{"stig":{"title":"Solaris 11 SPARC Security Technical Implementation Guide","version":"3","release":"5"},"checks":[{"vulnId":"V-216246","ruleId":"SV-216246r986419_rule","severity":"medium","ruleTitle":"The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.","description":"Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone to be secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report the following, this is a finding.\n\naudit condition = auditing","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. Determine the zone to be secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-001487","CCI-004188"]},{"vulnId":"V-216249","ruleId":"SV-216249r958430_rule","severity":"medium","ruleTitle":"The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.","description":"Without an audit reporting capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only.  Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. 
It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only.  Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000158"]},{"vulnId":"V-216251","ruleId":"SV-216251r958446_rule","severity":"medium","ruleTitle":"The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.\n\nWithout accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked.\n\nWithout an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000172"]},{"vulnId":"V-216253","ruleId":"SV-216253r958412_rule","severity":"medium","ruleTitle":"Audit records must include what type of events occurred.","description":"Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000130"]},{"vulnId":"V-216254","ruleId":"SV-216254r958414_rule","severity":"medium","ruleTitle":"Audit records must include when (date and time) the events occurred.","description":"Without accurate time stamps malicious activity cannot be accurately tracked.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. 
It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000131"]},{"vulnId":"V-216255","ruleId":"SV-216255r958416_rule","severity":"medium","ruleTitle":"Audit records must include where the events occurred.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.\n\nWithout accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked.\n\nWithout an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000132"]},{"vulnId":"V-216256","ruleId":"SV-216256r958418_rule","severity":"medium","ruleTitle":"Audit records must include the sources of the events that occurred.","description":"Without accurate source information malicious activity cannot be accurately tracked.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000133"]},{"vulnId":"V-216257","ruleId":"SV-216257r958420_rule","severity":"medium","ruleTitle":"Audit records must include the outcome (success or failure) of the events that occurred.","description":"Tracking both the successful and unsuccessful attempts aids in identifying threats to the system.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. 
It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000134"]},{"vulnId":"V-216258","ruleId":"SV-216258r959010_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit file deletions.","description":"Without auditing, malicious activity cannot be detected.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version you are currently securing.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"fd\" audit flag is not included in output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"fd\" audit flag is not included in output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000366"]},{"vulnId":"V-216259","ruleId":"SV-216259r958368_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit account creation.","description":"Without auditing, malicious activity cannot be detected.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"ps\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000018"]},{"vulnId":"V-216260","ruleId":"SV-216260r958590_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit account modification.","description":"Without auditing, malicious activity cannot be detected.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"ps\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-001403"]},{"vulnId":"V-216261","ruleId":"SV-216261r958592_rule","severity":"medium","ruleTitle":"The operating system must automatically audit account disabling actions.","description":"Without auditing, malicious activity cannot be detected.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"ps\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-001404"]},{"vulnId":"V-216262","ruleId":"SV-216262r958594_rule","severity":"medium","ruleTitle":"The operating system must automatically audit account termination.","description":"Without auditing, malicious activity cannot be detected.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"ps\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-001405"]},{"vulnId":"V-216263","ruleId":"SV-216263r959010_rule","severity":"medium","ruleTitle":"The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.","description":"Without auditing, malicious activity cannot be detected.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"as\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000366"]},{"vulnId":"V-216264","ruleId":"SV-216264r959010_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit all administrative, privileged, and security actions.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"as\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000366"]},{"vulnId":"V-216265","ruleId":"SV-216265r958406_rule","severity":"low","ruleTitle":"The audit system must be configured to audit login, logout, and session initiation.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"The Audit Configuration profile is required.\n\nCheck that the audit flag for auditing login and logout is enabled.\n\nThis check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version you are currently securing.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"lo\" audit flag is not included in output, this is a finding.\n\n# pfexec auditconfig -getnaflags | grep active | cut -f2 -d=\n\nIf \"na\" and \"lo\" audit flags are not included in output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa\" or if the \"ft,lo,ap,ss,as,ua,pe\" audit flag(s) are not included in output, this is a finding.\n\n# pfexec auditconfig -t -getnaflags | cut -f2 -d=\n\nIf \"na\" and \"lo\" audit flags are not included in output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n# pfexec auditconfig -setnaflags lo,na\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n# pfexec auditconfig -setnaflags lo,na\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000067"]},{"vulnId":"V-216268","ruleId":"SV-216268r959010_rule","severity":"low","ruleTitle":"The audit system must be configured to audit failed attempts to access files and programs.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"The Audit Configuration profile is required.\n\nCheck that the audit flag for auditing file access is enabled.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version you are currently securing.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"-fa\" and \"-ps\" audit flags are not displayed, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"-fa\", \"-ex\", and \"-ps\" audit flags are not displayed, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000366"]},{"vulnId":"V-216269","ruleId":"SV-216269r958440_rule","severity":"low","ruleTitle":"The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.","description":"Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood of an individual being able to deny performing an action.\n\nSolaris has supported rsyslog since version 11.1 and the differences between syslog and rsyslog are numerous. Solaris 11.4 installs rsyslog by default, but previous versions require a manual installation. When establishing a rsyslog server to forward to, it is important to consider the network requirements for this action.  
Note the following configuration options:\nThere are three ways to forward messages: the traditional UDP transport, which is extremely lossy but standard; the plain TCP-based transport, which loses messages only in certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP  *.* @remotesystemname\nTCP  *.* @@remotesystemname\nRELP  *.* :omrelp:remotesystemname:2514\nPlease note that a port number was given because there is no standard port for RELP.","checkContent":"Audit Configuration rights profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck that the syslog audit plugin is enabled.\n\n# pfexec auditconfig -getplugin | grep audit_syslog\n\nIf \"inactive\" appears, this is a finding.\n\nDetermine which system-log service instance is online.\n\n# pfexec svcs system-log\n\nCheck that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:\n\n# grep audit.notice /etc/syslog.conf\nor\n# grep @@ /etc/rsyslog.conf\n\nIf \naudit.notice @remotesystemname , audit.notice !remotesystemname (syslog configuration)\nor\n*.* @@remotesystemname (rsyslog configuration)\npoints to an invalid remote system or is commented out, this is a finding.\n\nIf no output is produced, this is a finding.\n\nCheck the remote syslog host to ensure that audit records can be found for this host.","fixText":"Service Management, Audit Configuration and Audit Control rights profile is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nConfigure Solaris 11 to use the syslog audit plugin\n\n# pfexec auditconfig -setplugin audit_syslog active \n\nDetermine which system-log service instance is online.\n\n# pfexec svcs system-log\n\nIf the default system-log service is online:\n\n# pfedit /etc/syslog.conf \n\nAdd the line:\n\naudit.notice @[remotesystemname]\nor\naudit.notice ![remotesystemname]\n\nReplacing the remote system name with the correct hostname.\n\nIf the rsyslog service is online, modify the /etc/rsyslog.conf file.\n\n# pfedit /etc/rsyslog.conf\n\nAdd the line:\n\n*.* @@[remotesystemname]\nOr \n*.* :omrelp:[remotesystemname]:[designatedportnumber]\n\nReplacing the remote system name with the correct hostname.\n\nCreate the log file on the remote system\n\n# touch /var/adm/auditlog\n\nRefresh the syslog service\n\n# pfexec svcadm refresh system/system-log:default\n\nor\n\n# pfexec svcadm refresh system/system-log:rsyslog\n\nRefresh the audit service\n\n# pfexec audit -s","ccis":["CCI-000166"]},{"vulnId":"V-216270","ruleId":"SV-216270r959010_rule","severity":"low","ruleTitle":"The auditing system must not define a different auditing level for specific users.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nFor each user on the system (not including root), check to see if special auditing flag configurations are set.\n\n# userattr audit_flags [username]\n\nIf any flags are returned, this is a finding.","fixText":"The root role is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor each user on the system, remove all special audit configuration flags.\n\n# usermod -K audit_flags= [username]","ccis":["CCI-000366"]},{"vulnId":"V-216273","ruleId":"SV-216273r958424_rule","severity":"high","ruleTitle":"The operating system must alert designated organizational officials in the event of an audit processing failure.","description":"Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe root role is required.\n\nVerify the presence of an audit_warn entry in /etc/mail/aliases.\n# /usr/lib/sendmail -bv audit_warn\nIf the response is:\naudit_warn... User unknown\n\nthis is a finding.\n\nReview the output of the command and verify that the audit_warn alias notifies the appropriate users in this form:\n\naudit_warn:user1,user2\n\nIf an appropriate user is not listed, this is a finding.","fixText":"The root role is required. \n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nAdd an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).\n\n# pfedit /etc/mail/aliases\n\nInsert a line in the form:\naudit_warn:user1,user2\n\nPut the updated aliases file into service.\n# newaliases","ccis":["CCI-000139"]},{"vulnId":"V-216276","ruleId":"SV-216276r1038966_rule","severity":"medium","ruleTitle":"The operating system must shut down by default upon audit failure (unless availability is an overriding concern).","description":"Continuing to operate a system without auditing working properly can result in undocumented access or system changes.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\n# pfexec auditconfig -getpolicy | grep ahlt\n\nIf the output does not include \"ahlt\" as an active audit policy, this is a finding.\n\n# pfexec auditconfig -getpolicy | grep active | grep cnt\n\nIf the output includes \"cnt\" as an active audit policy, this is a finding.","fixText":"The Audit Configuration profile is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nSet audit policy to halt and suspend on failure.\n\n# pfexec auditconfig -setpolicy +ahlt\n# pfexec auditconfig -setpolicy -cnt","ccis":["CCI-000140"]},{"vulnId":"V-216277","ruleId":"SV-216277r958434_rule","severity":"medium","ruleTitle":"The operating system must protect audit information from unauthorized access.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. \n\nTo ensure the veracity of audit data, the operating system must protect audit information from unauthorized access.\n\nSatisfies: SRG-OS-000057, SRG-OS-000058, SRG-OS-000059","checkContent":"The root role is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck that the directory storing the audit files is owned by root and has permissions 750 or less.\n\nNote: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.\n\nDetermine the location of the audit trail files\n# pfexec auditconfig -getplugin audit_binfile\n\nThe output will appear in this form:\n\nPlugin: audit_binfile (active)\nAttributes: p_dir=/var/audit;p_fsize=0;p_minfree=1\n\nThe p_dir attribute defines the location of the audit directory.\n# ls -ld /var/share/audit\n\nCheck the audit directory is owned by root, group is root, and permissions are 750 (rwx r-- ---) or less. If the permissions are excessive, this is a finding.","fixText":"Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.\n\nThe root role is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDetermine the location of the audit trail files:\n# pfexec auditconfig -getplugin audit_binfile\n\nThe output will appear in this form:\n\nPlugin: audit_binfile (active)\nAttributes: p_dir=/var/audit;p_fsize=0;p_minfree=1\n\nThe p_dir attribute defines the location of the audit directory.\n\n# chown root [directory]\n# chgrp root [directory]\n# chmod 750 [directory]","ccis":["CCI-000162","CCI-000163"]},{"vulnId":"V-216280","ruleId":"SV-216280r959010_rule","severity":"medium","ruleTitle":"The System packages must be up to date with the most recent vendor updates and security fixes.","description":"Failure to install security updates can provide openings for attack.","checkContent":"The Software Installation Profile is required.\n\nAn up-to-date Solaris repository must be accessible to the system. Enter the command:\n\n# pkg publisher\n\nto determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured.\n\nCheck for Solaris software package updates:\n\n# pfexec pkg update -n\n\nIf the command does not report \"No updates available for this image,\" this is a finding.","fixText":"The Software Installation Profile is required.\n\nAn up-to-date Solaris repository must be accessible to the system. Enter the command:\n\n# pkg publisher\n\nto determine the current repository publisher. 
If a repository is not accessible, it may need to be locally installed and configured.\n\nUpdate system packages to the current version.\n\n# pfexec pkg update\n\nA reboot may be required for the updates to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-216282","ruleId":"SV-216282r958610_rule","severity":"medium","ruleTitle":"The operating system must protect audit tools from unauthorized access.","description":"Failure to maintain system configurations may result in privilege escalation.","checkContent":"The Software Installation Profile is required.\n\nDetermine what the signature policy is for pkg publishers:\n\n# pkg property | grep signature-policy\n\nCheck that output produces:\n\nsignature-policy verify\n\nIf the output does not confirm that signature-policy verify is active, this is a finding.\n\nCheck that package permissions are configured and signed per vendor requirements.\n\n# pkg verify\n\nIf the command produces any output unrelated to STIG changes, this is a finding.\n\nThere is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. 
These can be ignored.","fixText":"The Software Installation Profile is required.\n\nConfigure the package system to ensure that digital signatures are verified.\n\n# pfexec pkg set-property signature-policy verify\n\nCheck that package permissions are configured per vendor requirements.\n\n# pfexec pkg verify\n\nIf any errors are reported unrelated to STIG changes, use:\n\n# pfexec pkg fix\n\nto bring configuration settings and permissions into factory compliance.","ccis":["CCI-001493"]},{"vulnId":"V-216283","ruleId":"SV-216283r958612_rule","severity":"medium","ruleTitle":"The operating system must protect audit tools from unauthorized modification.","description":"Failure to maintain system configurations may result in privilege escalation.","checkContent":"The Software Installation Profile is required.\n\nDetermine what the signature policy is for pkg publishers:\n\n# pkg property | grep signature-policy\n\nCheck that output produces:\n\nsignature-policy verify\n\nIf the output does not confirm that signature-policy verify is active, this is a finding.\n\nCheck that package permissions are configured and signed per vendor requirements.\n\n# pkg verify\n\nIf the command produces any output unrelated to STIG changes, this is a finding.\n\nThere is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. 
These can be ignored.","fixText":"The Software Installation Profile is required.\n\nConfigure the package system to ensure that digital signatures are verified.\n\n# pfexec pkg set-property signature-policy verify\n\nCheck that package permissions are configured per vendor requirements.\n\n# pfexec pkg verify\n\nIf any errors are reported unrelated to STIG changes, use:\n\n# pfexec pkg fix\n\nto bring configuration settings and permissions into factory compliance.","ccis":["CCI-001494"]},{"vulnId":"V-216284","ruleId":"SV-216284r958614_rule","severity":"medium","ruleTitle":"The operating system must protect audit tools from unauthorized deletion.","description":"Failure to maintain system configurations may result in privilege escalation.","checkContent":"The Software Installation Profile is required.\n\nDetermine what the signature policy is for pkg publishers:\n\n# pkg property | grep signature-policy\n\nCheck that output produces:\n\nsignature-policy verify\n\nIf the output does not confirm that signature-policy verify is active, this is a finding.\n\nCheck that package permissions are configured and signed per vendor requirements.\n\n# pkg verify\n\nIf the command produces any output unrelated to STIG changes, this is a finding.\n\nThere is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. 
These can be ignored.","fixText":"The Software Installation Profile is required.\n\nConfigure the package system to ensure that digital signatures are verified.\n\n# pfexec pkg set-property signature-policy verify\n\nCheck that package permissions are configured per vendor requirements.\n\n# pfexec pkg verify\n\nIf any errors are reported unrelated to STIG changes, use:\n\n# pfexec pkg fix\n\nto bring configuration settings and permissions into factory compliance.","ccis":["CCI-001495"]},{"vulnId":"V-216285","ruleId":"SV-216285r958634_rule","severity":"medium","ruleTitle":"System packages must be configured with the vendor-provided files, permissions, and ownerships.","description":"Failure to maintain system configurations may result in privilege escalation.","checkContent":"The Software Installation Profile is required.\n\nDetermine what the signature policy is for pkg publishers:\n\n# pkg property | grep signature-policy\n\nCheck that output produces:\n\nsignature-policy verify\n\nIf the output does not confirm that signature-policy verify is active, this is a finding.\n\nCheck that package permissions are configured and signed per vendor requirements.\n\n# pkg verify\n\nIf the command produces any output unrelated to STIG changes, this is a finding.\n\nThere is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. 
These can be ignored.","fixText":"The Software Installation Profile is required.\n\nConfigure the package system to ensure that digital signatures are verified.\n\n# pfexec pkg set-property signature-policy verify\n\nCheck that package permissions are configured per vendor requirements.\n\n# pfexec pkg verify\n\nIf any errors are reported unrelated to STIG changes, use:\n\n# pfexec pkg fix\n\nto bring configuration settings and permissions into factory compliance.","ccis":["CCI-001496"]},{"vulnId":"V-216286","ruleId":"SV-216286r959010_rule","severity":"low","ruleTitle":"The finger daemon package must not be installed.","description":"Finger is an insecure protocol.","checkContent":"Determine if the finger package is installed.\n\n# pkg list service/network/finger\n\nIf an installed package named service/network/finger is listed, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall service/network/finger","ccis":["CCI-000366"]},{"vulnId":"V-216287","ruleId":"SV-216287r959010_rule","severity":"medium","ruleTitle":"The legacy remote network access utilities daemons must not be installed.","description":"Legacy remote access utilities allow remote control of a system without proper authentication.","checkContent":"Determine if the legacy remote access package is installed.\n\n# pkg list service/network/legacy-remote-utilities\n\nIf an installed package named service/network/legacy-remote-utilities is listed, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall service/network/legacy-remote-utilities","ccis":["CCI-000366"]},{"vulnId":"V-216288","ruleId":"SV-216288r959010_rule","severity":"high","ruleTitle":"The NIS package must not be installed.","description":"NIS is an insecure protocol.","checkContent":"Determine if the NIS package is installed.\n\n# pkg list service/network/nis\n\nIf an installed package named \"service/network/nis\" is listed, this is a 
finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall service/network/nis","ccis":["CCI-000366"]},{"vulnId":"V-216289","ruleId":"SV-216289r959010_rule","severity":"low","ruleTitle":"The pidgin IM client package must not be installed.","description":"Instant messaging is an insecure protocol.","checkContent":"Determine if the pidgin package is installed.\n\n# pkg list communication/im/pidgin\n\nIf an installed package named communication/im/pidgin is listed, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall communication/im/pidgin","ccis":["CCI-000366"]},{"vulnId":"V-216290","ruleId":"SV-216290r959010_rule","severity":"high","ruleTitle":"The FTP daemon must not be installed unless required.","description":"FTP is an insecure protocol.","checkContent":"Determine if the FTP package is installed.\n\n# pkg list service/network/ftp\n\nIf an installed package named \"service/network/ftp\" is listed and not required for operations, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall service/network/ftp","ccis":["CCI-000366"]},{"vulnId":"V-216291","ruleId":"SV-216291r959010_rule","severity":"high","ruleTitle":"The TFTP service daemon must not be installed unless required.","description":"TFTP is an insecure protocol.","checkContent":"Determine if the TFTP package is installed.\n\n# pkg list service/network/tftp\n\nIf an installed package named \"/service/network/tftp\" is listed and not required for operations, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall install/installadm\n# pfexec pkg uninstall service/network/tftp","ccis":["CCI-000366"]},{"vulnId":"V-216292","ruleId":"SV-216292r959010_rule","severity":"high","ruleTitle":"The telnet service daemon must not be installed unless required.","description":"Telnet is an insecure protocol.","checkContent":"Determine if the 
telnet daemon package is installed.\n\n# pkg list service/network/telnet\n\nIf an installed package named \"service/network/telnet\" is listed and vntsd is not in use for LDoms, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall service/network/telnet","ccis":["CCI-000366"]},{"vulnId":"V-216293","ruleId":"SV-216293r959010_rule","severity":"low","ruleTitle":"The UUCP service daemon must not be installed unless required.","description":"UUCP is an insecure protocol.","checkContent":"Determine if the UUCP package is installed.\n\n# pkg list /service/network/uucp\n\nIf an installed package named \"/service/network/uucp\" is listed, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall /service/network/uucp","ccis":["CCI-000366"]},{"vulnId":"V-216294","ruleId":"SV-216294r959010_rule","severity":"medium","ruleTitle":"The rpcbind service must be configured for local only services unless organizationally defined.","description":"The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using remote procedure calls (RPCs).  The organization may define and document the limited use of services (for example NFS) that may use these services with approval from their Authorizing Official.","checkContent":"Check the status of the rpcbind service local_only property.\n# svcprop -p config/local_only network/rpc/bind\n\nIf the state is not \"true\", this is a finding, unless it is required for system operations, then this is not a finding.","fixText":"The Service Management profile is required.\n\nIf services such as portmap or rpcbind are required for system operations, the operator must document the services used and obtain approval from their Authorizing Official. 
They should also document the method(s) of blocking all other remote accesses through tools like a firewall or tcp_wrappers.\nOtherwise, configure the rpc/bind service for local only access. \n\n# svccfg -s network/rpc/bind setprop config/local_only=true","ccis":["CCI-000366"]},{"vulnId":"V-216295","ruleId":"SV-216295r959010_rule","severity":"medium","ruleTitle":"The VNC server package must not be installed unless required.","description":"The VNC service uses weak authentication capabilities and provides the user complete graphical system access.","checkContent":"Determine if the VNC server package is installed.\n\n# pkg list x11/server/xvnc\n\nIf an installed package named \"x11/server/xvnc\" is listed, this is a finding.","fixText":"The Software Installation Profile is required.\n\n# pfexec pkg uninstall x11/server/xvnc","ccis":["CCI-000366"]},{"vulnId":"V-216297","ruleId":"SV-216297r958478_rule","severity":"medium","ruleTitle":"The operating system must be configured to provide essential capabilities.","description":"Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.","checkContent":"Identify the packages installed on the system. 
\n\n# pkg list\n\nAny unauthorized software packages listed in the output are a finding.","fixText":"The Software Installation profile is required.\n\nIdentify packages installed on the system:\n\n# pkg list\n\nUninstall unauthorized packages:\n\n# pfexec pkg uninstall [package name]","ccis":["CCI-000381"]},{"vulnId":"V-216299","ruleId":"SV-216299r959010_rule","severity":"medium","ruleTitle":"All run control scripts must have mode 0755 or less permissive.","description":"If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.","checkContent":"Check run control script modes.\n\n# ls -lL /etc/rc* /etc/init.d /lib/svc/method\n\nIf any run control script has a mode more permissive than 0755, this is a finding.","fixText":"Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. 
If they are world writable, use the chmod command to correct the vulnerability and to research why.\n\nProcedure: \n\n# chmod go-w <startupfile>","ccis":["CCI-000366"]},{"vulnId":"V-216300","ruleId":"SV-216300r959010_rule","severity":"medium","ruleTitle":"All run control scripts must have no extended ACLs.","description":"If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.","checkContent":"Verify run control scripts have no extended ACLs.\n\n# ls -lL /etc/rc* /etc/init.d\n\nIf the permissions include a \"+\", the file has an extended ACL and this is a finding.","fixText":"Remove the extended ACL from the file.\n\n# chmod A- [run control script with extended ACL]","ccis":["CCI-000366"]},{"vulnId":"V-216301","ruleId":"SV-216301r959010_rule","severity":"medium","ruleTitle":"Run control scripts executable search paths must contain only authorized paths.","description":"The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.","checkContent":"Verify run control scripts' executable search paths. \n\nProcedure: \n\n# find /etc/rc* /etc/init.d /lib/svc/method -type f -print | xargs grep -i PATH\n\nThis variable is formatted as a colon-separated list of directories.\n\nIf there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. 
\n\nIf an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.","fixText":"Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO.\n  \nEdit the run control script and remove any empty path entries from the file.","ccis":["CCI-000366"]},{"vulnId":"V-216302","ruleId":"SV-216302r959010_rule","severity":"medium","ruleTitle":"Run control scripts library search paths must contain only authorized paths.","description":"The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.","checkContent":"Verify run control scripts' library search paths. \n\n# find /etc/rc* /etc/init.d -type f -print | xargs grep LD_LIBRARY_PATH\n\nThis variable is formatted as a colon-separated list of directories.\n\nIf there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. \n\nIf an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.","fixText":"Edit the run control script and remove the relative path entries from the library search path variables that have not been documented with the ISSO. 
\n\nEdit the run control script and remove any empty path entries from the file.","ccis":["CCI-000366"]},{"vulnId":"V-216303","ruleId":"SV-216303r959010_rule","severity":"medium","ruleTitle":"Run control scripts lists of preloaded libraries must contain only authorized paths.","description":"The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries to the current working directory that have not been authorized, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with a slash (/) are absolute paths.","checkContent":"Verify run control scripts' library preload list. \n\nProcedure:\n\n# find /etc/rc* /etc/init.d -type f -print | xargs grep LD_PRELOAD\n\nThis variable is formatted as a colon-separated list of paths.\n\nIf there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. \n\nIf an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.","fixText":"Edit the run control script and remove the relative path entries from the library preload variables that have not been documented with the ISSO.   
\n\nEdit the run control script and remove any empty path entries from the file.","ccis":["CCI-000366"]},{"vulnId":"V-216304","ruleId":"SV-216304r959010_rule","severity":"medium","ruleTitle":"Run control scripts must not execute world writable programs or scripts.","description":"World writable files could be modified accidentally or maliciously to compromise system integrity.","checkContent":"Check the permissions on the files or scripts executed from system startup scripts to see if they are world writable.\n\nCreate a list of all potential run command level scripts.\n\n# ls -l /etc/init.d/* /etc/rc* | tr '\\011' ' ' | tr -s ' ' | cut -f 9,9 -d \" \"\n\nCreate a list of world writable files.\n\n# find / -perm -002 -type f >> WorldWritableFileList\n\nDetermine if any of the world writable files in \"WorldWritableFileList\" are called from the run command level scripts.\n\nNote: Depending upon the number of scripts vs. world writable files, it may be easier to inspect the scripts manually.\n\n# more `ls -l /etc/init.d/* /etc/rc* | tr '\\011' ' ' | tr -s ' ' | cut -f 9,9 -d \" \"`\n\nIf any system startup script executes any file or script that is world writable, this is a finding.","fixText":"Remove the world writable permission from programs or scripts executed by run control scripts.\n\nProcedure:\n\n# chmod o-w <program or script executed from run control script>","ccis":["CCI-000366"]},{"vulnId":"V-216305","ruleId":"SV-216305r959010_rule","severity":"medium","ruleTitle":"All system start-up files must be owned by root.","description":"System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes.  
This could lead to system and network compromise.","checkContent":"Check run control scripts' ownership.\n\n# ls -lL /etc/rc* /etc/init.d\n\nIf any run control script is not owned by root, this is a finding.","fixText":"Change the ownership of the run control script(s) with incorrect ownership.\n\n# chown root <run control script>","ccis":["CCI-000366"]},{"vulnId":"V-216306","ruleId":"SV-216306r959010_rule","severity":"medium","ruleTitle":"All system start-up files must be group-owned by root, sys, or bin.","description":"If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.","checkContent":"Check run control scripts' group ownership.\n\nProcedure:\n# ls -lL /etc/rc* /etc/init.d\n\nIf any run control script is not group-owned by root, sys, or bin, this is a finding.","fixText":"Change the group ownership of the run control script(s) with incorrect group ownership.\n\nProcedure:\n\n# chgrp root <run control script>","ccis":["CCI-000366"]},{"vulnId":"V-216307","ruleId":"SV-216307r959010_rule","severity":"medium","ruleTitle":"System start-up files must only execute programs owned by a privileged UID or an application.","description":"System start-up files executing programs owned by other than root (or another privileged user) or an application indicates the system may have been compromised.","checkContent":"Determine the programs executed by system start-up files.  Determine the ownership of the executed programs. 
\n\n# cat /etc/rc* /etc/init.d/* | more\n\nCheck the ownership of every program executed by the system start-up files.\n\n# ls -l <executed program>\n\nIf any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.","fixText":"Change the ownership of the file executed from system startup scripts to root, bin, or sys.\n\n# chown root <executed file>","ccis":["CCI-000366"]},{"vulnId":"V-216308","ruleId":"SV-216308r959010_rule","severity":"medium","ruleTitle":"Any X Windows host must write .Xauthority files.","description":".Xauthority files ensure the user is authorized to access the specific X Windows host. If .Xauthority files are not used, it may be possible to obtain unauthorized access to the X Windows host.","checkContent":"If X Display Manager (XDM) is not used on the system, this is not applicable.\n\nDetermine if XDM is running.\nProcedure:\n# ps -ef | grep xdm\n\nCheck for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X.\n\nProcedure:\n# cd ~someuser\n# ls -la .Xauthority\n\nIf the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.","fixText":"Ensure the X Windows host is configured to write .Xauthority files into user home directories. \n\nEdit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.","ccis":["CCI-000297","CCI-000366"]},{"vulnId":"V-216309","ruleId":"SV-216309r959010_rule","severity":"medium","ruleTitle":"All .Xauthority files must have mode 0600 or less permissive.","description":".Xauthority files ensure the user is authorized to access the specific X Windows host. 
Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.","checkContent":"If X Display Manager (XDM) is not used on the system, this is not applicable.\n\nDetermine if XDM is running. \n\nProcedure:\n# ps -ef | grep xdm\n\nCheck the file permissions for the .Xauthority files in the home directories of users of X.\n\nProcedure:\n# cd ~<X user>\n# ls -lL .Xauthority\n\nIf the file mode is more permissive than 0600, this is a finding.","fixText":"Change the mode of the .Xauthority files.\n\nProcedure:\n# chmod 0600 .Xauthority","ccis":["CCI-000366","CCI-000225"]},{"vulnId":"V-216310","ruleId":"SV-216310r959010_rule","severity":"medium","ruleTitle":"The .Xauthority files must not have extended ACLs.","description":".Xauthority files ensure the user is authorized to access the specific X Windows host. Extended ACLs may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.","checkContent":"If X Display Manager (XDM) is not used on the system, this is not applicable.\n\nDetermine if XDM is running. \n\nProcedure:\n# ps -ef | grep xdm\n\nCheck the file permissions for the .Xauthority files. \n# ls -lL .Xauthority\n\nIf the permissions include a \"+\", the file has an extended ACL and this is a finding.","fixText":"Remove the extended ACL from the file.\n\n# chmod A- .Xauthority","ccis":["CCI-000225","CCI-000366"]},{"vulnId":"V-216311","ruleId":"SV-216311r959010_rule","severity":"high","ruleTitle":"X displays must not be exported to the world.","description":"Open X displays allow an attacker to capture keystrokes and to execute commands remotely. 
Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.","checkContent":"If X Windows is not used on the system, this is not applicable.\n\nCheck the output of the xhost command from an X terminal.\n\nProcedure:\n$ xhost\nIf the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.\n\nNOTE: It may be necessary to define the display if the command reports it cannot open the display. \n\nProcedure:\n$ DISPLAY=MachineName:0.0; export DISPLAY\nMachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.","fixText":"If using xhost-type authentication, the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.","ccis":["CCI-000225","CCI-000366"]},{"vulnId":"V-216312","ruleId":"SV-216312r959010_rule","severity":"medium","ruleTitle":".Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.","description":"If access to the X server is not restricted, a user's X session may be compromised.","checkContent":"If X Display Manager (XDM) is not used on the system, this is not applicable.\n\nDetermine if XDM is running. \n\nProcedure:\n# ps -ef | grep xdm\n\nDetermine if xauth is being used. \n\nProcedure:\n# xauth \nxauth> list\n\nIf the above command sequence does not show any host other than the localhost, then xauth is not being used.\n\nSearch the system for X*.hosts files, where * is a display number that may be used to limit X window connections. 
\n\nIf no files are found, X*.hosts files are not being used. \n\nIf the X*.hosts files contain any unauthorized hosts, this is a finding.\n\nIf both xauth and X*.hosts files are not being used, this is a finding.","fixText":"Create an X*.hosts file, where * is a display number that may be used to limit X window connections. \n\nAdd the list of authorized X clients to the file.","ccis":["CCI-000297","CCI-000366"]},{"vulnId":"V-216313","ruleId":"SV-216313r959010_rule","severity":"medium","ruleTitle":"The .Xauthority utility must only permit access to authorized hosts.","description":"If unauthorized clients are permitted access to the X server, a user's X session may be compromised.","checkContent":"If X Display Manager (XDM) is not used on the system, this is not applicable.\n\nDetermine if XDM is running. \n\nProcedure:\n# ps -ef | grep xdm\n\nCheck the X Window system access is limited to authorized clients. \n\nProcedure:\n# xauth \nxauth> list\n\nAsk the SA if the clients listed are authorized. \n\nIf any are not, this is a finding.","fixText":"Remove unauthorized clients from the xauth configuration.\n\nProcedure:\n# xauth remove <display name>","ccis":["CCI-000366","CCI-000225"]},{"vulnId":"V-216314","ruleId":"SV-216314r959010_rule","severity":"medium","ruleTitle":"X Window System connections that are not required must be disabled.","description":"If unauthorized clients are permitted access to the X server, a user's X session may be compromised.","checkContent":"Determine if the X Window system is running.\n\nProcedure:\n# ps -ef |grep X\n\nAsk the SA if the X Window system is an operational requirement. If it is not, this is a finding.","fixText":"Disable the X Windows server on the system.","ccis":["CCI-000366"]},{"vulnId":"V-216315","ruleId":"SV-216315r959010_rule","severity":"medium","ruleTitle":"The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. 
If graphical login access for the console is required, the service must be in local-only mode.","description":"Externally accessible graphical desktop software may open the system to remote attacks.","checkContent":"Determine if the X11 server system is providing remote services on the network.\n\n# svcprop -p options/tcp_listen svc:/application/x11/x11-server\n\nIf the output of the command is \"true\" and network access to graphical user login is not required, this is a finding.","fixText":"The System Administrator profile is required:\n\nConfigure the X11 server for local system only graphics access.\n\n# pfexec svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen=false","ccis":["CCI-000366"]},{"vulnId":"V-216316","ruleId":"SV-216316r959010_rule","severity":"low","ruleTitle":"Generic Security Services (GSS) must be disabled.","description":"This service should be disabled if it is not required.","checkContent":"Determine the status of the Generic Security Services.\n\n# svcs -Ho state svc:/network/rpc/gss\n\nIf the GSS service is reported as online, this is a finding.","fixText":"The Service Management profile is required:\n\nDisable the GSS service.\n\n# pfexec svcadm disable svc:/network/rpc/gss","ccis":["CCI-000366"]},{"vulnId":"V-216317","ruleId":"SV-216317r959010_rule","severity":"low","ruleTitle":"Systems services that are not required must be disabled.","description":"Services that are enabled but not required by the mission may provide excessive access or additional attack vectors to penetrate the system.","checkContent":"Determine all of the systems services that are enabled on the system.\n\n# svcs -a | grep online\n\nDocument all enabled services and disable any that are not required.","fixText":"The Service Management profile is required:\n\nDisable any other service not required. 
\n\n# pfexec svcadm disable [service name]","ccis":["CCI-000366"]},{"vulnId":"V-216318","ruleId":"SV-216318r959010_rule","severity":"medium","ruleTitle":"TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.","description":"TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.","checkContent":"Check that TCP Wrappers are enabled and the hosts.deny and hosts.allow files exist.\n\n# inetadm -p | grep tcp_wrappers\n\nIf the output of this command is \"tcp_wrappers=FALSE\", this is a finding.\n\n# ls /etc/hosts.deny\n/etc/hosts.deny\n# ls /etc/hosts.allow\n/etc/hosts.allow\n\nIf these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.","fixText":"The root role is required.\n\nTo enable TCP Wrappers, run the following commands:\n\n1. Create and customize your policy in /etc/hosts.allow:\n# echo \"ALL: [net]/[mask], [net]/[mask], ...\" > /etc/hosts.allow \n\nwhere each [net]/[mask] combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system.\n\n2. Create a default deny policy in /etc/hosts.deny: \n\n# echo \"ALL: ALL\" >/etc/hosts.deny\n\n3. Enable TCP Wrappers for all services started by inetd:\n\n# inetadm -M tcp_wrappers=TRUE\n\nThe versions of SunSSH (0.5.11) and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists.\n\nOpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. 
\n\nSunSSH is removed starting with Solaris 11.4.","ccis":["CCI-000366"]},{"vulnId":"V-216321","ruleId":"SV-216321r1038967_rule","severity":"medium","ruleTitle":"User passwords must be changed at least every 60 days.","description":"Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.\n\nSolaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allows the /etc/default/passwd configuration file to enforce a password change every 60 days.","checkContent":"The root role is required.\n\nDetermine if user passwords are properly configured to be changed every 60 days.\n\nDetermine the OS version to be secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n\n# logins -ox |awk -F: '( $1 != \"root\" && $8 != \"LK\" && $8 != \"NL\" && ( $11 > 56 || $11 < 1 )) { print }'\n\nIf output is returned and the listed account is accessed via direct logon, this is a finding.\n\nCheck that /etc/default/passwd is configured to enforce password expiration every eight weeks or less.\n\n# grep \"^MAXWEEKS=\" /etc/default/passwd \n\nIf the command does not report MAXWEEKS=8 or less, this is a finding.\n\nFor Solaris 11.4 or newer:\n\n# logins -ox |awk -F: '( $1 != \"root\" && $8 != \"LK\" && $8 != \"NL\" && ( $11 > 60 || $11 < 1 )) { print }'\n\nIf output is returned and the listed account is accessed via direct logon, this is a finding.\n\nCheck that /etc/default/passwd is configured to enforce password expiration every 60 days or less.\nNote: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.\n\n# grep \"^MAXDAYS=\" /etc/default/passwd \n\nIf the command does not report MAXDAYS=60 or less, this is a 
finding.\n\n# grep \"^MAXWEEKS=\" /etc/default/passwd \n\nIf output is returned, this is a finding.","fixText":"The User Security role is required.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n\nChange each username to enforce 56 day password changes.\n\n# pfexec passwd -x 56 [username]\n\n# pfedit /etc/default/passwd \n\nSearch for MAXWEEKS. Change the line to read:\n\nMAXWEEKS=8\n\nFor Solaris 11.4 or newer:\n\nChange each username to enforce 60 day password changes.\n\n# pfexec passwd -x 60 [username]\n\n# pfedit /etc/default/passwd \nNote: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.\n\nSearch for MAXDAYS. Change the line to read:\n\nMAXDAYS=60\n\nSearch for MAXWEEKS. Change the line to read:\n\n#MAXWEEKS=","ccis":["CCI-004066","CCI-000199"]},{"vulnId":"V-216322","ruleId":"SV-216322r958364_rule","severity":"low","ruleTitle":"The operating system must automatically terminate temporary accounts within 72 hours.","description":"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. \n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. \n\nIf temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nWhen temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists.\n\nTo address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after 72 hours. 
Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.","checkContent":"The root role is required.\n\nDetermine if an expiration date is set for temporary accounts.\n\n# logins -aox |awk -F: '($14 == \"0\") {print}'\n\nThis command produces a list of accounts with no expiration date set. If any of these accounts are temporary accounts, this is a finding.\n\n# logins -aox |awk -F: '($14 != \"0\") {print}'\n\nThis command produces a list of accounts with an expiration date set as defined in the last field. If any accounts have a date that is not within 72 hours, this is a finding.","fixText":"The User Security role is required.\n\nApply an expiration date to temporary users.\n\n# pfexec usermod -e \"[date]\" [username]\n\nEnter the date in the form mm/dd/yyyy such that it is within 72 hours.","ccis":["CCI-000016"]},{"vulnId":"V-216323","ruleId":"SV-216323r1016269_rule","severity":"medium","ruleTitle":"The operating system must enforce minimum password lifetime restrictions.","description":"Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse.\n\nSolaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day.","checkContent":"The root role is required.\n\nCheck whether the minimum time period between password changes for each user account is 1 day or greater. 
\n\nDetermine the OS version to be secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n\n# logins -ox |awk -F: '( $1 != \"root\" && $8 != \"LK\" && $8 != \"NL\" && $10 < 1 ) { print }'\n\nIf output is returned and the listed account is accessed via direct logon, this is a finding.\n\nCheck that /etc/default/passwd is configured for a minimum password change time of one week.\n\n# grep \"^MINWEEKS=\" /etc/default/passwd \n\nIf the command does not report MINWEEKS=1 or more, this is a finding.\n\nFor Solaris 11.4 or newer:\n\n# logins -ox |awk -F: '( $1 != \"root\" && $8 != \"LK\" && $8 != \"NL\" && $10 < 1 ) { print }'\n\nIf output is returned and the listed account is accessed via direct logon, this is a finding.\n\nCheck that /etc/default/passwd is configured for a minimum password change time of 1 day.\nNote: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.\n\n# grep \"^MINDAYS=\" /etc/default/passwd \n\nIf the command does not report MINDAYS=1 or more, this is a finding.\n\n# grep \"^MINWEEKS=\" /etc/default/passwd \n\nIf output is returned, this is a finding.","fixText":"The root role is required.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n\n# pfedit /etc/default/passwd\n\nLocate the line containing:\n\nMINWEEKS\n\nChange the line to read: \n\nMINWEEKS=1\n\nSet the per-user minimum password change times by using the following command on each user account. \n\n# passwd -n [number of days] [accountname]\n\nFor Solaris 11.4 or newer:\n\n# pfedit /etc/default/passwd\nNote: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.\n\nSearch for MINDAYS. Change the line to read: \n\nMINDAYS=1\n\nSearch for MINWEEKS. Change the line to read: \n\n#MINWEEKS=\n\nSet the per-user minimum password change times by using the following command on each user account. 
\n\n# passwd -n [number of days] [accountname]","ccis":["CCI-004066","CCI-000198"]},{"vulnId":"V-216324","ruleId":"SV-216324r1016270_rule","severity":"medium","ruleTitle":"User passwords must be at least 15 characters in length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. \n\nPassword length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Check the system password length setting.\n\n# grep ^PASSLENGTH /etc/default/passwd\n\nIf PASSLENGTH is not set to 15 or more, this is a finding.","fixText":"The root role is required.\n\n# pfedit /etc/default/passwd \n\nLocate the line containing:\n\nPASSLENGTH\n\nChange the line to read:\n\nPASSLENGTH=15","ccis":["CCI-004066","CCI-000205"]},{"vulnId":"V-216326","ruleId":"SV-216326r1016271_rule","severity":"medium","ruleTitle":"The system must require at least eight characters be changed between the old and new passwords during a password change.","description":"To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.","checkContent":"Check /etc/default/passwd to verify the MINDIFF setting.\n\n# grep ^MINDIFF /etc/default/passwd\n\nIf the setting is not present, or is less than 8, this is a finding.","fixText":"The root role is required.\n\n# pfedit /etc/default/passwd \n\nSearch for MINDIFF. 
Change the line to read:\n\nMINDIFF=8","ccis":["CCI-004066","CCI-000195"]},{"vulnId":"V-216327","ruleId":"SV-216327r1016272_rule","severity":"medium","ruleTitle":"The system must require passwords to contain at least one uppercase alphabetic character.","description":"Complex passwords can reduce the likelihood of success of automated password-guessing attacks.","checkContent":"Check the MINUPPER setting.\n\n# grep ^MINUPPER /etc/default/passwd\n\nIf MINUPPER is not set to 1 or more, this is a finding.","fixText":"The root role is required.\n# pfedit /etc/default/passwd \n\nLocate the line containing:\n\nMINUPPER\n\nChange the line to read:\n\nMINUPPER=1","ccis":["CCI-004066","CCI-000192"]},{"vulnId":"V-216328","ruleId":"SV-216328r1016273_rule","severity":"medium","ruleTitle":"The operating system must enforce password complexity requiring that at least one lowercase character is used.","description":"Complex passwords can reduce the likelihood of success of automated password-guessing attacks.","checkContent":"Check the MINLOWER setting.\n\n# grep ^MINLOWER /etc/default/passwd\n\nIf MINLOWER is not set to 1 or more, this is a finding.","fixText":"The root role is required.\n# pfedit /etc/default/passwd \n\nLocate the line containing:\n\nMINLOWER\n\nChange the line to read:\n\nMINLOWER=1","ccis":["CCI-004066","CCI-000193"]},{"vulnId":"V-216329","ruleId":"SV-216329r1016274_rule","severity":"medium","ruleTitle":"The system must require passwords to contain at least one numeric character.","description":"Complex passwords can reduce the likelihood of success of automated password-guessing attacks.","checkContent":"Check the MINDIGIT setting.\n\n# grep ^MINDIGIT /etc/default/passwd\n\nIf the MINDIGIT setting is less than 1, this is a finding.","fixText":"The root role is required.\n# pfedit /etc/default/passwd \n\nLocate the line containing: \n\nMINDIGIT\n\nChange the line to 
read:\n\nMINDIGIT=1","ccis":["CCI-004066","CCI-000194"]},{"vulnId":"V-216330","ruleId":"SV-216330r1016275_rule","severity":"medium","ruleTitle":"The system must require passwords to contain at least one special character.","description":"Complex passwords can reduce the likelihood of success of automated password-guessing attacks.","checkContent":"Check the MINSPECIAL setting.\n\n# grep ^MINSPECIAL /etc/default/passwd\n\nIf the MINSPECIAL setting is less than 1, this is a finding.","fixText":"The root role is required.\n# pfedit /etc/default/passwd\n\nLocate the line containing: \n\nMINSPECIAL\n\nChange the line to read:\n\nMINSPECIAL=1","ccis":["CCI-004066","CCI-001619"]},{"vulnId":"V-216331","ruleId":"SV-216331r959010_rule","severity":"low","ruleTitle":"The system must require passwords to contain no more than three consecutive repeating characters.","description":"Complex passwords can reduce the likelihood of success of automated password-guessing attacks.","checkContent":"Check the MAXREPEATS setting.\n\n# grep ^MAXREPEATS /etc/default/passwd\n\nIf the MAXREPEATS setting is greater than 3, this is a finding.","fixText":"The root role is required.\n# pfedit /etc/default/passwd \n\nLocate the line containing:\n\nMAXREPEATS\n\nChange the line to read: \n\nMAXREPEATS=3","ccis":["CCI-000366"]},{"vulnId":"V-216332","ruleId":"SV-216332r959010_rule","severity":"medium","ruleTitle":"The system must not have accounts configured with blank or null passwords.","description":"Complex passwords can reduce the likelihood of success of automated password-guessing attacks.","checkContent":"The root role is required.\n\nDetermine if accounts with blank or null passwords exist.\n\n# logins -po\n\nIf any account is listed, this is a finding.","fixText":"The root role is required.\n\nRemove, lock, or configure a password for any account with a blank password.\n\n# passwd [username]\nor\nUse the passwd -l command to lock accounts that are not permitted to execute commands. 
\nor\nUse the passwd -N command to set accounts to be non-login.","ccis":["CCI-000366"]},{"vulnId":"V-216333","ruleId":"SV-216333r1016276_rule","severity":"medium","ruleTitle":"Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.","description":"Cryptographic hashes provide quick password authentication while not actually storing the password.","checkContent":"Determine which cryptographic algorithms are configured.\n\n# grep ^CRYPT /etc/security/policy.conf\n\nIf the command output does not include the lines, this is a finding.\n\nCRYPT_DEFAULT=6\nCRYPT_ALGORITHMS_ALLOW=5,6","fixText":"The root role is required.\n\nConfigure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash.\n\n# pfedit /etc/security/policy.conf\n\nCheck that the following lines exist and are not commented out:\nCRYPT_DEFAULT=6\nCRYPT_ALGORITHMS_ALLOW=5,6","ccis":["CCI-004062","CCI-000196"]},{"vulnId":"V-216334","ruleId":"SV-216334r958388_rule","severity":"medium","ruleTitle":"The system must disable accounts after three consecutive unsuccessful login attempts.","description":"Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.","checkContent":"Verify RETRIES is set in the login file.\n\n# grep ^RETRIES /etc/default/login\n\nIf the output is not RETRIES=3 or fewer, this is a finding.\n\nVerify the account locks after invalid login attempts.\n\n# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf\n\nIf the output is not LOCK_AFTER_RETRIES=YES, this is a finding.\n\nFor each user in the system, use the command:\n\n# userattr lock_after_retries [username]\n\nto determine if the user overrides the system value. 
If the output of this command is \"no\", this is a finding.","fixText":"The root role is required.\n\n# pfedit /etc/default/login\n\nChange the line:\n\n#RETRIES=5\n\nto read\n\nRETRIES=3 \n\npfedit /etc/security/policy.conf\n\nChange the line containing\n\n#LOCK_AFTER_RETRIES \n\nto read:\n\nLOCK_AFTER_RETRIES=YES\n\n\nIf a user has lock_after_retries set to \"no\", update the user's attributes using the command:\n\n# usermod -K lock_after_retries=yes [username]","ccis":["CCI-000044"]},{"vulnId":"V-216335","ruleId":"SV-216335r959010_rule","severity":"medium","ruleTitle":"The delay between login prompts following a failed login attempt must be at least 4 seconds.","description":"As an immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user.","checkContent":"Check the SLEEPTIME parameter in the /etc/default/login file.\n\n# grep ^SLEEPTIME /etc/default/login\n\nIf the output is not SLEEPTIME=4 or more, this is a finding.","fixText":"The root role is required.\n\n# pfedit the /etc/default/login \n\nLocate the line containing:\n\nSLEEPTIME\n\nChange the line to read:\n\nSLEEPTIME=4","ccis":["CCI-000366"]},{"vulnId":"V-216336","ruleId":"SV-216336r958400_rule","severity":"medium","ruleTitle":"The system must require users to re-authenticate to unlock a graphical desktop environment.","description":"Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.","checkContent":"If the system is not running XWindows, this check does not apply.\n\nDetermine if the screen saver timeout is configured properly.\n\n# grep \"^\\*timeout:\" /usr/share/X11/app-defaults/XScreenSaver\n\nIf the output is not:\n*timeout: 0:15:00\nor a shorter time interval, this is a finding.\n\n# grep \"^\\*lockTimeout:\" /usr/share/X11/app-defaults/XScreenSaver\n\nIf the output is not:\n*lockTimeout: 0:00:05\nor a 
shorter time interval, this is a finding.\n\n# grep \"^\\*lock:\" /usr/share/X11/app-defaults/XScreenSaver\n\nIf the output is not:\n*lock: True\nthis is a finding.\n\nFor each existing user, check the configuration of their personal .xscreensaver file.\n\n# grep \"^timeout:\" $HOME/.xscreensaver\n\nIf the output is not:\ntimeout: 0:15:00\nor a shorter time interval, this is a finding.\n\n# grep \"^lockTimeout:\" $HOME/.xscreensaver\n\nIf the output is not:\nlockTimeout: 0:00:05\nor a shorter time interval, this is a finding.\n\n# grep \"^lock:\" $HOME/.xscreensaver\n\nIf the output is not:\nlock: True\nthis is a finding.","fixText":"The root role is required.\n\nEdit the global screensaver configuration file to ensure a 15-minute screen lock.\n\n# pfedit /usr/share/X11/app-defaults/XScreenSaver\n\nFind the timeout control lines and change them to read:\n\n*timeout: 0:15:00\n*lockTimeout: 0:00:05\n*lock: True\n\nFor each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values.\n\n# pfedit $HOME/.xscreensaver\n\nFind the timeout control lines and change them to read:\n\ntimeout: 0:15:00\nlockTimeout: 0:00:05\nlock: True","ccis":["CCI-000056"]},{"vulnId":"V-216337","ruleId":"SV-216337r958402_rule","severity":"medium","ruleTitle":"Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.","description":"Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.","checkContent":"If the system is not running XWindows, this check does not apply.\n\nDetermine if the screen saver timeout is configured properly.\n\n# grep \"^\\*timeout:\" /usr/share/X11/app-defaults/XScreenSaver\n\nIf the output is not:\n*timeout: 0:15:00\nthis is a finding.\n\n# grep \"^\\*lockTimeout:\" /usr/share/X11/app-defaults/XScreenSaver\n\nIf the output is not:\n*lockTimeout: 0:00:05\nthis is a finding.\n\n# grep \"^\\*lock:\" 
/usr/share/X11/app-defaults/XScreenSaver\n\nIf the output is not:\n*lock: True\nthis is a finding.\n\nFor each existing user, check the configuration of their personal .xscreensaver file.\n\n# grep \"^lock:\" $HOME/.xscreensaver\n\nIf the output is not:\nlock: True\nthis is a finding.\n\n# grep \"^lockTimeout:\" $HOME/.xscreensaver\n\nIf the output is not:\nlockTimeout: 0:00:05\nthis is a finding.","fixText":"The root role is required.\n\nEdit the global screensaver configuration file to ensure a 15-minute screen lock.\n\n# pfedit /usr/share/X11/app-defaults/XScreenSaver\n\nFind the timeout control lines and change them to read:\n\n*timeout: 0:15:00\n*lockTimeout: 0:00:05\n*lock: True\n\nFor each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values.\n\n# pfedit $HOME/.xscreensaver\n\nFind the timeout control lines and change them to read:\n\ntimeout: 0:15:00\nlockTimeout: 0:00:05\nlock: True","ccis":["CCI-000057"]},{"vulnId":"V-216338","ruleId":"SV-216338r959010_rule","severity":"medium","ruleTitle":"The system must prevent the use of dictionary words for passwords.","description":"The use of common words in passwords simplifies password-cracking attacks.","checkContent":"Check /etc/default/passwd for dictionary check configuration.\n\n# grep ^DICTION /etc/default/passwd\n\nIf the DICTIONLIST or DICTIONDBDIR settings are not present or are not set to:\n\nDICTIONLIST=/usr/share/lib/dict/words\nDICTIONDBDIR=/var/passwd\n\nthis is a finding.\n\nDetermine if the target files exist.\n\n# ls -l /usr/share/lib/dict/words /var/passwd\n\nIf the files defined by DICTIONLIST or DICTIONDBDIR are not present or are empty, this is a finding.","fixText":"The root role is required.\n\n# pfedit /etc/default/passwd\n\nInsert the lines:\n\nDICTIONLIST=/usr/share/lib/dict/words\nDICTIONDBDIR=/var/passwd\n\nGenerate the password dictionary by running the mkpwdict command.\n\n# mkpwdict -s 
/usr/share/lib/dict/words","ccis":["CCI-000366"]},{"vulnId":"V-216340","ruleId":"SV-216340r1016277_rule","severity":"medium","ruleTitle":"The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.","description":"Allowing any user to elevate their privileges can allow them excessive control of the system tools.","checkContent":"Verify the root user is configured as a role, rather than a normal user. \n\n# userattr type root\n\nIf the command does not return the word \"role\", this is a finding.\n\nVerify at least one local user has been assigned the root role.\n\n# grep '[:;]roles=root[^;]*' /etc/user_attr\n\nIf no lines are returned, or no users are permitted to assume the root role, this is a finding.","fixText":"The root role is required.\n\nConvert the root user into a role. \n\n# usermod -K type=role root\n\nAdd the root role to authorized users' logins. \n\n# usermod -R +root [username]\n\nRemove the root role from users who should not be authorized to assume it.\n\n# usermod -R -root [username]","ccis":["CCI-004045","CCI-000770"]},{"vulnId":"V-216341","ruleId":"SV-216341r959010_rule","severity":"medium","ruleTitle":"The default umask for system and users must be 077.","description":"Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.","checkContent":"The root role is required.\n\nDetermine if the default umask is configured properly.\n\n# grep -i \"^UMASK=\" /etc/default/login\n\nIf \"UMASK=077\" is not displayed, this is a finding.\n\nCheck local initialization files:\n# cut -d: -f1 /etc/passwd | xargs -n1 -iUSER sh -c \"grep umask ~USER/.*\"\n\nIf this command does not output a line indicating \"umask 077\" for each user, this is a finding.","fixText":"The root role is required.\n\nEdit local and global initialization files containing \"umask\" and change them to use 077.\n\n# pfedit /etc/default/login\n\nInsert 
the line\nUMASK=077\n\n# pfedit [user initialization file]\n\nInsert the line\numask 077","ccis":["CCI-000366"]},{"vulnId":"V-216342","ruleId":"SV-216342r959010_rule","severity":"low","ruleTitle":"The default umask for FTP users must be 077.","description":"Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.","checkContent":"The package service/network/ftp must be installed for this check.\n\n# pkg list service/network/ftp\n\nIf the output of this command is:\n\npkg list: no packages matching 'service/network/ftp' installed\n\nno further action is required.\n\nDetermine if the FTP umask is set to 077.\n\n# egrep -i \"^UMASK\" /etc/proftpd.conf | awk '{ print $2 }'\n\nIf 077 is not displayed, this is a finding.","fixText":"The root role is required.\n\n# pkg list service/network/ftp\n\nIf the output of this command is:\n\npkg list: no packages matching 'service/network/ftp' installed\n\nno further action is required. Otherwise, edit the FTP configuration file.\n\n# pfedit /etc/proftpd.conf\n\nLocate the line containing:\n\nUmask\n\nChange the line to read:\n\nUmask 077","ccis":["CCI-000366"]},{"vulnId":"V-216343","ruleId":"SV-216343r959010_rule","severity":"low","ruleTitle":"The value mesg n must be configured as the default setting for all users.","description":"The \"mesg n\" command blocks attempts to use the \"write\" or \"talk\" commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's TTY device.","checkContent":"Determine if \"mesg n\" is the default for users.\n\n# grep \"^mesg\" /etc/.login\n\n# grep \"^mesg\" /etc/profile\n\nIf either of these commands produces a line:\nmesg y\n\nthis is a finding.\n\nFor each existing user on the system, enter the command:\n\n# mesg\n\nIf the command output is:\nis y\n\nthis is a finding.","fixText":"The root role is required.\n\nEdit the default profile configuration files.\n\n# pfedit 
/etc/profile \n# pfedit /etc/.login\n\nIn each file add a new line:\n\nmesg n\n\nFor each user on the system, enter the command:\n\n# mesg n","ccis":["CCI-000366"]},{"vulnId":"V-216344","ruleId":"SV-216344r1016278_rule","severity":"medium","ruleTitle":"User accounts must be locked after 35 days of inactivity.","description":"Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise.\n\nThis policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local logon accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations.\n\nSatisfies: SRG-OS-000003, SRG-OS-000118","checkContent":"Determine whether the 35-day inactivity lock is configured properly.\n\n# useradd -D | xargs -n 1 | grep inactive |\\\nawk -F= '{ print $2 }'\n\nIf the command returns a result other than 35, this is a finding.\n\nThe root role is required for the \"logins\" command.\n\nFor each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. 
Replace [username] with an actual user name or role name.\n\n# logins -axo -l [username] | awk -F: '{ print $13 }'\n\n\nIf these commands provide output other than 35, this is a finding.","fixText":"The root role is required.\n\nPerform the following to implement the recommended state:\n\n# useradd -D -f 35\n\nTo set this policy on a user account, use the command(s):\n\n# usermod -f 35 [username]\n\nTo set this policy on a role account, use the command(s):\n\n# rolemod -f 35 [name]","ccis":["CCI-000017","CCI-003627","CCI-003628","CCI-000795"]},{"vulnId":"V-216347","ruleId":"SV-216347r959010_rule","severity":"medium","ruleTitle":"Login services for serial ports must be disabled.","description":"Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port.","checkContent":"Determine if terminal login services are disabled.\n\n# svcs -Ho state svc:/system/console-login:terma\n# svcs -Ho state svc:/system/console-login:termb\n\nIf the system/console-login services are not \"disabled\", this is a finding.","fixText":"The Service Operator profile is required.\n\nDisable serial terminal services.\n\n# pfexec svcadm disable svc:/system/console-login:terma\n# pfexec svcadm disable svc:/system/console-login:termb","ccis":["CCI-000366"]},{"vulnId":"V-216348","ruleId":"SV-216348r959010_rule","severity":"medium","ruleTitle":"Access to a domain console via telnet must be restricted to the local host.","description":"Telnet is an insecure protocol.","checkContent":"This action applies only to the control domain. 
\n\nDetermine the domain that you are currently securing.\n\n# virtinfo \nDomain role: LDoms control I/O service root\nThe current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.\n\nIf the current domain is not the control domain, this check does not apply.\n\nDetermine if vntsd is in use.\n\n# svcs vntsd\nSTATE          STIME    FMRI\nonline         Oct_08   svc:/ldoms/vntsd:default\n\nIf the state is not \"online\", this is not applicable.\n\nDetermine if a role has been created for domain console access.\n\n# cat /etc/user_attr | grep solaris.vntsd.consoles\nrolename::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role\n\nIf a role for \"vntsd.consoles\" is not established, this is a finding.","fixText":"The root role is required. This action applies only to the control domain. \n\nDetermine the domain that you are currently securing.\n\n# virtinfo \nDomain role: LDoms control I/O service root\nThe current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.\n\nIf the current domain is not the control domain, this action does not apply.\n\nCreate a password-controlled role that has the solaris.vntsd.consoles authorization, which permits access to all domain consoles.\n\n# roleadd -A solaris.vntsd.consoles [role-name]\n# passwd [role-name]\n\nAssign the new role to a user.\n# usermod -R [role-name] [username]","ccis":["CCI-000366"]},{"vulnId":"V-216349","ruleId":"SV-216349r959010_rule","severity":"medium","ruleTitle":"Access to a logical domain console must be restricted to authorized users.","description":"A logical domain is a discrete, logical grouping with its own operating system, resources, and identity within a single computer system.  Access to the logical domain console provides system-level access to the OBP of the domain.","checkContent":"The root role is required. This action applies only to the control domain. 
\n\nDetermine the domain that you are currently securing.\n\n# virtinfo \nDomain role: LDoms control I/O service root\nThe current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.\n\nIf the current domain is not the control domain, this check does not apply.\n\nDetermine if the vntsd service is online.\n\n# pfexec svcs vntsd\n\nIf the service is not \"online\", this is not applicable.\n\nCheck the status of the vntsd authorization property.\n\n# svcprop -p vntsd/authorization vntsd\n\nIf the state is not true, this is a finding.","fixText":"The root role is required. This action applies only to the control domain. \n\nDetermine the domain that you are currently securing.\n\n# virtinfo \nDomain role: LDoms control I/O service root\nThe current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.\n\nIf the current domain is not the control domain, this action does not apply.\n\nConfigure the vntsd service to require authorization.\n\n# svccfg -s vntsd setprop vntsd/authorization = true\n\nThe vntsd service must be restarted for the changes to take effect.\n\n# svcadm restart vntsd","ccis":["CCI-000366"]},{"vulnId":"V-216350","ruleId":"SV-216350r959010_rule","severity":"medium","ruleTitle":"The nobody access for RPC encryption key storage service must be disabled.","description":"If login by the user \"nobody\" is allowed for secure RPC, there is an increased risk of system compromise. 
If keyserv holds a private key for the \"nobody\" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.","checkContent":"Determine if the rpc-authdes package is installed:\n\n# pkg list solaris/legacy/security/rpc-authdes\n\nIf the output of this command is:\n\npkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed\n\nno further action is required.\n\nDetermine if \"nobody\" access for keyserv is enabled.\n\n# grep \"^ENABLE_NOBODY_KEYS=\" /etc/default/keyserv \n\nIf the output of the command is not:\n\nENABLE_NOBODY_KEYS=NO\n\nthis is a finding.","fixText":"Determine if the rpc-authdes package is installed:\n\n# pkg list solaris/legacy/security/rpc-authdes\n\nIf the output of this command is:\n\npkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed\n\nno further action is required.\n\nThe root role is required.\n\nModify the /etc/default/keyserv file.\n\n# pfedit /etc/default/keyserv\n\nLocate the line:\n\n#ENABLE_NOBODY_KEYS=YES\n\nChange it to:\n\nENABLE_NOBODY_KEYS=NO","ccis":["CCI-000366"]},{"vulnId":"V-216351","ruleId":"SV-216351r959010_rule","severity":"medium","ruleTitle":"X11 forwarding for SSH must be disabled.","description":"As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.","checkContent":"Determine if X11 Forwarding is enabled.\n\n# grep \"^X11Forwarding\" /etc/ssh/sshd_config\n\nIf the output of this command is not:\n\nX11Forwarding no\n\nthis is a finding.","fixText":"The root role is required.\n\nModify the sshd_config file.\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the line containing:\n\nX11Forwarding \n\nChange it 
to:\n\nX11Forwarding no\n\nRestart the SSH service.\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-000366"]},{"vulnId":"V-216352","ruleId":"SV-216352r1155799_rule","severity":"low","ruleTitle":"Consecutive login attempts for SSH must be limited to 3.","description":"Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks.","checkContent":"Determine if consecutive login attempts are limited to 3, and that they are logged.\n\n# grep \"^MaxAuthTries\" /etc/ssh/sshd_config\n\nIf the output of this command is not \"MaxAuthTries 6\" and \"MaxAuthTriesLog 6\" this is a finding.\n\nNote: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.","fixText":"The root role is required.\n\nModify the sshd_config file.\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the lines containing:\n\nMaxAuthTries\nMaxAuthTriesLog\n\nChange them to:\n\nMaxAuthTries 6\nMaxAuthTriesLog 6\n\nRestart the SSH service.\n\n# svcadm restart svc:/network/ssh\n\nNote: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.","ccis":["CCI-000366"]},{"vulnId":"V-216353","ruleId":"SV-216353r959010_rule","severity":"medium","ruleTitle":"The rhost-based authentication for SSH must be disabled.","description":"Setting this parameter forces users to enter a password when authenticating with SSH.","checkContent":"Determine if rhost-based authentication is enabled.\n\n# grep \"^IgnoreRhosts\" /etc/ssh/sshd_config\n\nIf the output is produced and it is not:\n\nIgnoreRhosts yes\n\nthis is a finding.\n\nIf the IgnoreRhosts line does not exist in the file, the default setting of \"Yes\" is automatically used and there is no finding.","fixText":"The root role is required.\n\nModify the sshd_config file\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the line containing:\n\nIgnoreRhosts\n\nChange it to:\n\nIgnoreRhosts yes\n\nRestart the SSH service.\n\n# svcadm restart svc:/network/ssh\n\n\nThis 
action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of \"Yes\" is automatically used, so no additional changes are needed.","ccis":["CCI-000366"]},{"vulnId":"V-216354","ruleId":"SV-216354r959010_rule","severity":"medium","ruleTitle":"Direct root account login must not be permitted for SSH access.","description":"The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user.","checkContent":"Determine if root login is disabled for the SSH service.\n\n# grep \"^PermitRootLogin\" /etc/ssh/sshd_config\n\nIf the output of this command is not:\n\nPermitRootLogin no\n\nthis is a finding.","fixText":"The root role is required.\n\nModify the sshd_config file\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the line containing:\n\nPermitRootLogin\n\nChange it to:\n\nPermitRootLogin no\n\nRestart the SSH service.\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-000366"]},{"vulnId":"V-216355","ruleId":"SV-216355r959010_rule","severity":"high","ruleTitle":"Login must not be permitted with empty/null passwords for SSH.","description":"Permitting login without a password is inherently risky.","checkContent":"Determine if empty/null passwords are allowed for the SSH service.\n\n# grep \"^PermitEmptyPasswords\" /etc/ssh/sshd_config\n\nIf the output of this command is not:\n\nPermitEmptyPasswords no\n\nthis is a finding.","fixText":"The root role is required.\n\nModify the sshd_config file\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the line containing:\n\nPermitEmptyPasswords\n\nChange it to:\n\nPermitEmptyPasswords no\n\nRestart the SSH service.\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-000366"]},{"vulnId":"V-216356","ruleId":"SV-216356r970703_rule","severity":"low","ruleTitle":"The operating system must terminate the network connection associated with a 
communications session at the end of the session or after 10 minutes of inactivity.","description":"This requirement applies to both internal and external networks. \n\nTerminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level.\n\nThe time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.","checkContent":"Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity.\n\n# grep ClientAlive /etc/ssh/sshd_config\n\nIf the output of this command is not:\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nthis is a finding.","fixText":"The root role is required.\n\nConfigure the system to disconnect SSH sessions after 10 minutes of inactivity.\n\nModify the sshd_config file:\n\n# pfedit /etc/ssh/sshd_config\n\nModify or add the lines containing:\n\nClientAliveInterval\nClientAliveCountMax \n\nChange them to:\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nRestart the SSH service:\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-001133"]},{"vulnId":"V-216357","ruleId":"SV-216357r959010_rule","severity":"medium","ruleTitle":"Host-based authentication for login-based services must be disabled.","description":"The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.","checkContent":"Note: This is the location for Solaris 11.1. 
For earlier versions, the information is in /etc/pam.conf.\n\nDetermine if host-based authentication services are enabled. The -h option suppresses the file name prefix so that commented-out entries are correctly excluded from the count.\n\n# grep -h 'pam_rhosts_auth.so.1' /etc/pam.conf /etc/pam.d/* | grep -vc '^#'\n\nIf the returned result is not 0 (zero), this is a finding.","fixText":"Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.\n\nThe root role is required.\n\n# ls -l /etc/pam.d\nto identify the various configuration files used by PAM.\n\nSearch each file for the pam_rhosts_auth.so.1 entry.\n\n# grep pam_rhosts_auth.so.1 [filename]\n\nIdentify the file with the line pam_rhosts_auth.so.1 in it.\n\n# pfedit [filename]\n\nInsert a comment character (#) at the beginning of the line containing \"pam_rhosts_auth.so.1\".","ccis":["CCI-000366"]},{"vulnId":"V-216358","ruleId":"SV-216358r959010_rule","severity":"medium","ruleTitle":"The use of FTP must be restricted.","description":"FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system such as user \"oracle\" and the account which the web server process runs under.","checkContent":"The root role is required.\n\nDetermine if the FTP server package is installed:\n\n# pkg list service/network/ftp\n\nIf the output of this command is:\n\npkg list: no packages matching 'service/network/ftp' installed\n\nno further action is required.\n\nIf the FTP server is installed, determine if FTP access is restricted.\n\n# for user in `logins -s | awk '{ print $1 }'` \\\naiuser noaccess nobody nobody4; do\ngrep -w \"${user}\" /etc/ftpd/ftpusers >/dev/null 2>&1\nif [ $? 
!= 0 ]; then\necho \"User '${user}' not in /etc/ftpd/ftpusers.\"\nfi\ndone\n\nIf output is returned, this is a finding.","fixText":"The root role is required.\n\nDetermine if the FTP server package is installed:\n\n# pkg list service/network/ftp\n\nIf the output of this command is:\n\npkg list: no packages matching 'service/network/ftp' installed\n\nno further action is required.\n\n# for user in `logins -s | awk '{ print $1 }'` \\\naiuser noaccess nobody nobody4; do\necho \"${user}\" >> /etc/ftpd/ftpusers\ndone\n# sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp\n# mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers","ccis":["CCI-000366"]},{"vulnId":"V-216359","ruleId":"SV-216359r959010_rule","severity":"high","ruleTitle":"The system must not allow autologin capabilities from the GNOME desktop.","description":"As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf.","checkContent":"Determine if autologin is enabled for the GNOME desktop.\n\n# egrep \"auth|account\" /etc/pam.d/gdm-autologin | grep -vc ^#\n\nIf the command returns other than \"0\", this is a finding.","fixText":"The root role is required.\n\nModify the /etc/pam.d/gdm-autologin file.\n\n# pfedit /etc/pam.d/gdm-autologin\n\nLocate the lines:\n\nauth required pam_unix_cred.so.1\nauth sufficient pam_allow.so.1\naccount sufficient pam_allow.so.1\n\nChange the lines to read:\n\n#auth required pam_unix_cred.so.1\n#auth sufficient pam_allow.so.1\n#account sufficient pam_allow.so.1","ccis":["CCI-000366"]},{"vulnId":"V-216360","ruleId":"SV-216360r959010_rule","severity":"medium","ruleTitle":"Unauthorized use of the at or cron capabilities must not be permitted.","description":"On many systems, only the system administrator needs the ability to schedule jobs.\n\nEven though a given user is not listed in the \"cron.allow\" file, cron jobs can still be run as that user. 
The \"cron.allow\" file only controls administrative access to the \"crontab\" command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).","checkContent":"Check that \"at\" and \"cron\" users are configured correctly.\n\n# ls /etc/cron.d/cron.deny\n\nIf cron.deny exists, this is a finding.\n\n# ls /etc/cron.d/at.deny\n\nIf at.deny exists, this is a finding.\n\n# cat /etc/cron.d/cron.allow\n\ncron.allow should have a single entry for \"root\", or the cron.allow file should be removed if using RBAC.\n\nIf any accounts other than root are listed and they are not properly documented with the IA staff, this is a finding.\n\n# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'\n\nIf the output is non-zero, this is a finding. Alternatively, the at.allow file is removed if using RBAC.","fixText":"The root role is required.\n\nModify the cron configuration files.\n\n# mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp\n# mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp\n\nSkip the remaining steps only if using the “solaris.jobs.user” RBAC role.\n\n# echo root > /etc/cron.d/cron.allow\n# cp /dev/null /etc/cron.d/at.allow\n# chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow\n# chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow","ccis":["CCI-000366"]},{"vulnId":"V-216361","ruleId":"SV-216361r959010_rule","severity":"medium","ruleTitle":"Logins to the root account must be restricted to the system console only.","description":"Use an authorized mechanism such as RBAC and the \"su\" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.","checkContent":"This check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine if root login is restricted to the console.\n\n# grep \"^CONSOLE=/dev/console\" /etc/default/login\n\nIf the output of this command is not:\n\nCONSOLE=/dev/console\n\nthis is a finding.","fixText":"The root role is required.\n\nModify the /etc/default/login file.\n\n# pfedit /etc/default/login\n\nLocate the line containing:\n\nCONSOLE\n\nChange it to read:\n\nCONSOLE=/dev/console","ccis":["CCI-000366"]},{"vulnId":"V-216362","ruleId":"SV-216362r987814_rule","severity":"low","ruleTitle":"The operating system, upon successful logon, must display to the user the date and time of the last logon (access).","description":"Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.","checkContent":"Determine if last login will be printed for SSH users.\n\n# grep PrintLastLog /etc/ssh/sshd_config\n\nIf PrintLastLog is found, not preceded with a \"#\" sign, and is set to \"no\", this is a finding.\n\nPrintLastLog should either not exist (defaulting to yes) or exist and be set to yes.","fixText":"The root role is required for this action.\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the line containing:\n\nPrintLastLog no\n\nand place a comment sign (\"# \") at the beginning of the line or delete the line:\n\n# PrintLastLog no\n\nRestart the SSH service.\n\n# pfexec svcadm restart svc:/network/ssh","ccis":["CCI-000052"]},{"vulnId":"V-216363","ruleId":"SV-216363r1016279_rule","severity":"medium","ruleTitle":"The operating system must provide the capability for users to directly initiate session lock mechanisms.","description":"A session lock is a temporary action taken when a user stops work and moves away from the 
immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. \n\nRather than be forced to wait for a period of time to expire before the user session can be locked, the operating system needs to provide users with the ability to manually invoke a session lock so users may secure their account should the need arise for them to temporarily vacate the immediate physical vicinity.","checkContent":"Determine whether the lock screen function works correctly.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\nIn the GNOME 2 desktop System >> Lock Screen.\n\nFor Solaris 11.4 or newer:\nIn the GNOME 3 desktop Status Menu (top right corner) >> Lock Icon, check that the screen locks and displays the \"password\" prompt.\n\nCheck that \"Disable Screensaver\" is not selected in the GNOME Screensaver preferences. \n\nIf the screen does not lock or the \"Disable Screensaver\" option is selected, this is a finding.","fixText":"User-initiated session lock is accessible from the GNOME graphical desktop menu GNOME 2: System >> Lock Screen.\n\nGNOME 3: Status Menu (top right corner) >> Lock Icon.\n\nHowever, the user has the option to disable screensaver lock.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\nIn the GNOME 2 desktop: System >> Preferences >> Screensaver.\n\nFor Solaris 11.4 or newer:\nIf using the default GNOME desktop: Activities >> Show Applications >> select \"Screensaver\" icon.\n\nIf using the GNOME Classic desktop: Applications >> Other >> Screensaver.\n\nEnsure that \"Mode\" is set to \"Blank Screen only\".","ccis":["CCI-000057","CCI-000058"]},{"vulnId":"V-216364","ruleId":"SV-216364r958404_rule","severity":"medium","ruleTitle":"The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.","description":"A session time-out lock is a temporary action taken when a user stops 
work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. \n\nThe session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.","checkContent":"For Solaris 11, 11.1, 11.2, and 11.3:\nIn the GNOME 2 desktop System >> Preferences >> Screensaver.\n\nFor Solaris 11.4 or newer:\nIf using the default GNOME desktop: Activities >> Show Applications >> select \"Screensaver\" icon.\n\nIf using the GNOME Classic desktop: Applications >> Other >> Screensaver. From this menu item the user can select other screens or disable the screensaver.\n\nCheck that \"Disable Screensaver\" is not selected in the Gnome Screensaver preferences. \n\nIf \"Disable Screensaver\" is selected or \"Blank Screen Only\" is not selected, this is a finding.","fixText":"For Solaris 11, 11.1, 11.2, and 11.3:\nIn the GNOME 2 desktop: System >> Preferences >> Screensaver.\n\nFor Solaris 11.4 or newer:\nIf using the default GNOME desktop: Activities >> Show Applications >> select “Screensaver” icon.\n\nIf using the GNOME Classic desktop: Applications >> Other >> Screensaver.\n\nClick on Mode's pull-down.\n\nSelect: \"Blank Screen Only\". 
\n\nEnsure that \"Blank Screen Only\" is selected.","ccis":["CCI-000060"]},{"vulnId":"V-216365","ruleId":"SV-216365r959010_rule","severity":"high","ruleTitle":"The operating system must not allow logins for users with blank passwords.","description":"If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.","checkContent":"Determine if the system is enforcing a policy that passwords are required.\n\n# grep ^PASSREQ /etc/default/login\n\nIf the command does not return:\n\nPASSREQ=YES\n\nthis is a finding.","fixText":"The root role is required.\n\nModify the /etc/default/login file.\n\n# pfedit /etc/default/login\n\nInsert the line:\n\nPASSREQ=YES","ccis":["CCI-000366"]},{"vulnId":"V-216366","ruleId":"SV-216366r959010_rule","severity":"medium","ruleTitle":"The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.","description":"This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of the system and to communicate with local resources, such as a printer or file server. The remote device, when connected by a non-remote connection, becomes an extension of the information system allowing dual communications paths, such as split-tunneling, in effect allowing unauthorized external connections into the system. 
This is a split-tunneling requirement that can be controlled via the operating system by disabling interfaces.","checkContent":"Determine if the \"RestrictOutbound\" profile is configured properly:\n\n# profiles -p RestrictOutbound info\n\nIf the output is not:\nname=RestrictOutbound\ndesc=Restrict Outbound Connections\nlimitpriv=zone,!net_access\n\nthis is a finding.\n\n\nFor users who are not allowed external network access, determine if a user is configured with the \"RestrictOutbound\" profile.\n\n# profiles -l [username]\n\nIf the output does not include:\n\n[username]:\nRestrictOutbound\n\nthis is a finding.","fixText":"The root Role is required.\n\nRemove net_access privilege from users who may be accessing the systems externally.\n\n1. Create an RBAC Profile with net_access restriction\n\n# profiles -p RestrictOutbound\nprofiles:RestrictOutbound> set desc=\"Restrict Outbound Connections\"\nprofiles:RestrictOutbound> set limitpriv=zone,!net_access\nprofiles:RestrictOutbound> exit\n\n\n2. Assign the RBAC Profile to a user\n\n# usermod -P +RestrictOutbound [username]\n\nThis prevents the user from initiating any outbound network connections.","ccis":["CCI-000366"]},{"vulnId":"V-216367","ruleId":"SV-216367r958398_rule","severity":"low","ruleTitle":"The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.","description":"Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. The organization may define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or by a combination thereof. 
\n\nThis requirement addresses concurrent sessions for a single information system account and does not address concurrent sessions by a single user via multiple accounts.","checkContent":"Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.\n\nFor each user requiring concurrent session restrictions, determine if that user is in the user.[username] project where [username] is the user's account username.\n\n# projects [username] | grep user\n\nIf the output does not include the project user.[username], this is a finding.\n\nDetermine the project membership for the user.\n\n# projects [username]\n\nIf the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding.\n\nDetermine whether the max-tasks resource control is enabled properly.\n\n# projects -l user.[username] | grep attribs\n\nIf the output does not include the text:\n\nattribs: project.max-tasks=(privileged,[MAX],deny)\n\nwhere [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.","fixText":"Identify the organizational requirements for maximum number of sessions and which users must be restricted. 
If there are no requirements to limit concurrent sessions, this item does not apply.\n\nThe Project Management profile is required.\n\nFor each user requiring concurrent session restrictions, add the user to the special user.[username] project where [username] is the user's account username where [MAX] is equal to the organizational requirement.\n\n# pfexec projadd -K 'project.max-tasks=(privileged,[MAX],deny)' user.[username]\n\nDetermine the project membership for the user.\n\n# projects [username]\n\nIf the user is a member of any projects other than default, group.[groupname], or user.[username], remove that project from the user's account.\n\nThe root role is required.\n\n# pfedit /etc/user_attr\n\nLocate the line containing the user's username. Remove any project=[projectname] entries from the fifth field.\n\n# pfedit /etc/project\n\nLocate the line containing the user's username in a project other than default, group.[groupname], or user.[username], and remove the user from the project's entry or entries from the fourth field.","ccis":["CCI-000054"]},{"vulnId":"V-216368","ruleId":"SV-216368r959010_rule","severity":"low","ruleTitle":"The system must disable directed broadcast packet forwarding.","description":"This parameter must be disabled to reduce the risk of denial of service attacks.","checkContent":"Determine if directed broadcast packet forwarding is disabled.\n\n# ipadm show-prop -p _forward_directed_broadcasts -co current ip\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable directed broadcast packet forwarding.\n\n# pfexec ipadm set-prop -p _forward_directed_broadcasts=0 ip","ccis":["CCI-000366"]},{"vulnId":"V-216369","ruleId":"SV-216369r959010_rule","severity":"low","ruleTitle":"The system must not respond to ICMP timestamp requests.","description":"By accurately determining the system's clock state, an attacker can more effectively attack certain time-based 
pseudorandom number generators (PRNGs) and the authentication systems that rely on them.","checkContent":"Determine if ICMP time stamp responses are disabled.\n\n# ipadm show-prop -p _respond_to_timestamp -co current ip\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable responses to ICMP timestamp requests.\n\n# pfexec ipadm set-prop -p _respond_to_timestamp=0 ip","ccis":["CCI-000366"]},{"vulnId":"V-216370","ruleId":"SV-216370r959010_rule","severity":"low","ruleTitle":"The system must not respond to ICMP broadcast timestamp requests.","description":"By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.","checkContent":"Determine if response to ICMP broadcast timestamp requests is disabled.\n\n# ipadm show-prop -p _respond_to_timestamp_broadcast -co current ip\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable responses to broadcast timestamp requests.\n\n# pfexec ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip","ccis":["CCI-000366"]},{"vulnId":"V-216371","ruleId":"SV-216371r959010_rule","severity":"low","ruleTitle":"The system must not respond to ICMP broadcast netmask requests.","description":"By determining the netmasks of various computers in your network, an attacker can better map your subnet structure and infer trust relationships.","checkContent":"Determine if the response to address mask broadcast is disabled.\n\n# ipadm show-prop -p _respond_to_address_mask_broadcast -co current ip\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable responses to address mask broadcast.\n\n# pfexec ipadm set-prop -p _respond_to_address_mask_broadcast=0 
ip","ccis":["CCI-000366"]},{"vulnId":"V-216372","ruleId":"SV-216372r959010_rule","severity":"medium","ruleTitle":"The system must not respond to broadcast ICMP echo requests.","description":"ICMP echo requests can be useful for reconnaissance of systems and for denial of service attacks.","checkContent":"Determine if ICMP echo requests response is disabled.\n\n# ipadm show-prop -p _respond_to_echo_broadcast -co current ip\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable respond to echo broadcast.\n\n# pfexec ipadm set-prop -p _respond_to_echo_broadcast=0 ip","ccis":["CCI-000366"]},{"vulnId":"V-216373","ruleId":"SV-216373r959010_rule","severity":"low","ruleTitle":"The system must not respond to multicast echo requests.","description":"Multicast echo requests can be useful for reconnaissance of systems and for denial of service attacks.","checkContent":"Determine if response to multicast echo requests is disabled.\n\n# ipadm show-prop -p _respond_to_echo_multicast -co current ipv4\n# ipadm show-prop -p _respond_to_echo_multicast -co current ipv6\n\n\nIf the output of all commands is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable respond to echo multi-cast for IPv4 and IPv6.\n\n# pfexec ipadm set-prop -p _respond_to_echo_multicast=0 ipv4\n# pfexec ipadm set-prop -p _respond_to_echo_multicast=0 ipv6","ccis":["CCI-000366"]},{"vulnId":"V-216374","ruleId":"SV-216374r959010_rule","severity":"low","ruleTitle":"The system must ignore ICMP redirect messages.","description":"Ignoring ICMP redirect messages reduces the likelihood of denial of service attacks.","checkContent":"Determine if ICMP redirect messages are ignored.\n\n# ipadm show-prop -p _ignore_redirect -co current ipv4\n# ipadm show-prop -p _ignore_redirect -co current ipv6\n\nIf the output of all commands is not \"1\", this is a finding.","fixText":"The Network Management profile is 
required.\n\nEnable ignoring of ICMP redirects for IPv4 and IPv6.\n\n# pfexec ipadm set-prop -p _ignore_redirect=1 ipv4\n# pfexec ipadm set-prop -p _ignore_redirect=1 ipv6","ccis":["CCI-000366"]},{"vulnId":"V-216375","ruleId":"SV-216375r959010_rule","severity":"medium","ruleTitle":"The system must set strict multihoming.","description":"These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface.\n\nThis rule is NA for documented systems that have interfaces that cross strict networking domains (for example, a firewall, a router, or a VPN node).","checkContent":"Determine if strict multihoming is configured.\n\n# ipadm show-prop -p _strict_dst_multihoming -co current ipv4\n# ipadm show-prop -p _strict_dst_multihoming -co current ipv6\n\nIf the output of all commands is not \"1\", this is a finding.","fixText":"The Network Management profile is required.\n\nEnable strict multihoming for IPv4 and IPv6.\n\n# pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv4\n# pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv6","ccis":["CCI-000366"]},{"vulnId":"V-216376","ruleId":"SV-216376r959010_rule","severity":"low","ruleTitle":"The system must disable ICMP redirect messages.","description":"A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system.","checkContent":"Determine the version of Solaris 11 in use.\n\n# cat /etc/release\n\nIf the version of Solaris is earlier than Solaris 11.2, determine if ICMP redirect messages are disabled.\n\n# ipadm show-prop -p _send_redirects -co current ipv4\n# ipadm show-prop -p _send_redirects -co current ipv6\n\nIf the output of all commands is not \"0\", this is a finding.\n\nIf the version of Solaris is Solaris 11.2 or later, determine if ICMP 
redirect messages are disabled.\n\n# ipadm show-prop -p send_redirects -co current ipv4\n# ipadm show-prop -p send_redirects -co current ipv6\n\nIf the output of all commands is not \"off\", this is a finding.","fixText":"The Network Management profile is required.\n\nIf the version of Solaris is earlier than Solaris 11.2, disable send redirects for IPv4 and IPv6.\n\n# pfexec ipadm set-prop -p _send_redirects=0 ipv4\n# pfexec ipadm set-prop -p _send_redirects=0 ipv6 \n\nIf the version of Solaris is Solaris 11.2 or later, disable send redirects for IPv4 and IPv6.\n\n# pfexec ipadm set-prop -p send_redirects=off ipv4\n# pfexec ipadm set-prop -p send_redirects=off ipv6","ccis":["CCI-000366"]},{"vulnId":"V-216377","ruleId":"SV-216377r959010_rule","severity":"low","ruleTitle":"The system must disable TCP reverse IP source routing.","description":"If enabled, reverse IP source routing would allow an attacker to more easily complete a three-way TCP handshake and spoof new connections.","checkContent":"Determine if TCP reverse IP source routing is disabled. 
\n\n# ipadm show-prop -p _rev_src_routes -co current tcp\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable reverse source routing.\n\n# pfexec ipadm set-prop -p _rev_src_routes=0 tcp","ccis":["CCI-000366"]},{"vulnId":"V-216378","ruleId":"SV-216378r959010_rule","severity":"medium","ruleTitle":"The system must set maximum number of half-open TCP connections to 4096.","description":"This setting controls how many half-open connections can exist for a TCP port.\n\nIt is necessary to control the number of completed connections to the system to provide some protection against denial of service attacks.","checkContent":"Determine if the number of half-open TCP connections is set to 4096.\n\n# ipadm show-prop -p _conn_req_max_q0 -co current tcp\n\nIf the value returned is not \"4096\", this is a finding.","fixText":"The Network Management profile is required.\n\nConfigure the maximum number of half-open TCP connections.\n\n# pfexec ipadm set-prop -p _conn_req_max_q0=4096 tcp","ccis":["CCI-000366"]},{"vulnId":"V-216379","ruleId":"SV-216379r959010_rule","severity":"low","ruleTitle":"The system must set maximum number of incoming connections to 1024.","description":"This setting controls the maximum number of incoming connections that can be accepted on a TCP port, limiting exposure to denial of service attacks.","checkContent":"Determine if the maximum number of incoming connections is set to 1024.\n\n# ipadm show-prop -p _conn_req_max_q -co current tcp\n\nIf the value returned is smaller than \"1024\", this is a finding. 
\n\nIn environments where connection numbers are high, such as a busy web server, this value may need to be increased.","fixText":"The Network Management profile is required.\n\nConfigure maximum number of incoming connections.\n\n# pfexec ipadm set-prop -p _conn_req_max_q=1024 tcp","ccis":["CCI-000366"]},{"vulnId":"V-216380","ruleId":"SV-216380r959010_rule","severity":"medium","ruleTitle":"The system must disable network routing unless required.","description":"The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.\nRouting Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses, including a lack of authentication, zoning, pruning, etc.","checkContent":"Determine if routing is disabled. \n\n# routeadm -p | egrep \"routing |forwarding\" | grep enabled\n\nIf the command output includes \"persistent=enabled\" or \"current=enabled\", this is a finding.","fixText":"The Network Management profile is required.\n\nDisable routing for IPv4 and IPv6.\n\n# pfexec routeadm -d ipv4-forwarding -d ipv4-routing\n# pfexec routeadm -d ipv6-forwarding -d ipv6-routing\n\nTo apply these changes to the running system, use the command:\n\n# pfexec routeadm -u","ccis":["CCI-000366"]},{"vulnId":"V-216381","ruleId":"SV-216381r959010_rule","severity":"low","ruleTitle":"The system must implement TCP Wrappers.","description":"TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provides logging information via syslog about both successful and unsuccessful connections.\n\nTCP Wrappers provides granular control over what services can be accessed over the network. 
Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts.","checkContent":"Determine if TCP Wrappers is configured.\n\n# inetadm -p | grep tcp_wrappers\n\nIf the output of this command is \"FALSE\", this is a finding.\n\nThe above command will check whether TCP Wrappers is enabled for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4.\n\nIndividual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to \"FALSE\". To check the status of individual inetd services, use the command:\n\n# for svc in `inetadm | awk '/svc:\\// { print $NF }'`; do\nval=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE`\nif [ ${val} -eq 1 ]; then\necho \"TCP Wrappers enabled for ${svc}\"\nfi\ndone\n\nIf the required services are not configured to use TCP Wrappers, this is a finding.\n\n# ls /etc/hosts.deny\n# ls /etc/hosts.allow\n\nIf these files are not found, this is a finding.","fixText":"The root role is required.\n\nConfigure allowed and denied hosts per organizational policy.\n\n1. Create and customize the policy in /etc/hosts.allow:\n\n# echo \"ALL: [net]/[mask] , [net]/[mask], ...\" > /etc/hosts.allow\n\nwhere each [net]/[mask] combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by the organization that requires access to this system.\n\n2. Create a default deny policy in /etc/hosts.deny:\n\n# echo \"ALL: ALL\" >/etc/hosts.deny\n\n3. 
Enable TCP Wrappers for all services started by inetd: \n\n# inetadm -M tcp_wrappers=TRUE","ccis":["CCI-000366"]},{"vulnId":"V-216387","ruleId":"SV-216387r1045450_rule","severity":"medium","ruleTitle":"The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).","description":"A firewall that relies on a deny all, permit by exception strategy requires all traffic to have explicit permission before traversing an interface on the host. The firewall must incorporate stateful packet filtering and logging.\n\nNonlocal maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending nonlocal maintenance and diagnostic communications through encrypted channels enforced via firewall configurations.\n\nSatisfies: SRG-OS-000074, SRG-OS-000096, SRG-OS-000112, SRG-OS-000113, SRG-OS-000125, SRG-OS-000250, SRG-OS-000393","checkContent":"Ensure that either the IP Filter or Packet Filter Firewall is installed correctly.\n\nDetermine the OS version to be secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, the IP Filter Management profile is required.\n\nCheck that the IP Filter firewall is enabled and configured so that only authorized sessions are allowed.\n\n# svcs ipfilter\n\nIf ipfilter is not listed with a state of online, this is a finding.\n\nThe IP Filter Management profile is required.\n\nCheck that the filters are configured properly.\n\n# ipfstat -io\n\nIf the output of this command does not include the following lines, this is a finding.\n\nblock out log all keep state keep frags\nblock in log all\nblock in log from any to 255.255.255.255/32\nblock in log from any to 127.0.0.1/32\n\nEven if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. 
Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.\n\nFor Solaris 11.3 or newer, that use Packet Filter, the Network Firewall Management rights profile is required.\n\nCheck that the Packet Filter firewall is enabled and configured so that only authorized sessions are allowed.\n# svcs firewall:default\n\nIf firewall is not listed with a state of \"online\", this is a finding.\n\nThe Network Firewall Management rights profile is required.\nCheck that the filters are configured properly.\n# pfctl -s rules\n\nIf the output of this command does not include a line to block and log all traffic as in the following line, this is a finding (does not have to be exactly like the example).\n\nblock drop log (to pflog0) all\n\nCheck that the Packet Filter firewall logging daemon is enabled.\n# svcs firewall/pflog:default\n\nIf pflog is not listed with a state of \"online\", this is a finding.","fixText":"The root role is required.\n\nFor Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, configure and enable the IP Filter policy.\n\n# pfedit /etc/ipf/ipf.conf
\n\nAdd the following lines to the file:\n\n# Do not allow all outbound traffic, keep state, and log\nblock out log all keep state keep frags\n# Block and log everything else that comes in\nblock in log all\nblock in log from any to 255.255.255.255\nblock in log from any to 127.0.0.1/32\n\nEnable ipfilter.\n\n# svcadm enable ipfilter\n\nNotify ipfilter to use the new configuration file.\n\n# ipf -Fa -f /etc/ipf/ipf.conf\n\nFor Solaris 11.3 or newer, that use Packet Filter, configure and enable the Packet Filter policy.\n# pfedit /etc/firewall/pf.conf\n\nAdd either of the following lines to the file:\n\n# Block and log all traffic on all interfaces in either direction from anywhere to anywhere\nblock log all\n     -or-\n# Drop traffic and log it to a pflog interface for more detailed inspection or analysis using tools like tcpdump\nblock drop log (to pflog0) all\n\nEnable Packet Filter.\n# svcadm enable firewall:default\nEnable Packet Filter logging daemon.\n# svcadm enable firewall/pflog:default\n\nNote: Because the default firewall rules block all network access to the system, ensure that there is still a method to access the system such as SSH or console access prior to activating the firewall rules. Operational requirements may dictate the addition of protocols such as SSH, DNS, NTP, HTTP, and HTTPS to be allowed.","ccis":["CCI-000197","CCI-000366","CCI-000877","CCI-000382","CCI-001453","CCI-001941","CCI-002890","CCI-001942"]},{"vulnId":"V-216394","ruleId":"SV-216394r959010_rule","severity":"low","ruleTitle":"The system must prevent local applications from generating source-routed packets.","description":"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.","checkContent":"Determine the OS version you are currently securing.\n# uname -v\n\nSolaris 11, 11.1, 11.2, and 11.3 use IP Filter. 
To continue checking IP Filter, the IP Filter Management profile is required.\n\nCheck the system for an IPF rule blocking outgoing source-routed packets.\n\n# ipfstat -o\n\nExamine the list for rules such as:\nblock out log quick from any to any with opt lsrr\nblock out log quick from any to any with opt ssrr\n\nIf the listed rules do not block both lsrr and ssrr options, this is a finding.\n\nFor Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required.\n\nEnsure that IP Options are not in use:\n# pfctl -s rules | grep allow-opts\n\nIf any output is returned, this is a finding.","fixText":"The root role is required.\n\n# pfedit /etc/ipf/ipf.conf\n\nFor Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, add rules to block outgoing source-routed packets, such as:\n\nblock out log quick all with opt lsrr\nblock out log quick all with opt ssrr\n\nReload the IPF rules.\n\n# ipf -Fa -A -f /etc/ipf/ipf.conf\n\nFor Solaris 11.3 or newer that use Packet Filter, remove or modify any rules that include \"allow-opts\".\n\nReload the Packet Filter rules:\n# svcadm refresh firewall:default","ccis":["CCI-000366"]},{"vulnId":"V-216395","ruleId":"SV-216395r1184793_rule","severity":"low","ruleTitle":"The operating system must display the DOD-approved system use notification message or banner before granting access to the system for general system logons.","description":"Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. 
As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.","checkContent":"Review the contents of these two files and check that the proper DOD banner message is configured.\n\n# cat /etc/motd\n# cat /etc/issue\n\nIf the DOD-approved banner text is not in the files, this is a finding.","fixText":"The root role is required.\n\nEdit the contents of these two files and ensure that the proper DOD banner message is viewable.\n\n# pfedit /etc/motd\n# pfedit /etc/issue\n\nThe DOD required text is:\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants.  Such communications and work product are private and confidential.  
See User Agreement for details.","ccis":["CCI-000048"]},{"vulnId":"V-216396","ruleId":"SV-216396r958390_rule","severity":"low","ruleTitle":"The operating system must display the DoD approved system use notification message or banner for SSH connections.","description":"Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.","checkContent":"Check SSH configuration for banner message:\n\n# grep \"^Banner\" /etc/ssh/sshd_config\n\nIf the output is not:\nBanner /etc/issue\nand /etc/issue does not contain the approved banner text, this is a finding.","fixText":"The root role is required.\n\nEdit the SSH configuration file.\n\n# pfedit /etc/ssh/sshd_config\n\nLocate the file containing:\n\nBanner\n\nChange the line to read:\n\nBanner /etc/issue\n\nEdit the /etc/issue file\n\n# pfedit /etc/issue\n\nThe DoD required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nRestart the SSH service\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-000048"]},{"vulnId":"V-216397","ruleId":"SV-216397r1184796_rule","severity":"low","ruleTitle":"The GNOME service must display the DOD-approved system use notification message or banner before granting access to the system.","description":"Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. 
As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.","checkContent":"This item does not apply if a graphic login is not configured.\n\nLog in to the Gnome Graphical interface. If the approved banner message does not appear, this is a finding.\n\n# cat /etc/issue\n\n# grep zenity /etc/gdm/Init/Default\n\nIf /etc/issue does not contain the DOD-approved banner message or /etc/gdm/Init/Default does not contain the line:\n\n/usr/bin/zenity --text-info --width=800 --height=300 \\\n--title=\"Security Message\" --filename=/etc/issue\n\nthis is a finding.","fixText":"The root role is required.\n\nIf the system does not use XWindows, this is not applicable.\n\n# pfedit /etc/issue\n\nInsert the proper DOD banner message text. The DOD required text is:\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal 
representation or services by attorneys, psychotherapists, or clergy, and their assistants.  Such communications and work product are private and confidential.  See User Agreement for details.\n# pfedit /etc/gdm/Init/Default\n\nAdd the following content before the \"exit 0\" line of the file.\n\n/usr/bin/zenity --text-info --width=800 --height=300 \\\n--title=\"Security Message\" --filename=/etc/issue","ccis":["CCI-000048","CCI-000050"]},{"vulnId":"V-216398","ruleId":"SV-216398r1184798_rule","severity":"low","ruleTitle":"The FTP service must display the DOD-approved system use notification message or banner before granting access to the system.","description":"Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.","checkContent":"Determine if the FTP server package is installed:\n\n# pkg list service/network/ftp \n\nIf the package is not installed, this check does not apply.\n\n# grep DisplayConnect /etc/proftpd.conf\n\nIf:\n\nDisplayConnect /etc/issue\n\ndoes not appear, this is a finding.\n\nIf /etc/issue does not contain the approved DOD text, this is a finding.","fixText":"The root role is required. \n\nThe package: pkg:/service/network/ftp must be installed.\n\n# pfedit /etc/issue \n\nInsert the proper DOD banner message text. The DOD required text is:\n\nYou are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants.  Such communications and work product are private and confidential.  See User Agreement for details.\n# echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf\n\n# svcadm restart ftp","ccis":["CCI-000048"]},{"vulnId":"V-216399","ruleId":"SV-216399r986416_rule","severity":"medium","ruleTitle":"The operating system must terminate all sessions and network connections when nonlocal maintenance is completed.","description":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. 
\n\nThe operating system needs to ensure all sessions and network connections are terminated when nonlocal maintenance is completed.","checkContent":"Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity.\n\n# grep ClientAlive /etc/ssh/sshd_config\n\nIf the output of this command is not the following, this is a finding.\n\nClientAliveInterval 600\nClientAliveCountMax 0","fixText":"The root role is required.\n\nConfigure the system to disconnect SSH sessions after 10 minutes of inactivity.\n\n# pfedit /etc/ssh/sshd_config\n\nInsert the two lines:\n\nClientAliveInterval 600\nClientAliveCountMax 0\n\nRestart the SSH service with the new configuration.\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-001133"]},{"vulnId":"V-216400","ruleId":"SV-216400r959010_rule","severity":"medium","ruleTitle":"The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.","description":"Manipulation of IP addresses can allow untrusted systems to appear as trusted hosts, bypassing firewall and other security mechanism and resulting in system penetration.","checkContent":"Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", then only the \"phys\" and \"SR-IOV\" interfaces assigned to the global zone require inspection. If using a non-Global zone, then all \"phys\" and \"SR-IOV\" interfaces assigned to the zone require inspection.\n\nIdentify if this system has physical interfaces. \n\n# dladm show-link -Z | grep -v vnic \nLINK                ZONE      CLASS     MTU    STATE    OVER\nnet0                global    phys      1500   unknown  --\ne1000g0             global    phys      1500   up       --\ne1000g1             global    phys      1500   up       --\nzoneD/net2          zoneD     iptun     65515  up       --\n\nIf \"phys\" appears in the third column, then the interface is physical.   
\n\nFor each physical interface, determine if the network interface is Ethernet or InfiniBand:\n\n# dladm show-phys [interface name]\nLINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE\n[name]            Ethernet             unknown    0      half      dnet0\n\nThe second column indicates either \"Ethernet\" or \"Infiniband\".\n\nFor each physical interface, determine if the host is using ip-forwarding:\n\n# ipadm show-ifprop [interface name] | grep forwarding\n[name]      forwarding      ipv4  rw   off        --         off        on,off\n[name]      forwarding      ipv6  rw   off        --         off        on,off\n\nIf \"on\" appears in the fifth column, then the interface is using ip-forwarding.\n\nFor each interface, determine if the host is using SR-IOV’s Virtual Function (VF) driver:\n\n# dladm show-phys [interface name] | grep vf\n\nIf the sixth column includes 'vf' in its name, it is using SR-IOV (ex: ixgbevf0).\n\nFor each physical and SR-IOV interface, determine if network link protection capabilities are enabled.\n\n# dladm show-linkprop -p protection\nLINK    PROPERTY    PERM   VALUE         DEFAULT   POSSIBLE\nnet0    protection  rw     mac-nospoof,  --        mac-nospoof,\n                           restricted,             restricted,\n                           ip-nospoof,             ip-nospoof,\n                           dhcp-nospoof            dhcp-nospoof\n\nIf the interface uses Infiniband and if restricted, ip-nospoof, and dhcp-nospoof do not appear in the \"VALUE\" column, this is a finding.\n\nIf the interface uses ip-forwarding and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the \"VALUE\" column, this is a finding.\n\nIf the interface uses SR-IOV and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the \"VALUE\" column, this is a finding.\n\nIf the interface uses Ethernet without IP forwarding and if mac-nospoof, restricted, ip-nospoof, and dhcp-nospoof do not appear in the \"VALUE\" 
column, this is a finding.","fixText":"Determine the name of the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", then only the \"phys\" and \"SR-IOV\" interfaces assigned to the global zone require configuration. If using a non-Global zone, then all \"phys\" and \"SR-IOV\" interfaces assigned to the zone require configuration.\n\nThe Network Link Security profile is required.\n\nDetermine which network interfaces are available and what protection modes are enabled and required.\n\nEnable link protection based on each configured network interface type.\n\nFor InfiniBand:\n# pfexec dladm set-linkprop -p protection=restricted,ip-nospoof,dhcp-nospoof [interface name]  \n\nFor IP forwarding:\n# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] \n\nFor SR-IOV:\n# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] \n\nFor Ethernet without IP forwarding:\n# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]","ccis":["CCI-000366"]},{"vulnId":"V-216401","ruleId":"SV-216401r958358_rule","severity":"medium","ruleTitle":"Wireless network adapters must be disabled.","description":"The use of wireless networking can introduce many different attack vectors into the organization’s network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. 
These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial-of-service to valid network resources.","checkContent":"This is N/A for systems that do not have wireless network adapters.\n\nVerify that there are no wireless interfaces configured on the system:\n\n# ifconfig -a\n\n\neth0      Link encap:Ethernet  HWaddr b8:ac:6f:65:31:e5  \n          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0\n          inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link\n          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1\n          RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:1000 \n          RX bytes:2159382827 (2.0 GiB)  TX bytes:1389552776 (1.2 GiB)\n          Interrupt:17 \n\nlo        Link encap:Local Loopback  \n          inet addr:127.0.0.1  Mask:255.0.0.0\n          inet6 addr: ::1/128 Scope:Host\n          UP LOOPBACK RUNNING  MTU:16436  Metric:1\n          RX packets:2849 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:0 \n          RX bytes:2778290 (2.6 MiB)  TX bytes:2778290 (2.6 MiB)\n\n\nIf a wireless interface is configured, it must be documented and approved by the local Authorizing Official.\n\nIf a wireless interface is configured and has not been documented and approved, this is a finding.","fixText":"Configure the system to disable all wireless network interfaces.","ccis":["CCI-002418","CCI-001443","CCI-001444"]},{"vulnId":"V-216402","ruleId":"SV-216402r958358_rule","severity":"medium","ruleTitle":"The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.","description":"Encryption is only as good as the 
encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. \n\nApplications utilizing encryption are required to use approved encryption modules meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance. \n\nFIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware based encryption modules.\n\nSatisfies: SRG-OS-000120, SRG-OS-000169","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe Crypto Management profile is required to execute this command.\n\nCheck to ensure that FIPS-140 encryption mode is enabled.\n\n# cryptoadm list fips-140| grep -c \"is disabled\"\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Crypto Management profile is required to execute this command.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nEnable FIPS-140 mode.\n\n# pfexec cryptoadm enable fips-140\n\nReboot the system as requested.","ccis":["CCI-000803"]},{"vulnId":"V-216410","ruleId":"SV-216410r958408_rule","severity":"medium","ruleTitle":"The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.","description":"Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. 
\n\nUsing cryptography ensures confidentiality of the remote access connections.\n\nThe system will attempt to use the first cipher presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest cipher available to secure the SSH connection.\n\nNote: SSH in Solaris 11.GA-11.3 used Sun Microsystems' proprietary SUNWssh. In Solaris 11.3 OpenSSH was offered as optional software and in Solaris 11.4 OpenSSH is the only SSH offered. Both use the same /etc/ssh/sshd_config file and both, by default, do not include the ciphers line.","checkContent":"Check the SSH daemon configuration for allowed ciphers.\n \n# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#' \nCiphers  aes256-ctr,aes192-ctr,aes128-ctr \n \nIf any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the \"Ciphers\" keyword is missing, or is commented out, this is a finding.","fixText":"The root role is required. \n\nModify the sshd_config file. \n\n# pfedit /etc/ssh/sshd_config \n\nChange or set the ciphers line to the following:\n\nciphers aes256-ctr,aes192-ctr,aes128-ctr \n\nRestart the SSH service. \n\n# svcadm restart svc:/network/ssh","ccis":["CCI-000068"]},{"vulnId":"V-216411","ruleId":"SV-216411r959010_rule","severity":"medium","ruleTitle":"The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.","description":"When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. \n\nAn organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. 
\n\nOrganizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. \n\nIn these situations, it is assumed the physical access controls where the media resides provide adequate protection. The employment of cryptography is at the discretion of the information owner/steward. \n\nWhen the organization has determined the risk warrants it, data written to portable digital media must be encrypted.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the logical node of all attached removable media:\n\n# rmformat\n\nThis command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0\n\nDetermine which zpool is mapped to the device:\n\n# zpool status\n\nDetermine the file system names of the portable digital media:\n\n# zfs list | grep [poolname]\n\nUsing the file system name, determine if the removable media is encrypted:\n\n# zfs get encryption [filesystem] \n\nIf \"encryption off\" is listed, this is a finding.","fixText":"The root role is required.\n\nFormat a removable device as a ZFS encrypted file system.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nThe ZFS File System Management and ZFS Storage management profiles are required.\n\nInsert the removable device:\n\n# rmformat\n\nThis command lists all attached removable devices. Note the device logical node name. 
For example: /dev/rdsk/c8t0d0p0\n\nCreate an encrypted zpool on this device using a poolname of your choice:\n\n# pfexec zpool create -O encryption=on [poolname] c8t0d0p0\n\nEnter a passphrase and confirm the passphrase. Keep the passphrase secure.\n\nExport the zpool before removing the media:\n\n# pfexec zpool export [poolname]\n\nIt will be necessary to enter the passphrase when inserting and importing the removable media zpool:\n\nInsert the removable media:\n\n# pfexec zpool import [poolname]\n\nOnly store data in the encrypted file system.","ccis":["CCI-000366"]},{"vulnId":"V-216413","ruleId":"SV-216413r958552_rule","severity":"low","ruleTitle":"The operating system must protect the confidentiality and integrity of information at rest.","description":"When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. \n\nAn organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. \n\nFewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. 
The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.","checkContent":"Determine if file system encryption is required by your organization. If not required, this item does not apply.\n\nDetermine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.\n\n# zfs list \n\nUsing the file system name, determine if the file system is encrypted:\n\n# zfs get encryption [filesystem] \n\nIf \"encryption off\" is listed, this is a finding.","fixText":"The ZFS file system management profile is required.\n\nZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data must be archived and the file system removed and re-created.\n\nFirst, stop running applications using the file systems, archive the data, unmount, and then remove the file system.\n\n# umount [file system name]\n# zfs destroy [file system name]\n\nWhen creating ZFS file systems, ensure that they are created as encrypted file systems.\n\n# pfexec zfs create -o encryption=on [file system name]\nEnter passphrase for '[file system name]': xxxxxxx\nEnter again: xxxxxxx\n\nStore the passphrase in a safe location. The passphrase will be required to mount the file systems upon system reboot. If automated mounting is required, the passphrase must be stored in a file.","ccis":["CCI-001199"]},{"vulnId":"V-216415","ruleId":"SV-216415r958576_rule","severity":"low","ruleTitle":"The operating system must use cryptographic mechanisms to protect the integrity of audit information.","description":"Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data.","checkContent":"The Audit Configuration and the Audit Control profiles are required.\n\nThis check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine if audit log encryption is required by your organization. If not required, this check does not apply.\n\nDetermine where the audit logs are stored and whether the file system is encrypted.\n\n# pfexec auditconfig -getplugin audit_binfile\n\nThe p_dir attribute lists the location of the audit log filesystem. \n\nThe default location for Solaris 11.1 is /var/audit. /var/audit is a link to /var/share/audit which, by default, is mounted on rpool/VARSHARE.\n\nDetermine if this is encrypted:\n\n# zfs get encryption rpool/VARSHARE\n\nIf the file system where audit logs are stored reports \"encryption off\", this is a finding.","fixText":"The ZFS File System Management and ZFS Storage Management profiles are required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nThe Audit Configuration and the Audit Control profiles are required.\n\nIf necessary, create a new ZFS pool to store the encrypted audit logs.\n\n# pfexec zpool create auditp mirror [device] [device]\n\nCreate an encryption key:\n\n# pktool genkey keystore=file outkey=/[filename] keytype=aes keylen=256\n\nCreate a new file system to store the audit logs with encryption enabled. 
Use the file name created in the previous step as the keystore.\n\n# pfexec zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///[filename] -o compression=on -o mountpoint=/audit auditp/auditf\n\nConfigure auditing to use this encrypted directory.\n\n# pfexec auditconfig -setplugin audit_binfile p_dir=/audit/\n\nRefresh the audit service for the setting to be applied:\n\n# pfexec audit -s","ccis":["CCI-001350"]},{"vulnId":"V-216417","ruleId":"SV-216417r959010_rule","severity":"medium","ruleTitle":"The sticky bit must be set on all world writable directories.","description":"Files in directories that have had the \"sticky bit\" enabled can only be deleted by users that have both write permissions for the directory in which the file resides, as well as ownership of the file or directory, or have sufficient privileges. As this prevents users from overwriting each others' files, whether it be accidental or malicious, it is generally appropriate for most world-writable directories (e.g., /tmp).","checkContent":"The root role is required.\n\nIdentify all world-writable directories without the \"sticky bit\" set.\n\n# find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs \\\n   -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \\\n   -o -fstype proc \\) -prune -o -type d \\( -perm -0002 \\\n   -a ! -perm -1000 \\) -ls\n\nOutput of this command identifies world-writable directories without the \"sticky bit\" set.  
If output is created, this is a finding.","fixText":"The root role is required.\n\nEnsure that the \"sticky bit\" is set on any directories identified during the check steps.\n\n# chmod +t [directory name]","ccis":["CCI-000366"]},{"vulnId":"V-216418","ruleId":"SV-216418r959010_rule","severity":"medium","ruleTitle":"Permissions on user home directories must be 750 or less permissive.","description":"Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.","checkContent":"The root role is required.\n\nCheck that the permissions on users' home directories are 750 or less permissive.\n\n# for dir in `logins -ox |\\\nawk -F: '($8 == \"PS\") { print $6 }'`; do\nfind ${dir} -type d -prune \\( -perm -g+w -o \\\n-perm -o+r -o -perm -o+w -o -perm -o+x \\) -ls\ndone\n\nIf output is created, this is a finding.","fixText":"The root role is required. \n\nChange the permissions on users' directories to 750 or less permissive.\n\n# chmod 750 [directory name]","ccis":["CCI-000366"]},{"vulnId":"V-216419","ruleId":"SV-216419r959010_rule","severity":"medium","ruleTitle":"Permissions on user . (hidden) files must be 750 or less permissive.","description":"Group-writable or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges.","checkContent":"The root role is required.\n\nEnsure that the permissions on user \".\" files are 750 or less permissive.\n\n# for dir in \\\n`logins -ox | awk -F: '($8 == \"PS\") { print $6 }'`; do\nfind ${dir}/.[A-Za-z0-9]* \\! -type l \\\n\\( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 \\) -ls\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required. 
\n\nChange the permissions on users' \".\" files to 750 or less permissive.\n\n# chmod 750 [file name]","ccis":["CCI-000366"]},{"vulnId":"V-216420","ruleId":"SV-216420r959010_rule","severity":"medium","ruleTitle":"Permissions on user .netrc files must be 750 or less permissive.","description":".netrc files may contain unencrypted passwords that can be used to attack other systems.","checkContent":"The root role is required.\n\nCheck that permissions on user .netrc files are 750 or less permissive.\n\n# for dir in \\\n`logins -ox | awk -F: '($8 == \"PS\") { print $6 }'`; do\nfind ${dir}/.netrc -type f \\( \\\n-perm -g+r -o -perm -g+w -o -perm -g+x -o \\\n-perm -o+r -o -perm -o+w -o -perm -o+x \\) \\\n-ls 2>/dev/null\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required. \n\nChange the permissions on users' .netrc files to 750 or less permissive.\n\n# chmod 750 [file name]","ccis":["CCI-000366"]},{"vulnId":"V-216421","ruleId":"SV-216421r959010_rule","severity":"high","ruleTitle":"There must be no user .rhosts files.","description":"Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.","checkContent":"The root role is required.\n\nCheck for the presence of .rhosts files.\n\n# for dir in \\\n`logins -ox | awk -F: '($8 == \"PS\") { print $6 }'`; do\nfind ${dir}/.rhosts -type f -ls 2>/dev/null\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nRemove any .rhosts files found.\n\n# rm [file name]","ccis":["CCI-000366"]},{"vulnId":"V-216422","ruleId":"SV-216422r959010_rule","severity":"medium","ruleTitle":"Groups assigned to users must exist in the /etc/group file.","description":"Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly managed.","checkContent":"The root role 
is required.\n\nCheck that groups are configured correctly.\n\n# logins -xo | awk -F: '($3 == \"\") { print $1 }'\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the Audit step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.","ccis":["CCI-000366"]},{"vulnId":"V-216423","ruleId":"SV-216423r959010_rule","severity":"low","ruleTitle":"Users must have a valid home directory assignment.","description":"All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory.","checkContent":"The root role is required.\n\nDetermine if each user has a valid home directory.\n\n# logins -xo | while read line; do\n     user=`echo ${line} | awk -F: '{ print $1 }'`\n     home=`echo ${line} | awk -F: '{ print $6 }'`\n     if [ -z \"${home}\" ]; then\n        echo ${user}\n     fi\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the check step. Determine if any users exist who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy. This generally means deleting the user or creating a valid home directory.","ccis":["CCI-000366"]},{"vulnId":"V-216424","ruleId":"SV-216424r959010_rule","severity":"low","ruleTitle":"All user accounts must be configured to use a home directory that exists.","description":"If the user's home directory does not exist, the user will be placed in \"/\" and will not be able to write any files or have local environment variables set.","checkContent":"The root role is required.\n\nCheck if a GUI is installed.\n\nDetermine the OS version you are currently securing:
\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pkg info gdm\n# pkg info coherence-26\n# pkg info coherence-27\n\nIf none of these packages are installed on the system, then no GUI is present.\n\nFor Solaris 11.4 or newer:\n# pkg info gdm\n\nIf gdm is not installed on the system, then no GUI is present.\n\n# pkg info uucp\n\nuucp is no longer installed by default starting in 11.4 and is deprecated. \n\nFor all versions, check that all users' home directories exist.\n\n# pwck\n\nAccounts with no home directory will output \"Login directory not found\".\n\nIf no GUI is present, then the \"gdm\" and \"upnp\" accounts should generate errors. On all systems with the uucp package installed, the \"uucp\" and \"nuucp\" accounts should generate errors.\n\nIf users' home directories do not exist, this is a finding.","fixText":"The root role is required.\n\nWork with users identified in the check step to determine the best course of action in accordance with site policy. This generally means deleting the user account or creating a valid home directory.","ccis":["CCI-000366"]},{"vulnId":"V-216425","ruleId":"SV-216425r959010_rule","severity":"medium","ruleTitle":"All home directories must be owned by the respective user assigned to it in /etc/passwd.","description":"Since the user is accountable for files stored in the user's home directory, the user must be the owner of the directory.","checkContent":"The root role is required.\n\nCheck that home directories are owned by the correct user.\n\n# export IFS=\":\"; logins -uxo | while read user uid group gid gecos home rest; do result=$(find ${home} -type d -prune \\! -user $user -print 2>/dev/null); \nif [ ! 
-z \"${result}\" ]; then \necho \"User: ${user}\\tOwner: $(ls -ld $home | awk '{ print $3 }')\";\nfi;\ndone\n\nIf any output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect the owner of any directory that does not match the password file entry for that user.\n\n# chown [user] [home directory]","ccis":["CCI-000366"]},{"vulnId":"V-216426","ruleId":"SV-216426r958482_rule","severity":"medium","ruleTitle":"Duplicate User IDs (UIDs) must not exist for users within the organization.","description":"Users within the organization must be assigned unique UIDs for accountability and to ensure appropriate access protections.","checkContent":"The root role is required.\n\nCheck that there are no duplicate UIDs.\n\n# logins -d\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nDetermine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy.\nChange user account names and UID or delete accounts, so each account has a unique name and UID.","ccis":["CCI-000764"]},{"vulnId":"V-216427","ruleId":"SV-216427r958504_rule","severity":"medium","ruleTitle":"Duplicate UIDs must not exist for multiple non-organizational users.","description":"Non-organizational users must be assigned unique UIDs for accountability and to ensure appropriate access protections.","checkContent":"The root role is required.\n\nCheck that there are no duplicate UIDs.\n\n# logins -d\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nDetermine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy.\nChange user account names and UID or delete accounts, so each account has a unique name and UID.","ccis":["CCI-000804"]},{"vulnId":"V-216428","ruleId":"SV-216428r959010_rule","severity":"medium","ruleTitle":"Duplicate Group IDs (GIDs) 
must not exist for multiple groups.","description":"User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections.","checkContent":"The root role is required.\n\nCheck that group IDs are unique.\n\n# getent group | cut -f3 -d\":\" | sort -n | uniq -c |\\\nwhile read x ; do\n[ -z \"${x}\" ] && break\nset - $x\nif [ $1 -gt 1 ]; then\ngrps=`getent group | nawk -F: '($3 == n) { print $1\n}' n=$2 | xargs`\necho \"Duplicate GID ($2): ${grps}\"\nfi\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nWork with each respective group owner to remediate this issue and ensure that the group ownership of their files is set to an appropriate value.","ccis":["CCI-000366"]},{"vulnId":"V-216429","ruleId":"SV-216429r959010_rule","severity":"medium","ruleTitle":"Reserved UIDs 0-99 must only be used by system accounts.","description":"If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.","checkContent":"The root role is required.\n\nCheck that reserved UIDs are not assigned to non-system users.\n\nDetermine the OS version you are currently securing:\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# logins -so | awk -F: '{ print $1 }' | while read user; do\nfound=0\nfor tUser in root daemon bin sys adm dladm netadm netcfg \\\nftp dhcpserv sshd smmsp gdm zfssnap aiuser \\\npolkitd ikeuser lp openldap webservd unknown \\\nuucp nuucp upnp xvm mysql postgres svctag \\\npkg5srv nobody noaccess nobody4; do\nif [ ${user} = ${tUser} ]; then\nfound=1 \nfi\ndone\nif [ $found -eq 0 ]; then\necho \"Invalid User with Reserved UID: ${user}\"\nfi\ndone\n\nIf output is produced without justification and documentation in accordance with site policy, this is a finding.\n\nFor Solaris 11.4 or newer:\n# logins -so | awk -F: '{ print $1 }' | while read user; do\nfound=0\nfor tUser in root 
daemon bin sys adm dladm netadm \\\nnetcfg dhcpserv sshd smmsp gdm zfssnap aiuser _polkitd \\\nikeuser lp openldap webservd unknown \\\nuucp nuucp upnp xvm mysql postgres svctag \\\npkg5srv nobody noaccess nobody4 _ntp; do\nif [ ${user} = ${tUser} ]; then\nfound=1\nfi\ndone\nif [ $found -eq 0 ]; then\necho \"Invalid User with Reserved UID: ${user}\"\nfi\ndone\n\nIf output is produced without justification and documentation in accordance with site policy, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the Check step. Determine if there are any accounts using these reserved UIDs, and work with their owners to determine the best course of action in accordance with site policy. This may require deleting users or changing UIDs for users.","ccis":["CCI-000366"]},{"vulnId":"V-216430","ruleId":"SV-216430r959010_rule","severity":"medium","ruleTitle":"Duplicate user names must not exist.","description":"If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in passwd.","checkContent":"The root role is required.\n\nIdentify any duplicate user names.\n\n# getent passwd | awk -F: '{print $1}' | uniq -d\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the Check step. Determine if there are any duplicate user names, and work with their respective owners to determine the best course of action in accordance with site policy. Delete or change the user name of duplicate users.","ccis":["CCI-000366"]},{"vulnId":"V-216431","ruleId":"SV-216431r959010_rule","severity":"medium","ruleTitle":"Duplicate group names must not exist.","description":"If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in group. 
Effectively, the GID is shared, which is a security risk.","checkContent":"The root role is required.\n\nCheck for duplicate group names.\n\n# getent group | cut -f1 -d\":\" | sort -n | uniq -d\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the Check step. Determine if there are any duplicate group names, and work with their respective owners to determine the best course of action in accordance with site policy. Delete or change the group name of duplicate groups.","ccis":["CCI-000366"]},{"vulnId":"V-216432","ruleId":"SV-216432r959010_rule","severity":"medium","ruleTitle":"User .netrc files must not exist.","description":"The .netrc file presents a significant security risk since it stores passwords in unencrypted form.","checkContent":"The root role is required.\n\nCheck for the presence of user .netrc files.\n\n# for dir in \\\n`logins -ox | awk -F: '($8 == \"PS\") { print $6 }'`; do\nls -l ${dir}/.netrc 2>/dev/null\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nDetermine if any .netrc files exist, and work with the owners to determine the best course of action in accordance with site policy.","ccis":["CCI-000366"]},{"vulnId":"V-216433","ruleId":"SV-216433r959010_rule","severity":"medium","ruleTitle":"The system must not allow users to configure .forward files.","description":"Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. 
The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions.","checkContent":"The root role is required.\n\nCheck for the presence of user .forward files.\n\n# for dir in \\\n`logins -ox | awk -F: '($8 == \"PS\") { print $6 }'`; do\nls -l ${dir}/.forward 2>/dev/null\ndone\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nRemove any .forward files that are found.\n\n# pfexec rm [filename]","ccis":["CCI-000366"]},{"vulnId":"V-216434","ruleId":"SV-216434r959010_rule","severity":"medium","ruleTitle":"World-writable files must not exist.","description":"Data in world-writable files can be read, modified, and potentially compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.","checkContent":"The root role is required.\n\nCheck for the existence of world-writable files.\n\n# find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs \\\n-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \\\n-o -fstype proc \\) -prune -o -type f -perm -0002 -print\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nChange the permissions of the files identified in the check step to remove the world-writable permission.\n\n# pfexec chmod o-w [filename]","ccis":["CCI-000366"]},{"vulnId":"V-216435","ruleId":"SV-216435r959010_rule","severity":"low","ruleTitle":"All valid SUID/SGID files must be documented.","description":"There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate.","checkContent":"The root role is required.\n\nIdentify all SUID and SGID files. The set-UID and set-GID tests are grouped so that the explicit -print applies to both.\n\n# find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs \\\n-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \\\n-o -fstype proc \\) -prune -o -type f \\( -perm -4000 -o \\\n-perm -2000 \\) -print\n\nOutput should only be Solaris-provided files and approved customer 
files.\n\nSolaris-provided SUID/SGID files can be listed using the command: \n\n# pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode\n\nDigital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example:\n\n# elfsign verify -e /usr/bin/su\nelfsign: verification of /usr/bin/su passed.\n\nThis message indicates that the binary is properly signed.\n\nIf non-vendor provided or non-approved files are included in the list, this is a finding.","fixText":"The root role is required.\n\nDetermine the existence of any set-UID programs that do not belong on the system, and work with the owners (or system administrator) to determine the best course of action in accordance with site policy.","ccis":["CCI-000366"]},{"vulnId":"V-216436","ruleId":"SV-216436r959010_rule","severity":"medium","ruleTitle":"The operating system must have no unowned files.","description":"A new user who is assigned a deleted user's user ID or group ID may then end up owning these files, and thus have more access on the system than was intended.","checkContent":"The root role is required.\n\nIdentify all files that are owned by a user or group not listed in /etc/passwd or /etc/group\n\n# find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs \\\n-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \\\n-o -fstype proc \\) -prune \\( -nouser -o -nogroup \\) -ls\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the Check step. Determine the existence of any files that are not attributed to current users or groups on the system, and determine the best course of action in accordance with site policy. 
Remove the files and directories or change their ownership.","ccis":["CCI-000366"]},{"vulnId":"V-216437","ruleId":"SV-216437r959010_rule","severity":"low","ruleTitle":"The operating system must have no files with extended attributes.","description":"Attackers or malicious users could hide information, exploits, etc. in extended attribute areas. Since extended attributes are rarely used, it is important to find files with extended attributes set and correct these attributes.","checkContent":"The root role is required.\n\nIdentify all files with extended attributes.\n\n# find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs \\\n-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \\\n-o -fstype proc \\) -prune -o -xattr -ls\n\nIf output is produced, this is a finding.","fixText":"The root role is required.\n\nCorrect or justify any items discovered in the Check step. Determine the existence of any files having extended file attributes, and determine the best course of action in accordance with site policy.\n\nRemove the files or the extended attributes.","ccis":["CCI-000366"]},{"vulnId":"V-216438","ruleId":"SV-216438r959010_rule","severity":"medium","ruleTitle":"The root account must be the only account with GID of 0.","description":"All accounts with a GID of 0 have root group privileges and must be limited to the group account only.","checkContent":"Identify any users with GID of 0.\n\n# awk -F: '$4 == 0' /etc/passwd\n# awk -F: '$3 == 0' /etc/group\n\nConfirm the only account with a group id of 0 is root.\n\nIf the root account is not the only account with GID of 0, this is a finding.","fixText":"The root role is required.\n\nChange the default GID of non-root accounts to a valid GID other than 0.","ccis":["CCI-000366"]},{"vulnId":"V-216439","ruleId":"SV-216439r958566_rule","severity":"low","ruleTitle":"The operating system must reveal error messages only to authorized personnel.","description":"Proper file permissions and ownership ensure that only designated 
personnel in the organization can access error messages.","checkContent":"Check the permissions of the /var/adm/messages file:\n# ls -l /var/adm/messages\n\nCheck the permissions of the /var/adm directory:\n# ls -ld /var/adm\n\nIf the owner and group of /var/adm/messages is not root and the permissions are not 640, this is a finding.\n\nIf the owner of /var/adm is not root, group is not sys, and the permissions are not 750, this is a finding.","fixText":"The root role is required.\n\nChange the permissions and owner on the /var/adm/messages file:\n\n# chmod 640 /var/adm/messages\n# chown root /var/adm/messages\n# chgrp root /var/adm/messages\n\nChange the permissions and owner on the /var/adm directory:\n\n# chmod 750 /var/adm\n# chown root /var/adm\n# chgrp sys /var/adm","ccis":["CCI-001314"]},{"vulnId":"V-216441","ruleId":"SV-216441r959010_rule","severity":"medium","ruleTitle":"The operator must document all file system objects that have non-standard access control list settings.","description":"Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files.","checkContent":"The root role is required.\n\nIdentify all file system objects that have non-standard access control lists enabled.\n\n# find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs \\\n-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \\\n-o -fstype proc \\) -prune -o -acl -ls\n\nThis command should return no output. 
If output is created, this is a finding.\n\nIf the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.","fixText":"The root role is required.\n\nRemove ACLs that are not approved in the security policy.\n\nFor ZFS file systems, remove all extended ACLs with the following command:\n\n# chmod A- [filename]\n\nFor UFS file systems\n\nDetermine the ACLs that are set on a file:\n\n# getfacl [filename]\n\nRemove any ACL configurations that are set:\n\n# setfacl -d [ACL] [filename]","ccis":["CCI-000366"]},{"vulnId":"V-216442","ruleId":"SV-216442r1155800_rule","severity":"high","ruleTitle":"The operating system must be a supported release.","description":"An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRelease\t\tReleased\t\tPremier Support\t\tExtended Support\n11\t\t09 Nov 2011\t\tNA\t\t\t\t\tNA\n11.1\t\t03 Oct 2012\t\tNA\t\t\t\t\tNA\n11.2\t\t29 Apr 2014\t\tNA\t\t\t\t\tNA\n11.3\t\t26 Oct 2015\t\t01 Jan 2021\t\t\t01 Jan 2027\n11.4\t\t28 Aug 2018\t\t01 Nov 2031\t\t\t01 Nov 2037","checkContent":"Determine the operating system version.\n\n# uname -a\n\nIf the release is not supported by the vendor, this is a finding.","fixText":"Upgrade to a supported version of the operating system.","ccis":["CCI-000366"]},{"vulnId":"V-216443","ruleId":"SV-216443r959010_rule","severity":"medium","ruleTitle":"The system must implement non-executable program stacks.","description":"A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. 
One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.","checkContent":"Determine the OS version you are currently securing.\n\n# uname -v\n\nIf the OS version is 11.3 or newer, this check applies to all zones and relies on the \"sxadm\" command. Determine if the system implements non-executable program stacks.\n\n# sxadm status -p nxstack | cut -d: -f2\nenabled.all\n\nIf the command output is not \"enabled.all\", this is a finding.\n\nFor Solaris 11, 11.1, and 11.2, this check applies to the global zone only and the \"/etc/system\" file is inspected. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", determine if the system implements non-executable program stacks. \n\n# grep noexec_user_stack /etc/system\n\nIf the noexec_user_stack is not set to 1, this is a finding.","fixText":"The root role is required.\n\nDetermine the OS version you are currently securing.\n\n# uname -v\n\nIf the OS version is 11.3 or newer, enable non-executable program stacks using the \"sxadm\" command.\n\n# pfexec sxadm enable nxstack\n\nFor Solaris 11, 11.1, and 11.2, this action applies to the global zone only and the \"/etc/system\" file is updated. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", modify the \"/etc/system\" file.\n\n# pfedit /etc/system \n\nAdd the line:\n\nset noexec_user_stack=1\n\nSolaris 11, 11.1, and 11.2 systems will need to be restarted for the setting to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-216444","ruleId":"SV-216444r959010_rule","severity":"low","ruleTitle":"Address Space Layout Randomization (ASLR) must be enabled.","description":"Modification of memory area can result in executable code vulnerabilities. ASLR can reduce the likelihood of these attacks. 
ASLR activates the randomization of key areas of the process such as stack, brk-based heap, memory mappings, and so forth.","checkContent":"This check applies to the global zone only. \n\nDetermine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine if address space layout randomization is enabled.\n\nDetermine the OS version you are currently securing:\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# sxadm info -p | grep aslr | grep enabled\n\nFor Solaris 11.4 or newer:\n# sxadm status -p -o status aslr | grep enabled \n\nIf no output is produced, this is a finding.","fixText":"The root role is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nEnable address space layout randomization.\n\n# sxadm delcust aslr\n\nEnabling ASLR may affect the function or stability of some applications, including those that use Solaris Intimate Shared Memory features.","ccis":["CCI-000366"]},{"vulnId":"V-216445","ruleId":"SV-216445r959010_rule","severity":"medium","ruleTitle":"Process core dumps must be disabled unless needed.","description":"Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which may result in denial of service. 
Process core dumps can be useful for software debugging.","checkContent":"Check the process core dump configuration.\n# coreadm | grep enabled\n\nIf any lines are returned by coreadm other than \"logging\", this is a finding.","fixText":"The Maintenance and Repair profile is required.\n\nChange the process core dump configuration to disable core dumps globally and on a per process basis.\n\n# coreadm -d global\n# coreadm -d process\n# coreadm -d global-setid\n# coreadm -d proc-setid\n# coreadm -e log","ccis":["CCI-000366"]},{"vulnId":"V-216446","ruleId":"SV-216446r959010_rule","severity":"medium","ruleTitle":"The system must be configured to store any process core dumps in a specific, centralized directory.","description":"Specifying a centralized location for core file creation allows for the centralized protection of core files. Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If process core dump creation is not configured to use a centralized directory, core dumps may be created in a directory that does not have appropriate ownership or permissions configured, which could result in unauthorized access to the core dumps.","checkContent":"Check the defined directory for process core dumps:\n\n# coreadm | grep \"global core file pattern\"\n\nIf the parameter is not set, or is not an absolute path (does not start with a slash [/]), this is a finding.","fixText":"The root role is required.\n\nSet the core file directory and file pattern.\n\n# coreadm -g /var/share/cores/core.%f.%p","ccis":["CCI-000366"]},{"vulnId":"V-216447","ruleId":"SV-216447r959010_rule","severity":"medium","ruleTitle":"The centralized process core dump data directory must be owned by root.","description":"Process core dumps contain the memory in use by the process when it crashed. 
Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centralized process core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.","checkContent":"Check the defined directory for process core dumps.\n# coreadm | grep \"global core file pattern\"\n\nCheck the ownership of the directory.\n# ls -lLd [core file directory]\n\nIf the directory is not owned by root, this is a finding.","fixText":"The root role is required.\n\nChange the owner of the core file directory.\n\n# chown root [core file directory]","ccis":["CCI-000366"]},{"vulnId":"V-216448","ruleId":"SV-216448r959010_rule","severity":"medium","ruleTitle":"The centralized process core dump data directory must be group-owned by root, bin, or sys.","description":"Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centralized process core dump data directory is not group-owned by a system group, the core dumps contained in the directory may be subject to unauthorized access.","checkContent":"Check the defined directory for process core dumps.\n# coreadm | grep \"global core file pattern\"\n\nCheck the group ownership of the directory.\n# ls -lLd [core file directory]\n\nIf the directory is not group-owned by root, bin, or sys, this is a finding.","fixText":"The root role is required.\n\nChange the group-owner of the core file directory to root, bin, or sys.\n\nExample: # chgrp root [core file directory]","ccis":["CCI-000366"]},{"vulnId":"V-216449","ruleId":"SV-216449r959010_rule","severity":"medium","ruleTitle":"The centralized process core dump data directory must have mode 0700 or less permissive.","description":"Process core dumps contain the memory in use by the process when it crashed. 
Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the process core dump data directory has a mode more permissive than 0700, unauthorized users may be able to view or to modify sensitive information contained in any process core dumps in the directory.","checkContent":"Check the defined directory for process core dumps.\n# coreadm | grep \"global core file pattern\"\n\nCheck the permissions of the directory.\n\n# ls -lLd [core file directory]\n\nIf the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.","fixText":"The root role is required.\n\nChange the mode of the core file directory. \n\n# chmod 0700 [core file directory]","ccis":["CCI-000366"]},{"vulnId":"V-216450","ruleId":"SV-216450r959010_rule","severity":"medium","ruleTitle":"Kernel core dumps must be disabled unless needed.","description":"Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.","checkContent":"The root role is required.\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\n\nVerify savecore is not used.\n\n# dumpadm | grep 'Savecore enabled' \n\nIf the value is yes, this is a finding.","fixText":"The root role is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDisable savecore.\n\n# dumpadm -n","ccis":["CCI-000366"]},{"vulnId":"V-216451","ruleId":"SV-216451r959010_rule","severity":"medium","ruleTitle":"The kernel core dump data directory must be owned by root.","description":"Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.","checkContent":"The root role is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the location of the system dump directory.\n\n# dumpadm | grep directory\n\nCheck the ownership of the kernel core dump data directory.\n# ls -ld [savecore directory]\n\nIf the kernel core dump data directory is not owned by root, this is a finding. \n\nIn Solaris 11, /var/crash is linked to /var/share/crash.","fixText":"The root role is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDetermine the location of the system dump directory.\n\n# dumpadm | grep directory\n\nChange the owner of the kernel core dump data directory to root.\n\n# chown root [savecore directory]\n\nIn Solaris 11, /var/crash is linked to /var/share/crash.","ccis":["CCI-000366"]},{"vulnId":"V-216452","ruleId":"SV-216452r959010_rule","severity":"medium","ruleTitle":"The kernel core dump data directory must be group-owned by root.","description":"Kernel core dumps may contain the full contents of system memory at the time of the crash. 
As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not group-owned by a system group, the core dumps contained in the directory may be subject to unauthorized access.","checkContent":"The root role is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the location of the system dump directory.\n\n# dumpadm | grep directory\n\nCheck ownership of the core dump data directory.\n\n# ls -l [savecore directory]\n\nIf the directory is not group-owned by root, this is a finding.\n\nIn Solaris 11, /var/crash is linked to /var/share/crash.","fixText":"The root role is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDetermine the location of the system dump directory.\n\n# dumpadm | grep directory\n\nChange the group-owner of the kernel core dump data directory. \n\n# chgrp root [kernel core dump data directory]\n\nIn Solaris 11, /var/crash is linked to /var/share/crash.","ccis":["CCI-000366"]},{"vulnId":"V-216453","ruleId":"SV-216453r959010_rule","severity":"medium","ruleTitle":"The kernel core dump data directory must have mode 0700 or less permissive.","description":"Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the mode of the kernel core dump data directory is more permissive than 0700, unauthorized users may be able to view or to modify kernel core dump data files.","checkContent":"The root role is required.\n\nThis check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the location of the system dump directory.\n\n# dumpadm | grep directory\n\nCheck the permissions of the kernel core dump data directory.\n\n# ls -ld [savecore directory]\n\nIf the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.","fixText":"The root role is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDetermine the location of the system dump directory.\n\n# dumpadm | grep directory\n\nChange the mode of the kernel core dump data directory.\n\n# chmod 0700 [savecore directory]","ccis":["CCI-000366"]},{"vulnId":"V-216454","ruleId":"SV-216454r959010_rule","severity":"low","ruleTitle":"The system must require passwords to change the boot device settings. (SPARC)","description":"Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy).","checkContent":"This check applies only to SPARC-based systems.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine if the EEPROM security mode on SPARC-based systems is configured correctly.\n\n# eeprom security-mode\n\nIf the output of this command is not \"security-mode=command\", this is a finding.","fixText":"The root role is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\n# eeprom security-mode=command\n\n\nAfter entering the command above, the administrator will be prompted for a password. 
This password will be required to authorize any future command issued at boot-level on the system (the ok or > prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended).\n\nWrite down the password and store it in a secure location.","ccis":["CCI-000366"]},{"vulnId":"V-216455","ruleId":"SV-216455r959010_rule","severity":"medium","ruleTitle":"The operating system must implement transaction recovery for transaction-based systems.","description":"Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. \n\nTransaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery.\n\nWhile this is typically a database function, operating systems could be transactional in nature with respect to file processing.","checkContent":"Solaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance.\n\nDetermine if any UFS file systems are mounted with the \"nologging\" option.\n\n# mount|grep nologging\n\nIf any file systems are listed, this is a finding.","fixText":"The root role is required.\n\nSolaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance.\n\nIf any UFS file systems are mounted with the \"nologging\" options, remove that option from the /etc/vfstab file.\n\n# pfedit /etc/vfstab\n\nLocate any file systems listed with the \"nologging\" option and delete the keyword \"nologging\".","ccis":["CCI-000366"]},{"vulnId":"V-216456","ruleId":"SV-216456r1190826_rule","severity":"high","ruleTitle":"SNMP default community strings and passphrases must be changed from vendor defaults.","description":"Whether active 
or not, default SNMP passwords, users, and passphrases must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s).","checkContent":"Verify the Solaris 11 system does not use default SNMP community strings or passphrases.\n\nThe root role is required.\n\nFind any occurrences of the snmpd.conf file delivered with Solaris packages:\n\n# pkg search -l -Ho path snmpd.conf | awk '{ print \"/\"$1 }'\n/etc/net-snmp/snmp/snmpd.conf\n\nFor each listed file, use the following command to review its contents:\n\n# more [filename]\n\nReview SNMP trap configurations for default community strings:\n\n# grep trap /etc/net-snmp/snmp/snmpd.conf\n\nIdentify any community names, trap communities, or user password configurations set to default values. \nExamples: public, private, trap, public@localhost, password\n\nIf any default values are present, this is a finding.","fixText":"The root role is required.\n\nStop the SNMP service:\n# svcadm disable svc:/application/management/net-snmp:default\n\nOpen the /etc/snmp/snmpd.conf file and remove any lines containing default values.\n# pfedit [/path/filename]\n\nCreate a new SNMPv3 user with strong authentication and privacy keys (if the service is required).\n\nRestart the service (if the service is required).\n# svcadm enable svc:/application/management/net-snmp:default\n\nEnsure permissions on the configuration files are restricted:\n# chmod 600 /etc/snmp/snmp.conf","ccis":["CCI-000366"]},{"vulnId":"V-216457","ruleId":"SV-216457r959010_rule","severity":"medium","ruleTitle":"A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.","description":"A file integrity baseline is a collection of file metadata used to 
evaluate the integrity of the system. A minimal baseline must contain metadata for all device files, setuid files, setgid files, system libraries, system binaries, and system configuration files. The minimal metadata must consist of the mode, owner, group owner, and modification times. For regular files, metadata must also include file size and a cryptographic hash of the file's contents.","checkContent":"The root role is required.\n\nSolaris 11 includes the Basic Account and Reporting Tool (BART), which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.\n\nA Baseline BART manifest may exist in: \n/var/adm/log/bartlogs/[control manifest filename]\n\nIf a BART manifest does not exist, this is a finding.\n\nAt least weekly, create a new BART baseline report.\n\n# bart create > /var/adm/log/bartlogs/[new manifest filename]\n\nCompare the new report to the previous report to identify any changes in the system baseline.\n\n# bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename]\n\nExamine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.","fixText":"The root role is required.\n\nSolaris 11 includes the Basic Account and Reporting Tool (BART) which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. 
File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.\n\nCreate a protected area to store BART manifests.\n# mkdir /var/adm/log/bartlogs\n# chmod 700 /var/adm/log/bartlogs\n\nAfter initial installation and configuration of the system, create a manifest report of the current baseline.\n\n# bart create > /var/adm/log/bartlogs/[baseline manifest filename]","ccis":["CCI-000366"]},{"vulnId":"V-216459","ruleId":"SV-216459r959010_rule","severity":"medium","ruleTitle":"Direct logins must not be permitted to shared, default, application, or utility accounts.","description":"Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.","checkContent":"The Audit Review profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nUse the \"auditreduce\" command to check for multiple accesses to an account\n\n# auditreduce -c lo -u [shared_user_name] | praudit -l\n\nIf users log directly into accounts, rather than using the \"su\" command from their own named account to access them, this is a finding. Also, ask the SA or the IAO if shared accounts are logged into directly or if users log into an individual account and switch user to the shared account.","fixText":"The root role is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nUse the switch user (\"su\") command from a named account login to access shared accounts. Maintain audit trails that identify the actual user of the account name. 
Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (\"su\") to the shared account.","ccis":["CCI-000366"]},{"vulnId":"V-216460","ruleId":"SV-216460r959010_rule","severity":"low","ruleTitle":"The system must not have any unnecessary accounts.","description":"Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.","checkContent":"Check the system for unnecessary user accounts.\n\n# getent passwd\n\nSome examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.","fixText":"The root role is required.\n\nRemove all unnecessary accounts, such as games, from the /etc/passwd file before connecting a system to the network. Other accounts, such as news and gopher, associated with a service not in use should also be removed.\n\nIdentify unnecessary accounts.\n\n# getent passwd\n\nRemove unnecessary accounts.\n\n# userdel [username]","ccis":["CCI-000366"]},{"vulnId":"V-216461","ruleId":"SV-216461r959010_rule","severity":"medium","ruleTitle":"The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.","description":"Operating system backup is a critical step in maintaining data assurance and availability. \n\nUser-level information is data generated by information system and/or application users.\n\nBackups shall be consistent with organizational recovery time and recovery point objectives.","checkContent":"The operations staff shall ensure that proper backups are created, tested, and archived. 
\n\nAsk the operator for documentation on the backup procedures implemented.\n\nIf the backup procedures are not documented then this is a finding.","fixText":"The operations staff shall install, configure, test, and verify operating system backup software.\n\nAdditionally, all backup procedures must be documented.","ccis":["CCI-000366"]},{"vulnId":"V-216462","ruleId":"SV-216462r959010_rule","severity":"medium","ruleTitle":"The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.","description":"Operating system backup is a critical step in maintaining data assurance and availability. \n\nSystem-level information is data generated for/by the host (such as configuration settings) and/or administrative users.\n\nBackups shall be consistent with organizational recovery time and recovery point objectives.","checkContent":"The operations staff shall ensure that proper backups are created, tested, and archived. \n\nAsk the operator for documentation on the backup procedures implemented.\n\nIf the backup procedures are not documented then this is a finding.","fixText":"The operations staff shall install, configure, test, and verify operating system backup software.\n\nAdditionally, all backup procedures must be documented.","ccis":["CCI-000366"]},{"vulnId":"V-216463","ruleId":"SV-216463r959010_rule","severity":"medium","ruleTitle":"The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.","description":"Operating system backup is a critical step in maintaining data assurance and availability. 
\n\nSystem documentation is data generated for/by the host (such as logs) and/or administrative users.\n\nBackups shall be consistent with organizational recovery time and recovery point objectives.","checkContent":"The operations staff shall ensure that proper backups are created, tested, and archived. \n\nAsk the operator for documentation on the backup procedures implemented.\n\nIf the backup procedures are not documented then this is a finding.","fixText":"The operations staff shall install, configure, test, and verify operating system backup software.\n\nAdditionally, all backup procedures must be documented.","ccis":["CCI-000366"]},{"vulnId":"V-216464","ruleId":"SV-216464r958544_rule","severity":"medium","ruleTitle":"The operating system must prevent the execution of prohibited mobile code.","description":"Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. 
Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.","checkContent":"Determine if the Firefox package is installed:\n\n# pkg list web/browser/firefox\n\nIf the package is not installed, this check does not apply.\n\nIf installed, ensure that it is a supported version.\n\n# pkg info firefox | grep Version\nVersion: 52.5.2\n\nIf the version is not supported, this is a finding.\n\nEnsure that Java and JavaScript access by Firefox are disabled.\n\nStart Firefox.\n\nIn the address bar type: about:config\n\nIn the search bar type: javascript.enabled\n\nIf \"Value\" is true, this is a finding.\n\nIn the address bar type: about:addons\n\nClick on the \"I accept the risk\" button.\n\nClick on \"Plugins\".\n\nIf Java is enabled, this is a finding.","fixText":"In the address bar type: about:config\n\nClick on the \"I accept the risk\" button.\n\nIn the search bar type: javascript.enabled\n\nDouble click on javascript.enabled and the Value true will change to false.\n\nIn the address bar type: about:addons\n\nClick on \"Plugins\".\n\nIf Java is displayed, disable Java by clicking on the \nNever Activate selection.","ccis":["CCI-001695"]},{"vulnId":"V-216465","ruleId":"SV-216465r959010_rule","severity":"medium","ruleTitle":"The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.","description":"Without the use of PKI systems to manage digital certificates, the operating system or other system components may be unable to securely communicate on a network or reliably verify the identity of a user via digital signatures.","checkContent":"The operator will ensure that a DoD approved PKI system is installed, configured, and properly operating. 
Ask the operator to document the PKI software installation and configuration.\n\nIf the operator is not able to provide a documented configuration for an installed PKI system or if the PKI system is not properly configured, maintained, or used, this is a finding.","fixText":"The operator will ensure that a DoD approved PKI software is installed and operating continuously.","ccis":["CCI-000366"]},{"vulnId":"V-216467","ruleId":"SV-216467r959010_rule","severity":"medium","ruleTitle":"The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.","description":"In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. \n\nThe requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.","checkContent":"The operator will ensure that anti-virus software is installed and operating.\n\nIf the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.","fixText":"The operator will ensure that anti-virus software is installed and operating.","ccis":["CCI-000366"]},{"vulnId":"V-216469","ruleId":"SV-216469r958574_rule","severity":"medium","ruleTitle":"The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.","description":"Protection of log data includes assuring log data is not accidentally lost or deleted. 
Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure that, in the event of a catastrophic system failure, the audit records will be retained.\n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement can be met by the operating system continuously sending records to a centralized logging server.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe operator must back up audit records at least every 7 days.\n\nIf the operator is unable to provide a documented procedure or the documented procedure is not being followed, then this is a finding.","fixText":"This fix applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this fix applies.\n\nThe operator shall back up audit records at least every seven days.","ccis":["CCI-001348"]},{"vulnId":"V-216470","ruleId":"SV-216470r1099906_rule","severity":"low","ruleTitle":"All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.","description":"Editing a system file with common tools such as vi, emacs, or gedit does not allow the auditing of changes made by an operator. 
This reduces the capability of determining which operator made security-relevant changes to the system.","checkContent":"Ask the operators if they use vi, emacs, or gedit to make changes to system files.\n\nIf vi, emacs, or gedit are used to make changes to system files, this is a finding.","fixText":"Advise the operators to use pfedit or other appropriate command line tools to make system changes instead of vi, emacs, or gedit.\n\nOracle Solaris includes administrative configuration files which use pfedit, and the solaris.admin.edit/path_to_file authorization is not recommended. Alternate commands exist which are both domain-specific and safer. For example, for the /etc/passwd, /etc/shadow, or /etc/user_attr files, use instead passwd, useradd, userdel, or usermod. For the /etc/group file, use instead groupadd, groupdel, or groupmod. For updating /etc/security/auth_attr, /etc/security/exec_attr, or /etc/security/prof_attr, the preferred command is profiles.","ccis":["CCI-000366"]},{"vulnId":"V-216473","ruleId":"SV-216473r958528_rule","severity":"medium","ruleTitle":"The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.","description":"In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.","checkContent":"Verify that you are on the global zone:\n# zoneadm -z global list\nglobal\n\nNote: If the following message appears, you are not in the global zone:\n\"zoneadm: global: No such zone exists\"\n\n# dladm show-ether -Z | egrep \"LINK|up\"\n\nLINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE\nnet0 current up yes 1G-f bi\n\nDetermine the OS version that is being secured:\n\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n\n# dladm show-linkprop net0 | egrep \"LINK|en_\" | sort|uniq\nLINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT 
  POSSIBLE\nnet0     en_1000fdx_cap  rw   1            1            1         1,0\nnet0     en_1000hdx_cap  r-   0            0            0         1,0\nnet0     en_100fdx_cap   rw   1            1            1         1,0\nnet0     en_100hdx_cap   rw   1            1            1         1,0\nnet0     en_10fdx_cap    rw   1            1            1         1,0\nnet0     en_10gfdx_cap   --   --           --           0         1,0\nnet0     en_10hdx_cap    rw   1            1            1         1,0\n\nDo the above for all available/connected network adapters.\n\nFor Solaris 11.4.x.x.x or newer:\n\n# dladm show-linkprop -p speed-duplex net0\nLINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE\nnet0     speed-duplex    rw   1g-f,100m-f, 1g-f,100m-f, 1g-f,     1g-f,100m-f,\n                              100m-h,      100m-h,      100m-f,   100m-h,10m-f,\n                              10m-f,10m-h  10m-f,10m-h  100m-h,   10m-h\n                                                        10m-f,\n                                                        10m-h\n\nDo the above for all available/connected network adapters.\n\nFor each link, determine if its current speed-duplex settings VALUE field is appropriate for managing any excess bandwidth capacity based on its POSSIBLE settings field; if not, this is a finding.","fixText":"The Network Management profile is required.\n\nSet each link's speed-duplex protection to an appropriate value based on each configured network interface's POSSIBLE settings.\n\nDetermine the OS version that is being secured:\n\n# uname -a\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n\n# pfexec dladm set-linkprop -p en_1000fdx_cap=1 net0\n\nVerify EFFECTIVE column\n# dladm show-linkprop net0 | egrep \"LINK|en_\" | sort|uniq\nLINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE\nnet0     en_1000fdx_cap  rw   1            1            1         1,0\nnet0     en_1000hdx_cap  r-   0            0            0       
  1,0\nnet0     en_100fdx_cap   rw   1            1            1         1,0\nnet0     en_100hdx_cap   rw   1            1            1         1,0\nnet0     en_10fdx_cap    rw   1            1            1         1,0\nnet0     en_10gfdx_cap   --   --           --           0         1,0\nnet0     en_10hdx_cap    rw   1            1            1         1,0\n\nDo the above for all available/connected network adapters.\n\nFor Solaris 11.4.x or newer:\n\n# pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net0\n\nVerify EFFECTIVE column\n# dladm show-linkprop -p speed-duplex net0\nLINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE\nnet0     speed-duplex    rw   1g-f,100m-f  1g-f,100m-f  1g-f,     1g-f,100m-f,\n                                                        100m-f,   100m-h,10m-f,\n                                                        100m-h,   10m-h\n                                                        10m-f,\n                                                        10m-h\n\nDo the above for all available/connected network adapters.","ccis":["CCI-001095"]},{"vulnId":"V-216474","ruleId":"SV-216474r959010_rule","severity":"low","ruleTitle":"The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.","description":"Incorrect ownership can result in unauthorized changes or theft of data.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the ownership of the files and directories.\n\n# pkg verify system/zones\n\nThe command should return no output. If output is produced, this is a finding.","fixText":"This check applies to the global zone only.  
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe Software Installation profile is required.\n\nChange the ownership and permissions of the files and directories to the factory default. \n\n# pkg fix system/zones","ccis":["CCI-000366"]},{"vulnId":"V-216475","ruleId":"SV-216475r959010_rule","severity":"low","ruleTitle":"The limitpriv zone option must be set to the vendor default or less permissive.","description":"Solaris zones can be assigned privileges generally reserved for the global zone using the \"limitpriv\" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nList the non-global zones on the system.\n\n# zoneadm list -vi | grep -v global\n\nFrom the output list of non-global zones found, determine if any are Kernel zones.\n\n# zoneadm list -cv | grep [zonename] | grep solaris-kz\n\nExclude any Kernel zones found from the list of local zones.\n\nList the configuration for each zone.\n\n# zonecfg -z [zonename] info |grep limitpriv\n\nIf the output of this command has a setting for limitpriv and it is not:\nlimitpriv: default\n\nthis is a finding.","fixText":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe Zone Security profile is required:\n\nChange the \"limitpriv\" setting to default. 
\n\n# pfexec zonecfg -z [zone] set limitpriv=default","ccis":["CCI-000366"]},{"vulnId":"V-216476","ruleId":"SV-216476r959010_rule","severity":"medium","ruleTitle":"The system's physical devices must not be assigned to non-global zones.","description":"Solaris non-global zones can be assigned physical hardware devices. This increases the risk of such a non-global zone having the capability to compromise the global zone.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nList the non-global zones on the system.\n\n# zoneadm list -vi | grep -v global\n\nList the configuration for each zone.\n\n# zonecfg -z [zonename] info | grep dev\n\nCheck for device lines. If such a line exists and is not approved by security, this is a finding.","fixText":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe Zone Security profile is required:\n\nRemove all device assignments from the non-global zone. \n\n# pfexec zonecfg -z [zone] delete device [device]","ccis":["CCI-000366"]},{"vulnId":"V-216477","ruleId":"SV-216477r959010_rule","severity":"low","ruleTitle":"The audit system must identify in which zone an event occurred.","description":"Tracking the specific Solaris zones in the audit trail reduces the time required to determine the cause of a security event.","checkContent":"This check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nList the non-global zones on the system.\n\n# zoneadm list -vi | grep -v global\n\nThe Audit Configuration profile is required.\n\nDetermine whether the \"zonename\" auditing policy is in effect.\n\n# pfexec auditconfig -getpolicy | grep active | grep zonename\n\nIf no output is returned, this is a finding.","fixText":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nList the non-global zones on the system.\n\n# zoneadm list -vi | grep -v global\n\nThe Audit Configuration profile is required.\n\nEnable the \"zonename\" auditing policy.\n\n# pfexec auditconfig -setpolicy +zonename","ccis":["CCI-000366"]},{"vulnId":"V-216478","ruleId":"SV-216478r959010_rule","severity":"low","ruleTitle":"The audit system must maintain a central audit trail for all zones.","description":"Centralized auditing simplifies the investigative process to determine the cause of a security event.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nList the non-global zones on the system.\n\n# zoneadm list -vi | grep -v global\n\nThe Audit Configuration profile is required.\n\nDetermine whether the \"perzone\" auditing policy is in effect.\n\n# pfexec auditconfig -getpolicy | grep active | grep perzone\n\nIf output is returned, this is a finding.","fixText":"This check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nList the non-global zones on the system.\n\n# zoneadm list -vi | grep -v global\n\nThe Audit Configuration profile is required.\n\nDisable the \"perzone\" auditing policy.\n\n# pfexec auditconfig -setpolicy -perzone","ccis":["CCI-000366"]},{"vulnId":"V-216479","ruleId":"SV-216479r959010_rule","severity":"medium","ruleTitle":"The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.","description":"Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). \n\nOrganization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements.\n\nUsage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).\n\nIn order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.","checkContent":"This check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\" this check applies.\n\nDetermine if USB mass storage devices are locked out by the kernel.\n\n# grep -h \"exclude: scsa2usb\" /etc/system /etc/system.d/*\n\nIf the output of this command is not:\n\nexclude: scsa2usb\n\nthis is a finding.","fixText":"The root role is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\" this check applies.\n\nModify the /etc/system file.\n\nDetermine the OS version you are currently securing.\n# uname –v\nFor Solaris 11GA and 11.1\n# pfedit /etc/system\n\nAdd a line containing:\n\nexclude: scsa2usb\n\nNote that the global zone will need to be rebooted for this change to take effect.   \n\nFor Solaris 11.2 or newer\n\nModify an /etc/system.d file.\n# pfedit /etc/system.d/USB:MassStorage\n\nAdd a line containing:\nexclude: scsa2usb\n\nNote that the global zone will need to be rebooted for this change to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-219959","ruleId":"SV-219959r958768_rule","severity":"medium","ruleTitle":"The audit system must support an audit reduction capability.","description":"Using the audit system will utilize the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-001877"]},{"vulnId":"V-219960","ruleId":"SV-219960r958774_rule","severity":"medium","ruleTitle":"The audit system records must be able to be used by a report generation capability.","description":"Enabling the audit system will produce records for use in report generation.  Without an audit reporting capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only.  Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only.  
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-001880"]},{"vulnId":"V-219961","ruleId":"SV-219961r958442_rule","severity":"medium","ruleTitle":"The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.\n\nWithout accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked.\n\nWithout an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only.  Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only.  
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000169"]},{"vulnId":"V-219962","ruleId":"SV-219962r958442_rule","severity":"medium","ruleTitle":"The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.\n\nWithout accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked.\n\nWithout an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getcond\n\nIf this command does not report:\n\naudit condition = auditing\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nIf auditing has been disabled, it must be enabled with the following command:\n\n# pfexec audit -s","ccis":["CCI-000169"]},{"vulnId":"V-219963","ruleId":"SV-219963r958442_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit all discretionary access control permission modifications.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"The Audit Configuration profile is required.\n\nCheck that the audit flag for auditing file access is enabled.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version you are currently securing.\n# uname –v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\nIf \"fm\" audit flag is not included in output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"fm\" audit flag is not included in output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000169"]},{"vulnId":"V-219964","ruleId":"SV-219964r958442_rule","severity":"medium","ruleTitle":"The audit system must be configured to audit the loading and unloading of dynamic kernel modules.","description":"Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the OS version currently being secured.\n# uname -v\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -getflags | grep active | cut -f2 -d=\n\nIf \"as\" audit flag is not included in the output, this is a finding.\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -t -getflags | cut -f2 -d=\n\nIf \"cusa,fm,fd,-fa,-ps,-ex\" audit flags are not included in the output, this is a finding.\n\nDetermine if auditing policy is set to collect command line arguments.\n\n# pfexec auditconfig -getpolicy | grep active | grep argv\n\nIf the active audit policies line does not appear, this is a finding.","fixText":"The Audit Configuration profile is required. All audit flags must be enabled in a single command.\n\nThis action applies to the global zone only. 
Determine the zone currently being secured.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nFor Solaris 11, 11.1, 11.2, and 11.3:\n# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm\n\nFor Solaris 11.4 or newer:\n# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm\n\nEnable the audit policy to collect command line arguments.\n\n# pfexec auditconfig -setpolicy +argv\n\nThese changes will not affect users that are currently logged in.","ccis":["CCI-000169"]},{"vulnId":"V-219965","ruleId":"SV-219965r971542_rule","severity":"medium","ruleTitle":"The audit system must alert the SA when the audit storage volume approaches its capacity.","description":"Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe root role is required.\n\nVerify the presence of an audit_warn entry in /etc/mail/aliases.\n# /usr/lib/sendmail -bv audit_warn\nIf the response is:\naudit_warn... User unknown\n\nthis is a finding.\n\nReview the output of the command and verify that the audit_warn alias notifies the appropriate users in this form:\n\naudit_warn:user1,user2\n\nIf an appropriate user is not listed, this is a finding.","fixText":"The root role is required. \n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nAdd an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).\n\n# pfedit /etc/mail/aliases\n\nInsert a line in the form:\naudit_warn:user1,user2\n\nPut the updated aliases file into service.\n# newaliases","ccis":["CCI-001855"]},{"vulnId":"V-219966","ruleId":"SV-219966r958758_rule","severity":"high","ruleTitle":"The audit system must alert the System Administrator (SA) if there is any type of audit failure.","description":"Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe root role is required.\n\nVerify the presence of an audit_warn entry in /etc/mail/aliases.\n# /usr/lib/sendmail -bv audit_warn\nIf the response is:\naudit_warn... User unknown\n\nthis is a finding.\n\nReview the output of the command and verify that the audit_warn alias notifies the appropriate users in this form:\n\naudit_warn:user1,user2\n\nIf an appropriate user is not listed, this is a finding.","fixText":"The root role is required. \n\nThis action applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nAdd an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).\n\n# pfedit /etc/mail/aliases\n\nInsert a line in the form:\naudit_warn:user1,user2\n\nPut the updated aliases file into service.\n# newaliases","ccis":["CCI-001858"]},{"vulnId":"V-219967","ruleId":"SV-219967r958752_rule","severity":"medium","ruleTitle":"The operating system must allocate audit record storage capacity.","description":"Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nReview the current audit file space limitations\n\n# pfexec auditconfig -getplugin audit_binfile\nPlugin: audit_binfile (active)\n\nThe output of the command will appear in this form.\n\nAttributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2\n\nIf p_minfree is not equal to \"2\" of greater, this is a finding.\n\np_dir defines the current audit file system.\n\nNote: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.\n\nCheck that zfs compression is enabled for the audit file system.\n\n# zfs get compression [poolname/filesystemname]\n\nIf compression is off, this is a finding.\n\nCheck that a ZFS quota is enforced for the audit filesystem.\n\n# zfs get quota [poolname/filesystemname]\n\nIf quota is set to \"none\", this is a finding.\n\nEnsure that a reservation of space is enforced on /var/share so that other users do not use up audit space.\n\n# zfs get quota,reservation [poolname/filesystemname]\n\nIf reservation is set to \"none\", this is a finding.","fixText":"The Audit Configuration, Audit Control and ZFS File System 
Management profiles are required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDetermine the audit system directory name:\n\n# pfexec auditconfig -getplugin audit_binfile\nPlugin: audit_binfile (active)\n\nThe output of the command will appear in this form:\n\nAttributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;\n\np_dir defines the current audit file system.\n\nNote: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.\n\nSet a minimum percentage of free space on the audit_binfile plugin to 2%.\n\n# pfexec auditconfig -setplugin audit_binfile p_minfree=2\n\nRestart the audit system.\n\n# pfexec audit -s\n\nEnable compression for the audit filesystem.\n\n# pfexec zfs set compression=on [poolname/filesystemname]\n\nSet a ZFS quota on the default /var/share filesystem for audit records to ensure that the root pool is not filled up with audit logs.\n\n# pfexec zfs set quota=XXG [poolname/filesystemname]\n\nThis command sets the quota to XX gigabytes. This value should be based upon organizational requirements.\n\nSet a ZFS reservation on the default /var/share filesystem for audit records to ensure that the audit file system is guaranteed a fixed amount of storage.\n\n# pfexec zfs set reservation=XXG [poolname/filesystemname]\n\nThis command sets the reservation to XX gigabytes. This value should be based upon organizational requirements.","ccis":["CCI-001849"]},{"vulnId":"V-219968","ruleId":"SV-219968r958752_rule","severity":"high","ruleTitle":"The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.","description":"Overflowing the audit storage area can result in a denial of service or system outage.","checkContent":"The Audit Configuration profile is required.\n\nThis check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nCheck the status of the audit system. It must be auditing.\n\n# pfexec auditconfig -getplugin \n\nIf the output of this command does not contain:\n\np_fsize=4M\n\nthis is a finding.","fixText":"The Audit Control profile is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nSet the size of a binary audit file to a specific size. The size is specified in megabytes.\n\n# pfexec auditconfig -setplugin audit_binfile p_fsize=4M\n\nRestart the audit system.\n\n# pfexec audit -s","ccis":["CCI-001849"]},{"vulnId":"V-219969","ruleId":"SV-219969r1016281_rule","severity":"medium","ruleTitle":"The system must verify that package updates are digitally signed.","description":"Digitally signed packages ensure that the source of the package can be identified.","checkContent":"Determine what the signature policy is for pkg publishers:\n\n# pkg property | grep signature-policy\n\nCheck that output produces:\n\nsignature-policy verify\n\nIf the output does not confirm that signature-policy verify is active, this is a finding.","fixText":"The Software Installation Profile is required.\n\nConfigure the package system to ensure that digital signatures are verified.\n\n# pfexec pkg set-property signature-policy verify","ccis":["CCI-003992","CCI-001749"]},{"vulnId":"V-219970","ruleId":"SV-219970r958794_rule","severity":"medium","ruleTitle":"The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.","description":"Addition of unauthorized code or packages may result in data corruption or theft.","checkContent":"The Software Installation Profile is required.\n\nDisplay the installation history of packages on the 
system to ensure that no undesirable packages have been installed:\n\n# pkg history -o finish,user,operation,command |grep install\n\nIf the install command is listed as \"/usr/bin/packagemanager\", execute the command:\n\n# pkg history -l \n\nto determine which packages were installed during package manager sessions.\n\nIf undocumented or unapproved packages have been installed, this is a finding.","fixText":"The Software Installation Profile is required.\n\nReview and report any unauthorized package installation operations.\n\nIf necessary, remove unauthorized packages.\n\n# pfexec pkg uninstall [package name]","ccis":["CCI-001744"]},{"vulnId":"V-219971","ruleId":"SV-219971r958804_rule","severity":"medium","ruleTitle":"The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.","description":"Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.","checkContent":"Identify the packages installed on the system. 
\n\n# pkg list\n\nAny unauthorized software packages listed in the output are a finding.","fixText":"The Software Installation profile is required.\n\nIdentify packages installed on the system:\n\n# pkg list\n\nUninstall unauthorized packages:\n\n# pfexec pkg uninstall [package name]","ccis":["CCI-001764"]},{"vulnId":"V-219972","ruleId":"SV-219972r958548_rule","severity":"medium","ruleTitle":"The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.","description":"Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). \n\nAuto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.","checkContent":"This check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine if the removable media volume manager is running.\n\n# svcs -Ho state svc:/system/filesystem/rmvolmgr:default\n\nIf the output reports that the service is \"online\", this is a finding.","fixText":"The Service Management profile is required.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nDisable the rmvolmgr service.\n\n# pfexec svcadm disable svc:/system/filesystem/rmvolmgr:default","ccis":["CCI-001170"]},{"vulnId":"V-219973","ruleId":"SV-219973r958726_rule","severity":"medium","ruleTitle":"The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.","description":"Allowing any user to elevate their privileges can allow them excessive control of the system tools.","checkContent":"Verify the root user is configured as a role, rather than a normal user. \n\n# userattr type root\n\nIf the command does not return the word \"role\", this is a finding.\n\nVerify at least one local user has been assigned the root role.\n\n# grep '[:;]roles=root[^;]*' /etc/user_attr\n\nIf no lines are returned, or no users are permitted to assume the root role, this is a finding.","fixText":"The root role is required.\n\nConvert the root user into a role. \n\n# usermod -K type=role root\n\nAdd the root role to authorized users' logins. 
\n\n# usermod -R +root [username]\n\nRemove the root role from users who should not be authorized to assume it.\n\n# usermod -R -root [username]","ccis":["CCI-001170"]},{"vulnId":"V-219975","ruleId":"SV-219975r987791_rule","severity":"medium","ruleTitle":"The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.","description":"FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware based encryption modules.","checkContent":"This check applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nThe Crypto Management profile is required to execute this command.\n\nCheck to ensure that FIPS-140 encryption mode is enabled.\n\n# cryptoadm list fips-140| grep -c \"is disabled\"\n\nIf the output of this command is not \"0\", this is a finding.","fixText":"The Crypto Management profile is required to execute this command.\n\nThis action applies to the global zone only. Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this action applies.\n\nEnable FIPS-140 mode.\n\n# pfexec cryptoadm enable fips-140\n\nReboot the system as requested.","ccis":["CCI-002450"]},{"vulnId":"V-219976","ruleId":"SV-219976r958908_rule","severity":"medium","ruleTitle":"The operating system must protect the integrity of transmitted information.","description":"Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. 
This requirement applies to communications across internal and external networks.","checkContent":"All remote sessions must be conducted via encrypted services and ports.\n\nCheck that SSH is enabled:\n# svcs svc:/network/ssh\nSTATE          STIME           FMRI\nonline         Nov_03          svc:/network/ssh:default\n\nAsk the operator to document all configured external ports and protocols.\n\nIf any unencrypted connections are used, this is a finding.","fixText":"Configure SSH to be enabled.\n\n# svcadm enable svc:/network/ssh","ccis":["CCI-001127"]},{"vulnId":"V-219977","ruleId":"SV-219977r1117271_rule","severity":"medium","ruleTitle":"The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.","description":"Ensuring that transmitted information is not altered during transmission requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.","checkContent":"All remote sessions must be conducted via encrypted services and ports.\n\nCheck that SSH is enabled:\n# svcs svc:/network/ssh\nSTATE          STIME           FMRI\nonline         Nov_03          svc:/network/ssh:default\n\nAsk the operator to document all configured external ports and protocols.\n\nIf any unencrypted connections are used, this is a finding.","fixText":"Configure SSH to be enabled.\n\n# svcadm enable svc:/network/ssh","ccis":["CCI-002421"]},{"vulnId":"V-219978","ruleId":"SV-219978r958912_rule","severity":"medium","ruleTitle":"The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.","description":"Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. 
This requirement applies to communications across internal and external networks.","checkContent":"All remote sessions must be conducted via encrypted services and ports.\n\nAsk the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.","fixText":"All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.","ccis":["CCI-002420"]},{"vulnId":"V-219979","ruleId":"SV-219979r958908_rule","severity":"medium","ruleTitle":"The operating system must protect the confidentiality of transmitted information.","description":"Ensuring the confidentiality of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.","checkContent":"All remote sessions must be conducted via encrypted services and ports.\n\nAsk the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.","fixText":"All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.","ccis":["CCI-002418"]},{"vulnId":"V-219980","ruleId":"SV-219980r1117271_rule","severity":"medium","ruleTitle":"The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.","description":"Ensuring that transmitted information does not become disclosed to unauthorized entities requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.","checkContent":"All remote sessions must be conducted via encrypted services and ports.\n\nAsk the operator to document all configured external ports and protocols. 
If any unencrypted connections are used, this is a finding.","fixText":"All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.","ccis":["CCI-002421"]},{"vulnId":"V-219981","ruleId":"SV-219981r958912_rule","severity":"medium","ruleTitle":"The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.","description":"Ensuring that transmitted information remains confidential during aggregation, packaging, and transformation requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.","checkContent":"All remote sessions must be conducted via encrypted services and ports.\n\nAsk the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.","fixText":"All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.","ccis":["CCI-002420"]},{"vulnId":"V-219982","ruleId":"SV-219982r958870_rule","severity":"low","ruleTitle":"The operating system must employ cryptographic mechanisms to protect information in storage.","description":"When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. \n\nAn organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. 
\n\nFewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.","checkContent":"Determine if file system encryption is required by your organization. If not required, this item does not apply.\n\nDetermine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.\n\n# zfs list \n\nUsing the file system name, determine if the file system is encrypted:\n\n# zfs get encryption [filesystem] \n\nIf \"encryption off\" is listed, this is a finding.","fixText":"The ZFS file system management profile is required.\n\nZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data should be archived, it must be removed and re-created.\n\nFirst, stop running applications using the file systems, archive the data, unmount, and then remove the file system.\n\n# umount [file system name]\n# zfs destroy [file system name]\n\nWhen creating ZFS file systems, ensure that they are created as encrypted file systems.\n\n# pfexec zfs create -o encryption=on [file system name]\nEnter passphrase for '[file system name]': xxxxxxx\nEnter again: xxxxxxx\n\nStore the passphrase in a safe location. The passphrase will be required to mount the file systems upon system reboot. 
If automated mounting is required, the passphrase must be stored in a file.","ccis":["CCI-002475"]},{"vulnId":"V-219983","ruleId":"SV-219983r958870_rule","severity":"low","ruleTitle":"The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.","description":"When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. \n\nAn organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. \n\nFewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.","checkContent":"Determine if file system encryption is required by your organization. If not required, this item does not apply.\n\nDetermine if file system encryption is enabled for user data sets. 
This check does not apply to the root, var, share, swap or dump datasets.\n\n# zfs list \n\nUsing the file system name, determine if the file system is encrypted:\n\n# zfs get encryption [filesystem] \n\nIf \"encryption off\" is listed, this is a finding.","fixText":"The ZFS file system management profile is required.\n\nZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data should be archived, it must be removed and re-created.\n\nFirst, stop running applications using the file systems, archive the data, unmount, and then remove the file system.\n\n# umount [file system name]\n# zfs destroy [file system name]\n\nWhen creating ZFS file systems, ensure that they are created as encrypted file systems.\n\n# pfexec zfs create -o encryption=on [file system name]\nEnter passphrase for '[file system name]': xxxxxxx\nEnter again: xxxxxxx\n\nStore the passphrase in a safe location. The passphrase will be required to mount the file systems upon system reboot. If automated mounting is required, the passphrase must be stored in a file.","ccis":["CCI-002475"]},{"vulnId":"V-219984","ruleId":"SV-219984r958908_rule","severity":"medium","ruleTitle":"The operating system must protect the integrity of transmitted information.","description":"Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.","checkContent":"The operator shall determine if IPsec is being used to encrypt data for activities such as cluster interconnects or other non-SSH, SFTP data connections.\n\nOn both systems review the file /etc/inet/ipsecinit.conf. 
Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation.\n\nCheck that the IPsec policy service is online:\n\n# svcs svc:/network/ipsec/policy:default\n\nIf the IPsec service is not online, this is a finding.\n\nIf encrypted protocols are not used between systems, this is a finding.","fixText":"The Service Management profile is required.\n\nConfigure IPsec encrypted tunneling between two systems.\n\nOn both systems review the file /etc/inet/ipsecinit.conf. Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation.\n\nEnsure that the IPsec policy service is online:\n\nEnable the IPsec service:\n\n# svcadm enable svc:/network/ipsec/policy:default","ccis":["CCI-002418"]},{"vulnId":"V-219985","ruleId":"SV-219985r958732_rule","severity":"medium","ruleTitle":"The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.","description":"Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an operating system which the user being audited has privileged access to. The privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.","checkContent":"The audit configuration profile is required. \n\nThis check applies to the global zone only. 
Determine the zone that you are currently securing.\n\n# zonename\n\nIf the command output is \"global\", this check applies.\n\nDetermine the location of the local audit trail files.\n\n# auditconfig -getplugin audit_binfile\nPlugin: audit_binfile (active)\nAttributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;\n\nIn this example, the audit files can be found in /var/audit. Check that the permissions on the audit files are 640 (rw-r-----) or less permissive.\n\n# ls -al /var/audit\n\n# ls -l /var/audit/*\n\nIf the permissions are more permissive than 640, this is a finding.\n\nNote: The default Solaris 11 location for /var/audit is a link to /var/share/audit.","fixText":"The root role is required.\n\nDetermine the location of the local audit trail files.\n\n# pfexec auditconfig -getplugin audit_binfile\nPlugin: audit_binfile (active)\nAttributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1\n\nIn this example, the audit files can be found in /var/audit.\n\nChange the permissions on the audit trail files and the audit directory.\n\n# chmod 640 /var/share/audit/*\n\n# chmod 750 /var/share/audit\n\nNote: The default Solaris 11 location for /var/audit is a link to /var/share/audit.","ccis":["CCI-002234"]},{"vulnId":"V-219986","ruleId":"SV-219986r1016282_rule","severity":"medium","ruleTitle":"The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).","description":"To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. 
If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.","checkContent":"NTP must be used and used only in the global zone. Determine the zone to be secured.\n\n# zonename\n\nIf the command output is not \"global\", then NTP must be disabled. Check the system for a running NTP daemon.\n\n# svcs -Ho state ntp\n\nIf NTP is online, this is a finding.\n\nIf the output from \"zonename\" is \"global\", then NTP must be enabled. Check the system for a running NTP daemon.\n\n# svcs -Ho state ntp\n\nIf NTP is not online, this is a finding.\n\nIf NTP is running, confirm the servers and peers or multicast client (as applicable) are local or an authoritative DOD source.\n\nFor the NTP daemon:\n\n# more /etc/inet/ntp.conf\n\nIf a nonlocal/nonauthoritative (non-DOD source, non-USNO-based, or non-GPS) time server is used, this is a finding.\n\nDetermine if the time synchronization frequency is correct.\n\n# grep \"maxpoll\" /etc/inet/ntp.conf\n\nIf the command returns \"File not found\" or any value for maxpoll, this is a finding.\n\nDetermine if the running NTP server is configured properly.\n\n# ntpq -p | awk '($6 ~ /[0-9]+/ && $6 > 86400) { print $1\" \"$6 }'\n\nThis will print out the name of any time server whose current polling time is greater than 24 hours (along with the actual value). 
If there is any output, this is a finding.","fixText":"The root role is required.\n\nDetermine the zone to be secured.\n\n# zonename\n\nIf the command output is not \"global\", then NTP must be disabled.\n\n# svcadm disable ntp\n\nIf the output from \"zonename\" is \"global\", then NTP must be enabled.\n\nTo activate the ntpd daemon, the ntp.conf file must first be created.\n\n# cp /etc/inet/ntp.client /etc/inet/ntp.conf\n\n# pfedit /etc/inet/ntp.conf\n\nMake site-specific changes to this file as needed in the form.\n\nserver [ntpserver]\n\nLocate the line containing maxpoll (if it exists).\n\nDelete the line.\n\nStart the ntpd daemon.\n\n# svcadm enable ntp\n\nUse a local authoritative time server synchronizing to an authorized DOD time source, a USNO-based time server, or a GPS. Ensure all systems in the facility feed from one or more local time servers that feed from the authoritative time server.\n\nEdit the NTP configuration files and make the necessary changes to add the approved time servers per Solaris documentation.","ccis":["CCI-004926","CCI-002046"]},{"vulnId":"V-219987","ruleId":"SV-219987r958944_rule","severity":"medium","ruleTitle":"The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).","description":"Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property. 
For example, successful login triggers an audit entry.","checkContent":"Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis.\n\nIf DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.","fixText":"Install, configure, and run DoD-approved SCAP compliance checking software on a periodic basis. Review the output of the software and document any out-of-compliance issues.","ccis":["CCI-002696"]},{"vulnId":"V-224670","ruleId":"SV-224670r958726_rule","severity":"medium","ruleTitle":"The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.","description":"In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. \n\nThe requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.","checkContent":"The operator will ensure that anti-virus software is installed and operating.\n\nIf the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.","fixText":"The operator will ensure that anti-virus software is installed and operating.","ccis":["CCI-002235"]},{"vulnId":"V-224671","ruleId":"SV-224671r958944_rule","severity":"medium","ruleTitle":"The operating system must identify potentially security-relevant error conditions.","description":"Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. 
The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property. For example, successful login triggers an audit entry.","checkContent":"Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis.\n\nIf DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.","fixText":"Install, configure, and run DoD-approved SCAP compliance checking software on a periodic basis. Review the output of the software and document any out-of-compliance issues.","ccis":["CCI-002696"]},{"vulnId":"V-233300","ruleId":"SV-233300r959010_rule","severity":"medium","ruleTitle":"The sshd server must bind the X11 forwarding server to the loopback address.","description":"As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.\nBy default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to “localhost”.  
This prevents remote hosts from connecting to the proxy display.","checkContent":"Determine if the X11 forwarding server is bound to the loopback address.\n\n# grep \"^X11UseLocalhost\" /etc/ssh/sshd_config\n\nIf the output of this command is not:\n\nX11UseLocalhost yes\n\nthis is a finding.","fixText":"The root role is required.\n\nModify the sshd_config file.\n\n# vi /etc/ssh/sshd_config\n\nLocate the line containing:\n\nX11UseLocalhost \n\nChange it to:\n\nX11UseLocalhost yes\n\nRestart the SSH service.\n\n# svcadm restart svc:/network/ssh","ccis":["CCI-000366"]}]}