The system must not have a public Instant Messaging (IM) client installed.

From SOLARIS 10 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE

Part of GEN006000

Associated with IA controls: ECIM-1

Associated with: CCI-000366 CCI-001154

SV-41525r1_rule The system must not have a public Instant Messaging (IM) client installed.

Vulnerability discussion

Public Instant Messaging (IM) systems are not approved for use and may result in the unauthorized distribution of information. IM clients provide a way for a user to send a message to one or more other users in real time. Additional capabilities may include file transfer and support for distributed game playing. Communication between clients and associated directory services are managed through messaging servers. Commercial IM clients include AOL Instant Messenger (AIM), MSN Messenger, and Yahoo! Messenger.IM clients present a security issue when the clients route messages through public servers. The obvious implication is potentially sensitive information could be intercepted or altered in the course of transmission. This same issue is associated with the use of public email servers. In order to reduce the potential for disclosure of sensitive Government information and to ensure the validity of official government information, IM clients connecting to public IM services will not be installed. Clients used to access internal or DoD-controlled IM services are permitted.

Check content

If an IM client is installed, ask the SA if it has access to any public domain IM servers. If it does have access to public servers, this is a finding.

Fix text

Uninstall the IM client from the system, or configure the client to only connect to DoD-approved IM services.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer