be stored.2Default skeleton . files are owned by root or bin.FSystem files, programs, and directories are owned by a system account.DSystem files, programs, and directories are owned by a system group.BThe browser home page is a blank page or a locally generated page.FThe browser is configured for Secure Socket Layer (SSL) v2 and SSL v3._The root account does not use the browser for reasons other than to control local applications.3System audit logs are not more permissive than 640. SNMP runs on dedicated hardware.OThe /etc/login.access or /etc/security/access.conf file is group owned by root.3Check file applicable to the system, login.access or access.conf. Check /etc/login.access ownership: # ls  lL /etc/login.access Check /etc/security/access.conf ownership: # ls  lL /etc/security/access.conf If /etc/login.access or /etc/security/access.conf is not owned by root, then this is a finding. 
Checks to see if the /etc/passwd file protection is more permissive than 644.
Access to the cron utility is controlled via the cron.allow and/or cron.deny file(s).
The cron.allow file is not more permissive than 600.
Default system accounts (with the possible exception of root) are not listed in the cron.allow file or are excluded from the cron.deny file if cron.allow does not exist.
Critical sendmail log file is not more permissive than 644.
.forward files were not found.
Anonymous FTP is segregated into the network DMZ.
The aliases file is owned by root.
The ftpusers file is owned by root.
The aliases file is not more permissive than 644.
Ask the SA/ISSO if audit files are reviewed daily (or at the interval stated by policy). If the audit files are not reviewed daily (or according to local policy), then this is a finding. Note: This function may be performed by a Security group or Audit group with responsibility for maintaining and analyzing system audit logs. If this is the case, interview a representative from that group.
Checks to see if the cron.allow file permissions are securely configured.
Checks to see if crontab file permissions are securely configured.
Checks to see if the cron or crontab directory permissions are securely configured.
Checks to see if the cron log file permissions are securely configured.
Checks to see if the cron.deny file permission is securely configured.
Checks to ensure the AT program is securely configured.
Checks to see if the permissions on the hosts.lpd file are securely configured.
Checks to see if the traceroute command group owner is sys, bin, or root.
Checks to see if the traceroute command permission is securely configured.
Look in the root account home directory for a .netscape or a .mozilla directory. If none exists, mark this check as Pass. If there is one, verify with the root users and the ISSO what the intent of the browsing is.
Some evidence may be obtained by using the browser to view cached pages under the .netscape directory.4Checks to see if the browser is a supported version.DChecks to see if the alias file permissions are securely configured.IChecks to see if files executed through an alias are securely configured.=Checks to ensure critical-level sendmail messages are logged.SChecks to see if the critical sendmail logfile permissions are securely configured.NChecks to see if an anonymous ftp server is active and documented by the ISSO.GChecks to ensure the ftpusers file permissions are securely configured.*Checks the umask for the ftp user account.-Checks to ensure TFTP is securely configured. Checks to see if TFTP is active.GChecks to see if the Snmpd.conf file permission is securely configured.BChecks to see if the mib file permissions are securely configured.eChecks to see if the /etc/syslog.conf is owned by root and file permissions are securely configured.9Checks to see if a remote loghost is used and authorized.IChecks to see if SSH, or a similar utility is running and SSH v2 is used.>Checks to see if routing is implemented on dedicated hardware.SChecks to see if the export configuration file permissions are securely configured.gChecks to see if NFS file systems exported as writeable have been justified and documented by the ISSO.UChecks to see if a peer-to-peer file sharing application is installed and authorized."Checks to see if Samba is running.LChecks to see if the /etc/smb.conf file permissions are securely configured.KChecks to see if the /etc/smbpasswd file permission is securely configured.qChecks to see if the server is a internet network news server; if so, it checks to see if it has been authorized.SChecks to see if the /etc/news/nntp.nolimit file permission is securely configured.RChecks to see if the /etc/news/passwd/nntp file permission is securely configured.;Checks to see if the NIS protocol is in use and authorized.Checks to see if a system vulnerability tool 
is being run on the system weekly, or at an interval that is compliant with IRS security policy.aChecks to ensure unnecessary accounts and associated software have are not present on the system.Perform the following to determine if the system is using a remote loghost: # grep loghost /etc/hosts If the loghost entry is a remote machine, then ask the SA if the remote machine is documented as a loghost with the ISSO. If it is not documented then this is a finding. CA system is using a remote loghost and is documented with the ISSO.kAdded leading 0s to Test-IDs so that the findings will always sort together in Test-ID group order. Removed leading blank from a number of NIST-ID fields so that the checks can be sorted to group Controls together. Added lead-in row for generic checks. Changed wording of test objective for check UNIX-LINUX-008. Corrected wording of test objective for check UNIX-LINUX-023. Corrected wording of test objective for check UNIX-LINUX-053. Changed order of NIST-IDs for UNIX-LINUX-095, UNIX-LINUX-097, UNIX-LINUX-104, UNIX-LINUX-216 so that the primary NIST control (Audit) is first (for sort purposes). Added CM-7 as the primary NIST control for UNIX-LINUX-133, UNIX-LINUX-180 (it had been omitted.) Added CM-7 as the NIST control for LINUX-SPECIFIC-06 (none had been specified.) Added AU-2 as the primary NIST control for SOLAIRS-SPECIFIC-01 (it had been omitted.) Local initialization files are not more permissive than 740. 
- .dt (a directory, this should have permissions of 755) - .dtprofile (a file, this should have permissions of 755) DLocal initialization files do not have the suid or the sgid bit set.[The access control program is configured to grant and deny system access to specific hosts.JCrontab files are not more permissive than 600 (700 for some Linux files).AThe cron or crontab directories are not more permissive than 755.AThe at (or equivalent) directory is not more permissive than 755.7The at directory is owned by root, sys, bin, or daemon.@The at.allow file is owned and group owned by root, sys, or bin.[Device files used for backup are writable by users other than root or a pseudo backup user.fUser file systems, removable media, or remote file systems are mounted with the nosuid option invoked.&- SOLARIS # ls  lL /dev/audio - HP-UX # /usr/sbin/ioscan  f # ls  lL <audio device file> - AIX # /usr/sbin/lsdev  C | grep  I audio # ls  lL /dev/*aud0 - IRIX # ls  lL /dev/audio - Linux # ls -lL /dev/audio* If the permissions are greater than 644, then this is a finding. 0An audio device is not more permissive than 644.'- SOLARIS # ls  lL /dev/audio - HP-UX # /usr/sbin/ioscan  f # ls  lL <audio device file> - AIX # /usr/sbin/lsdev  C | grep  I audio # ls  lL /dev/*aud0 - IRIX # ls  lL /dev/audio - Linux # ls -lL /dev/audio* If the audio device is not owned by root, then this is a finding. "An audio device is owned by root.B- SOLARIS # ls  lL /dev/audio - HP-UX # /usr/sbin/ioscan  f # ls  lL <audio device file> - AIX # /usr/sbin/lsdev  C | grep  I audio # ls  lL /dev/*aud0 - IRIX # ls  lL /dev/audio - Linux # ls -lL /dev/audio* If the audio device group ownership is not root, sys, bin, or audio, then this is a finding. 
The at.allow or at.deny file(s) is not more permissive than 600.
The operating system is a supported release.
The cron or crontab directories are owned by root or bin.
Vendor recommended and security patches are installed and are not out-of-date.
The cron.allow file is owned and group owned by root, sys or bin.
Cron logging is implemented.
Global password configuration files are configured per guidelines.
The traceroute command is group owned by root, sys, or bin.
Perform the following to determine if TFTP is active: Solaris, HP-UX, AIX # grep -v "^#" /etc/inetd.conf | grep tftp Solaris 10 # svcs tftp Linux # chkconfig --list | grep tftp Or # chkconfig tftp If TFTP is found to be enabled, ask the SA if it is documented with the ISSO. This is a finding if it is not documented.
Issue this command for each user in the /etc/passwd file to display user home directory group ownership: # ls -lLd /<usershomedirectory> # grep <user> /etc/group If user home directories are not group owned by the assigned user's primary group, then this is a finding. Home directories with a group owner other than the assigned owner must be justified and documented with the ISSO.
Home directories are group owned by the home directory owner's primary group. Exceptions may exist for application directories, which will be documented with the ISSO.
# more /etc/passwd Confirm all accounts with a gid of 99 and below (499 and below for Linux) are used by a system account. If a gid reserved for system accounts, 0-99 (0-499 for Linux), is used by a non-system account without documentation, then this is a finding. A regular account within this range must be justified and documented with the ISSO.
Check /etc/samba/smb.conf ownership: # ls -lL /etc/samba/smb.conf If /etc/samba/smb.conf is not owned by root, then this is a finding.
- Solaris 2.5 - 9 # cd /etc/rcS.d # grep sulogin * The sulogin utility should be called from within the svm start up script.
Additionally, # more /etc/default/sulogin (if it exists) Confirm PASSREQ=NO is not configured " Solaris 10 # more /etc/default/sulogin (if it exists) Confirm PASSREQ=NO is not configured By default Solaris 10 requires a password and the /etc/default/sulogin does not exist. " HP-UX # more /tcb/files/auth/system/default Confirm the d_boot_authenticate is: :d_boot_authenticate: The entry :d_boot_authenticate@: is a finding. " AIX - AIX has a chassis key that is used to prevent booting to single-user mode without a password. Confirm it is in the correct position and the key has been removed. " Linux - # more /etc/inittab Confirm the following line is configured: ~~:S:wait:/sbin/sulogin gA Linux system capable of booting multiple operating systems is justified and documented with the ISSO.1Checks to see if the rpc.ugidd daemon is enabled.YChecks to see if special privileged accounts such as shutdown and halt have been deleted.X servers get started several ways, such as xdm, gdm or xinit. Perform: # ps  ef |grep X Output for example: /usr/X11R6/bin/X  nolisten  ctp  br vt7  auth /var/lib/xdm/authdir/authfiles/A:0 The above example show xdm is controlling the Xserver. Check the Xservers file to ensure the following options are not enabled: -ac, -core, and -nolock . Xserver files can found in: /etc/X11/xdm/Xservers /etc/opt/kde3/share/config/kdm/Xservers /etc/X11/gdm/Xservers >Checks to see if the X server has the correct options enabled.[Checks to see if the Xserver has one of the following options enabled: -ac, -core, -nolock.Perform the following to determine if the Samba server is running: # ps  ef |grep smbd If a process is returned as running, ask the SA if the Samba server is operationally required. If it is not, then this is a finding. Check /etc/news/hosts.nntp.nolimit permissions: # ls  lL /etc/news/hosts.nntp.nolimit If /etc/news/hosts.nntp.nolimit is more permissive than 600, then this is a finding. 
The /etc/news/hosts.nntp.nolimit file has permissions that are less than or equal to 600.
Check /etc/news/nnrp.access permissions: # ls -lL /etc/news/nnrp.access If /etc/news/nnrp.access is more permissive than 600, then this is a finding.
Checks to see if the /etc/news/nnrp.access file is more permissive than 600.
The /etc/news/nnrp.access file has permissions that are less than or equal to 600.
Check /etc/news/passwd.nntp permissions: # ls -lL /etc/news/passwd.nntp If /etc/news/passwd.nntp is more permissive than 600, then this is a finding.
The /etc/news/passwd.nntp file has permissions that are less than or equal to 600.
Perform: # find / -name snmpd.conf # ls -lL <snmpd.conf> # find / -name "*.mib" If the snmpd.conf file is not owned by root and group owned by sys or the application, then this is a finding.
Attempt to determine if any backup devices exist for the system. Some systems will have a file containing the default device files (such as /etc/default/tar on Solaris). Others can be checked via a system administration GUI (such as SAM on HP-UX). If backup device files exist and are readable or writable by a user other than root or a pseudo backup user, ask the SA if the file(s) are documented with the ISSO.
The system is not exporting X displays to the world.
Perform the following to determine if the X server is running: # ps -ef | grep X Determine if xauth is being used by: # xauth xauth> list If the above command sequence does not show any host other than the localhost, then xauth is not being used. Search the system for X*.hosts files, where * is a display number that may be used to limit X window connections. If none are found and user-based access control is not being used, then this is a finding.
mChecks to see if authorized X clients are listed in the X*.hosts file if the .xauthority utility is not used.Perform the following to determine if access to the X window system is limited to authorized clients: # xauth xauth> list Ask the SA if the clients listed are authorized. If they are not, then this is a finding. OChecks to see if access to the xterminal host is limited to authorized clients.hAt programs set the umask more permissive than 027 and these are justified and documented with the ISSO.Solaris, HP-UX, AIX, and Linux support single-user mode password. If the UNIX host is not be configured to require a password when booted to single-user mode and is not justified and documented with the ISSO, then this is a finding. The UNIX host is configured to require a password when booted to single-user mode and is justified and documented with the ISSO.Check /etc/samba/smb.conf permissions: # ls  lL /etc/samba/smb.conf If /etc/samba/smb.conf is not group owned by root, then this is a finding. @Checks to see if the /etc/smb.conf file is group owned by root.Check /etc/samba/smb.conf permissions: # ls  lL /etc/samba/smb.conf If /etc/samba/smb.conf is more permissive than 644, then this is a finding. :The smb.conf file is equal to or less permissive than 644.Check /etc/samba/smbpasswd ownership: # ls  lL /etc/samba/smbpasswd If /etc/samba/smbpasswd is not owned by root, then this is a finding. 8Checks to see if the smb password file is owned by root.IChecks to see if an audio device is not group owned by root, sys, or bin.MChecks to see if the .rhosts, .shosts, hosts.equiv or shosts.equiv are used. R mount | grep  v nosuid Confirm all NFS mounts, floppy & CD drives, and user file systems (e.g., /export/home or /usr/home) are configured with the nosuid option. If user file systems, removable media, or remote file systems that do not require suid/sgid files are not mounted with the nosuid option invoked, then this is a finding. 
{Checks to see if user file systems, removable media, or remote file systems are not mounted with the nosuid option invoked.3Checks to see if shell files have the sgid bit set.Perform the following to determine the location of audit logs and then check the ownership: " Solaris # more /etc/security/audit_control # ls  lLd <audit log dir> " HP-UX # ls  la /.secure/etc/* " AIX # grep  :bin: /etc/security/audit/config Directories to search will be listed under the bin stanza. # ls  la <audit directories> " Linux # ls  la /var/log/audit.d # ls  la /var/log/audit/audit.log If any of the audit log files are readable by unprivileged id s, then this is a finding. )The system and user default umask is 027.This check only applies to Solaris. Perform the following on NFS servers: # grep  ^default /etc/nfssec.conf Check to ensure the second column does not equal  0 . This would indicate the default is set to none. Perform the following to check currently exported file systems: # more /etc/exports Or # more /etc/dfs/dfstab If the option  sec=none is set on any of the exported file systems, then this is a finding. yChecks to see if the SA ensures that the sec option is not set to none and the default authentication is not set to none.Perform the following to determine if the NFS server is exporting with the root access option: # exportfs  v | grep  root= If the option is found on an exported file system, ask the SA if the access is justified and documented with the ISSO. If it is not, then this is a finding. OThe root access option for NFS has been justified and documented with the ISSO.bChecks to see if the root access option for nfs has been authorized and documented with the ISSO.+Perform the following to check for NFS exported files systems: # exportfs  v This will display all of the exported file systems. For each file system displayed perform and check the ownership: # ls  lL <filesystem> If the files and directories are not owned by root, then this is a finding. 
Checks to see if NFS exported system files and directories are owned by root.
Checks to see if services that allow interaction without authentication or via anonymous authentication are documented, justified to the ISSO, and are properly secured and segregated from other systems that contain services that explicitly require authentication and identity verification.
Services that allow interaction without authentication or via anonymous authentication are documented, justified to the ISSO, and are properly secured and segregated from other systems that contain services that explicitly require authentication and identity verification.
The information system separates user functionality (including user interface services) from information system management functionality.
Interview the SA or ISSO and ask if the information system physically or logically separates user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
Checks to see if the information system separates user functionality (including user interface services) from information system management functionality.
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Checks to see that when information requires cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Interview the SA or ISSO to determine if FIPS 140-2 encryption is used on items requiring the use of cryptography for protection.
Sufficient storage is available to meet 
IRS logging and retention policies.
For information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with FIPS 140-2, applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Checks to see if the organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Checks to see if the organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
Test Case Tab: Execute the test cases and document the results to complete the IRS Safeguard Computer Security review. Reviewer is required to complete the following columns: Actual Results, Comments/Supporting Evidence. Please find more details of each column below.
Identification number of SCSEM test case
Objective of test procedure.
Comments / Supporting Evidence
IRS Safeguard SCSEM Legend
Tester:
Date:
Location:
Comments/Supporting Evidence
Perform: # ls -lL <system directory> (system file directories are listed below) to check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/usb, /sbin, and /usr/sbin. If the file permissions are greater than 755, and the files are system commands, then this is a finding. Note: Elevate to Criticality Code of HIGH if world writable.
Perform the following to determine if ssh disables root logins: # find / -name sshd_config -print # grep -i permitrootlogin <sshd_config path> RHEL 4-5, SLES 9: The PermitRootLogin value should be uncommented and set to no. Note: Speak with the administrator regarding alternative ways of restricting direct root ssh logins with PAM if they suggest that root logins via ssh are disabled and the above check suggests otherwise.
NCheck to see if there are files or directories with uneven access permissions.Check the following log files to determine if access to the root account is being logged. Try to su  and enter an incorrect password. " Solaris # more /var/adm/sulog " HP-UX # more /var/adm/sulog " AIX # more /var/adm/sulog " Linux # more /var/log/messages or # more/var/adm/sulog (configurable from /etc/default/su) If root login accounts are not being logged, then this is a finding. NCheck to see if the root password is passed over a network in clear text form." Solaris # grep flags /etc/security/audit_control Confirm flags fd or +fd and -fd is configured. " HP-UX # grep  i  audevent_args1 /etc/rc.config.d/auditing \ | grep delete " AIX # more /etc/security/audit/events Confirm the following events are configured: FILE_Unlink, FS_Rmdir " Linux For LAUS: # grep  @rmdir-ops /etc/audit/filter.conf # grep  @unlink-ops /etc/audit/filter.conf For auditd: # grep  -a exit,always  S unlink  S rmdir /etc/audit.rules (RHEL5 /etc/audit/audit.rules) {" Solaris # ls  ld /var/spool/cron/crontabs " HP-UX # ls  ld /var/spool/cron/crontabs " AIX # ls  ld /var/spool/cron/crontabs " Linux # ls  ld /var/spool/cron # ls  ld /etc/cron.d # ls  ld /etc/cron.daily # ls  ld /etc/cron.hourly # ls  ld /etc/cron.monthly # ls  ld /etc/cron.weekly If the cron or crontab directories are more permissive than 755, then this is a finding. " Solaris # ls  lL /etc/cron.d/at.allow # ls  lL /etc/cron.d/at.deny " HP-UX # ls  lL /var/adm/cron/at.allow # ls  lL /var/adm/cron/at.deny " AIX # ls  lL /var/adm/cron/at.allow # ls  lL /var/adm/cron/at.deny " IRIX # ls  lL /etc/cron.d/at.allow # ls  lL /etc/cron.d/at.deny " Linux # ls  lL /etc/at.allow # ls  lL /etc/at.deny If the at.allow or at.deny file(s) is more permissive than 600, then this is a finding. JChecks to see if the at.allow or at.deny file is more permissive than 600. 
" Solaris # ls  lL /etc/cron.d/cron.allow " HP-UX # ls  lL /var/adm/cron/cron.allow " AIX # ls  lL /var/adm/cron/cron.allow " Linux Red Hat # ls  lL /etc/cron.allow Or SuSE # ls  lL /var/spool/cron/allow If the cron.allow file is more permissive than 600, then this is a finding. # find / -type f -perm -002 |more If there are world writable files, then this is a finding. # find / -type d -perm -002 |more If there are world writable directories that are not public directories (e.g., /tmp), then this is a finding. {Checks to see if device file directories are writeable by users other than a system account or as configured by the vendor.}Checks to see if device files used for backup are readable and/or writeable by users other than root or a pseudo backup user.JChecks to see if global initialization files are more permissive than 644.Check global initialization files ownership: # ls  l /etc/.login # ls  l /etc/profile # ls  l /etc/bashrc # ls  l /etc/env< ironment # ls  l /etc/security/environ If global initialization files are not owned by root, then this is a finding. find / -type d \( -perm -002 -a  perm  1000 \) |more If public directories are not owned by root or an application user, then this is a finding. -" Solaris 2.5 through 9 # grep flags /etc/security/audit_control Confirm flags ad or +ad and -ad is configured. " Solaris 10 and some prior versions of 8 and 9 # grep flags /etc/security/audit_control Confirm am or +am and -am is configured. 
" HP-UX # grep  i  audevent_args1 /etc/rc.config.d/auditing \ | grep admin # grep  i  audevent_args1 /etc/rc.config.d/auditing \ | grep removable " AIX # more /etc/security/audit/events Confirm the following events are configured: ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime,PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIds, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv " Linux For LAUS: # grep  @priv-ops /etc/audit/filter.conf # grep  @mount-ops /etc/audit/filter.conf # grep  @system-ops /etc/audit/filter.conf For auditd the following should be present in /etc/audit.rules: (RHEL5 /etc/audit/audit.rules) -w /etc/auditd.conf -w /etc/audit.rules -a exit,always  S stime  S acct  S reboot  S swapon -a exit,always  S settimeofday  S setrlimit  S setdomainname -a exit,always  S sched_setparam  S sched_setscheduler fChecks for the existance of SGID files; checks to see if they are checked weekly against the baseline.The system is checked weekly against the system baseline for unauthorized sgid files as well as unauthorized modification to authorized sgid files._Checks to see if the audit system is configured to audit login, logout and session initiation.As the root user perform the following to check the search path: # echo $PATH # ls  ld <each directory in path variable> If any of the directories in the PATH variable are world writeable, then this is a finding.,Checks for the existence of remote consoles.RChecks to see if successful and unsuccessful access to the root account is logged.Perform: # more /etc/security/audit_user If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the same flags as all users as defined in /etc/security/audit_control file. 
F An IRS approved virus scan program is used and configured correctly.Perform the following to determine if NIS is active on the system: # ps -ef |grep ypbind If NIS is found active on the system, ask the SA if its use is documented with the ISSO. If NIS use is not documented, this is a finding. FThe NIS protocol is in use and justified and documented with the ISSO.?Normally tcpd logs to the mail or daemon facility in /etc/syslog.conf. Perform the following to determine if syslog is configured to log events by tcpd. # more /etc/syslog.conf Look for entries similar to the following: mail.debug /var/adm/maillog mail.none /var/adm/maillog mail.* /var/log/mail or maillog auth.info /var/log/messages daemon.* /var/log/messages authpriv /var/log/secure The above entries would indicate mail alerts are being logged. If no entries for mail exist, then tcpd is not logging and this is a finding. LChecks to see if the access control program logs each system access attempt.Check for the existence of /etc/hosts.allow and /etc/hosts.deny: # ls -la /etc/hosts.allow # ls -la /etc/hosts.deny # grep "ALL: ALL" /etc/hosts.deny If "ALL: ALL" is in the /etc/hosts.deny file, then any tcp service from a host or network not listed in the /etc/hosts.allow file will not be allowed access. If the entry is not in /etc/hosts.deny or if either of the two files do not exist, then this is a finding. lChecks to see if the access control program is configured to grant and deny system access to specific hosts.TChecks to see if an IRS approved virus scan program is used or configured correctly.b# rpcinfo -p | grep yp | grep udp If NIS/NIS+ is implemented under UDP, then this is a finding. 
.Checks to see if NIS is implemented under udp.:Checks to see if the /etc/smb.conf file is owned by root.MCheck the permissions of inetd.conf file by: # ls -lL /etc/inetd.conf Or, for Linux systems # ls -lL /etc/xinetd.conf # ls -lL /etc/xinetd.d This is a finding if permissions for the inetd.conf files are greater than 440. In addition, on Linux systems, the /etc/xinetd.d directory permissions should not be greater than 755. Checks to see if the inetd.conf file permissions are more permissive than 440. The Linux xinetd.d directory is more permissive than 755.=Checks to see if the browser/smart update feature is enabled.LChecks to see if the browser has unencrypted secure content caching enabled..Checks to see if the rexec service is enabled.4Checks to see if network analysis tools are enabled.Perform the following to determine if any network analysis tools are enabled: # find / -name ethereal # find / -name tcpdump # find / -name snoop (RHEL find / -name wireshark) If any of the above network analysis tools are found, then this is a finding. WThe system is a print server/client, and the configuration is documented with the ISSO. " Solaris # more /etc/cron.d/at.allow " HP-UX # more /var/adm/cron/at.allow " AIX # more /var/adm/cron/at.allow " Linux # more /etc/at.allow Default accounts (such as bin, sys, adm, and others) will not be listed in the at.allow file or this will be a finding. BChecks to see if default accounts are listed in the at.allow file.Ask the SA if the system is a print server or a client of another server. If it is either of these, ask the SA if it is documented with the ISSO. If the printer configuration is not documented with the ISSO, then this is a finding.sFind the aliases file on the system: # find / -name aliases -depth -print # more <aliases file location> (NOTE: THE -depth OPTION may not be required. Tested on RHEL5) Examine the aliases file for any directories or paths that may be utilized. 
Perform: # ls  lL <path> Ensure the file and parent directory are owned by root. If it is not, then this a finding. hChecks to see if the root account uses the browser for reasons other than to control local applications.Check the permissions of inetd.conf file by: # ls  lL /etc/inetd.conf Or, for Linux systems # ls  lL /etc/xinetd.conf # ls  lL /etc/xinetd.d This is a finding if any of the above files or directories are not owned by root or bin. MChecks to see if the inetd.conf or xinetd.conf file is owned by root or bin.9Check to see if the root account is logged onto directly." Solaris # grep flags /etc/security/audit_control Confirm flags fm or +fm and -fm is configured. " HP-UX # grep  i  audevent_args1 /etc/rc.config.d/auditing \ # | grep moddac " AIX # more /etc/security/audit/events Confirm the following events are configured: FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode and FILE_Owner " Linux For LAUS: # grep  @mode-ops /etc/audit/filter.conf # grep  @owner-ops /etc/audit/filter.conf (RHEL5 /etc/audit/audit.rules) For auditd the following system calls should be present in /etc/audit.rules: -a exit,always  S chmod  S fchmod  S chown  S chown32  S fchown -a exit,always  S fchown32  S lchown  S lchown32 (RHEL5 /etc/audit/audit.rules) .Checks to see if audit logs are rotated daily.{" Solaris # ls  ld /var/spool/cron/crontabs " HP-UX # ls  ld /var/spool/cron/crontabs " AIX # ls  ld /var/spool/cron/crontabs " Linux # ls  ld /var/spool/cron # ls  ld /etc/cron.d # ls  ld /etc/cron.daily # ls  ld /etc/cron.hourly # ls  ld /etc/cron.monthly # ls  ld /etc/cron.weekly If the cron or crontab directories are not owned by root or bin, then this is a finding. B" Solaris # ls  lL /etc/cron.d/cron.deny " HP-UX # ls  lL /var/adm/cron/cron.deny " AIX # ls  lL /var/adm/cron/cron.deny " IRIX # ls  lL /etc/cron.d/cron.deny " Linux Red Hat # ls  lL /etc/cron.deny Or SuSE # ls  lL /var/spool/cron/deny If the cron.deny file is more permissive than 600, then this is a finding. 
1The cronlog file is not more permissive than 600.Perform the following to search the crontab for entries to rotate the audit logs. # crontab -l # less /etc/logrotate.conf can be checked for daily log rotation as well. If a program can be located, this is not a finding. Otherwise, query the SA. If there is one that is demonstrable (and runs automatically), this is not a finding. If the SA runs it manually, it is still a finding, because if the SA is not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding. This can be ascertained by looking at the audit log directory and, if more than one file is there, or if the file does not have today's date, this is a finding. Perform the following to determine if auditing is enabled: " Solaris # ps -ef |grep auditd " HP-UX # audsys " AIX # /usr/sbin/audit query | head -1 " Linux # ps -ef |grep auditd If the auditd process is not found, then this is a finding. )Checks to see if auditing is implemented." Solaris # more /etc/cron.d/at.deny " HP-UX # more /var/adm/cron/at.deny " AIX # more /var/adm/cron/at.deny " Linux # more /etc/at.deny If the at.deny file exists and is empty, then this is a finding. JChecks to see if the cron or crontab directories are owned by root or bin.(" Solaris # egrep 'flags|naflags' /etc/security/audit_control Confirm flags lo or +lo and -lo is configured. Confirm naflags lo or +lo and -lo is configured. " HP-UX # grep -i audevent_args1 /etc/rc.config.d/auditing \ | grep login " AIX # more /etc/security/audit/events Confirm the following events are configured: USER_Login, USER_Logout, INIT_Start, INIT_End and USER_SU " Linux For LAUS: # grep process-login /etc/audit/filter.conf |grep always For auditd: This is not a finding. Auditd enables this by default in the source code. 
Check the release of the OS: " Solaris # uname -a Supported releases are 2.7 and newer. " HP-UX # uname -a Supported releases are 10.20 and newer. " AIX # uname -a Supported releases are 4.3 and newer, and 5.1 and newer. " Linux # uname -R Supported releases are RedHat Enterprise 3 and newer and SUSE Enterprise 9 and later. If the operating system is not a supported release, then this is a finding. jInterview ISSO or SA and ask if log storage is sufficient to meet IRS logging and retention requirements. " Solaris Confirm SLEEPTIME is set to 4 or more, or that this variable is not configured as 4 is the system default. # grep SLEEPTIME /etc/default/login Note: This check is currently not applicable for Solaris 5.10. " HP-UX Confirm the t_logdelay is set to 4 or more. # grep :t_logdelay# /tcb/files/auth/system/default " AIX Confirm the logindelay field is set to 4 or more. # grep logindelay /etc/security/login.cfg " Linux Confirm FAIL_DELAY is set to 4 or more. # grep FAIL_DELAY /etc/login.defs =Passwords are not allowed reused within the last six changes.Perform the following to check the permissions: " Solaris # ls  la /usr/bin or /usr/sbin " HP-UX # ls  la /usr/lbin " AIX # ls  la /usr/sbin " Linux # ls  la /usr/sbin If any of the files that are used to start network daemons in the above directories have permissions greater than 755, then this is a finding. Note: Network daemons that may not reside in these directories (such as httpd or sshd) must also be checked for the correct permissions. Check skeleton files permissions: " AIX. # ls  l /etc/security/.profile " All Other Platforms # ls  alL /etc/skel If skeleton dot files are more permissive than 644, then this is a finding. 
-The /usr/aset/userlist file is owned by root.@The /usr/aset/userlist file contains a list of all system users.HNIS+ is not configured on the Solaris system and YPCHECK is set to true.)All NFS servers have logging implemented.;ASET environment variables in the asetenv file are correct._ASET is not used on any firewall system and the firewall parameters are in /usr/aset/asetenv. 0The /usr/aset/masters/uid_aliases file is empty.AAset master files are located in the /usr/aset/masters directory.'No automated password methods are used.vChecks to see if passwords contain information such as names, telephone numbers, account names, dictionary words, etc.Interview the SA or ISSO and ask if passwords are allowed that contain contains information such as names, telephone numbers, account names, dictionary words, etc.lPasswords do not contain information such as names, telephone numbers, account names, dictionary words, etc.@Checks to see if the critical sendmail logfile is owned by root.Perform: # more /etc/syslog.conf Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file. Perform: # ls -lL If the log file permissions are greater than 644, then this is a finding. ?Run control scripts execute world writable programs or scripts.-Run control scripts are owned by root or bin.5Run control scripts are not more permissive than 755.=Run control scripts do not have the sgid or the suid bit set.NPublic directories are group owned by root, sys, bin, or an application group.Check /etc/news/hosts.nntp permissions: # ls  lL /etc/news/hosts.nntp If /etc/news/hosts.nntp is more permissive than 600, then this is a finding. :The /etc/news/hosts.nntp file is less permissive than 600.*The smbpasswd file is group owned by root.$The smbpasswd file is owned by root.*The smb.conf file is group owned by root.Check /etc/sysctl.conf permissions: # ls  lL /etc/sysctl.conf If /etc/sysctl.conf is more permissive than 600, then this is a finding. 
eNo uid's reserved for system accounts, 0-99 (0-499 for Linux), are used by a non-system accounts.8The audit_user file is group owned by root, sys, or bin.7An enabled account on the system is password protected.%The audit_user file is owned by root.#The smb.conf file is owned by root.5Check file applicable to your system, login.access or access.conf. Check /etc/login.access ownership: # ls -lL /etc/login.access Check /etc/login.access ownership: # ls -lL /etc/security/access.conf If /etc/login.access or /etc/security/access.conf is more permissive than 640, then this is a finding. 6Detailed test procedures to follow for test execution.On x86 systems enter the system BIOS and confirm that a supervisor password is enabled. Some systems will have only one password setting, while others may have both user and supervisor settings. On those with two settings, ensure the supervisor password is enabled and set. If the system cannot be rebooted to confirm the settings, ask the system administrator if a BIOS password is enabled. If it is not, then this is a finding.Verify the cron.allow and cron.deny files exist: " Solaris # ls -lL /etc/cron.d/cron.allow # ls -lL /etc/cron.d/cron.deny " HP-UX # ls -lL /var/adm/cron/cron.allow # ls -lL /var/adm/cron/cron.deny " AIX # ls -lL /var/adm/cron/cron.allow # ls -lL /var/adm/cron/cron.deny " Linux Red Hat # ls -lL /etc/cron.allow # ls -lL /etc/cron.deny Or SuSE # ls -lL /var/spool/cron/allow # ls -lL /var/spool/cron/deny If the cron.allow or cron.deny files do not exist, then this is a finding. 
sChecks to see if the audit system is configured to audit all discretionary access control permission modifications.#Look for the presence of a print service configuration file by using the command: # find /etc  name hosts.lpd  print If this file does not exist, use the command: # find /etc  name Systems -print If this file does not exist, use the command: # find /etc  name printers.conf If neither of the files are found, then this check should be marked Not Applicable. Otherwise perform: # ls  lL <print service file> and verify the permissions are not greater than 664. If the permissions are greater than 664, then this is a finding. 6" Solaris # ls  lL /etc/cron.d/cron.allow " HP-UX # ls  lL /var/adm/cron/cron.allow " AIX # ls  lL /var/adm/cron/cron.allow " Linux Red Hat # ls  lL /etc/cron.allow Or SuSE # ls  lL /var/spool/cron/allow If the cron.allow file is not owned and group owned by root, sys, or bin, then this is a finding. FChecks to see if the cron.allow file is owned and group owned by root.1" Solaris # ls  lL /etc/cron.d/cron.deny " HP-UX # ls  lL /var/adm/cron/cron.deny " AIX # ls  lL /var/adm/cron/cron.deny " Linux Red Hat # ls  lL /etc/cron.deny Or SuSE # ls  lL /var/spool/cron/deny If the cron.deny file is not owned and group owned by root, sys, or bin, then this is a finding. EChecks to see if the cron.deny file is owned and group owned by root.7" Solaris # ls  lL /var/spool/cron/crontabs/ " HP-UX # ls  lL /var/spool/cron/crontabs/ " AIX # ls  lL /var/spool/cron/crontabs/ " Linux # ls  lL /var/spool/cron/ (Permissions of 600) # ls  lL /etc/cron.d/ (Permissions of 600) # ls  lL /etc/crontab (Permissions of 600) # ls  lL /etc/cron.daily/ (Permissions of 700) # ls  lL /etc/cron.hourly/ (Permissions of 700) # ls  lL /etc/cron.monthly/ (Permissions of 700) # ls  lL /etc/cron.weekly/ (Permissions of 700) If crontab files are more permissive than 600 (700 for some Linux files), then this is a finding. kVerify the at.allow and/or at.deny files exist. 
" Solaris # ls  lL /etc/cron.d/at.allow # ls  lL /etc/cron.d/at.deny " HP-UX # ls  lL /var/adm/cron/at.allow # ls  lL /var/adm/cron/at.deny " AIX # ls  lL /var/adm/cron/at.allow # ls  lL /var/adm/cron/at.deny " Linux # ls  lL /etc/at.allow # ls  lL /etc/at.deny Ensure at least on of the above files exists. ]ls  lL /etc/services The services file is not owned by root or bin, then this is a finding <Checks to see if the services file is owned by root or bin.als  lL /etc/services If the services file is more permissive than 644, then this is a finding. ?Checks to see if the services file is more permissive than 644." Solaris # ls  ld /var/spool/cron/crontabs " HP-UX # ls  ld /var/spool/cron/crontabs " AIX # ls  ld /var/spool/cron/crontabs " Linux # ls  ld /var/spool/cron # ls  ld /etc/cron.d # ls  ld /etc/cron.daily # ls  ld /etc/cron.hourly # ls  ld /etc/cron.monthly # ls  ld /etc/cron.weekly If the cron or crontab directories are not group owned by root, sys, or bin, then this is a finding. " Solaris # ls  lL /etc/cron.d/at.allow " HP-UX # ls  lL /var/adm/cron/at.allow " AIX # ls  lL /var/adm/cron/at.allow " Linux # ls  lL /etc/at.allow If the at.allow file is not owned and group owned by root, sys, or bin, then this is a finding. DChecks to see if the at.allow file is owned and group owned by root.SUnnecessary accounts (e.g., games, news) and associated software have been deleted.Perform the following to check for unnecessary privileged accounts: # more /etc/passwd Some examples of unnecessary privileged accounts include halt, shutdown, reboot and who. 
ISpecial privilege accounts, such as shutdown and halt, have been deleted.EThe /etc/passwd and /etc/shadow (or equivalent) file is owned by root~If the CMOS is not configured to disable the capability to boot from removable media (e.g., diskette), then this is a finding.IThe cron or crontab directories are not group owned by root, sys, or bin.3Accounts do not have the same user or account name.-Accounts have not been assigned the same uid.Determine if an NFS server is running on the system by: # ps  ef |grep nfsd If an NFS server is running, confirm that it is not configured with the insecure_locks option by: # exportfs  v The example below would be a finding: /misc/export speedy.redhat.com(rw,insecure_locks) %The insecure_locks option is not set.9Passwords cannot be changed more than once every 15 days.< @Check to see if accounts are locked after 90 days of inactivity.7The traceroute command is not more permissive than 700.QThe root account home directory (other than  / ) is not more permissive than 700.MThe root account does not have world writable directories in its search path.]The root account cannot be directly logged into from somewhere other than the system console.Actual ResultsTest ID/The export configuration file is owned by root.(The traceroute command is owned by root.Perform the following to determine if the rexec service is enabled: Solaris, HP-UX, AIX, IRIX # grep  v  ^# /etc/inetd.conf |grep rexec Solaris 10 # svcs rexec |grep disabled Linux # grep disable /etc/xinetd.d/rexec If rexec is found to be enabled, then this is a finding. The rexec service is disabled.(Remote login or remote shell is disabled$Network Analysis tools are disabled.dThe inetd.conf file (xinetd.conf file and the xinetd.d directory for Linux) is owned by root or bin.The inetd.conf (xinetd.conf for Linux) file is not more permissive than 440. The Linux xinetd.d. 
directory is not more permissive than 755.*The services file is owned by root or bin.2The services file is not more permissive than 644.Most syslog messages are logged to /var/log, /var/log/syslog, or /var/adm directories. Check the permissions by performing the following: # ls  lL <syslog directory> If any of the log files permissions are greater than 640, then this is a finding. 0System log file is not more permissive than 640.OAccess to the at utility is controlled via the at.allow and/or at.deny file(s).OThe at.deny file does not exist. OR The at.deny file exists and is not empty.3The cron.deny file is not more permissive than 600.PTFTP is disabled OR TFTP is active and justified and documented with the ISSO.Perform the following to find all the Management Information Base (MIB) files on the system: # find / -name *.mib  print # ls  lL <mib file> Any file returned with permissions greater than 640 is a finding. 6Anonymous FTP is not active or documented by the ISSO.Perform the following to determine if a system is capable of anonymous ftp: # ps  ef |grep ftpd # grep ftp /etc/passwd Use the command ftp to activate the ftp service. Attempt to log into this host with a user name of anonymous and a password of guest (also try the password of guest@mail.com). If the logon is successful, ask if the use of anonymous FTP on the system is documented with the ISSO. If it is not, then this is a finding. Perform the following to determine if a system is capable of anonymous ftp: # ps  ef |grep ftpd # grep ftp /etc/passwd Ask the SA if the server is on a separate subnet located in a DMZ. If it is not, then this is a finding. @Checks to see if anonymous ftp is segregated in the network DMZ.Determine if the X window system is running by: # ps  ef |grep X Ask the SA if the X window system is an operational requirement. If it is not, then this is a finding. To check if SNMP is used, execute the following command: # netstat -a | grep LISTEN | grep snmp. 
# netstat -a | grep LISTEN | egrep '161|162' If there is any output, then ask the SA if this is an snmp server. If it is an snmp server, then ask what other applications run on it. If there is anything other than network management software and DBMS software that is used only for the storage and inquiry of snmp data, this is a finding. }Checks to see if the unix host is not configured to require a password when booted to single user mode and is not documented._Checks for SUID files; checks to see if this process is performed weekly against the baseline.VChecks to see if the cron or crontab directories are group owned by root, sys, or bin.HChecks to see if the at directory is owned by root, bin, sys, or daemon.Solaris, HP-UX, AIX, IRIX, and Linux support single-user mode password. " Solaris 2.5 - 9 # cd /etc/rcS.d # grep sulogin * The sulogin utility should be called from within the svm start up script. Additionally, Solaris 10 # more /etc/default/sulogin (if it exists) Confirm PASSREQ=NO is not configured " Solaris 10 # more /etc/default/sulogin (if it exists) Confirm PASSREQ=NO is not configured " HP-UX # more /tcb/files/auth/system/default Confirm the d_boot_authenticate is: :d_boot_authenticate: The entry :d_boot_authenticate@: is a finding. " AIX - AIX has a chassis key that is used to prevent booting to single-user mode without a password. Confirm it is in the correct position and the key has been removed. " Linux - # more /etc/inittab Confirm the following line is configured: ~~:S:wait:/sbin/sulogin If the UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area accessible only by SAs, then this is a finding. An access-controlled area is defined as requiring two different checks of an individual's identity and authority before gaining access to the system. 
JChecks to see if local initialization files are owned by the user or root.TChecks to see if the local initialization files permissions are securely configured.JChecks to see if local initialization files have the sgid or suid bit set.`Checks the to see if the local initialization files execute world writeable programs or scripts.\Checks to see if .rhosts, .shosts, or hosts.equiv files contain other than hosts-user pairs.AChecks to see if shell files permissions are securely configured.JChecks to see if an audio device file permissions are securely configured.2Checks to see if an audio device is owned by root.}Checks the ownership permissions and location of files with the sgid bit; checks to see if they are documented with the ISSO.@Checks ensure public directory ownership is properly configured.IChecks to see if public directory group ownership is properly configured.ls  ld `find / -type d \( -perm -002 -a  perm  1000 \)` |more If public directories are not group owned by root, sys, bin, other or an application group, then this is a finding. JChecks to see if the system and user default umask is securely configured.To determine if unused default system accounts have been disabled perform the following: " Solaris # grep  *LK* /etc/shadow " HP-UX # grep u_lock /tcb/files/auth/b/bin Repeat for other system accounts. " AIX # grep account_locked /etc/security/user " Linux # awk  F:  $2 ==  * {print $0} /etc/shadow If there are any unused default system accounts that are not locked or have false for a shell, then this is a finding. The accounts in questions are: guest, demo, games, nuucp, uucp, daemon, bin, man, lpd, sys, nobody, ftp, smtp. Additionally, review the account list for any accounts that would appear to be a site specific test, development or temporary account and ensure these accounts are locked. 
OChecks to see if system audit logs are restricted to authorized personnel only.FChecks to see if system audit log permissions are securely configured.|Checks to see if the audit system is configured to audit failed attempts to access files and programs, including FTI files. To view the version number click  Help then click  About Browser from the browser tool bar. If the browser version is not Netscape 4.79 or greater, or FireFox 1.5 or greater, then this is a finding. #The browser is a supported version.IThe /etc/login.access or /etc/security/access.conf file is owned by root.TFTP is configured to vendor specifications, including the following: - A TFTP user will be created. - The default shell will be set /bin/false, or equivalent. - A home directory owned by the TFTP user will be created. ;An X Windows host writes .Xauthority files (or equivalent).oAuthorized X clients are listed in the X*.hosts (or equivalent) file(s) if the .Xauthority utility is not used.2The ftpusers file is not more permissive than 640.An FTP user s umask is 077.To determine if fsp is enabled, perform the following: # grep in.fspd /etc/inetd.conf # netstat  an |grep fspd If an entry for fsp is found, then this is considered a finding. FSP is disabled.7The TFTP daemon does not have the suid or sgid bit set.?The at.deny file is owned and group owned by root, sys, or bin.AThe cron.deny file is owned and group owned by root, sys, or bin.3Check file applicable to the system, login.access or access.conf. . Check /etc/login.access ownership: # ls  lL /etc/login.access Check /etc/login.access ownership: # ls  lL /etc/security/access.conf If /etc/login.access or /etc/security/access.conf is not group owned by root, then this is a finding. 
<The browser has unencrypted secure content caching disabled.5The /etc/passwd file is not more permissive than 644.BSuccessful and unsuccessful access to the root account are logged.0Accounts other than root do not have a uid of 0.BThe root password is not passed over a network in clear text form.Audit trails and/or system logs are reviewed on a daily basis for: - Excessive logon attempt failures by single or multiple users - Logons at unusual/non-duty hours - Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing - Unusual or unauthorized activity by System Administrators - Command-line activity by a user that should not have that capability - System failures or errors - Unusual or suspicious patterns of activity NThe audit system is configured to audit login, logout, and session initiation.bThe audit system is configured to audit all discretionary access control permission modifications.OThe audit system is configured to audit files and programs deleted by the user.vThe Ctrl-Alt-Delete sequence is disabled and the system is located in a controlled access area accessible only by SAs.Determine if an NFS server is running on the system by: # ps  ef |grep nfsd If an NFS server is running, confirm that it is not configured with the insecure option by: # exportfs  v The example below would be a finding: /misc/export speedy.redhat.com(rw,insecure) 5Moved and renamed check UNIX-LINUX-187 as SOLAIRS-SPECIFIC-15. Corrected spelling "SOLAIRS-" to "SOLARIS-" in Solaris-Specific TestIDs. Modified check separator row TestID fields so they will sort before their associated TestIDs when worksheet is sorted by TestID. Changed the primary NIST control for SOLARIS-SPECIFIC-13 from SA-10 to SI-2 (SA-10 is not referenced in Pub. 1075.) Added AC-3 as primary NIST control for UNIX-LINUX-113. Added conditional formats (colors) to Pass/Fail Column: Pass=Green; Fail=Red; Info=Tan; other (e.g. 
N/A) = clear (default).Indications of inactive accounts are those that have no entries in the last log. Check the date in the last log to verify it is within the last 90 days. If an inactive account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or TCB equivalent), check the /etc/passwd file to check if the account has a valid shell. If not, then this is a finding. Non-interactive application accounts may be documented./Accounts are locked after 90 days of inactivityMCheck to se< e if passwords are allowed to be reused within the last 6 changes.nChecks to see if password complexity is enforced when possible depending on the UNIX variant that is deployed.GCheck to see if passwords can be changed more than once every 15 days.lChecks to see if global initialization files are group owned by root, sys,bin, other or the system default.@Checks to see if global initialization files are owned by root.FChecks to see if default skeleton dot files are owned by root or bin.sChecks to see if the xwindows system connections are required If not required, checks to see if they are disabled.DChecks to see if the files in /etc/news are owned by root or news.BIf an IM client is installed, ask the SA if it configured to communicate only with IRS IM servers. If it has access to servers on the internet, then this is a finding. EXAMPLES - GAIM, PIDGIN, KOPETE (or others) #rpm -qa |grep -i gaim #rpm -qa |grep -I pidgin or find / -name gaim find / -name pidgin find / -name kopete GCheck to see if an enabled account on the system is password protected.UChecks to see if the root account has world writeable directories in its search path.Check to see if an encrypted remote access program such as ssh is configured to disable the capability to log on directly as root.@- Solaris 2.5, 2.6, and 7 Confirm CONSOLE is set to /dev/console. 
# grep CONSOLE=/dev/console /etc/default/login - Solaris 8, 9, and 10 Confirm there is no output from the below mentioned command. # consadm  p - HP-UX Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null. # more /etc/securetty - AIX Ensure /etc/security/login.cfg does not define an alternate console. # more /etc/security/login.cfg - Linux Confirm /etc/securetty exists and is empty or contains only the word console or a single tty device. # more /etc/securetty *Perform the following to check NIS file ownership: " Solaris # ls  la /usr/lib/netsvc/yp " HP-UX # ls  la /var/yp/<nis domainname> " AIX # ls  la /usr/lib/netsvc/yp or /usr/lib/nis " Linux # ls  la /var/yp/<nis domainname> If the file ownership is not root, sys, bin, then this is a finding. 3Checks to see if users do own their home directory.Pass / Fail / N/AMReviewer to indicate if the test case passed, failed, or is not applicable. gThe first step for this test is to identify where on the system FTI resides. If it resides on the operating system file structure, then use the following commands to determine if access to FTI files residing on the operating system are audited. " Solaris # more /etc/security/audit_control Confirm flags  fr or fr is configured. " HP-UX # grep  i  audevent_args1 /etc/rc.config.d/auditing \ | grep open " AIX # more /etc/security/audit/events Confirm the following events are configured: FILE_Open " Linux For LAUS: # grep  @open-ops /etc/audit/filter.conf For auditd: # grep  -a exit,always  S open  F success!=0 /etc/audit.rules (RHEL5 /etc/audit/audit.rules) If FTI resides in the application or database, then interview the application or database administrator for due dilligence to determine if access attempts to FTI files are audited. kThe audit system is configured to audit failed attempts to access files and programs, including FTI files. 
\Checks to see if the audit system is configured to audit all administrative, privileged and security actions, including all system changes with the potential to compromise the integrity of audit policy configurations, security policy configurations and audit record generation services and enabling or disabling of audit report generation services.MThe audit system is configured to audit all administrative, privileged, and security actions, including all system changes with the potential to compromise the integrity of audit policy configurations, security policy configurations and audit record generation services and enabling or disabling of audit report generation services.@Find the snmpd.conf by: # find / -name snmpd.conf  print # more snmpd.conf Search for the community name to check if the password was changed to something other than public, private, snmp-trap or password and which meets the IRS requirements for password construction. The community string will be in plain text. -Checks to see if the uucp service is enabled.OChecks to see if the snmp community strings have been changed from the default.NThe /etc/syslog.conf file is owned by root or is not more permissive than 640.nThe .rhosts, .shosts, hosts.equiv, or shosts.equiv are not used or are justified and documented with the ISSO.If there is an application running on the system that is continuously in use (such as a network monitoring application), ask the SA what the name of the application is. # ps  ef | more If the logon session for an application requiring a continuous display does not ensure: - The logon session is not a root session. - The inactivity exemption is justified and documented with the ISSO. - The display station (e.g., keyboard, CRT) is located in a controlled access area. Then this is a finding. The logon session for an application requiring a continuous display ensures: - The logon session is not a root session. - The inactivity exemption is justified and documented with the ISSO. 
- The display station (e.g., keyboard, CRT) is located in a controlled access area. dThe ownership, permissions, and location of files with the sgid bit set are documented with the ISSO`Checks to see if the system is a router, if it is not a router, the default gateway must be set.=The system i< s not a router and has a default gateway defined.URouting is implemented on dedicated hardware. If not, it is documented with the ISSO.dChecks to see if the snmpd.conf file is not owned by root and group owned by sys or the application.# find / -name .netrc If the .netrc file exists, then this is a finding. The .netrc must be justified and documented with the ISSO. 3Checks to see if shell files have the suid bit set.lCheck run control scripts ownership: " Solaris # cd /etc # ls  lL rc* # cd /etc/init.d # ls  l " HP-UX # cd /sbin # ls  lL rc* # cd /sbin/init.d # ls  l # /etc/rc.config.d # ls -l " AIX # cd /etc # ls  lL rc* " Linux # cd /etc (may vary) # ls  lL rc* # cd /etc/init.d # ls  l If run control scripts are not owned by root or bin, then this is a finding. Check run control scripts group ownership: " Solaris # cd /etc # ls  lL rc* # cd /etc/init.d # ls  lL " HP-UX # cd /sbin # ls  lL rc* # cd /sbin/init.d # ls  lL " AIX # cd /etc # ls  lL rc* " Linux # cd /etc (may vary) # ls  lL rc* # cd /etc/init.d # ls  lL rc* If run control scripts are not group owned by root, sys, bin, other or the system default, then this is a finding. QChecks to see if run control scripts execute world writeable programs or scripts.EChecks to see if shell files exist that are not owned by root or bin.Audit logs are rotated daily.Perform: # ps  e | egrep  innd|nntpd If an Internet Network News server is running and not justified and documented by the ISSO, then this is a finding. Perform the following to check for at jobs: # cd /var/spool/cron/atjobs Or # cd /var/spool/atjobs Determine if there are any at jobs by viewing a long listing of the directory. 
If there are at jobs perform the following to check for any programs that may have a umask more permissive than 027: # grep umask ./* If there are any, this is a finding unless the ISSO has justifying documentation. If there are no  at jobs present, this vulnerability is Not Applicable. I# more //.* Look for programs or scripts executed within the local initialization files, and issue an ls -al on any programs or scripts found to check if the called program or script is world writable. If local initialization files execute world writable programs or scripts, then this is a finding. 'Checks to see if the.netrc file exists.mCheck run control scripts permissions: " Solaris # cd /etc # ls  lL rc* # cd /etc/init.d # ls  l " HP-UX # cd /sbin # ls  lL rc* # cd /sbin/init.d # ls  l # /etc/rc.config.d # ls -l " AIX # cd /etc # ls  lL rc* " Linux # cd /etc (may vary) # ls  lL rc* # cd /etc/init.d # ls  l If run control scripts are more permissive than 755, then this is a finding. DChecks to see if home directories have permissions greater than 750.ZChecks to see if an accounts primary gid is different from the account home directory gid.DChecks to see if system start-up files are more permissive than 755.CChecks to see if run control scripts have the sgid or suid bit set.XChecks to see if the default skeleton dot file permissions are more permissive than 644.Check skeleton files ownership: " AIX. # ls  l /etc/security/.profile " All Other Platforms # ls  alL /etc/skel If skeleton dot files are not owned by root or bin, then this is a finding. TRun control scripts are group owned by root, sys, bin, other, or the system default.=Global initialization files are not more permissive than 644..Global initialization files are owned by root.OThe securetcpip command is in /etc. If it is not there, this is a finding. Perform: # more /etc/security/config If the stanza: tcpip: netrc = ftp, rexec is not there, then this is a finding. 
The stanza indicates the securetcpip command, which disables all the unsafe tcpip commands, (e.g., rsh, rlogin, tftp)has been executed. 7Checks to see if the securetcpip command has been used._Checks to see if the CMOS is configured to disable the capability to boot from removable media.tChecks to see if the password configuration table has the supervisor passwd set to off or the user passwd set to on.EChecks to see if the /etc/securetty file is more permissive than 640.Determine if the following flags are set for auditing: # tail /etc/rc.config.d/auditing The AUDOMON_ARGS flag should be the last line in the file. Look at the arguments and compare them to -p 20, -t 1, -w 90. If any of these differ, this a finding. XChecks to see if the HPUX audomon_args flag is set to IRS or other more secure settings.HP-UX AUDOMON_ARGS flag is set to IRS or other best practice documents. More secure settings should be similar to: -p 20, -t 1, -w 90.W# ls  lL /etc/securetty If /etc/securetty is not owned root, then this is a finding. 5Checks to see if the /etc/securetty is owned by root.MChecks to see if the /etc/securetty file is group owned by root, sys, or bin.a# ls  lL /etc/securetty If /etc/securetty is more permissive than 640, then this is a finding. @Checks to see if the /etc/securetty is more permissive than 640.EThe /etc/securetty file has permissions of less than or equal to 640.HThe /usr/aset/userlist file has permission of less than or equal to 600.KChecks the /etc/login.access or /etc/security/access.conf is owned by root.eChecks to see if the /etc/login.access or /etc/security/access.conf file is more permissive than 640.@Checks to see if the /etc/sysctl.conf file is not owned by root.Check /etc/news files ownership: # ls  al /etc/news If /etc/news files are not owned by root or news, then this is a finding. Check /etc/news files group ownership: # ls  al /etc/news If /etc/news files are not group owned by root or news, then this is a finding. 
AChecks to see if the /etc/news fi< les group owner is root or news.SWAT must be utilized with ssh to ensure a secure connection between the client and the server. The ssh daemon on the server must be configured to allow port forwarding. If SWAT is being utilized to administer Samba on the server, perform the following: # grep AllowTcpForwarding /etc/ssh/sshd_config If the line is commented out or set to  no and SWAT is in use, then this is a finding. UChecks to see if the Samba web administration tool is used with SSH port forwarding.# find / -name .rhosts # more //.rhosts # find / -name .shosts # more //.shosts # find / -name hosts.equiv # more //hosts.equiv # find / -name shosts.equiv # more //shosts.equiv If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files contain other than hostname-user pairs and are not justified and documented with the ISSO, then this is a finding. The .rhosts, .shosts, hosts.equiv, or shosts.equiv files do not contain other than host-user pairs and are not justified and documented with the ISSO.# find / -name .rhosts # find / -name .shosts # find / -name hosts.equiv # find / -name shosts.equiv If .rhosts, .shosts, hosts.equiv, or shosts.equiv are found and not justified and documented with the ISSO, then this is a finding. No gid's reserved for system accounts are used by a non-system accounts. - gid 14 (sysadmin - Solaris)  may be used if documented with the ISSO. - gid 20 (users - HPUX)  may be used if documented with the ISSO.=Issue this command for each user in the /etc/passwd file to display user home directory permissions: # ls  lLd /<usershomedirectory> If a user s home directories are more permissive the 750, then this is a finding. Home directories with permissions greater than 750 must be justified and documented with the ISSO. 
AIssue this command for each user in the /etc/passwd file to display user home directory ownership: # ls  lLd /<usershomedirectory> If a user s home directory(s) are not owned by the assigned user, then this is a finding. Home directories not owned by the assigned user must be justified and documented with the ISSO. Systems are configured to log out of interactive processes (i.e., terminal sessions, ssh sessions, etc.,) after 15 minutes of inactivity or ensure a password protected screen lock mechanism is used and is set to lock the screen after 15 minutes of inactivity.Check to see if the feedback from the information system provides information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.Interview ISSO or SA and ask if any applications or services display the user or service account password during input or after authentication. Checks to see if the organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.aPerform the following to determine if nfs clients are mounting file systems with the nosuid and nosgid options: # mount  v | grep " type nfs " | grep "nosuid" # mount  v | grep " type nfs " | grep "nosgid" If the mounted file systems do not have the above two options, then this is a finding and it must be justified and documented with the ISSO. @Checks to see if a public instant messaging client is installed." AIX # /usr/sbin/lsuser  a umask ALL | more " All other platforms - Global Initialization Files # grep umask /etc/* Confirm the global initialization files set the umask to 027. - Local Initialization Files # grep umask /<usershomedirectory>/.* Confirm the local initialization files do not exceed the default umask to 027. 
Note: If the default umask is 000 or allows for the creation of world writable files this becomes a Severity Code I finding. If the system and user default umask is not 027, then this a finding. ;Check to see if unused default accounts have been disabled.+Unused default accounts have been disabled.wChecks to see if there are world writeable files or directories that have not been determined to be public directories.~There are no world writable files or world writable directories other than those determined to be public files or directories.Perform the following to determine the location of audit logs and then check the permissions: " Solaris # more /etc/security/audit_control # ls  la <audit log dir> " HP-UX # ls  la /.secure/etc " AIX # grep  :bin: /etc/security/audit/config Directories to search will be listed under the bin stanza. # ls  la <audit directories> " Linux # ls  la /var/log/audit.d # ls  la /var/log/audit/audit.log If any of the audit log file permissions are greater than 640, then this is a finding. @Checks to see if the /etc/lilo.conf is more permissive than 600.TChecks to see if Kickstart or Autoyast are used outside an isolated development lan.To enable NFS server logging the  log option must be applied to all exported files systems in the /etc/dfs/dfstab. Perform the following to verify NFS is enabled: # share The preceding command will display all exported filesystems. Each line should contain a  log entry to in< dicate logging is enabled. If the  log entry is not present then this is a finding. If the share command does not return anything, then this is not an NFS server and this is considered Not Applicable. 
>Checks to see if the NFS server does have logging implemented.BThe /etc/securetty file has permissions less than or equal to 640.WChecks to see if the audit_user file has a different auditing level for specific users.Check /etc/security/audit_user ownership: # ls  lL /etc/security/audit_user If /etc/security/audit_user is not owned by root, then this is a finding. 1Checks to see if the audit_user is owned by root.Check /etc/security/audit_user group ownership: # ls  lL /etc/security/audit_user If /etc/security/audit_user is not group owned by root, sys, or bin, then this is a finding. IChecks to see if the audit_user file is group owned by root, sys, or bin.Check /etc/security/audit_user permissions: # ls  lL /etc/security/audit_user If /etc/security/audit_user is more permissive than 640, then this is a finding. BChecks to see if the audit _user file is more permissive than 640.<The audit_user file has permissions of less or equal to 640.qChecks for a version of the Sun Answerbook2 that was found vulnerable to the dwhttpd format string vulnerability.jChecks to see if the NFS server is configured to deny client access request that do not include a user id.GCheck to see if system command permission are more permissive than 755.Perform: # ls  lL <system directory> <system files directories are listed below> to check the group owner for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/usb, /sbin, and /usr/sbin. If the files are not owned by a system group or application group, then this is a finding. " Solaris # ls  lL /etc/dfs/dfstab " HP-UX # ls  lL /etc/exports " AIX # ls  lL /etc/exports " Linux # ls  lL /etc/exports If the export configuration file is not owned by root, then this is a finding. @Checks to see if the export configuration file is owned by root." Solaris # ls  lL /etc/dfs/dfstab " HP-UX # ls  lL /etc/exports " AIX # ls  lL /etc/exports " Linux # ls  lL /etc/exports If the export configuration file is more permissive than 644, then this is a finding. 
HThe export configuration file has permissions less than or equal to 644.Perform the following to determine if NFS File Systems are writeable: # exportfs  v |grep rw If any entries are returned, ask the SA if the file systems have been approved and documented with the ISSO for export as writable. VNFS file systems exported as writeable have been justified and documented by the ISSO.ICheck to see if system log file permissions are more permissive than 640.JCheck to see if manual page file permissions are more permissive than 644.Perform: # ls  lL <system directory> <system files directories are listed below> to check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/usb, /sbin, and /usr/sbin. Uneven file permission exist if the file owner has less privileges than the group or world users and when the file is owned by a privileged user or group (such as root or bin).. If any of the files in the above listed directories contain uneven file permissions, then this is a finding. (Check to see if there are unowned files.VCheck to see if network services daemon file permissions are more permissive than 755.?Perform the following to check NIS file group ownership: " Solaris # ls  la /usr/lib/netsvc/yp " HP-UX # ls  la /var/yp/<nis domainname> " AIX # ls  la /usr/lib/netsvc/yp or /usr/lib/nis " Linux # ls  la /var/yp/<nis domainname> If the file group ownership is not root, sys, bin or other, then this is a finding. 3Perform the following to check NIS file permissions: " Solaris # ls  la /usr/lib/netsvc/yp " HP-UX # ls  la /var/yp/<nis domainname> " AIX # ls  la /usr/lib/netsvc/yp or /usr/lib/nis " Linux # ls  la /var/yp/<nis domainname> If any of the file permissions are greater than 755, then this is a finding. Applicable to Solaris 2.5.1 through Solaris 5.8. 
# find / -name dhttpwd If the Answerbook binary is found, check for the following patches: Solaris 5.5.1 110532-01 Solaris 5.5.1_x86 110538-01 Solaris 5.6 110532-01 Solaris 5.6_x86 110538-01 Solaris 5.7 110532-01 Solaris 5.7_x86 110538-01 Solaris 5.8 110532-01 Solaris 5.8_x86 110538-01 - Apply the applicable patch or remove the binary/application to remediate this finding. - Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, to LOW Verify that ASET is being used by: # crontab  l |grep aset If there is an output, then check to make sure that the files in question are in the /usr/aset/masters directory by performing: # ls  l /usr/aset/masters The following files should be in the listing: tune.high, tune.low, tune.med, and uid_aliases. If the all of the files are not in the directory listing, then t< his is a finding. VChecks to see if the ASET master files are located in the /usr/aset/masters directory.# more /usr/aset/masters/uid_aliases If fhe /usr/aset/masters/uid_aliases file is not empty or all contents are not commented out, then this is a finding. <Checks to see if the /usr/aset/masters/uid_aliases is empty.iChecks to see if ASET is used on a firewall system and the firewall parameters are in /usr/aset/asetenu.Perform the following to determine if ASET is scheduled to run: # crontab  l | grep aset The default user list is /usr/aset/userlist. If the  u option is specified in the crontab entry, then the userlist file is the argument supplied to the  u option. Perform: # more /usr/aset/userlist If the file does not exist or if the file does not contain a list of the system usernames, then this is a finding. QChecks to see if the /usr/aset/userlist file contains a list of all system users.c# ls  lL /usr/aset/userlist If /usr/asset/userlist is not owned by root, then this is a finding. 
>Checks to see if the /usr/aset/userlist file is owned by root.i# ls  lL /usr/aset/userlist If /usr/aset/userlist is more permissive than 600, then this is a finding. JChecks to see if the /user/aset/userlist file is more permissive than 600.@Configuration requires that passwords are changed every 60 days.ZChecks to ensure the operating system version in use is a supported version by the vendor.OChecks to ensure system time is synchronized with an authoritative time server.5Checks to ensure all accounts have unique user names./Checks to ensure all accounts have unique UIDs.KChecks to ensure UID s 0-99 (0-499 Linux) are reserved for system accounts.KChecks to ensure GID s 0-99 (0-499 Linux) are reserved for system accounts.DChecks to ensure groups listed in the passwd file are in /etc/group.7Checks to ensure the IRS approved login banner is used.@Checks to ensure successful login and logout activity is logged.JChecks to ensure accounts are disabled after 3 unsuccessful login attemptsZChecks to determine if automatic session termination applies to local and remote sessions.The SA will configure systems to log out interactive processes (i.e., terminal sessions, ssh sessions, etc.,) after 15 minutes of inactivity or ensure a password protected screen lock mechanism is used and is set to lock the screen after 15 minutes of inactivity.:Checks to ensure secure operation of application sessions.- Solaris 10 Confirm HISTORY is set to 6 or more. # grep HISTORY /etc/default/passwd - HP-UX # grep HISTORY /etc/default/security AIX If the System Management Interface Tool (SMIT) is used, run the following to invoke the graphical mode tool: # smit or smit -a Use SMIT to inspect the characteristics of user password attributes and check that password history is set to 6 or more. - Linux # ls /etc/security/opasswd # more /etc/pam.d/system-auth |grep password | grep pam_unix.so | grep remember If /etc/security/opasswd does not exist, then this is a finding. 
If the  remember option in /etc/pam.d/system-auth is not set to 6, then this is a finding. If passwords are reused within the last six changes, then this is a finding. Percent (%)StatusPassFailInfoNot ApplicableBlank (Not Reviewed)Total Tests PerformeduCheck run control scripts for sgid and suid: " Solaris # cd /etc # ls  lL rc* # cd /etc/init.d # ls  l " HP-UX # cd /sbin # ls  lL rc* # cd /sbin/init.d # ls  l # /etc/rc.config.d # ls -l " AIX # cd /etc # ls  lL rc* " Linux # cd /etc (may vary) # ls  lL rc* # cd /etc/init.d # ls  l If run control scripts have the sgid or suid bit set, then this is a finding. Check /etc/passwd ownership: # ls  lL /etc/passwd Check /etc/shadow and equivalent file(s) ownership: " HP-UX The TCB structure of HP-UX and other flavors of UNIX is radically different from the /etc/shadow structure found in Solaris. The file permissions and uids/gids should be as follows, and are a finding if they deviate from this configuration. /tcb d555 root sys /tcb/files d771 root sys /tcb/files/auth d771 root sys /tcb/files/auth/[a-z]/* 664 root root " AIX. # ls  lL /etc/security/passwd " All Other Platforms # ls  lL /etc/shadow If the /etc/passwd and /etc/shadow (or equivalent) file is not owned by root, then this is a finding. If HP-UX /tcb directories and files ownerships are not configured as detailed above, then this is a finding. Perform the following to determine if a default route is defined: # netstat  r |grep default If a default route is not defined, then this is a finding. AAccess to the X-terminal host is limited to authorized X clients.The UUCP service is disabled.4The snmpd.conf file is not more permissive than 700./The MIB files are not more permissive than 640.AClick on  Edit >> Preferences >>  Navigator , and verify the  Blank Page button under  Navigator Start With is selected or, if Home Page is selected, verify the pathname under the Home Page box is for a local web server. 
For Firefox select Edit >> Preferences in the browser to< ol bar, and then select the General item. \Global initialization files are group owned by root, sys, bin, other, or the system default.:Default skeleton . files are not more permissive than 644.Perform more command to look in the system startup files to check for files or scripts being executed. Check the permissions on the files or scripts to check if they are world writable. Alternatively, the command # find / -perm  0002  type f > wwlist Will give a list of world writable files that can be checked against the executed files or scripts. If world writeable files are found to be executed from systems startup scripts, then this is a finding. [The snmpd.conf and .mib files are owned by root and group owned by sys or the application.Check /etc/shadow and equivalent file(s) permissions: " HP-UX The TCB structure of HP-UX and other flavors of UNIX is radically different from the /etc/shadow structure found in Solaris. The file permissions and uids/gids should be as follows, and are a finding if they deviate from this configuration. /tcb d555 root sys /tcb/files d771 root sys /tcb/files/auth d771 root sys /tcb/files/auth/[a-z]/* 664 root root " AIX. # ls  lL /etc/security/passwd " All Other Platforms # ls  lL /etc/shadow If the /etc/shadow (or equivalent) file is more permissive than 400, then this is a finding. If HP-UX /tcb directories and files permissions are not configured as detailed above, then this is a finding. 
JChecks to see if the shadow file permissions are more permissive than 400.BChecks to see if run control scripts are not owned by root or bin.hChecks to see if run control scripts are not group owned by root, sys, bin, other or the system default.wobs executed through an aliases file are owned by root and reside within a directory owned and writable only by root.Hobs executed through an aliases file are not more permissive than 755.,Critical-level sendmail messages are logged.AU-5SA-10SA-11CM-2CM-3CM-4CM-5CM-6MP-7SI-9SI-10SI-11SI-12IA-7QChecks to see if the at.deny file is owned and group owned by root, sys, or bin.6Checks to see if the traceroute command owner is root.Find the aliases file on the system: # find / -name aliases  depth  print # ls  lL <alias location> (NOTE: THE -depth OPTION may not be required. Tested on RHEL5) If the file is not owned by root, then this is a finding. Perform the following on the ftpusers file associated with the applicable operating system: # ls  la <file location> Locations of the ftpusers file: Solaris 5.5.1  5.8 /etc/ftpusers Solaris 5.9  5.10 /etc/ftpd/ftpusers HPUX 10 /etc/ftpusers HPUX 11 /etc/ftpd/ftpusers AIX /etc/ftpusers Linux (wu-ftp) /etc/ftpusers Linux (vsftpd) /etc/vsftpd.ftpusers If the file is not owned by root, then this is a finding. 5Checks to see if the ftp users file is owned by root.Find the aliases file on the system: # find / -name aliases  depth  print # more <aliases file location> (NOTE: THE -depth OPTION may not be required. Tested on RHEL5) Examine the aliases file for any directories or paths that may be utilized. Perform: # ls  lL <path> to check the permissions are not greater than 755. If files executed through an alias have permissions greater than 755, then this is a finding. 
KChecks to see if the browser issues a warning when form data is redirected.Search for any .forward files on the system by: # find  name .forward  print This is considered a finding if any .forward files are found on the system. Find the aliases file on the system: # find / -name aliases  depth  print # ls  lL <alias location> (NOTE: THE -depth OPTION may not be required. Tested on RHEL5) If the permissions are greater than 644, then this is a finding. 1Checks to see if the alias file is owned by root.Checks to see if files executed through an alias file are owned by root and reside within a directory owned and writeable only by root.`Checks to see if the system is a print server and the configuration is documented with the ISSO.To determine if tcp wrappers is installed perform the following: Solaris, HP-UX , and AIX # grep tcpd /etc/inetd.conf Solaris 10 # svcprop  p defaults inetd | grep tcp_wrappers This should return a line with the following: defaults/tcp_wrappers boolean true If the above line contains the word false, then this is a finding on Solaris 10. Solaris 8 or 9 # grep  i enable_tcpwrappers /etc/default/inetd If the value returned is not set to yes and /etc/inetd.conf does not contain tcpd, then this is a finding. Linux # rpm  qa |grep tcpd or Check the services in the /etc/xinetd.d directory that are not disabled for an entry containing noaccess or only_from. Ensure an entry returns specifically for tcp< d, not tcpdump. NOTE: Tcpwrappers can also be configured through /etc/host.allow and /etc/hosts.deny. 
Checks thses files for additional access control configuration.A system vulnerability assessment tool is being run on the system weekly, or at an interval that is compliant with IRS security policy.9Checks to see if an access control program is being used._Any servers running the Internet Network News server are justified and documented by the ISSO.KChecks to see if the /etc/news/hosts.nntp file is more permissive than 600.^Checks to see if password lengths are compliant with IRS requirements of 8 characters or more.Mpassword lengths are compliant with IRS requirements of 8 characters or more.Interview the ISSO or SA and ask if passwords can be automated through function keys, scripts, or other methods where passwords may be stored on the system.[Checks to see if the /etc/login.access or /etc/security/access.conf is group owned by root.>Checks to see if the /etc/sysctl.conf is group owned by root.BChecks to see if the /etc/sysctl.conf is more permissive than 600.DThe /etc/sysctl.conf file has permissions less than or equal to 600.bThe /etc/login.access or /etc/security/access.conf file has permissions less than or equal to 640.0Checks to see if the nfs insecure option is set.2Checks to see if the insecure_locks option is set.Determine is ASET is being used by: # crontab  l | grep aset Check the configuration of ASET by: # more /usr/aset/asetenv If there are any changes below the following two lines that are not comments, this is a finding: # Don't change from here on down ... # # there shouldn't be any reason to. # In addition, if any of the following lines do not match, this is a finding. 
TASKS="firewall env sysconf usrgrp tune cklist eeprom" CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR} \ /util:${ASETDIR}/masters:/etc CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin: \ /usr/sbin:/usr/ucblib YPCHECK=false PERIODIC_SCHEDULE="0 0 * * *" UID_ALIASES=${ASETDIR}/masters/uid_aliases PChecks to see if the ASET environment variables in the asetenv file are correct.Perform the following to determine if ASET is configured to check NIS+: # grep YPCHECK /usr/aset/asetenv If NIS+ is running and the YPCHECK variable is set to false, then this is a finding. SCSEM Results Dashboard # of Tests-Total # Tests AvailableOut-of-Scope ReasonRA-1 Control covered in the MOT SCSEMRA-2RA-3RA-5PL-1PL-2PL-4PL-5,Control not selected in IRS Publication 1075SA-1SA-2SA-3SA-4SA-5SA-6SA-7SA-9CA-1CA-2CA-3CA-5CA-6CA-7PS-1PS-2PS-3PS-4PS-5PS-6PS-7PS-8CP-1CP-2CP-3CP-4CP-6CP-7CP-8CP-9CP-10CM-1CM-8MA-1MA-2MA-3MA-4MA-5MP-1Control covered in the SDSEMMP-2MP-3MP-4MP-5MP-6PE-1PE-2PE-3PE-4PE-5PE-6PE-7PE-8PE-9PE-10PE-11PE-12PE-13PE-14PE-15PE-16PE-17SI-1SI-3SI-4SI-5SI-8IR-1IR-2IR-3IR-4IR-5IR-6IR-7AT-1AT-2AT-3AT-4IA-1IA-3IA-4AC-1AC-19AC-20AU-1AU-7AU-11SC-1SC-12SC-14SC-15SC-17SC-18SC-19SC-20SC-22 References+IRS Publication 1075, October 2007 Revision Test Method Test ExamineInterview Examine InterviewExamineInterview Examine Examine TestTestThe system is checked weekly against the system baseline for unauthorized suid files as well as unauthorized modification to authorized suid files.:Successful and unsuccessful logins and logouts are logged.\The login delay between login prompts after a failed login is set to more than four seconds.mDevice file directories are not writable by users other than a system account or as configured by the vendor.<The /etc/securetty file is group owned by root, sys, or bin.X servers get started several ways, such as xdm, gdm or xinit. 
Perform: # ps  ef |grep X Output for example: /usr/X11R6/bin/X  nolisten  ctp  br vt7  auth /var/lib/xdm/authdir/authfiles/A:0 Check the Xservers file to ensure the following options are enabled: -audit, -auth. Xserver files can found in: /etc/X11/xdm/Xservers /etc/opt/kde3/share/config/kdm/Xservers /etc/X11/gdm/Xservers -The X server has the correct options enabled.Perform the following to check for unnecessary user accounts: # more /etc/passwd Some examples of unnecessary accounts includes games, news, gopher, ftp. 4An audio device is group owned by root, sys, or bin.)Shell files do not have the suid bit set.)Shell files do not have the sgid bit set.%Shell files are owned by root or bin.-Shell files are not more permissive than 755.MLocal initialization files do not execute world writable programs or scripts.A .netrc file does not exist.9Local initialization files are owned by the user or root.;The access control program logs each system access attempt.(An access control program is being used.Auditing is implemented.9System audit logs are not readable by unauthorized users.<Public directories are owned by root or an application user.Expected Results_The CMOS is configured to disable the capability to boot from removable media (e.g., diskette).Test Objective Test StepsThe insecure option is not set.Determine if the organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives. Examples are access to public facing government service websites such as www.firstgov.gov.|To determine if a browser has browser data redirection warning enabled perform: Select Edit>>Preferences>Privacy and Security from the browser toolbar. Select the Validation (RHEL-FIREFOX-VERIFICATION) tab. Ensure that  Use OCSP to validate only certificates that specify an OCSP service URL is selected under the OCSP heading. If it is not selected, then this is a finding. 
SSH is not using v1 compatibility; only v2 connections are accepted. Check /etc/samba/smbpasswd ownership: # ls -lL /etc/samba/smbpasswd If /etc/samba/smbpasswd is not group owned by root, then this is a finding. Checks to see if the /etc/samba/smbpasswd file is group owned by root. Check /etc/samba/smbpasswd permissions: # ls -lL /etc/samba/smbpasswd If /etc/samba/smbpasswd is more permissive than 600, then this is a finding. The smbpasswd file is equal to or less permissive than 600. Perform the following to check for access permissions: # exportfs -v Each exported file system must list the specific hosts, networks or netgroups permitted access together with the "rw" or "ro" option; an export with no host restriction (a bare rw or ro, or a host field of "*") allows any host that can reach the server to mount it. If any exported file system does not restrict access with the "rw" or "ro" options, then this is a finding. Checks to see if the NFS server is configured to restrict file system access to local hosts. Ask the SA if any peer-to-peer file-sharing applications are installed. Some examples of these applications include: - Napster - Kazaa - ARES - Limewire - IRC Chat Relay - BitTorrent If any of these applications are installed without an Acceptance of Risk Letter from the DAA, then this is a finding. Checks to see if the nosuid and nosgid options are enabled on an NFS client. Checks to ensure the Unix host is configured to require a password when booted to single user mode and is located in a controlled access area. Verify that a combination of alpha and numeric or special characters is required for a password. - Solaris 9 and prior: This check is not applicable. - Solaris 10: Confirm MINLOWER is set to at least 1 and MINUPPER is set to at least 1. # egrep 'MINLOWER|MINUPPER' /etc/default/passwd - HP-UX # grep PASSWORD_MIN_LOWER_CASE_CHARS /etc/default/security # grep PASSWORD_MIN_UPPER_CASE_CHARS /etc/default/security - AIX # grep minalpha /etc/security/user - Linux # egrep 'lcredit|ucredit' /etc/pam.d/system-auth lcredit and ucredit should be set to -1 on the password-quality module line (pam_cracklib); a negative value means at least that many characters of the class are required. If the settings do not enforce a combination of alpha and numeric or special characters, then this is a finding.
Checks to see if passwords are changed every 60 days at a minimum for privileged user accounts and 90 days for normal user accounts. Version Release Date Summary of Changes Name First Release Updated warning banner language based on the IRS.gov warning banner. - Solaris 5.1 through Solaris 9: Confirm RETRIES is set to 3 or less in /etc/default/login. This does not lock the account, but will discourage brute force password guessing attacks. # grep RETRIES /etc/default/login - Solaris 10: Confirm LOCK_AFTER_RETRIES is set to YES. The lockout threshold is the RETRIES value in /etc/default/login, so confirm that it is also set to 3 or less. # grep LOCK_AFTER_RETRIES /etc/security/policy.conf - HP-UX: Confirm u_maxtries is set to 3 or less, but not 0. # grep :u_maxtries# /tcb/files/auth/system/default - AIX: Confirm the loginretries field is set to 3 or less, but not 0, for each user. # /usr/sbin/lsuser -a loginretries ALL - Linux # more /etc/pam.d/system-auth Confirm the following line is configured: account required /lib/security/pam_tally.so deny=3 no_magic_root reset If the above settings are not correct, then this is a finding. Check to see if global password configuration files are configured per guidelines. # awk -F: '{print $1 ":" $3 ":"}' /etc/passwd | grep ":0:" If any accounts are shown in addition to root, then this is a finding. Check to see if an account other than root has a UID of zero. Check to see if the root account can be directly logged into from other than the system console. - Solaris: Check if successful logons are being logged. # last | more Check if unsuccessful logons are being logged. # ls -l /var/adm/loginlog - HP-UX: Check if successful logons are being logged. # last -R | more Check if unsuccessful logons are being logged. # lastb -R | more - AIX: Check if successful logons are being logged. # last | more Check if unsuccessful logons are being logged. # last -f /etc/security/failedlogin | more - Linux: Check if successful logons are being logged. # last -R | more Check if unsuccessful logons are being logged.
# lastb  R | more If successful and unsuccessful logins and logouts are not logged, then this is a finding. Login banners will be configured for all services that allow login access to the system. For TCP WRAPPERS, check for hosts.allow and hosts.deny files and then look for banner files associated with them. For ssh, locate the ssh configuration file, sshd_config or ssh2d_config. This file is usually located in /etc/sshd, /etc/ssh2, /etc/ssh, or /usr/local/etc. Confirm that the Banner variable contains the full path to the file containing the Logon Warning banner. Other files specific to each vendor are listed below. " Solaris Check for logon warning banner display. # more /etc/issue # more /etc/motd # more /etc/dt/config/*/Xresources (if GUI is implemented) # more /etc/default/telnetd (if telnet is implemented without TCP_Wrappers) # more /etc/default/ftpd (if ftp is implemented without TCP_Wrappers) # more /etc/ftpd/banner.msg (Solaris 9 and above, if ftp is implemented without TCP_Wrappers) " HP-UX Check for logon warning banner display. # more /etc/issue # more /etc/motd # more /etc/dt/config/*/Xres< ources (if GUI is implemented) # more /etc/ftpaccess (if ftp is implemented without TCP_Wrappers  should contain banner=/etc/issue) " AIX Check for logon warning banner display. # more /etc/motd # more /etc/dt/config/*/Xresources (if GUI is implemented) # more /etc/ftpmotd # more /etc/ftpaccess.ctl # more /dev/console # more /etc/security/login.cfg " Linux Check for logon warning banner display. # more /etc/issue # more /etc/motd # more /etc/issue.net # more /etc/X11/xdm/Xresources (if GUI is implemented) # more /etc/X11/xdm/kdmrc (if GUI is implemented) # more /etc/X11/gdm/gdm (if GUI is implemented) # more /etc/vsftpd.conf (if ftp is implemented without TCP_Wrappers) If the IRS logon banner is not displayed prior to a logon attempt, then this is a finding. After three consecutive unsuccessful login attempts, the account are disabled. 
(The number of unsuccessful attempts may be determined by the organization.) Check if NTP is running: - All platforms # ps -e | egrep 'xntpd|ntpd' Check if ntpdate is scheduled to run: - Solaris # grep ntpdate /var/spool/cron/crontabs/* - HP-UX # grep ntpdate /var/spool/cron/crontabs/* - AIX # grep ntpdate /var/spool/cron/crontabs/* - Linux # grep ntpdate /var/spool/cron/* # grep ntpdate /etc/cron.d/* # grep ntpdate /etc/cron.daily/* # grep ntpdate /etc/cron.hourly/* # grep ntpdate /etc/cron.monthly/* # grep ntpdate /etc/cron.weekly/* If NTP is running or ntpdate is found: # more /etc/ntp/ntp.conf Confirm the server, peer or multicastclient entries (as applicable) point to local time servers or to an authoritative U.S. IRS approved source. If a non-local/non-authoritative (not U.S. IRS approved) time server is used, then this is a finding. If neither ntpd nor ntpdate is in use at all, the expected result (an authoritative time server is used) is not met and audit record time stamps cannot be correlated across systems. - Solaris # logins -d - HP-UX # pwck -s - AIX # usrck -n ALL If duplicates are found, perform the following to display the full listing: # grep <account_name> /etc/passwd - Linux # pwck -r If any accounts have the same account name, then this is a finding. To check for the rpc.ugidd daemon perform: # chkconfig --list rpc.ugidd or # ps -ef | grep -i ugidd If the daemon is running or installed, this is a finding. The rpc.ugidd daemon is not enabled. Kickstart or AutoYaST are not used outside an isolated development LAN. Check /etc/lilo.conf permissions: # ls -lL /etc/lilo.conf If /etc/lilo.conf is more permissive than 600, then this is a finding. The /etc/lilo.conf file is not more permissive than 600. The grub.conf file is not more permissive than 600.
0.3 (cont.)gThe Password Configuration Table has the Supervisor Password set to ON or the User Password set to OFF.&NIS/NIS+ is not implemented under UDP.CThe Samba Web Administration tool is used with SSH port forwarding.ASamba is not running or is running and is operationally required.cA peer-to-peer file-sharing application is installed and is authorized and documented with the DAA.3A public instant messaging client is not installed.KThe NFS server is configured to restrict filesystem access to local hosts.YThe NFS server is configured to deny client access requests that do not include a userid.Check /etc/securetty permissions: # ls  lL /etc/securetty If /etc/securetty is more permissive than 640, then this is a finding. zCheck /etc/securetty ownership: # ls  lL /etc/securetty If /etc/securetty is not owned by root, then this is a finding. )The /etc/securetty file is owned by root.\" Solaris Confirm PASSLENGTH is set to 8 or more. # grep PASSLENGTH /etc/default/passwd " HP-UX Confirm MIN_PASSWORD_LENGTH is set to 8 or more # grep MIN_PASSWORD_LENGTH /etc/default/security " AIX Confirm the minlen field is set to 8 or more for each user. # /usr/sbin/lsuser -a minlen ALL " Linux Confirm pass_min_len is set to 8 or more for each user. # grep minlen /etc/pam.d/passwd If a password does not contain a minimum of 8 characters, then this is a finding. If the system does not have the capability to enforce greater than 8 characters, then the password length should be set to 8. 
CNFS exported system files and system directories are owned by root.nThe sec option is not set to none (or equivalent); additionally the default authentication is not set to none.:The nosuid and nosgid options are enabled on a NFS Client.DSun AnswerBook2 has no vulnerabilities to the dwhttpd format string.&The securetcpip command has been used.EThe /etc/shadow (or equivalent) file is not more permissive than 400.7User home directories are not more permissive than 750.Users own their home directory.eck /etc/securetty group ownership: # ls  lL /etc/securetty If /etc/securetty is not group owned by root, sys, or bin, then this is a finding. Check /etc/sysctl.conf ownership: # ls  lL /etc/sysctl.conf or # ls  lL /etc/sysconfig/sysctl If /etc/sysctl.conf is not owned by root, then this is a finding. +The /etc/sysctl.conf file is owned by root.EA group referenced in the /etc/passwd file is in the /etc/grou< p file.i " Solaris Confirm the max days field (the 5th field) is set to 60 or less for privileged user accounts, 90 or less for normal user accounts, but not 0 for each user. # more /etc/shadow " HP-UX Confirm the exptm is set to 60 or less, but not 0 for each user. # getprpw -r -m exptm <USER> Note: This command gives a result of "-1". Must review setting using SAM. " AIX Confirm the maxage field is set to 60 or less for privileged user accounts, 90 or less for normal user accounts, but not 0 for each user. # /usr/sbin/lsuser -a maxage ALL " Linux Confirm the max days field (the 5th field) is set to 60 or less for privileged user accounts, 90 or less for normal user accounts, but not 0 for each user. # more /etc/shadow If passwords are not changed at least every 60 days for privileged user accounts and 90 days for normal user accounts, then this is a finding. !(  # more /etc/passwd # more /etc/passwd Confirm all accounts with a uid of 99 and below (499 and below for Linux) are used by a system account. Note: 200 and below for HP-UX. 
If a uid reserved for system accounts, 0  99 (0  499 for Linux), is used by a non-system account without documentation, then this is a finding. A regular account within this range must be justified and documented with the ISSO.  < " Solaris Confirm the min days field (the 4th field) is set to 15 or more for each user. # more /etc/shadow " HP-UX Confirm the mintm is set to 15 or more for each user. # getprpw -r -m mintm <USER> Note: This command gives a result of "-1". Must review setting using SAM. " AIX Confirm the minage field is set to 15 or more for each user. # /usr/sbin/lsuser -a minage ALL " Linux Confirm the min days field (the 4th field) is set to 15 or more for each user. # more /etc/shadow If passwords can be changed more than once every 24 hours, then this is a finding.  i " Solaris Confirm MINWEEKS is set to 2 or more. # grep MINWEEKS /etc/default/passwd Confirm MAXWEEKS is set to 12 or less, but not 0. # grep MAXWEEKS /etc/default/passwd Confirm WARNWEEKS is set to 2 or less. # grep WARNWEEKS /etc/default/passwd " HP-UX Confirm the default mintm is set to 2 or more # getprdef -r -m mintm Note: This command gives a result of "-1". Must review setting using SAM. Confirm the default exptm is set to 90 or less, but not 0 # getprdef -r -m exptm Confirm the default expwarn is set to 14 # getprdef -r -m expwarn " AIX Confirm the following: # grep minage /etc/security/user Should be set to 2 (14 days) # grep maxage /etc/security/user Should be set to 12 (84 days) # grep pwdwarntime /etc/security/user Should be set to 14 (2 Weeks) If the System Management Interface Tool (SMIT) is used, run the following to invoke the graphical mode tool: # smit or smit -a Use SMIT to inspect the characteristics of user password attributes and check that password aging is configured properly. " Linux Confirm PASS_MIN_DAYS is set to 2 or more. # grep PASS_MIN_DAYS /etc/login.defs Confirm PASS_MAX_DAYS is set to 90 or less, but not 0. 
# grep PASS_MAX_DAYS /etc/login.defs Confirm PASS_WARN_DAYS is set to 14 #grep PASS_WARN_DAYS /etc/login.defs If global password configuration files are not configured per guidelines, then this is a finding. HM > Perform: # ls  lL <system directory> <system files directories are listed below> to check the owner for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/usb, /sbin, and /usr/sbin. If the files are not owned by a system account or application, then this is a finding. Note: oratab and emtab will be owned by oracle.   Check global initialization files permissions: # ls  l /etc/.login # ls  l /etc/profile # ls  l /etc/bashrc # ls  l /etc/environment # ls  l /etc/security/environ If global initialization files are more permissive than 644, then this is a finding. Note: check /etc/profile for HP-UX.  K Check global initialization files group ownership: # ls  l /etc/.login # ls  l /etc/profile # ls  l /etc/bashrc # ls  l /etc/environment # ls  l /etc/security/environ If global initialization files are not group owned b< y root, sys, bin, other, or the system default, then this is a finding. Note: check /etc/profile for HP-UX. &+  # ls  al /<usershomedirectory>/.login # ls  al /<usershomedirectory>/.cschrc # ls  al /<usershomedirectory>/.logout # ls  al /<usershomedirectory>/.profile # ls  al /<usershomedirectory>/.bash_profile # ls  al /<usershomedirectory>/.bashrc # ls  al /<usershomedirectory>/.bash_logout # ls  al /<usershomedirectory>/.env # ls  al /<usershomedirectory>/.dtprofile # ls  al /<usershomedirectory>/.dispatch # ls  al /<usershomedirectory>/.emacs # ls  al /<usershomedirectory>/.exrc Note: Can use the following style syntax: # ls  al /home/*/.login (.cshrc, etc.) If local initialization files are not owned the home directory user, then this is a finding. Local initialization files not owned by the user must be justified and documented by the ISSO  g " AIX. 
# more /etc/security/login.cfg For each shell listed in the /etc/security/login.cfg file: # ls  l <shell> " All Other Platforms # find / -name  *sh For each shell found: # ls  l <shell> Note: Can use the following style syntax (may vary by OS type): # find / -name "*sh" -print -exec ls -lL {} \; | grep -i rws If shell files have the suid bit set, then this is a finding. Note: The remsh command is sometimes linked to the rsh command and will have the suid bit set; in this case it is not a finding. Determine if that is the case by using ls  li to determine if they share the same inode number. The remsh command is the remote shell command and should not be considered a shell. Solaris uses the /usr/bin/rsh and the /usr/ucb/rsh commands for remote shells, and they should also be ignored here. A restricted shell also exists for bash (rbash).   " AIX. # more /etc/security/login.cfg For each shell listed in the /etc/security/login.cfg file: # ls  l <shell> " All Other Platforms # find / -name  *sh For each shell found: # ls  l <shell> Note: Can use the following style syntax (may vary by OS type): # find / -name "*sh" -print -exec ls -lL {} \; | grep -i rws Note: This is required for oracle - it is how oracle log reports run. If shell files have the sgid bit set, then this is a finding.  DI  " AIX. # more /etc/security/login.cfg For each shell listed in the /etc/security/login.cfg file: # ls  l <shell> " All Other Platforms # find / -name  *sh For each shell found: # ls  l <shell> Note: Can use the following style syntax (may vary by OS type): # find / -name "*sh" -print -exec ls -lL {} \; Note: This is required for oracle - it is how oracle log reports run. If shell files are not owned by root or bin, then this is a finding.  6;  " AIX. 
# more /etc/security/login.cfg For each shell listed in the /etc/security/login.cfg file: # ls -l <shell> - All Other Platforms # find / -name "*sh" For each shell found: # ls -l <shell> Note: Can use the following style syntax (may vary by OS type): # find / -name "*sh" -print -exec ls -lL {} \; | grep -i rwxrwx Note that the grep for rwxrwx only catches group-write; also inspect the listing for a w in the "other" position (e.g. rwxr-xrwx), which is equally a finding. If shell files are more permissive than 755, then this is a finding. Locate the sshd_config file: # find / -name sshd_config # more <sshd_config file location> Note: Can use the following style syntax (may vary by OS type): # find / -name sshd_config -print -exec grep -i protocol {} \; Examine the file. If a Protocol line that is not commented out includes version 1 in any form ("Protocol 2,1", "Protocol 1,2" or "Protocol 1"), this is a finding; the only compliant setting is "Protocol 2". If no Protocol line is present, confirm the default of the installed OpenSSH release, since older releases defaulted to "2,1" when the option was unset. If the SSH server is F-Secure, the variable name for SSH 1 compatibility is "Ssh1Compatibility", not "Protocol". If the variable "Ssh1Compatibility" is set to "yes", then this is a finding. Checks to see if audit trails and/or system logs are reviewed on an interval stated in local policy. DISA UNIX Security Checklist PL-6 PE-18 AC-4 AC-5 SA-8 SC-4 SC-5 SC-10 SC-23 First M.
Lastmonth d, yyyy - month d, yyyyCity, STAgency POC(s): Name: Telephone # Email Address(###) ###-#### x#####First.M.Last@xx.xxx NIST ControlAuthenticator Management Authenticator ManagementAuthenticator Feedback Flaw Remediation Time Stamps Account Management Least Privilege System Use Notification Audit Storage Capacity Auditable Events Unsuccessful Login Attempts Session Lock Access Enforcement Remote Access Least Privilege;Permitted Actions Without Identification Or Authentication Account Management Protection Of Audit Information Protection Of Audit InformationAccess EnforcementLeast Functionality Use Of CryptographyBoundary Protection Application PartitioningAudit Record Retention Use Of Cryptography < Least FunctionalityMalicious Code Protection Transmission Integrity Transmission Confidentiality Content Of Audit Records Remote AccessFlaw RemediationAuditable EventsIA-2IA-5IA-6SI-2AU-8AC-2AC-8AU-4AU-2AC-7AC-11AC-3AC-6AC-17AC-14AU-9CM-7SC-13SC-7SC-8SC-9AU-6AU-3Separation of Duties$Response to Audit Processing FailureInformation Flow Enforcement(Device Identification and Authentication#Cryptographic Module AuthenticationInformation RemnanceNetwork DisconnectmChecks to see if the information system enforces separation of duties through assigned access authorizations.Ask the administrator if separate roles have been defined for specific tasks. This can be performed using additional groups in UNIX where each role has assigned members that are responsible for a specific task. 
The sudo utility, properly configured, could meet this control objective. The UNIX deployment makes use of roles and user assignments to those roles to perform specific tasks. Checks to see if the information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: shut down the information system, overwrite the oldest audit records, or stop generating audit records. Ask the administrator if the appropriate organizational officials are notified if any of the following occur: software/hardware errors, failures in the audit capturing mechanisms, or audit storage capacity being reached or exceeded. Appropriate organizational officials are notified in the event of an audit processing failure. Checks to see if the information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Ask the administrator about the deployment of the UNIX environment. From this information, determine if the environment encompasses several interconnected systems. These interconnected systems could be comprised of multiple UNIX servers running SSH, Apache, or other web based service deployments. Ask if TCP Wrappers, host-based firewalls, or other similar technologies are in place. If the UNIX deployment involves several interconnected systems, access controls are in place to prevent unauthorized information flow between systems. Ask the administrator if specific hosts or devices have been determined to need to authenticate or identify themselves before a connection can be established. If so, are these hosts required to identify/authenticate by IP address, MAC address, or via a RADIUS server? Note that IP and MAC addresses are readily spoofed and provide identification rather than authentication; where the control requires authentication, a cryptographic method (e.g. SSH host keys, TLS certificates, 802.1X with RADIUS) is preferred. Example: Some UNIX servers use the /etc/hosts.allow and /etc/hosts.deny files.
PAM authentication is another method. Information systems that are required to authenticate or otherwise identify themselves are using IP, MAC, RADIUS, or other well-known authentication and identification methods. Checks to see if the information system identifies and authenticates specific devices before establishing a connection. Ask the administrator to show how strong cryptography is used for authentication. This includes SSHv2, TLS, and symmetric key lengths of at least 128 bits. The following are findings: old/weak protocols or ciphers such as SSHv1 or SSL 3.0 and earlier, and account password hashes that do not use a current standard hashing algorithm (e.g. Blowfish/bcrypt "blf" or SHA-256/SHA-512 crypt). Traditional DES crypt hashes are not acceptable, and MD5-based crypt hashes should be treated as legacy and scheduled for migration. Strong cryptography is used for all forms of authentication. Checks to see if the information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Many UNIX variants, by design, have supported the Trusted Computer System Evaluation Criteria (TCSEC) [DoD 5200.28-STD]. Ask the administrator if this specific version of UNIX is not compliant, or if any add-on software components have been installed that would contribute to issues that arise from sharing previously used resources that have not been appropriately sanitized before being made available for reuse. The UNIX version is current enough to have been written to comply with a no-object-reuse principle, and no additional software that would cause unintended information transfer via shared system resources has been installed. Note: Supported versions of UnixWare, Tru64, and others have been designed to meet these standards. Checks to see if the information system prevents unauthorized and unintended information transfer via shared system resources. Interview the administrator to determine what services are running on the UNIX server.
Services such as SSH, HTTP, MySQL, and others including web-based management interfaces should be configured with an idle timeout value set in accordance with the organization's policy (for OpenSSH, ClientAliveInterval and ClientAliveCountMax in sshd_config control the idle disconnect). Services are set to disconnect or time out when a defined amount of inactivity has been reached. Checks to see if the information system terminates a network connection at the end of a session or after an organizationally defined amount of inactivity. Ask the administrator if VPN technologies are being used to remotely access and administer the server, if TLS is used for protecting the transmission of sensitive data during web access/management, and if SSH is used for secure access when command line utilities are needed by the administrator. Any service requiring security of communication sessions is secured with the appropriate security technology. Examples are VPN, TLS, SSH. Session Authenticity Checks to see if the information system provides mechanisms to protect the authenticity of communications sessions. Perform: # find / -nouser -print > nousers and # find / -nogroup -print > nogroup If there are any files listed in either the nousers or nogroup files created by the above commands, then this is a finding (files with no valid owner or group are typically left behind by deleted accounts and become accessible to whichever account is later assigned that UID or GID). Critical sendmail log file is owned by root. Made the following revisions in response to Werner's email from 11/2/09: - Revised the command in test case #40 - Revised expected result of test case #149 - Removed duplicate test case #249 - Removed duplicate test case #251 DIRECTIONS FOR SCSEM USE Pass / Fail / N/A / Info Change Log Updates (Sample): - Created new tabs for the following: Dashboard, Out of Scope Controls, and Source. Cover: - Copy/pasted Legend Box - Updated Date to August 27, 2009 - Updated version to .4 Test Cases: a. Added new column titled "Test Method" b. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status indicators. c.
Added summary cells at the bottom of the checks. d. Added control names to the NIST ID cells. Reviewed Primary and Secondary controls ad selected one that best fit the criteria. e. Changed the primary control for several findings where there was a better fit than the currently assigned control: 48, 53-59, 62, 64 Out Scope Controls a. Added controls not reviewed in the test cases. b. Added a reason for why they were not included. - Minor changes to the following test cases (Reviewed and selected one control):<  a. UNIX-LINUX 001  218 b. HP-UX-SPECIFIC CHECKS 001- 005 c. LINUX-SPECIFIC CHECKS 001  023 d. SOLARIS-SPECIFIC CHECKS 001- 015 This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented common UNIX and Linux operating systems (Solaris, HP-UX, AIX, Red Hat Linux, SuSE Linux) for systems that receive, store or process or transmit Federal Tax Information (FTI). The SCSEM contains a set of test procedures applicable to all of the operating system flavors, and subsets of test cases applicable to specific operating system flavors. Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.IBM AIXHP-UXLinuxSolarisApplies to Unix Type:ALL (Generic Check)Number of test casesLast test case row: Control IDAC-21!Control not selected in Pub. 
1075AC-22AU-13AU-14CM-9IA-8IR-8*Control covered in the MOT SCSEM and SDSEMPM-1PM-10PM-3PM-4Control covered in MOT SDSEMPM-5PM-6PM-7PM-8PM-9SA-12SA-13SC-16SC-25SC-26SC-27SC-28SC-29SC-30SC-31SC-32SC-33SC-34SI-13SI-7PM-11PM-2SA-14SC-2Session TerminationAC-12tChecks to see if the information system automatically terminates a remote session after a defined amount inactivity.Ask the administrator if session termination is enabled or admin consoles using X-Windows or Workstations running any UNIX utility remotely. All interactive sessions should employ a method of session termination after a period of inactivitySession termination is enabled.Audit Generation AU-12CThe hosts.lpd (or equivalent) file is not more permissive than 664.+ Checks to see if the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.Ask the administrator to demonstrate how user and group access is assigned. Find out if roles are assigned for a particular set of users and then that role/group are given only the rights that are required to perform that duty. The sudo utility could be used for this control objective.9Access to functions or areas on the UNIX system should be protected by access controls. This could be by user, group or role or a more granular approach depending on the organizations requirements. Users listed, if any, with security equal to the root user are both must be required for production and documented.Checks to see if The information system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.xAsk the administrator if the following items are being recorded with the audit log output. 
Make note of any exceptions: -- (i) date and time of the event; (ii) the component of the information system (e.g., software component, hardware component) where the event occurred; (iii) type of event; (iv) user/subject identity; and (v) the outcome (success or failure) of the event.ZAuditing is configured to meet all requirements within the operating system's capabilities.?Checks to see if the grub.conf file is more permissive than 600.? Note: Applies to Solaris 10 and Linux only. Check /etc/grub.conf permissions: # ls -lL /etc/grub.conf If /etc/grub.conf is more permissive than 600, then this is a finding , U Note: Applies to Solaris 10 and SuSE or Red Hat Linux only. Solaris - Jumpstart Solaris systems utilize bootp to assist Jumpstart. Perform: # more /etc/bootptab SuSE - AutoYaST On SuSE systems tftp must be running for AutoYaST to work properly. Check for tftp: # chkconfig --list tftp If tftp is found, ask the SA if the server is configured for AutoYaST. Redhat - Kickstart Redhat systems utilize nfs and bootp to assist Kickstart. Perform: # more /etc/exports # more /etc/bootptab and ask the SA if any of the exported file systems contain Kickstart images to be installed on a client. < %Audit Review, Analysis, and Reporting8Identification and Authentication (Organizational Users)HExpected Results: The warning banner is compliant with IRS guidelines and contains the following 4 elements: - the system contains US government information - users' actions are monitored and audited - unauthorized use of the system is prohibited - unauthorized use of the system is subject to criminal and civil penalties jNIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Revision 3Booz Allen Hamilton#DESCRIPTION OF SYSTEM ROLE WITH FTInProvide a narrative description of this system's role with receiving, processing, storing or transmitting FTI.[The dashboard is provided to automatically calculate test results from the Test Case tab. 
The 'Info' status is provided for use by the reviewer during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status; all test cases should be Pass, Fail or N/A at the conclusion of the review.An authoritative (U.S. IRS approved source) time-server is used. Approved sources include the US Naval Observatory NTP servers or the NIST Internet Time Service.Note: Remote access is defined as any access to an agency information system by a user communicating through an external network, for example: the Internet. [Updated SCSEM based on NIST 800-53 rev3 release. Update for new version of Publication 10752Interview the SA or ISSO and determine if a file integrity utility such as md5 or Sha is used to verify the checksums of files before and after transit. Confirm whether all FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). oInterview the SA or ISSO to determine if all connections to the server are via *HTTPS using SSL3.1 or TLS *SSH or SCP v2 only *Other communications methods using tunneling via OpenSSL or equivalent FIPS encryption. Confirm whether all FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). 
The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission across a WAN and the agency's LAN, unless otherwise protected by alternative physical measuresThe organization employs cryptographic mechanisms to recognize changes to information during transmission across a WAN, and the agency's LAN unless otherwise protected by alternative physical measures.NChecks to ensure the system is current with vendor released security patches.Check installed patches: " Solaris # patchadd -p |grep patch or # showrev -p | grep patch " HP-UX # swlist -l fileset | grep patch " AIX # /usr/sbin/instfix -c -i | cut -d":" -f1 " Linux # RHEL 3 & 4. If using standard Redhat Updates; have the administrator use the up2date -l command to check for new updates. # RHEL 5. If using standard Redhat Updates; have the administrator use the yum check-update command to list available updates. #ALL RHEL cat /etc/redhat-release will provide the maintenance release of the installation. It should be current with the latest maintenance patch release. # SUSE SLES-9. Have the administrator use the yast2 utility to check for updates. #ALL If regular updates are being performed, INCLUDING the kernel, then the uname -r command can be run to check for kernel updates. The kernel version should be compared to the latest vendor patch list to ensure that it is a supported, secure release. Often this check will indicate if regular patching is occurring. Compare the system output with the most current vendor recommended and security patches. . Program managed specific systems should follow their configuration management cycle which may be longer than a normal vendor cycle. Perform the following to check for a security tool executing monthly: # crontab -l Check for the existence of a vulnerability assessment tool being scheduled and run monthly. If no entries exist in the crontab, ask the SA if a vulnerability tool is run monthly. 
In addition, if the tool is run monthly, ask to see any reports that may have been generated from the tool. If a tool is not run monthly, then this is a finding. Check for the existence of an antivirus program running on the UNIX host. Popular anti-virus programs such as Mcafee's command line scanner or ClamAV should be used on UNIX servers that run file sharing services for Windows such as Samba, NFS (services for UNIX), FTP, or servers that transmit files to Windows hosts such as SMTP/IMAP-POP servers or any other service that allows for files to be shared/stored for and by Windows users. Check if AV services are scheduled to run: For ClamAV #ps -ef |grep clamd #find / -name freshclam.conf and check for update intervals. For Mcafee command line scanner - Solaris # grep uvscan /var/spool/cron/crontabs/* - HP-UX # grep uvscan /var/spool/cron/crontabs/* - AIX # grep uvscan /var/spool/cron/crontabs/* - Linux # grep uvscan /var/spool/cron/* # grep uvscan /etc/cron.d/* # grep uvscan /etc/cron.daily/* # grep uvscan /etc/cron.hourly/* # grep uvscan /etc/cron.monthly/* # grep uvscan /etc/cron.weekly/* Perform the following to ensure the virus definition signature files are not older than 14 days. # ls -la clean.dat names.dat scan.dat If a virus scanner is not being run weekly or the virus definitions are older than 14 days, then this is a finding. m# ls -lL /etc/securetty If /etc/securetty is not group owned by root, sys, or bin, then this is a finding. wChecks to see if the Linux system is capable of booting multiple operating systems and this is not documented with the ISSO./Review the applicable boot loader configuration file to ensure it is capable of booting only one operating system. For the grub boot loader, /etc/grub.conf should be reviewed. For the lilo boot loader, /etc/lilo.conf should be reviewed. 
Locations for these files may differ on older versions of Linux.8Perform the following to determine if ASET is being used: # crontab -l |grep aset A returned entry would indicate ASET is being utilized. Determine if ASET is configured to check firewall settings by: # grep TASKS /usr/aset/asetenv | grep firewall If an entry is not returned, then this is a finding. UChecks to see if NIS+ is configured on the Solaris system and ypcheck is set to true.+Checks for the existence of .forward files.QPerform the following to determine if the 'anon' option is set correctly for exported file systems: # exportfs -v |grep anon Each of the exported file systems should include an entry to check for the 'anon=' option being set to -1 or an equivalent (60001, 65534, or 65535). Linux systems use the 'anonuid' option instead of 'anon'. The IRS strongly recommends agencies test all SCSEM settings in a development/test environment prior to deploying them in operational environments because in some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the operational system configuration. Prior to making changes to the production system agencies should back up all critical data files on the system and, if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary. 
The IRS welcomes feedback and suggestions from agencies in regard to individual SCSEMs.System Hostname:Safeguard Computer Security Evaluation Matrix (SCSEM) UNIX and Linux Solaris, HP-UX, AIX, Red Hat Linux, SuSE Linux Release IV July 30, 2010 Version 0.7Gu p Js P);U-`6W <BGJtNGPSc Vv ]qaf4jJ}+y Qq%[ wx !3T[| MK1"/0).v>QFBKMNSI\5l$oy;}AI̋GΏI^ЪKDx G%, >*`L :)&18a 8 BMsPX ZY Yf Z ?Z Z$Z{[Z[[@[\c\ ]bdR#fn5vB Ò!VC* z&=;/E90$ ."?2wHW}NF$.XJ~ccB  +]bd  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} $ } } $ }  } I} } $ +                           @  `                     ^       0l*2# $ % & ' ( *  # # $ $ % % & && && &  ' ' '  ( ( (  *_xL**|(   %O2 S N Group 2Horizontal Rule" `] `a~vB B >?Line 3%O]`"|B  D)?Line 4Z 22]` "  JA 1?IRS Logo`!]N``l\  $P=  Word.Document.8X>@`lbl    '' yK First.M.Last@xx.xxxyK Nmailto:First.M.Last@xx.xxxyX;H,]ą'c(( yK First.M.Last@xx.xxxyK Nmailto:First.M.Last@xx.xxxyX;H,]ą'cggD  nHr  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U     @                I  J   @0$0$0$0$$$$$$>@ "    ggD   xZ~  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX333333?333333?&43U} Y} Y} Y} $ Y} Y} Y} Y} $ Y J           0   &@   ZZZ  [ \\\ ]l ] ]k^_`ab cm+d ; PassAZ.e #DD B ^_ dn+d ; FailAZ.e #DD B ^_ fo+d ; InfoAZ.e #DD B ^_ gp*d ; N/AAZ.e #DD B ^_ dq$Bp@ ;  A[.e? 
#DD B ^_ dr# h  % i ^__ d# p@  % i ^ jjj  K  ZZ  p@  D[  .p@ ;@@B@[ jj&@>}}}|vSQ;J>@jj w &   ;  @@B@B@$C@Pass;  @@B@B@$C@Fail;  @@B@B@$CInfo  ;  @@B@B@$C@D{+{ {+{  {+{  {{ ;@@B@B@$C@3[ t| Sheet2ggD  ɡUew#{.4 ;SAGM+TsZ`gKmsy#kCӥc  dMbP?_*+%&?'?(?)?M \\ipp://156.80.61.26\i_A365_HP S oPXXLetterPRIV0''''T\KhC]F4TRJPHAA536406"PXX??&U} {} I{} $p}  ~} p} p} p} $p}  {} I}} $ } $ p   n o n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n A A b s# AB AC A@ A A N ~ r? r  v' ng nh n& nrr  ~ @ 3 4 % 5 6 7   ~ r@ r  t% n nE n rw  ~ @ r  n) n n nr  M  ~ r@ r  t$ n n n rr  ~ @ r  t$ n n n" rr  ~ r@ r  t$ nV nU n rw  ~  @ r  u$ n_ nb n~ rr  ~ r"@   u$ n` n: n rr ~ $@ r  t$ nc n n rr ~ r&@ r  t$ n n n rr ~ (@ r  t$ n- n n. rw ~ r*@ r  t$ n n n< rw ~ ,@ r  t$ n! n  n rw  ~ r.@ r  v' ni n n rr  ~ 0@ r  t$ n n n rr  ~ r1@   % ; < = r  ~ 2@ r  t$ n] n n rr  ~ r3@ r  n* n5 n n rr  ~ 4@ r  t$ n nK n# rr  ~ r5@ r  t$ nL  n$ rr  ~ 6@ r  t$ nM nE n% rr  ~ r7@ r  t$ nA n n& rr  ~ 8@ r  t$ n n nh rr  ~ r9@ r  t$ n nB ni rr  ~ :@ r  t$ nI n n rr  ~ r;@ r  t$ nJ n* n+ rr  ~ <@ r  t$ n n= n rr  ~ r=@ r  t$ n n n rr  ~ >@ r  t$ n nN n rr  ~ r?@ r  t$ n nO n! rr  Dll~~~~~~~~~~~~~~~~~~~~~~~~~~ n! " n# n$ n% & n' n( n) n* n+ n, n- n. n/ n0 n1 n2 n3 n4 n5 n6 n7 n8 n9 n: n; n< n= n> n? n~ @@ r  t$ nq n, n rr ~ !r@@ !r ! !t$ !nT !nt !n{ !nrr ! ~ "A@ "r " "t$ "n "n "n{ "rr " ~ #rA@ #r # #t$ #n #n$ #n| #rr # ~ $B@ $r $ $t$ $n $n% $n} $rr $ ~ %rB@ %r % %t$ %n %n %n %nrr % ~ &C@ &r & &t$ &n &n &nW &rr & ~ 'rC@ 'r ' 't$ 'n 'ns 'nX 'rr ' ~ (D@ (r ( (t$ (n (n} (nU (rr ( ~ )rD@ )r ) )t$ )n )n )nV )rr ) ~ *E@ *r * *t$ *n *n *n *rr * ~ +rE@ +r + +t$ +n +n +n{ +rr + ~ ,F@ ,r , ,t$ ,n ,n ,ng ,rr , ~ -rF@ -r - -t$ -n -n -n: -rr - ~ .G@ .r . .t$ .n .n? .n .rw . ~ /rG@ /r / /t$ /n /n /n9 /rw / ~ 0H@ 0r 0 0t$ 0n 0n  0n! 
0rw 0 ~ 1rH@ 1r 1 1t$ 1n 1n" 1n 1rw 1 ~ 2I@ 2r 2 2t$ 2n 2n 2n4 2rw 2 ~ 3rI@ 3r 3 3t$ 3n 3n 3n5 3rw 3 ~ 4J@ 4r 4 4t$ 4n 4n 4n6 4rw 4 ~ 5rJ@ 5r 5 5t$ 5n 5n 5n7 5rw 5 ~ 6K@ 6r 6 6t$ 6n 6 6n 6rw 6 ~ 7rK@ 7r 7 7n& 7n 7 7n3 7rw 7 ~ 8L@ 8r 8 8u' 8n 8nA 8n+ 8rw 8 ~ 9rL@ 9r 9 9u' 9n 9n 9n 9rw 9 ~ :M@ :r : :t$ :n/ :n  :n0 :rw : ~ ;rM@ ;r ; ;t$ ;n ;n ;n? ;rw ; ~ <N@ <r < <t$ <n <n <nY <rw < ~ =rN@ =r = =t$ =n =n, =n =rw = ~ >O@ >r > >t% >n2 >nh >nr >rw > ~ ?rO@ ?r ? ?t$ ?n| ?n  ?ns ?rw ? DDl~~~~~~~~~~~~~~~~~~~~~~~~~~~~~@ nA nB nC nD nE nF nG nH nI nJ nK nL nM nN nO nP nQ nR nS nT nU nV nW nX nY nZ n[ n\ n] n^ n_ n~ @P@ @r @ @t$ @n3 @n1 @nt @rw @ ~ Ar@P@ Ar A At$ An~ An  An Arw A ~ BP@ Br B Bt$ Bn? Bn8 Bn Brw B ~ CrP@ Cr C Ct$ Cn Cnu Cn} Crw C ~ DQ@ Dr D Dt$ Dn Dn9 Dn Drw D ~ Er@Q@ Er E Et$ Enl Enk En Erw E ~ FQ@ Fr F Ft$ Fnn Fnm Fn Frw F ~ GrQ@ Gr G Gt$ Gn5 Gn> Gn Grw G ~ HR@ Hr H Ht$ Hn/ Hn. Hn Hrw H ~ Ir@R@ Ir I It$ In  In  In Irw I ~ JR@ Jr J Jt$ JnP JnO Jn Jrw J ~ KrR@ Kr K Kt$ Kn KnQ Kn Krw K ~ LS@ Lr L Lt$ Ln Ln Ln Lrw L ~ Mr@S@ Mr M Mt$ Mnw Mnv Mn Mrw M ~ NS@ Nr N Nt$ Nn NnI Nn Nrw N ~ OrS@ Or O Ot$ On4 On3 On Orw O ~ PT@ Pr P Pt$ Pnr Pnq Pn Prw P ~ Qr@T@ Qr Q Qt$ Qn7 Qn6 Qn Qrw Q ~ RT@ Rr R Rt$ Rn* Rn Rn Rrw R ~ SrT@ Sr S St$ Sn+ Sn, Sn Srw S ~ TU@ Tr T Tt$ TnL TnK Tn) Trw T ~ Ur@U@ Ur U Ut$ Un Unj U: Urw U ~ VU@ Vr V Vt$ Vn VnD Vn Vrw V ~ WrU@ Wr W Wt$ Wn WnE Wn Wrw W ~ XV@ Xr X Xt$ Xn( Xn' Xn( Xrw X ~ Yr@V@ Yr Y Yt$ Yn) Ynf Yn Yrw Y ~ ZV@ Zr Z Zt$ Zn ZnF Zn Zrw Z ~ [rV@ [r [ [t$ [nM [nz [nj [rw [ ~ \W@ \r \ \t$ \n2 \n \nl \rw \ ~ ]r@W@ ]r ] ]t$ ]n ]n ]nz ]rw ] ~ ^W@ ^r ^ ^t$ ^n ^n1 ^n ^rw ^ ~ _rW@ _r _ _t$ _nS _ _ _rw _ D@l~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~` na nb nc nd ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny nz n{ n| n} n~ n n~ `X@ `r ` `t$ `\ `n `nv `rw ` ~ ar@X@ ar a at$ an an an arw a ~ bX@ br b bt$ bn bn bn brw b ~ crX@ cr c ct$ cn- cn cn crw c ~ dY@ dr d dt$ dn dnG dn drw d ~ er@Y@ er e et$ ene enW en erw e ~ fY@ fr f ft$ fn fn fn frw f ~ 
grY@ gr g gt$ gn gn gnv grw g ~ hZ@ hr h ht$ hn hn hn/ hrw h ~ ir@Z@ ir i it$ in in in. irw i ~ jZ@ jr j jt$ jn jn jn~ jrw j ~ krZ@ kr k kt$ kn kn kn krw k ~ l[@ lr l lt$ lnD lnC ln lrw l ~ mr@[@ mr m mt$ mn mn mnv mrw m ~ n[@ nr n nt$ nn@ n] nnq nrw n ~ or[@ or o ot$ on on on orw o ~ p\@ pr p pt$ pnO pn* pnx prw p ~ qr@\@ qr q qt$ qn% qn qnd qrw q ~ r\@ rr r rt$ rn rn rn^ rrw r ~ sr\@ sr s st$ sn sn sn] srw s ~ t]@ tr t tt$ tnI tnH tn\ trw t ~ ur@]@ ur u ut$ un un un urw u ~ v]@ vr v vt$ vn vn vn^ vrw v ~ wr]@ wr w wt$ wn wn wn] wrw w ~ x^@ xr x xt$ xA xB xnh xrw x ~ yr@^@ y y y% y y y yrw y ~ z^@ z z z% z z z zrw z ~ {r^@ { { {v* {na {n {n` {rr { ~ |_@ |r | |t' |nb |n |n# |rr | ~ }r@_@ }r } }t$ }n\ }n[ }n }rr } ~ ~_@ ~r ~ ~t$ ~n ~n ~n ~rr ~ ~ r_@ r  t$ n n n rr  D@l~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n~ `@ r  t$ n n n rr ~ r `@ r  t$ n nF n| rr ~ @`@ r  t$ n n> n rw ~ r``@ r  t$ n n n8 rw ~ `@ r  t$ n n@ n. rw ~ r`@ r  t$ n n n rw ~ `@ r  t$ n  n rw ~ r`@ r  t% n nB n rw ~ a@ r  t% n nC n rw ~ r a@ r  t$ n} no n rw ~ @a@ r  t$ n nJ n: rw ~ r`a@ r  t$ n4 np n rw ~ a@ r  t$ n' n& n rw ~ ra@ r  t$ nt ns n rw ~ a@ r  t$ n nF n rw ~ ra@ r  t$ n n nx rw ~ b@ r  t$ n n n rw ~ r b@ r  t$ n nT nu rw ~ @b@ r  t$ n n ny rw ~ r`b@ r  t$ n n0 nx rw ~ b@ r  t$ n n ny rw ~ rb@ r  t$ n nE nF rw ~ b@ r  t$ n nG nH rw ~ rb@ r  t$ nM nL np rw ~ c@ r  t$ n n n rw ~ r c@ r  t$ n nJ nK rw ~ @c@ r  t$ n nZ n[ rw ~ r`c@ r  t$ n n n rw ~ c@ r  t$ n n n rw ~ rc@ r  t$ nf nY n` rr ~ c@ r  v' nS nC n- rr ~ rc@ r  t' nd _ F rr D@l~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n~ d@ r  t$ n n n rw ~ r d@ 8 9 t% = < = rw ~ @d@ r  t$ ne n^ n, rr ~ r`d@ r  t$ n n n rr ~ d@ r  t' n n n rw ~ rd@ r  t$ n n n rw ~ d@ r  t$ n n n rw ~ rd@ r  t$ n n@ n rw ~ e@ r  t$ ni n6 n rw ~ r e@ r  t$ n9 n8 n rw ~ @e@ r  t$ n n n rw ~ r`e@   % > ? 
@ rr ~ e@ r  v' n) nB n rr ~ re@   %    rw ~ e@ D  t% n n{ n rw ~ re@ D  t$ n n n; rw ~ f@ r  u$ n^ na L rr ~ r f@ r  t$ n n n> rw ~ @f@ r  t$ n n1 nm rw ~ r`f@ r  t& n7 n; n rw ~ f@ r  t$ n n0 n- rw ~ rf@ r  t$ n n n rw ~ f@ r  t$ nd n n rw ~ rf@ r  t$ n n n rw ~ g@ r  t$ n n nw rw ~ r g@ r  t$ n n nn rw ~ @g@ r  t$ n nu n rw ~ r`g@ r  t$ n n n rw ~ g@ r  t$ n+ n no rw ~ rg@ r  t$ n nN nn rw ~ g@ r  t$ n n nm rw ~ rg@ r  t$ n n n rw DBl~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ n n n n n n n n n n n n n n n n n n n n n n n n n n  n n n n n~ h@ r  t$ n$ n# nk rw ~ r h@ r  t$ n n n rw ~ @h@ E  t% o< o o; ooo ~ r`h@ E  t% n n n rr ~ h@ E  u& nP n nY rr ~ rh@ E  t$ n n nb rr ~ h@   %    rw ~ rh@ r  u' n nu n rr ~ i@ r  u' n nQ rr ~ r i@ r  u' nR n n\ rr ~ @i@ r  u( nP nQ nR rr ~ r`i@ r  u% nR n nO rr ~ i@ r  t$ n n n rr ~ ri@ r  t$ n nj nD rr ~ i@ r  u% nZ n n rr ~ ri@ r  u% n' n( n rr ~ j@   %    rw ~ r j@   %    rw ~ @j@   t$ nN n nk rw ~ r`j@ r  t$ n n nG rw ~ j@ r  t$ n n nl rw ~ rj@ r  t$ n n n rw ~ j@ r 2 t$ n n n rw ~ rj@   %    rw ~ k@   %    rw ~ r k@ r  t$ n n nw rw ~ @k@ r  t$ n O R nrw ~ r`k@ r  t$ n P Q rw ~ k@ r  u' n] nA n rr ~ rk@ r  u' S T n rr ~ k@ r  t$ n n n rw ~ rk@ r  t$ n U n rw D6l~~~~~~~p~~~~~~~~~~~~~~~~~~~~~ n n n n n n n n n n n n n n n n q n n n n n n n n n n n n n n n~ l@ r  % n" V n rw ~ r l@ r  t$ n n nt rw ~ @l@ r  t$ n W n/ rw ~ r`l@ r  t$ n n n rw ~ l@ r  t$ n n n rw ~ rl@ r  t$ n  n  nz rw ~ l@ r  t$ n n0 n1 rw ~ rl@ r  t$ n n n rw ~ m@ r  t$ n ny nz rw ~ r m@ r  t$ n n2 nx rw ~ @m@ r  t$ n  n| nA rw ~ r`m@ r  t$ n  ng nj qxy ~ m@ r  t$ n2 nf ng rw ~ rm@ r  t$ n np n rw ~ m@ r  t$ n n no rw ~ rm@ r  t$ n ne n rw ~ n@ r  t$ n n n nrw ~ r n@ r  t$ n n[ n\ rw ~ @n@ r  t$ n n_ n rw ~ r`n@ r  t$ n Z n rw ~ n@ r  t$ n n~ n/ rw ~ rn@ r  t$ n ns nt rw ~ n@ r  t$ n  nr n6 rw ~ rn@ r  t$ n3 C ne rw ~ o@ r  t$ X Y n rw ~ r o@ r  t$ n nc nd rw ~ @o@ r  t$ n n nD rw ~ r`o@ r  t$ n n n rw ~ o@ r  t$ n7 n nX rw ~ ro@ r  t$ n9 n8 nc rw ~ o@ r  t$ n; n: na rw ~ 
ro@ r  t$ n= n< n> rw DDl~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ n n n n n n n n n  n  n                        ~ p@ r  t$ nR nQ nN rw  ~ rp@ r  t$ nT nS nM rw  ~  p@ r  t$ nU Z nL rw  ~ r0p@ r  t$ n n nK rw  ~ @p@ r  t$ [ n nI rw  ~ rPp@ r  t$ nY nX nG rw  ~ `p@ r  t$ n[ nZ n rw  ~ rpp@ r  t$ nW nV nH rw  ~ p@ r  t$ n5 n4 nJ rw  ~ rp@ E  t$ n n nw rw  ~ p@ r  t$ n? nP ny rw   pp p z{ pp pp p z{ pp pp p z{ pp ppp z{ pp ppp{|pp ppp{|pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp D l~~~~~~~~~~~4444**  ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?  p {}pp !p!{}pp "p"{}pp #p#{}pp $p${}pp %p%{}pp &p&{}pp 'p'{}pp (p({}pp )p){}pp *p*{}pp +p+{}pp ,p,{}pp -p-{}pp .p.{}pp /p/{}pp 0p0{}pp 1p1{}pp 2p2{}pp 3p3{}pp 4p4{}pp 5p5{}pp 6p6{}pp 7p7{}pp 8p8{}pp 9p9{}pp :p:{}pp ;p;{}pp <p<{}pp =p={}pp >p>{}pp ?p?{}pp Dl@ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ @p@{}pp ApA{}pp BpB{}pp CpC{}pp DpD{}pp EpE{}pp FpF{}pp GpG{}pp HpH{}pp IpI{}pp JpJ{}pp KpK{}pp LpL{}pp MpM{}pp NpN{}pp OpO{}pp PpP{}pp QpQ{}pp RpR{}pp SpS{}pp TpT{}pp UpU{}pp VpV{}pp WpW{}pp XpX{}pp YpY{}pp ZpZ{}pp [p[{}pp \p\{}pp ]p]{}pp ^p^{}pp _p_{}pp Dl` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~  `p`{}pp apa{}pp bpb{}pp cpc{}pp dpd{}pp epe{}pp fpf{}pp gpg{}pp hph{}pp ipi{}pp jpj{}pp kpk{}pp lpl{}pp mpm{}pp npn{}pp opo{}pp ppp{}pp qpq{}pp rpr{}pp sps{}pp tpt{}pp upu{}pp vpv{}pp wpw{}pp xpx{}pp ypy{}pp zpz{}pp {p{{}pp |p|{}pp }p}{}pp ~p~{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp 
p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                     p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp  p {}pp  p {}pp  p {}pp  p {}pp  p {}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl  ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?  p {}pp !p!{}pp "p"{}pp #p#{}pp $p${}pp %p%{}pp &p&{}pp 'p'{}pp (p({}pp )p){}pp *p*{}pp +p+{}pp ,p,{}pp -p-{}pp .p.{}pp /p/{}pp 0p0{}pp 1p1{}pp 2p2{}pp 3p3{}pp 4p4{}pp 5p5{}pp 6p6{}pp 7p7{}pp 8p8{}pp 9p9{}pp :p:{}pp ;p;{}pp <p<{}pp =p={}pp >p>{}pp ?p?{}pp Dl@ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ @p@{}pp ApA{}pp BpB{}pp CpC{}pp DpD{}pp EpE{}pp FpF{}pp GpG{}pp HpH{}pp IpI{}pp JpJ{}pp KpK{}pp LpL{}pp MpM{}pp NpN{}pp OpO{}pp PpP{}pp QpQ{}pp RpR{}pp SpS{}pp TpT{}pp UpU{}pp VpV{}pp WpW{}pp XpX{}pp YpY{}pp ZpZ{}pp [p[{}pp \p\{}pp ]p]{}pp ^p^{}pp _p_{}pp Dl` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~  `p`{}pp apa{}pp bpb{}pp cpc{}pp dpd{}pp epe{}pp fpf{}pp gpg{}pp hph{}pp ipi{}pp jpj{}pp kpk{}pp lpl{}pp mpm{}pp npn{}pp opo{}pp ppp{}pp qpq{}pp rpr{}pp sps{}pp tpt{}pp upu{}pp vpv{}pp wpw{}pp xpx{}pp ypy{}pp zpz{}pp {p{{}pp |p|{}pp }p}{}pp ~p~{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp 
p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                     p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp  p {}pp  p {}pp  p {}pp  p {}pp  p {}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl  ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?  p {}pp !p!{}pp "p"{}pp #p#{}pp $p${}pp %p%{}pp &p&{}pp 'p'{}pp (p({}pp )p){}pp *p*{}pp +p+{}pp ,p,{}pp -p-{}pp .p.{}pp /p/{}pp 0p0{}pp 1p1{}pp 2p2{}pp 3p3{}pp 4p4{}pp 5p5{}pp 6p6{}pp 7p7{}pp 8p8{}pp 9p9{}pp :p:{}pp ;p;{}pp <p<{}pp =p={}pp >p>{}pp ?p?{}pp Dl@ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ @p@{}pp ApA{}pp BpB{}pp CpC{}pp DpD{}pp EpE{}pp FpF{}pp GpG{}pp HpH{}pp IpI{}pp JpJ{}pp KpK{}pp LpL{}pp MpM{}pp NpN{}pp OpO{}pp PpP{}pp QpQ{}pp RpR{}pp SpS{}pp TpT{}pp UpU{}pp VpV{}pp WpW{}pp XpX{}pp YpY{}pp ZpZ{}pp [p[{}pp \p\{}pp ]p]{}pp ^p^{}pp _p_{}pp Dl` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~  `p`{}pp apa{}pp bpb{}pp cpc{}pp dpd{}pp epe{}pp fpf{}pp gpg{}pp hph{}pp ipi{}pp jpj{}pp kpk{}pp lpl{}pp mpm{}pp npn{}pp opo{}pp ppp{}pp qpq{}pp rpr{}pp sps{}pp tpt{}pp upu{}pp vpv{}pp wpw{}pp xpx{}pp ypy{}pp zpz{}pp {p{{}pp |p|{}pp }p}{}pp ~p~{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp 
p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl                                p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp p{}pp Dl  p{}pp p{}pp `  (  R  C ]F!" d ZR  C ]F!@" d ZR  C ]F!" d ZR  C ]F!" d ZR  C ]F!" d ZR  C ]F!@" d ZR  C ]F! " d ZR  C ]F!`4 d ZR   C  ]F !@4 d ZR   C  ]F !4 d >@Z A nnnw & ;@Pass;@Fail;Info   ;     @Pass;     @Fail;     Info;@Pass;@Fail;Info!!!!;@Pass;@Fail;Info %%%%;@Pass;@Fail;Info{+{ {+{ {+{ {+{  {+{ {+{ {+{{+{{+{ {+{!!{+{!!{+{!!{+{%%{+{%%{+{%%y  Input Alert5Please enter an accepted value: Pass, Fail, N/A, InfoPassFailN/AInfoN  Sheet3ggD  (8HX  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX333333?333333?&43U} } 8} $                                                                              D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& !"#$%&'()*+,-./0123456789:;<=>?    ! !! " "" # ## $ $$ % %% & && ' '' ( (( ) )) * ** + ++ , ,, - -- . .. / // 0 00 1 11 2  22 3  33 4 44 5 55 6 66 7 77 8 88 9 99 : :: ; ;; < << = == > >> ? 
??D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ @ @@ A AA B BB C CC D DD E EE F FF G GG H HH I II J JJ K KK L LL M MM N NN O OO P PP Q QQ R RR S SS T TT U UU V VV W WW X XX Y YY Z/ ZZ [0 [[ \ \\ ] ]] ^ ^^ _ __D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&`abcdefghijklmnopqrstuvwxyz{|}~ ` `` a aa b bb c cc d dd e ee f ff g gg h hh i ii j jj k kk l ll m mm n nn o oo p pp q qq r  rr s! ss t1 tt u uu v vv w ww x xx y yy z zz { {{ | || } }} ~ ~~  D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&         "                      #  $  %  &  '  (  )  *  +  ,            -   Dl&&     .      d>@A w  Sheet4ggD     dMbP?_*+%&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX??&U} I_Y} $ Y k![ l[ mG[ l[ m"[ [ [x>@[Zw  Sheet5ggD     dMbP?_*+%&?'?(?)?"??&U} D} G} 1C} m}C  } C} mD} C} &E} IC} IF} AC} C} $ C ,X@X@@,K,@,@@ @ , @   HIIIC  LM Jb LcC B LCC C LfCC @ L`C C   La C C   U C C   L_ C0&:::::>@LJ J   w  Sheet6ggD     dMbP?_*+%&?'?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,??&U} $ } m(} Iw@" @b@@F      OS OT OU OVP$@Q?@ RW PHP4@Q@P@ RX PHP>@QU@ R PH Ti~ QU@ S PHVD@Wt@ XH PHV?W@ V PHPN@Q@ R PHPQ@Q@ RN PH PPRP PPRP PPRP PPRP PPRPPPRPPPRPPPRPPPRPYYY.2822282222 >@ A w  Sheet7ggD X 8Safeguard Computer Security Evaluation Matrix (SCSEM)IRSJonathan IsnerMicrosoft Excel@:@v)@7՜.+,D՜.+,x PXh px 6BA&H  CoverPurpose Dashboard DocumentSummaryInformation8CompObj r Test CasesOut Of Scope Controls Sources Legend Change Log%'Out Of Scope Controls'!Print_Titles  Worksheets Named Ranges$ 8@ _PID_HLINKSA kHmailto:First.M.Last@xx.xxxkHmailto:First.M.Last@xx.xxx F&Microsoft Office Excel 2003 WorksheetBiff8Excel.Sheet.89q