Search <book_title>...

Veritas NetBackup™ Virtual Appliance Documentation

Last Published: 2021-01-22

Product(s): Appliances (3.3.0.1)

Platform: NetBackup Virtual Appliance

Getting to know the NetBackup Virtual Appliance
1. NetBackup Virtual Appliance product description
2. NetBackup Virtual Appliance supported features
3. About the NetBackup Virtual Appliance documentation
4. NetBackup Virtual Appliance 3.3.0.1 new features, enhancements, and changes
5. Known limitations of the NetBackup Virtual Appliance 3.3.0.1 release
6. Operational Notes for the NetBackup Virtual Appliance 3.3.0.1 release
Preparing to deploy the appliance
1. NetBackup Virtual Appliance product files (OVF templates)
2. NetBackup Virtual Appliance deployment methods
3. NetBackup Virtual Appliance deployment guidelines
  1. Configuration overview for NetBackup Virtual Appliance MSDP cloud applications
  2. NetBackup Virtual Appliance initial deployment checklist
Deploying and configuring the appliance
1. How to deploy and configure a NetBackup Virtual Appliance combined master and media server
2. How to deploy and configure a NetBackup Virtual Appliance media server
3. How to deploy and configure a NetBackup Virtual Appliance master server
Post initial configuration procedures
1. About modifying the NetBackup Virtual Appliance settings
2. Adding a permanent license key if an evaluation license key expires
3. Managing license keys on the NetBackup Virtual Appliance
Appliance common tasks
1. Common tasks in NetBackup Virtual Appliance
Storage management
1. About NetBackup Virtual Appliance storage configuration
2. About OpenStorage plugin installation
  1. Installing the OpenStorage plugin
  2. Uninstalling the OpenStorage plugin
Deduplication pool catalog backup and recovery
1. About the NetBackup Virtual Appliance deduplication pool catalog backup policy
2. Automatic configuration of the NetBackup Virtual Appliance deduplication pool catalog backup policy
3. Manually configuring the NetBackup Virtual Appliance deduplication pool catalog backup policy
4. Manually updating the NetBackup Virtual Appliance deduplication pool catalog backup policy
5. Recovering the NetBackup Virtual Appliance deduplication pool catalog
Network connection management
1. About IPv4-IPv6-based network support
2. Network settings for the NetBackup Virtual Appliance
3. Configuring DNS and host name mapping for the NetBackup Virtual Appliance
4. Setting the date and time on a NetBackup Virtual Appliance
5. Configuring static routes on the NetBackup Virtual Appliance
6. Expanding the bandwidth on the NetBackup Virtual Appliance
Managing users
1. About managing NetBackup Virtual Appliance users
2. About NetBackup Virtual Appliance account types
3. Adding NetBackup Virtual Appliance users
4. Deleting NetBackup Virtual Appliance users
5. Adding NetBackup Virtual Appliance user groups
6. Deleting NetBackup Virtual Appliance user groups
7. Granting roles to NetBackup Virtual Appliance users and user groups
8. Revoking roles from NetBackup Virtual Appliance users and user groups
9. About user name and password specifications
  1. About STIG-compliant password policy rules
10. Changing NetBackup Virtual Appliance user passwords
11. About password management and recovery
12. About authenticating LDAP users
13. About authenticating Active Directory users
  1. Adding an Active Directory server configuration
  2. Unconfiguring Active Directory user authentication on the NetBackup Virtual Appliance
14. About authentication using smart cards and digital certificates
15. About authenticating Kerberos-NIS users
  1. Adding a Kerberos-NIS authentication configuration on the NetBackup Virtual Appliance
  2. Unconfiguring Kerberos-NIS user authentication on the NetBackup Virtual Appliance
16. Generic user authentication guidelines
17. About user authorization on the NetBackup Virtual Appliance
18. Creating NetBackup administrator user accounts
19. Deleting NetBackup administrator user accounts
Using the appliance
1. About configuring Host parameters for your appliance on the NetBackup Virtual Appliance
2. About Copilot functionality and Share management
3. About NetBackup Virtual Appliance as a VMware backup host
  1. NetBackup Virtual Appliance as backup host: component overview
  2. Notes on NetBackup Virtual Appliance as a VMware backup host
4. About running NetBackup commands from the appliance
5. About mounting a remote NFS
  1. Mounting a remote NFS drive
  2. Unmounting an NFS drive
6. About Auto Image Replication from a NetBackup Virtual Appliance
7. Generating certificates
Monitoring the appliance
1. About NetBackup Virtual Appliance alerts
2. Setting up email notifications for a NetBackup Virtual Appliance
3. Setting up SNMP notifications for a NetBackup Virtual Appliance
4. Enabling and disabling Call Home from the appliance shell menu
5. Configuring a Call Home proxy server from the NetBackup Virtual Appliance Shell Menu
6. About SNMP
  1. About the Management Information Base (MIB)
7. About Call Home
  1. Understanding the Call Home workflow
  2. About the Product Improvement Program
8. About AutoSupport
9. About storage email alerts
Appliance security
1. About Symantec Data Center Security on the NetBackup Virtual Appliance
2. About data security
3. About data integrity
4. About data classification
5. About data encryption
6. About the NetBackup Virtual Appliance intrusion detection system
7. About the NetBackup Virtual Appliance intrusion prevention system
8. Major components of the NetBackup Virtual Appliance OS
9. OS STIG hardening for NetBackup Virtual Appliance
10. Unenforced STIG hardening rules
11. FIPS 140-2 conformance for NetBackup Virtual Appliance
12. Vulnerability scanning of the NetBackup Virtual Appliance
13. About the appliance login banner
14. Setting the appliance login banner
  1. Creating the appliance login banner
  2. Removing the appliance login banner
15. Log Forwarding feature overview
Upgrading the appliance
1. About upgrading to NetBackup Virtual Appliance software version 3.3.0.1
2. Requirements and best practices for upgrading NetBackup appliances
  1. Upgrade time estimation
3. Pre-upgrade tasks for appliance upgrades
4. Methods for downloading appliance software release updates
  1. Downloading software updates directly to a NetBackup appliance
  2. Downloading software updates to a NetBackup appliance using a client share
5. Installing a NetBackup Virtual Appliance software update using the NetBackup Virtual Appliance Shell Menu
6. Troubleshooting upgrade issues
NetBackup client upgrades with VxUpdate
1. About VxUpdate
2. VxUpdate repository management
3. Deployment policy management
4. Manually initiating upgrades from the master server using VxUpdate
5. Manually initiating upgrades from the client using VxUpdate
6. Deployment job status
Appliance restore
1. About appliance restore
2. Creating an appliance checkpoint from the appliance shell menu
3. Rollback to an appliance checkpoint from the appliance shell menu
4. About NetBackup Virtual Appliance factory reset
5. Factory reset best practices
6. How to factory reset the NetBackup Virtual Appliance
Decommissioning and Reconfiguring
1. About decommissioning a NetBackup Virtual Appliance
2. Decommissioning a NetBackup Virtual Appliance with the media server role
Troubleshooting
1. About troubleshooting the NetBackup Virtual Appliance
2. About contacting Technical Support
3. Determining the NetBackup Virtual Appliance serial number
4. About disaster recovery
  1. Recovering a NetBackup appliance master server using NetBackup catalog restore
5. About NetBackup support utilities
  1. NetBackup Domain Network Analyzer (NBDNA)
  2. NetBackup Support Utility (NBSU)
6. Troubleshooting NetBackup Virtual Appliance initial deployment issues
7. Error messages displayed on the NetBackup Virtual Appliance Shell Menu
8. NetBackup status codes applicable for NetBackup Virtual Appliance
9. Installing an EEB
10. Rolling back an EEB using the NetBackup Virtual Appliance Shell Menu
Appliance logging
1. About NetBackup Virtual Appliance log files
2. Viewing log files using the Support command
3. Where to find NetBackup Virtual Appliance log files using the Browse command
4. Enabling and disabling VxMS logging
5. Gathering device logs on a NetBackup virtual appliance
6. About forwarding logs to an external server
Commands overview
1. About the NetBackup Virtual Appliance Shell Menu
2. Logging in to the NetBackup Virtual Appliance Shell Menu
3. Using the NetBackup Virtual Appliance Shell Menu
4. About the NetBackup Virtual Appliance Shell Menu command views
Appendix A. Appliance commands
1. Appliance > Master
2. Appliance > Media
3. Appliance > ShowDedupPassword
4. Appliance > Status
5. Appliance > Configure
Appendix B. Manage commands
1. Manage > Software > Delete
2. Manage > Software > Download
3. Manage > Software > List
4. Manage > Software > Install
5. Manage > Software > Share
6. Manage > Software > Readme
7. Manage > Software > Rollback
8. Manage > Software > Cancel
9. Manage > Software > DownloadProgress
10. Manage > Software > UpgradeStatus
11. Manage > Software > VxUpdate
12. Manage > Storage > Show
13. Manage > Storage > Add
14. Manage > Storage > Create
15. Manage > Storage > Delete
16. Manage > Storage > Edit
17. Manage > Storage > Monitor
18. Manage > Storage > Move
19. Manage > Storage > Remove
20. Manage > Storage > Resize
21. Manage > Storage > Scan
22. Manage > OpenStorage > Install
23. Manage > OpenStorage > List
24. Manage > OpenStorage > Readme
25. Manage > OpenStorage > Share
26. Manage > OpenStorage > Uninstall
27. Manage > MountPoints > List
28. Manage > MountPoints > Mount
29. Manage > MountPoints > Unmount
30. Manage > License > Add
31. Manage > License > List
32. Manage > License > ListInfo
33. Manage > License > Remove
34. Manage > Certificates > Generate
35. Manage > Certificates > Delete
36. Manage > NetBackupCLI > Create
37. Manage > NetBackupCLI > Delete
38. Manage > NetBackupCLI > List
Appendix C. Monitor commands
1. Monitor > Uptime
2. Monitor > Who
3. Monitor > NetworkStatus
4. Monitor > Top
5. Monitor > MemoryStatus
6. Monitor > SDCS
7. Monitor > NetBackup
8. Monitor > Hardware
Appendix D. Network commands
1. Network > Configure
2. Network > Date
3. Network > DNS
4. Network > Gateway
5. Network > Hostname
6. Network > Hosts
7. Network > IPv4
8. Network > IPv6
9. Network > LinkAggregation
10. Network > NetStat
11. Network > NTPServer
12. Network > Ping
13. Network > SetProperty
14. Network > Show
15. Network > TimeZone
16. Network > TraceRoute
17. Network > Unconfigure
18. Network > WANOptimization
Appendix E. Reports commands
1. Reports > Deduplication
2. Reports > Process
Appendix F. Settings commands
1. Settings > Deduplication
2. Settings > LifeCycle
3. Settings > LogForwarding
4. Settings > NetBackup
5. Settings > Password
6. Settings > SystemLocale
7. Settings > Share
8. Settings > Sysctl
9. Settings > NetBackup DNAT
10. Settings > NetBackup NATServers
11. Settings > Notifications > LoginBanner
12. Settings > Security > Authentication > LDAP
13. Settings > Security > Authentication > ActiveDirectory
14. Settings > Security > Authentication > Kerberos
15. Settings > Security > Authentication > LocalUser
16. Settings > Security > Authorization
17. Main > Settings > Security > Certificate
18. Main > Settings > Security > STIG
19. Main > Settings > Security > FIPS
20. Settings > Alerts > CallHome
21. Settings > Alerts > SNMP
22. Settings > Alerts > Email
23. Settings > Alerts > Hardware
Appendix G. Support commands
1. Support > Checkpoint
2. Support > DataCollect
3. Support > Disk
4. Support > Errors
5. Support > FactoryReset
6. Support > InfraServices
7. Support > iostat
8. Support > LogBrowser
9. Support > Logs
10. Support > Maintenance
11. Support > Messages
12. Support > NBDNA
13. Support > nbperfchk
14. Support > NBSU
15. Support > Processes
16. Support > Reboot
17. Support > Service
18. Support > Shutdown
19. Support > Storage SanityCheck
20. Support > Storage Reset
21. Support > Test

OS STIG hardening for NetBackup Virtual Appliance

The Security Technical Implementation Guides (STIGs) provide technical guidance for increasing the security of information systems and software to help prevent malicious computer attacks. This type of security is also referred to as hardening.

Starting with software version 3.2, you can enable OS STIG hardening rules for increased security. These rules are based on the following profile from the Defense Information Systems Agency (DISA):

STIG for Red Hat Enterprise Linux 7 Server - Version 0.1.43

To enable these rules, use the following command:

Main_Menu > Settings > Security > Stig Enable, followed by the maintenance password.

Note the following about enabling STIG:

When the option is enabled, a list of the enforced rules appears. The command output also shows exceptions to any rules that are not enforced.
This command does not allow individual rule control.
Once the option is enabled, a factory reset is required to disable the associated rules.
If Lightweight Directory Access Protocol (LDAP) is configured, it is recommended that you set it up to use Transport Layer Security (TLS) before you enable the option.

Note:

If you have enabled the STIG feature on an appliance and you need to upgrade it or install an EEB on it, do not plan such installations during the 4:00am - 4:30am time frame. By following this best practice, you can avoid interrupting the automatic update of the AIDE database and any monitored files, which can cause multiple alert messages from the appliance.

The following describes the hardening rules that are enforced after the option is enabled. Each rule is identified by a Common Configuration Enumerator (CCE) identifier, a short rule description, and a Security Content Automation Protocol (SCAP) scanner severity level.

Rules enforced after enabling the option

CCE-27127-0: Enable randomized layout of virtual address space.
Scanner severity level: Medium
CCE-26900-1: Disable core dumps for SUID programs.
Scanner severity level: Low
CCE-27050-4: Restrict access to kernel message buffer.
Scanner severity level: Low
CCE-80258-7: Disable the kdump kernel crash analyzer.
Scanner severity level: Medium
CCE-27220-3: Build and test AIDE database.
Scanner severity level: Medium
CCE-26952-2: Configure periodic execution of AIDE.
Scanner severity level: Medium
CCE-27303-7: Modify the system login banner.
Scanner severity level: Medium
CCE-27386-2: Ensure that the default SNMP password is not used.
Scanner severity level: High
Note:
The SNMP password is changed to the fully qualified domain name (FQDN) of the appliance.
CCE-27082-7: Set SSH client alive account.
Scanner severity level: Medium
CCE-27314-4: Enable SSH warning banner.
Scanner severity level: Medium
CCE-27437-3: Ensure that auditd collects information on the use of privileged commands.
Scanner severity level: Medium
CCE-27309: Set boot loader password.
Scanner severity level: High
CCE-80374-2: Configure notification of AIDE scan results.
Scanner security level: Medium
CCE-80375-9: Configure AIDE to verify Access Control Lists (ACLs).
Scanner severity level: Medium
CCE-80376-7: Configure AIDE to verify extended attributes.
Scanner severity level: Medium
CCE-27375-5: Configure auditd_space_left_action on low disk space.
Scanner severity level: Medium
CCE-27341-7: Configure auditd to use audispd_syslog_plugin.
Scanner security level: Medium
CCE-27353-2: Record events that modify the system discretionary access controls (fremovexattr).
Scanner severity level: Medium
CCE-27410-0: Record events that modify the system discretionary access controls (lremovexattr).
Scanner severity level: Medium
CCE-27367-2: Record events that modify the system discretionary access controls (removexattr).
Scanner severity level: Medium
CCE-27204-7: Record attempts to alter the logon and logout events.
Scanner severity level: Medium
CCE-27347-4: Ensure that auditd collects unauthorized access attempts to files.
Scanner severity level: Medium
CCE-27447-2: Ensure that auditd collects information on successful exporting to media.
Scanner severity level: Medium
CCE-27206-2: Ensure that auditd collects file deletion events by the user.
Scanner severity level: Medium
CCE-27129-6: Ensure that auditd collects information on kernel module loading and unloading.
Scanner severity level: Medium
CCE-27333-4: Set the password rule for maximum consecutive repeating characters.
Scanner severity level: Medium
CCE-27512-3: Set the password rule for maximum consecutive repeating characters from the same character class.
Scanner severity level: Medium
CCE-27214-6: Set the password strength for minimum digit (numeric) characters.
Scanner severity level: Medium
CCE-27293-0: Set the password rule for minimum length.
Scanner severity level: Medium
CCE-27200-5: Set the password strength for minimum uppercase characters.
Scanner severity level: Medium
CCE-27360-7: Set the password strength for minimum special characters.
Scanner severity level: Medium
CCE-27345-8: Set the password strength for minimum lowercase characters.
Scanner severity level: Medium
CCE-26631-2: Set the password strength for minimum different characters.
Scanner severity level: Medium
CCE-27115-5: Disable modprobe loading of the USB storage driver.
Scanner severity level: Medium
CCE-27350-8: Set the number of failed password attempts to deny access.
Scanner severity level: Medium
CCE-80353-6: Configure the root account for failed password attempts.
Scanner severity level: Medium
CCE-27297-1: Set the interval for counting failed password attempts.
Scanner severity level: Medium
CCE-27002-5: Set the password minimum age.
Scanner severity level: Medium
CCE-27051-2: Set the password maximum age.
Scanner security level: Medium
CCE-27081-9: Limit the number of concurrent login sessions allowed for each user.
Scanner severity level: Low
CCE-80522-6: Set the maximum age (period of time after which the set password expires and must be changed) for the existing password.
Scanner severity level: Medium
CCE-80521-8: Set the minimum age (period of time a password must be used before it can be changed) for the existing password .
Scanner severity level: Medium
CCE-27339-1: Record the events that modify the system's discretionary access controls (chmod).
Scanner severity level: Medium
CCE-27364-9: Record the events that modify the system's discretionary access controls (chown).
Scanner severity level: Medium
CCE-27393-8: Record the events that modify the system's discretionary access controls (fchmod).
Scanner severity level: Medium
CCE-27388-8: Record the events that modify the system's discretionary access controls (fchmodat).
Scanner severity level: Medium
CCE-27356-5: Record the events that modify the system's discretionary access controls (fchown).
Scanner severity level: Medium
CCE-27387-0: Record the events that modify the system's discretionary access controls (fchownat).
Scanner severity level: Medium
CCE-27389-6: Record the events that modify the system's discretionary access controls (fsetxattr).
Scanner severity level: Medium
CCE-27083-5: Record the events that modify the system's discretionary access controls (lchown).
Scanner severity level: Medium
CCE-27280-7: Record the events that modify the system's discretionary access controls (lsetxattr).
Scanner severity level: Medium
CCE-27213-8: Record the events that modify the system's discretionary access controls (setxattr).
Scanner severity level: Medium
CCE-27206-2: Ensure that auditd collects file deletion events executed by the user (rename).
Scanner severity level: Medium
CCE-80413-8: Ensure that auditd collects file deletion events executed by the user (renameat).
Scanner severity level: Medium
CCE-80412-0: Ensure that auditd collects file deletion events executed by the user (rmdir).
Scanner severity level: Medium
CCE-27206-2: Ensure that auditd collects file deletion events executed by the user (unlink).
Scanner severity level: Medium
CCE-80662-0: Ensure that auditd collects file deletion events executed by the user (unlinkat).
Scanner severity level: Medium
CCE-80446-8: Ensure that auditd collects information on kernel module loading (insmod).
Scanner severity level: Medium
CCE-80417-9: Ensure that auditd collects information on kernel module loading and unloading (modprobe).
Scanner severity level: Medium
CCE-80416-1: Ensure that auditd collects information on kernel module unloading (rmmod).
Scanner severity level: Medium
CCE-80384-1: Record attempts to alter logon and logout events (lastlog).
Scanner severity level: Medium
CCE-80382-5: Record attempts to alter logon and logout events (tallylog).
Scanner severity level: Medium
CCE-80398-1: Ensure that auditd collects information on the use of privileged commands (chage).
Scanner severity level: Medium
CCE-80404-7: Ensure that auditd collects information on the use of privileged commands (chsh).
Scanner severity level: Medium
CCE-80410-4: Ensure that auditd collects information on the use of privileged commands (crontab).
Scanner severity level: Medium
CCE-80397-3: Ensure that auditd collects information on the use of privileged commands (gpasswd).
Scanner severity level: Medium
CCE-80403-9: Ensure that auditd collects information on the use of privileged commands (newgrp).
Scanner severity level: Medium
CCE-80411-2: Ensure that auditd collects information on the use of privileged commands (pam_timestamp_check).
Scanner severity level: Medium
CCE-80395-7: Ensure that auditd collects information on the use of privileged commands (passwd).
Scanner severity level: Medium
CCE-80406-2: Ensure that auditd collects information on the use of privileged commands (postdrop).
Scanner severity level: Medium
CCE-80407-0: Ensure that auditd collects information on the use of privileged commands (postqueue).
Scanner severity level: Medium
CCE-80408-8: Ensure that auditd collects information on the use of privileged commands (ssh-keysign).
Scanner severity level: Medium
CCE-80400-5: Ensure that auditd collects information on the use of privileged commands (su).
Scanner severity level: Medium
CCE-80401-3: Ensure that auditd collects information on the use of privileged commands (sudo).
Scanner severity level: Medium
CCE-80405-4: Ensure that auditd collects information on the use of privileged commands (umount).
Scanner severity level: Medium
CCE-80396-5: Ensure that auditd collects information on the use of privileged commands (unix_chkpwd).
Scanner severity level: Medium
CCE-80399-9: Ensure that auditd collects information on the use of privileged commands (userhelper).
Scanner severity level: Medium
CCE-27461-3: Ensure that auditd collects system administrator actions.
Scanner severity level: Medium
CCE-80433-6: Record the events that modify user/group information (/etc/group).
Scanner severity level: Medium
CCE-80432-8: Record the events that modify user/group information (/etc/gshadow).
Scanner severity level: Medium
CCE-80430-2: Record the events that modify user/group information (/etc/security/opasswd).
Scanner severity level: Medium
CCE-80435-1: Record the events that modify user/group information (/etc/passwd).
Scanner severity level: Medium
CCE-80431-0: Record the events that modify user/group information (/etc/shadow).
Scanner severity level: Medium
CCE-27309-4: Set boot loader password in grub2.
Scanner severity level: High
CCE-80377-5: Configure aide to use fips 140-2 for validating hashes.
Scanner severity level: Medium
CCE-80226-4: Enable encrypted X11 forwarding.
Scanner severity level: High
CCE-80393-2: Record any attempts to run chcon.
Scanner severity level: Medium
CCE-80391-6: Record any attempts to run semanage.
Scanner severity level: Medium
CCE-80660-4: Record any attempts to run setfiles.
Scanner severity level: Medium
CCE-80392-4: Record any attempts to run setsebool.
Scanner severity level: Medium
CCE-80385-8: Record unauthorized (unsuccessful) access attempts to files (create).
Scanner severity level: Medium
CCE-80390-8: Record unauthorized (unsuccessful) access attempts to files (ftruncate).
Scanner severity level: Medium
CCE-80386-6: Record unauthorized (unsuccessful) access attempts to files (open).
Scanner severity level: Medium
CCE-80388-2: Record unauthorized (unsuccessful) access attempts to files (open_by_handle_at).
Scanner severity level: Medium
CCE-80387-4: Record unauthorized (unsuccessful) access attempts to files (openat).
Scanner severity level: Medium
CCE-80389-0: Record unauthorized (unsuccessful) access attempts to files (truncate).
Scanner severity level: Medium
CCE-80402-1: Ensure that auditd collects information on the use of privileged commands (sudoedit).
Scanner severity level: Medium
CCE-80661-2: Ensure that auditd collects information on kernel module loading (create_module).
Scanner severity level: Medium
CCE-80415-3: Ensure that auditd collects information on kernel module unloading (delete_module).
Scanner severity level: Medium
CCE-80547-3: Ensure that auditd collects information on kernel module loading and unloading (finit_module).
Scanner severity level: Medium
CCE-80414-6: Ensure that auditd collects information on kernel module loading (init_module).
Scanner severity level: Medium
CCE-80537-4: Configure auditd space_left on Low Disk Space.
Scanner severity level: Medium

Rules always enforced

The following rules are always enforced and cannot be disabled. Hardening of these rules complies with the specifications described in "NIST Special Publication 800-123". For more information, refer to the following:

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

CCE-80165-4: Configure the kernel parameter to ignore ICMP broadcast echo requests.
Scanner severity level: Medium
CCE-80156-3: Disable the kernel parameter for sending ICMP redirects by default.
Scanner severity level: Medium
CCE-80156-3: Disable the kernel parameter for sending ICMP redirects for all interfaces.
Scanner severity level: Medium
CCE-26828-4: Disable support for DCCP.
Scanner severity level: Medium
CCE-27212-0: Enable auditing for the processes that start before the audit daemon.
Scanner severity level: Medium
CCE-26957-1: Ensure that the Red Hat GPG key is installed.
Scanner severity level: High
CCE-27096-7: Ensure that the AIDE package is installed.
Scanner severity level: Medium
CCE-27351-6: Install the screen package.
Scanner severity level: Medium
CCE-27268-2: Restrict serial port root logins.
Scanner severity level: Low
CCE-27318-5: Restrict virtual console root logins.
Scanner severity level: Medium
CCE-27401-9: Disable telnet service
Scanner severity level: High
CCE-27471-2: Disable SSH access without a password.
Scanner severity level: High
CCE-27286-4: Prevent login to accounts without a password.
Scanner severity level: High
CCE-27511-5: Disable Ctrl-Alt-Del reboot activation.
Scanner severity level: High
CCE-27320-1: Allow only SSH protocol version 2.
Scanner severity level: High
CCE-27294-8: Do not allow direct root logins.
Scanner severity level: Medium
CCE-80157-1: Disable the kernel parameter for IP forwarding.
Scanner severity level: Medium
CCE-80158-9: Configure the kernel parameter for accepting ICMP redirects for all interfaces.
Scanner severity level: Medium
CCE-80163-9: Configure the kernel parameter for accepting ICMP redirects by default.
Scanner severity level: Medium
CCE-27327-6: Disable the Bluetooth kernel modules.
Scanner severity level: Medium
CCE-80179-5: Configure the kernel parameter for accepting source-routed packets for all interfaces.
Scanner severity level: Medium
CCE-80220-7: Disable the GSSAPI authentication.
Scanner severity level: Medium
CCE-80221-5: Disable the Kerberos authentication.
Scanner severity level: Medium
CCE-80222-3: Enable the use of strict mode checking.
Scanner severity level: Medium
CCE-80224-9: Disable compression or set compression to delayed.
Scanner severity level: Medium
CCE-27455-5: Use only FIPS approved MACs.
Scanner severity level: Medium
CCE-80378-3: Verify the user that owns /etc/cron.allow.
Scanner severity level: Medium
CCE-80379-1: Verify the group that owns /etc/cron.allow.
Scanner severity level: Medium
CCE-80372-6: Disable SSH support for user-known hosts.
Scanner severity level: Medium
CCE-80373-4: Disable SSH support for rhosts RSA authentication.
Scanner severity level: Medium
CCE-27363-1: Do not allow SSH environment options.
Scanner severity level: Medium
CCE-26989-4: Ensure that gpgcheck is globally activated.
Scanner severity level: High
CCE-80349--4: Ensure that the installed OS is certified.
Scanner severity level: High
CCE-27175-9: No UID except zero.
Scanner severity level: High
CCE-27498-5: Disable the auto-mounter.
Scanner severity level: Medium
CCE-80134-0: No files not owned by user.
Scanner severity level: Medium
CCE-80135-7: No file permissions not owned by group.
Scanner severity level: Medium
CCE-27211-2: sysctl_kernal_exec_shield.
Scanner severity level: Medium
CCE-27352-4: Verify that all account password hashes are shadowed.
Scanner severity level: Medium
CCE-27104-9: Set the password hashing algorithm systemauth.
Scanner severity level: Medium
CCE-27124-7: Set the password hashing algorithm logindefs.
Scanner severity level: Medium
CCE-27053-8: Set the password hashing algorithm libusercon.
Scanner severity level: Medium
CCE-27078-5: Disable pre-linking software.
Scanner severity level: Low
CCE-27116-3: Install the PAE kernel on supported 32-bit x86 systems.
Scanner severity level: Low
CCE-27503-2: All GIDs referenced in /etc/password must be defined in /etc/group.
Scanner severity level: Low
CCE-27160-1: Password pam retry.
Scanner severity level: Low
CCE-27275-7: Display login attempts.
Scanner severity level: Low
CCE-80350-2: Remove no_authenticate on sudo.
Scanner severity level: Medium
CCE-26961-3: Ensure that SELinux is not disabled in /etc/default/grub.
Scanner severity level: Medium
CCE-80245-4: Uninstall the vsftpd package.
Scanner severity level: High
CCE-80216-5: Enable the OpenSSH service.
Scanner severity level: Medium
CCE-27407-6: Enable the auditd service.
Scanner severity level: Medium
CCE-27361-5: Verify that firewalld is enabled.
Scanner severity level: Medium
CCE-80544-0: Ensure that users cannot change GNOME3 session idle settings.
Scanner severity level: Medium
CCE-80371-8: Ensure that users cannot change GNOME3 screensaver settings.
Scanner severity level: Medium
CCE-80563-0: Ensure that users cannot change GNOME3 screensaver lock after idle period.
Scanner severity level: Medium
CCE-80112-6: Enable GNOME3 screensaver lock after idle period.
Scanner severity level: Medium
CCE-80370-0: Set GNOME3 screensaver lock delay after activation period.
Scanner severity level: Medium
CCE-80110-0: Set GNOME3 screensaver inactivity timeout.
Scanner severity level: Medium
CCE-80564-8: Ensure that users cannot change the GNOME3 screensaver idle activation.
Scanner severity level: Medium
CCE-80162-1: Configure the kernel parameter for accepting source-routed packets by default.
Scanner severity level: Medium
CCE-80111-8: Enable GNOME3 screensaver idle activation.
Scanner severity level: Medium
CCE-80105-0: Disable GDM guest login.
Scanner severity level: High
CCE-80104-3: Disable GDM automatic login.
Scanner severity level: High
CCE-80108-4: Enable the GNOME3 login smartcard authentication.
Scanner severity level: Medium
CCE-27279-9: Configure the SELinux policy.
Scanner severity level: High
CCE-80148-0: Add the nosuid option to removable media partitions.
Scanner severity level: Low
CCE-80136-5: Ensure that all world-writable directories are owned by a system account.
Scanner severity level: Low
CCE-80174-6: Ensure that the system is not acting as a network sniffer.
Scanner severity level: Medium
CCE-80438-5: Configure multiple DNS servers in /etc/resolv.conf.
Scanner severity level: Low
CCE-27358-1: Deactivate wireless network interfaces.
Scanner severity level: Medium
CCE-27287-2: Require authentication for Single User mode.
Scanner severity level: Medium
CCE-27434-0: Configure the kernel parameter for accepting IPv4 source-routed packets for all interfaces.
Scanner severity level: Medium
CCE-80380-9: Ensure that cron is able to log in to Rsyslog.
Scanner severity level: Medium
CCE-80354-4: Set the UEFI boot loader password.
Scanner severity level: Medium
CCE-80517-6: Boat loader is not installed on removeable media.
Scanner severity level: Medium
CCE-27394-6: Configure the auditd mail_acct action on low disk space.
Scanner severity level: Medium
CCE-80434-4: Ensure that home directories are created for new users.
Scanner severity level: Medium
CCE-80536-6: Ensure that the default umask is set correctly for interactive users.
Scanner severity level: Medium
CCE-26923-3: Limit password reuse.
Scanner severity level: Medium
CCE-26892-0: Set the GNOME3 login warning banner text.
Scanner severity level: Medium
CCE-26970-4: Enable GNOME3 login warning banner.
Scanner severity level: Medium
CCE-27218-7: Remove the X Windows package group.
Scanner severity level: Medium
CCE-80215-7: Install the OpenSSH server package.
Scanner severity level: Medium
CCE-27311-0: Verify Permissions on SSH Server public *.pub key files.
Scanner severity level: Medium
CCE-27485-2: Verify Permissions on SSH Server private *_key key files.
Scanner severity level: Medium
CCE-80223-1: Enable Use of Privilege Separation.
Scanner severity level: Medium
CCE-27295-5: Use Only FIPS 140-2 Validated Ciphers.
Scanner severity level: Medium
CCE-80225-6: Enable SSH Print Last Log.
Scanner severity level: Medium
CCE-27445-6: Disable SSH root login.
Scanner severity level: Medium
CCE-27377-1: Disable SSH support for .rhosts files.
Scanner severity level: Medium
CCE-27413-4: Disable host-based authentication.
Scanner severity level: Medium
CCE-27458-9: Mount remote file systems with Kerberos Security.
Scanner severity level: Medium
CCE-80214-0: Ensure tftp daemon uses secure mode.
Scanner severity level: Medium
CCE-80213-2: Uninstall the tftp-server package.
Scanner severity level: High
CCE-27165-0: Uninstall the telnet-server package.
Scanner severity level: High
CCE-27342-5: Uninstall the rsh-server package.
Scanner severity level: High
CCE-80514-3: Remove user host-based authentication files.
Scanner severity level: High
CCE-80513-5: Remove host-based authentication files.
Scanner severity level: High
CCE-27399-5: Uninstall the ypserv package.
Scanner severity level: High
CCE-80240-5: Mount remote file systems with nosuid.
Scanner severity level: Medium
CCE-80436-9: Mount remote file systems with noexec.
Scanner severity level: Medium
CCE-80205-8: Ensure that the default umask is set correctly in login.defs.
Scanner severity level: Medium

See Unenforced STIG hardening rules.