Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Solaris 10 X86 Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2020-12-04
  • Severity:
  • Sort:
View

Select any old version/release of this SCAP to view the previous requirements

This Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
The system must disable accounts after three consecutive unsuccessful login attempts.
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
GEN000460
Vuln IDs
V-220074
Rule IDs
SV-220074r603266_rule
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
Fix: F-21782r488277_fix

Set RETRIES to 3 in the /etc/default/login file. #vi /etc/default/login Set LOCK_AFTER_RETRIES to YES in the /etc/security/policy.conf file. #vi /etc/security/policy.conf

b
The delay between login prompts following a failed login attempt must be at least 4 seconds.
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
GEN000480
Vuln IDs
V-220075
Rule IDs
SV-220075r603266_rule
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
Fix: F-21783r488280_fix

Edit the /etc/default/login file and set SLEEPTIME to 4.

b
The root account must be the only account having an UID of 0.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000880
Vuln IDs
V-220078
Rule IDs
SV-220078r603266_rule
If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.
Fix: F-21786r488343_fix

Remove or change the UID of accounts other than root that have UID 0.

b
Library files must have mode 0755 or less permissive.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
GEN001300
Vuln IDs
V-220081
Rule IDs
SV-220081r603266_rule
Unauthorized access could destroy the integrity of the library files.
Fix: F-21789r488427_fix

Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod 0755 /path/to/library-file NOTE: Library files should have an extension of .a or .so, possibly followed by a version number.

a
Global initialization files must contain the mesg -n or mesg n commands.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN001780
Vuln IDs
V-220087
Rule IDs
SV-220087r603266_rule
If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack.
Fix: F-21795r488592_fix

Edit /etc/profile or another global initialization script and add the mesg -n command.

b
The portmap or rpcbind service must not be running unless needed.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003810
Vuln IDs
V-220091
Rule IDs
SV-220091r603266_rule
The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using remote procedure calls (RPCs).
Fix: F-21799r489821_fix

Disable the portmap service. # svcadm disable network/rpc/bind

c
The rsh daemon must not be running.
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
GEN003820
Vuln IDs
V-220092
Rule IDs
SV-220092r603266_rule
The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Satisfies: SRG-OS-000505, SRG-OS-000555, SRG-OS-000033
Fix: F-21800r489827_fix

Disable the remote shell service and restart inetd. Procedure: # svcadm disable network/shell # svcadm refresh inetd

b
The rlogind service must not be running.
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
GEN003830
Vuln IDs
V-220093
Rule IDs
SV-220093r603266_rule
The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Satisfies: SRG-OS-000505, SRG-OS-000555, SRG-OS-000033
Fix: F-21801r489833_fix

Disable the rlogind service. # svcadm disable rlogin # svcadm refresh inetd

c
The SSH daemon must be configured to only use the SSHv2 protocol.
RMF Control
IA-2
Severity
High
CCI
CCI-001941
Version
GEN005500
Vuln IDs
V-220108
Rule IDs
SV-220108r603266_rule
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
Fix: F-21816r490076_fix

Edit the configuration file and modify the Protocol line to look like: Protocol 2 Reload sshd: kill -HUP <PID of sshd>

b
The system's access control program must be configured to grant or deny system access to specific hosts.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006620
Vuln IDs
V-220118
Rule IDs
SV-220118r603266_rule
If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.
Fix: F-21826r490301_fix

Edit the /etc/hosts.allow and /etc/hosts.deny files to configure access restrictions.

c
For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GEN008660
Vuln IDs
V-220123
Rule IDs
SV-220123r603266_rule
GRUB is a versatile boot loader used by several platforms providing authentication for access to the system or boot loader.
Fix: F-21831r490394_fix

Configure the system to use the GRUB bootloader.

c
The system boot loader must require authentication.
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
GEN008700
Vuln IDs
V-220124
Rule IDs
SV-220124r603266_rule
If the system's boot loader does not require authentication, users with console access to the system may be able to alter the system boot configuration or boot the system into single user or maintenance mode, which could result in Denial-of-Service or unauthorized privileged access to the system.
Fix: F-21832r490400_fix

The GRUB console boot loader can be configured to use an MD5 encrypted password by adding password --md5 password-hash to the /pool-name/boot/grub/menu.lst or /boot/grub/menu.lst file. Use grub-md5-crypt to generate MD5 passwords from the command line.

b
The nosuid option must be configured in the /etc/rmmount.conf file.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00020
Vuln IDs
V-227532
Rule IDs
SV-227532r603266_rule
The rmmount.conf file controls the mounting of removable media on a Solaris system. Removable media is not to be trusted with privileged access, and therefore the filesystems must be mounted with the nosuid option, which prevents any executables with the setuid bit set on this filesystem from running with owner privileges.
Fix: F-29682r488124_fix

Edit /etc/rmmount.conf and add the nosuid mount option to the configuration.

b
The /etc/security/audit_user file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00060
Vuln IDs
V-227534
Rule IDs
SV-227534r603266_rule
The /etc/security/audit_user is a sensitive file and must be owned by root to prevent possible system compromise.
Fix: F-29684r488130_fix

Change the owner of the /etc/security/audit_user file to root. # chown root /etc/security/audit_user

b
The /etc/security/audit_user file must be group-owned by root, sys, or bin.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00080
Vuln IDs
V-227535
Rule IDs
SV-227535r603266_rule
The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could cause the loss of valuable forensics data in the case of a system compromise.
Fix: F-29685r488133_fix

Change the group owner of the audit_user file to root, bin, or sys. Example: # chgrp root /etc/security/audit_user

b
The /etc/security/audit_user file must have mode 0640 or less permissive.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
GEN000000-SOL00100
Vuln IDs
V-227536
Rule IDs
SV-227536r603266_rule
Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore his sessions. This would allow malicious operations the auditing subsystem would not log for that user.
Fix: F-29686r488136_fix

Change the mode of the audit_user file to 0640. # chmod 0640 /etc/security/audit_user

b
The /usr/aset/userlist file must exist.
RMF Control
AC-4
Severity
Medium
CCI
CCI-000032
Version
GEN000000-SOL00220
Vuln IDs
V-227541
Rule IDs
SV-227541r603266_rule
If the userlist file does not exist, then an unauthorized user may exist in the /etc/passwd file.
Fix: F-29691r488157_fix

Create the /usr/aset/userlist file and populate it with a list of authorized users.

b
The /usr/aset/userlist file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00240
Vuln IDs
V-227542
Rule IDs
SV-227542r603266_rule
If the userlist file is not owned by root, then an unauthorized user can modify the file and enter an unauthorized user.
Fix: F-29692r488160_fix

Use the chmod command to change the owner of the /usr/aset/userlist file. # chown root /usr/aset/userlist

b
The /usr/aset/userlist file must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00250
Vuln IDs
V-227543
Rule IDs
SV-227543r603266_rule
The /usr/aset/userlist file is critical to system security and must be protected from unauthorized access.
Fix: F-29693r488163_fix

Change the group ownership of the file. # chgrp root /usr/aset/userlist

b
The /usr/aset/userlist file must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00260
Vuln IDs
V-227544
Rule IDs
SV-227544r603266_rule
A permission mask not set to the required level could allow unauthorized access to sensitive system files and resources.
Fix: F-29694r488166_fix

Change the mode of the /usr/aset/userlist file to 0600. # chmod 0600 /usr/aset/userlist

b
The NFS server must have logging implemented.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
GEN000000-SOL00400
Vuln IDs
V-227546
Rule IDs
SV-227546r603266_rule
Filesystem logging, especially for NFS exported file systems, can be critical to detecting data misuse and possible hardware/system errors that may, otherwise, go unnoticed.
Fix: F-36399r602909_fix

Edit /etc/dfs/dfstab and add the log option to all exported filesystems. Run the shareall command for the changes to take effect. NFS version 2 or 3 must be forced by updating the NFS_SERVER_VERSMAX variable appropriately in /etc/default/nfs and restarting the NFS daemon.

c
The root account must be the only account with GID of 0.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GEN000000-SOL00440
Vuln IDs
V-227548
Rule IDs
SV-227548r603266_rule
Accounts with a GID of 0 have root group privileges.
Fix: F-29698r488178_fix

Change the default GID of non-root accounts to a valid GID other than 0.

b
The /etc/zones directory, and its contents, must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00540
Vuln IDs
V-227549
Rule IDs
SV-227549r603266_rule
Solaris zones configuration files must be protected against illicit creation, modification, and deletion.
Fix: F-29699r488181_fix

Change the ownership of the files and directories. # chown -R root /etc/zones

b
The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00560
Vuln IDs
V-227550
Rule IDs
SV-227550r603266_rule
Solaris zones configuration files must be protected against illicit creation, modification, and deletion.
Fix: F-29700r488184_fix

Change the group ownership of the files and directories. # chgrp -R sys /etc/zones # chgrp root /etc/zones/*.xml # chgrp bin /etc/zones/SUN*.xml

b
The /etc/zones directory, and its contents, must not be group- or world-writable.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000000-SOL00580
Vuln IDs
V-227551
Rule IDs
SV-227551r603266_rule
Solaris zones configuration files must be protected against illicit creation, modification, and deletion.
Fix: F-29701r488187_fix

Change the mode of the file or directory. # chmod 0644 <file> For directories: # chmod 0755 <directory>

b
The system clock must be synchronized continuously.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000241
Vuln IDs
V-227561
Rule IDs
SV-227561r603266_rule
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and require periodic resynchronization to ensure their accuracy. Software, such as NTPD, can be used to continuously synchronize the system clock with authoritative sources. Alternatively, the system may be synchronized periodically, with a maximum of one day between synchronizations. If the system is completely isolated (no connections to networks or other systems), time synchronization is not required as no correlation of events or operation of time-dependent protocols between systems will be necessary. If the system is completely isolated, this requirement is not applicable.
Fix: F-29711r488220_fix

Determine the type of zone that you are currently securing. # zonename If the command output is not "global", then NTP must be disabled. # svcadm disable ntp If the output from "zonename" is "global", then NTP must be enabled. # svcadm enable ntp

b
The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000250
Vuln IDs
V-227564
Rule IDs
SV-227564r603266_rule
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.
Fix: F-29714r488229_fix

Change the owner of the NTP configuration file to root. # chown root /etc/inet/ntp.conf

b
The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000251
Vuln IDs
V-227565
Rule IDs
SV-227565r603266_rule
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.
Fix: F-29715r488232_fix

Change the group owner of the NTP configuration file. Procedure: # chgrp root /etc/inet/ntp.conf

b
The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN000252
Vuln IDs
V-227566
Rule IDs
SV-227566r603266_rule
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.
Fix: F-29716r488235_fix

Change the mode of the NTP configuration file to 0640 or less permissive. # chmod 0640 /etc/inet/ntp.conf

a
All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN000380
Vuln IDs
V-227573
Rule IDs
SV-227573r603266_rule
If a user is assigned the GID of a group not existing on the system, and a group with the same GID is subsequently created, the user may have unintended rights to the group.
Fix: F-29723r488259_fix

Add a group to the system for each GID referenced that does not have a corresponding group. #/usr/sbin/groupadd < group >

c
The system must not have accounts configured with blank or null passwords.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GEN000560
Vuln IDs
V-227582
Rule IDs
SV-227582r603266_rule
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.
Fix: F-29732r488295_fix

Remove, lock, or configure a password for any account with a blank password.

b
The system must require passwords contain a minimum of 15 characters.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
GEN000580
Vuln IDs
V-227583
Rule IDs
SV-227583r603266_rule
The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.
Fix: F-29733r488298_fix

Edit /etc/default/passwd and set the PASSLENGTH variable to 15 or greater.

b
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
GEN000595
Vuln IDs
V-227586
Rule IDs
SV-227586r603266_rule
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
Fix: F-36410r602942_fix

If the /etc/security/crypt.conf file does not support FIPS 140-2 approved cryptographic hashing algorithms, upgrade to at least the Solaris 10 8/07 release. Edit the /etc/security/policy.conf file. # vi /etc/security/policy.conf Uncomment or add the CRYPT_ALGORITHMS_ALLOW line and set it to "5,6". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable. CRYPT_ALGORITHMS_ALLOW=5,6 CRYPT_DEFAULT=6 Update passwords for all accounts with non-compliant password hashes.

b
The system must require at least eight characters be changed between the old and new passwords during a password change.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
GEN000750
Vuln IDs
V-227593
Rule IDs
SV-227593r603266_rule
To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.
Fix: F-29743r488328_fix

Edit /etc/default/passwd and set or add a MINDIFF setting equal to or greater than 8.

b
The system must prohibit the reuse of passwords within five iterations.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
GEN000800
Vuln IDs
V-227595
Rule IDs
SV-227595r603266_rule
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
Fix: F-29745r488337_fix

Edit /etc/default/passwd and set HISTORY to 5.

a
The root user's home directory must not be the root directory (/).
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN000900
Vuln IDs
V-227597
Rule IDs
SV-227597r603266_rule
Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.
Fix: F-36411r602945_fix

The root home directory should be something other than / (such as /rootdir). Procedure: # mkdir /rootdir # chown root /rootdir # chgrp root /rootdir # chmod 700 /rootdir # cp -r /.??* /rootdir Edit the passwd file and change the root home directory to /rootdir. The cp -r /.??* command copies all files and subdirectories of file names beginning with "." into the new root directory, which preserves the previous root environment. The cp command must be executed from the / directory.

b
The root account's home directory (other than /) must have mode 0700.
RMF Control
AC-6
Severity
Medium
CCI
CCI-002233
Version
GEN000920
Vuln IDs
V-227598
Rule IDs
SV-227598r603266_rule
Permissions greater than 0700 could allow unauthorized users access to the root home directory.
Fix: F-29748r488349_fix

The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory. # chmod 0700 /rootdir.

b
The root accounts executable search path must contain only authorized paths.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000940
Vuln IDs
V-227600
Rule IDs
SV-227600r603266_rule
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.
Fix: F-36412r602948_fix

Edit the root user's local initialization files. Remove any empty path entries. Remove any relative path entries that have not been documented with the ISSO. Edit the root user's local initialization files and remove any empty entry that is defined.

b
The root account's library search path must be the system default and must contain only absolute paths.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000945
Vuln IDs
V-227601
Rule IDs
SV-227601r603266_rule
The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.
Fix: F-29751r488358_fix

Edit the root user initialization files and remove any definition of LD_LIBRARY_PATH.

b
The root account's list of preloaded libraries must be empty.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN000950
Vuln IDs
V-227602
Rule IDs
SV-227602r603266_rule
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with (/) are absolute paths.
Fix: F-29752r488361_fix

Edit the root user initialization files and remove any definition of LD_PRELOAD.

b
The system must prevent the root account from directly logging in except from the system console.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
GEN000980
Vuln IDs
V-227603
Rule IDs
SV-227603r603266_rule
Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.
Fix: F-29753r488367_fix

Edit the /etc/default/login file and uncomment the line containing /dev/console if it is commented out.

b
The system must not permit root logins using remote access programs such as SSH.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
GEN001120
Vuln IDs
V-227609
Rule IDs
SV-227609r603266_rule
Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account preserves the audit trail.
Fix: F-29759r488385_fix

Edit the configuration file and set the PermitRootLogin option to no.

b
System files, programs, and directories must be group-owned by a system group.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
GEN001240
Vuln IDs
V-227618
Rule IDs
SV-227618r603266_rule
Restricting permissions will protect the files from unauthorized modification.
Fix: F-29768r488412_fix

Change the group owner of system files to a system group. Procedure: # chgrp root /path/to/system/file (System groups other than root may be used.)

b
System log files must have mode 0640 or less permissive.
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
GEN001260
Vuln IDs
V-227619
Rule IDs
SV-227619r603266_rule
If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.
Fix: F-29769r488415_fix

Change the mode of the system log file(s) to 0640 or less permissive. Procedure: # chmod "0640" /path/to/system-log-file NOTE: Do not confuse system log files with audit logs. Any subsystems that require less stringent permissions must be documented.

b
NIS/NIS+/yp files must be owned by root, sys, or bin.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001320
Vuln IDs
V-227624
Rule IDs
SV-227624r603266_rule
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29774r488433_fix

Change the ownership of NIS/NIS+/yp files to root, bin, or sys. Procedure: # chown -R root /usr/lib/netsvc/yp /var/yp

b
NIS/NIS+/yp files must be group-owned by root, sys, or bin.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001340
Vuln IDs
V-227625
Rule IDs
SV-227625r603266_rule
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29775r488436_fix

Change the group owner of the NIS files to root, bin, or sys. Procedure: # chgrp -R root /usr/lib/netsvc/yp /var/yp

b
The NIS/NIS+/yp command files must have mode 0755 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001360
Vuln IDs
V-227626
Rule IDs
SV-227626r603266_rule
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and the system.
Fix: F-29776r488439_fix

Change the mode of NIS/NIS+/yp command files to 0755 or less permissive. Procedure: # chmod -R 0755 /usr/lib/netsvc/yp /var/yp

b
The /etc/resolv.conf file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001362
Vuln IDs
V-227628
Rule IDs
SV-227628r603266_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.
Fix: F-29778r488445_fix

Change the owner of the /etc/resolv.conf file to root. # chown root /etc/resolv.conf

b
The /etc/resolv.conf file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001363
Vuln IDs
V-227629
Rule IDs
SV-227629r603266_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions such as time synchronization, centralized authentication, and remote system logging.
Fix: F-29779r488448_fix

Change the group owner of the /etc/resolv.conf file to root, bin, or sys. Procedure: # chgrp root /etc/resolv.conf

b
The /etc/resolv.conf file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001364
Vuln IDs
V-227630
Rule IDs
SV-227630r603266_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.
Fix: F-29780r488451_fix

Change the mode of the /etc/resolv.conf file to 0644 or less permissive. # chmod 0644 /etc/resolv.conf

b
The /etc/hosts file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001366
Vuln IDs
V-227632
Rule IDs
SV-227632r603266_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Fix: F-29782r488457_fix

Change the owner of the /etc/hosts file to root. # chown root /etc/hosts

b
The /etc/hosts file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001367
Vuln IDs
V-227633
Rule IDs
SV-227633r603266_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Fix: F-29783r488460_fix

Change the group owner of the /etc/hosts file to root, sys, or bin. Procedure: # chgrp root /etc/hosts

b
The /etc/hosts file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001368
Vuln IDs
V-227634
Rule IDs
SV-227634r603266_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Fix: F-29784r488463_fix

Change the mode of the /etc/hosts file to 0644 or less permissive. # chmod 0644 /etc/hosts

b
The /etc/nsswitch.conf file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001371
Vuln IDs
V-227636
Rule IDs
SV-227636r603266_rule
The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.
Fix: F-29786r488469_fix

Change the owner of the /etc/nsswitch.conf file to root. # chown root /etc/nsswitch.conf

b
The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001372
Vuln IDs
V-227637
Rule IDs
SV-227637r603266_rule
The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.
Fix: F-29787r488472_fix

Change the group owner of the /etc/nsswitch.conf file to root, bin, or sys. Procedure: # chgrp root /etc/nsswitch.conf

b
The /etc/nsswitch.conf file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001373
Vuln IDs
V-227638
Rule IDs
SV-227638r603266_rule
The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.
Fix: F-29788r488475_fix

Change the mode of the /etc/nsswitch.conf file to 0644 or less permissive. Procedure: # chmod 0644 /etc/nsswitch.conf

b
The /etc/passwd file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001378
Vuln IDs
V-227640
Rule IDs
SV-227640r603266_rule
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.
Fix: F-29790r488481_fix

Change the owner of the /etc/passwd file to root. # chown root /etc/passwd

b
The /etc/passwd file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001379
Vuln IDs
V-227641
Rule IDs
SV-227641r603266_rule
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.
Fix: F-29791r488484_fix

Change the group owner of the /etc/passwd file to root, bin, or sys. Procedure: # chgrp root /etc/passwd

b
The /etc/passwd file must have mode 0644 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001380
Vuln IDs
V-227642
Rule IDs
SV-227642r603266_rule
If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.
Fix: F-29792r488487_fix

Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd Document all changes.

b
The /etc/group file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001391
Vuln IDs
V-227644
Rule IDs
SV-227644r603266_rule
The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.
Fix: F-29794r488493_fix

Change the owner of the /etc/group file to root. # chown root /etc/group

b
The /etc/group file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001392
Vuln IDs
V-227645
Rule IDs
SV-227645r603266_rule
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.
Fix: F-29795r488496_fix

Change the group owner of the /etc/group file. Procedure: # chgrp root /etc/group

b
The /etc/group file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001393
Vuln IDs
V-227646
Rule IDs
SV-227646r603266_rule
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.
Fix: F-29796r488499_fix

Change the mode of the /etc/group file to 0644 or less permissive. # chmod 0644 /etc/group

b
The /etc/shadow (or equivalent) file must be owned by root.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001400
Vuln IDs
V-227648
Rule IDs
SV-227648r603266_rule
The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29798r488505_fix

Change the ownership of the /etc/shadow file. # chown root /etc/shadow

b
The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001410
Vuln IDs
V-227649
Rule IDs
SV-227649r603266_rule
The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.
Fix: F-29799r488508_fix

Change the group owner of the /etc/shadow file. Procedure: # chgrp root /etc/shadow

b
The /etc/shadow (or equivalent) file must have mode 0400.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001420
Vuln IDs
V-227650
Rule IDs
SV-227650r603266_rule
The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.
Fix: F-29800r488511_fix

Change the mode of the /etc/shadow (or equivalent) file. # chmod <mode> <file>

a
All interactive users must be assigned a home directory in the /etc/passwd file.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN001440
Vuln IDs
V-227652
Rule IDs
SV-227652r603266_rule
If users do not have a valid home directory, there is no place for the storage and control of files they own.
Fix: F-29802r488517_fix

Assign a home directory to any user without one.

b
The /etc/passwd file must not contain password hashes.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
GEN001470
Vuln IDs
V-227654
Rule IDs
SV-227654r603266_rule
If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.
Fix: F-29804r488523_fix

Migrate /etc/passwd password hashes to /etc/shadow. # pwconv

b
The /etc/group file must not contain any group password hashes.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001475
Vuln IDs
V-227655
Rule IDs
SV-227655r603266_rule
Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.
Fix: F-29805r488526_fix

Edit /etc/group and change the password field to an exclamation point (!) to lock the group password.

b
Run control scripts executable search paths must contain only authorized paths.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001600
Vuln IDs
V-227664
Rule IDs
SV-227664r603266_rule
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
Fix: F-29814r488559_fix

Edit the run control script and remove the relative path entries from the executable search path variable that are not documented with the ISSO. Edit the run control script and remove any empty entry that is defined.

b
All system start-up files must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001660
Vuln IDs
V-227668
Rule IDs
SV-227668r603266_rule
System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.
Fix: F-29818r488571_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

b
All system start-up files must be group-owned by root, sys, or bin.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001680
Vuln IDs
V-227669
Rule IDs
SV-227669r603266_rule
If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.
Fix: F-29819r488574_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

b
All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN001800
Vuln IDs
V-227672
Rule IDs
SV-227672r603266_rule
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
Fix: F-29822r488595_fix

Change the mode of skeleton files with incorrect mode. # chmod 0644 <skeleton file>

b
All skeleton files and directories (typically in /etc/skel) must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001820
Vuln IDs
V-227674
Rule IDs
SV-227674r603266_rule
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29824r488601_fix

Change the ownership of skeleton files with incorrect mode. # chown root <skeleton file>

b
All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001830
Vuln IDs
V-227675
Rule IDs
SV-227675r603266_rule
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
Fix: F-29825r488604_fix

Change the group owner of the skeleton file to root. Procedure: # chgrp <group> /etc/skel/[skeleton file]

b
All global initialization files executable search paths must contain only authorized paths.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN001840
Vuln IDs
V-227676
Rule IDs
SV-227676r603266_rule
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
Fix: F-36417r602963_fix

Edit the global initialization file(s) with PATH variables containing relative paths and remove any relative path form the PATH variables that have not been documented with the ISSO. Edit the global initialization file(s) and remove any empty entry that is defined.

c
There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GEN002040
Vuln IDs
V-227689
Rule IDs
SV-227689r603266_rule
The .rhosts, .shosts, hosts.equiv, and shosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for preventing unauthorized access to the system.
Fix: F-29839r488649_fix

Remove the .rhosts, .shosts, hosts.equiv, and/or shosts.equiv files.

b
The .rhosts file must not be supported in PAM.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN002100
Vuln IDs
V-227691
Rule IDs
SV-227691r603266_rule
The .rhosts files are used to specify a list of hosts that are permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authentication requirements.
Fix: F-29841r488655_fix

Edit /etc/pam.conf and remove the reference(s) to the rhosts_auth module.

b
The /etc/shells (or equivalent) file must exist.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN002120
Vuln IDs
V-227692
Rule IDs
SV-227692r603266_rule
The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not be secure.
Fix: F-36421r602975_fix

Create a /etc/shells file containing a list of valid system shells. The list below contains the default shells from the shells(4) man page. Procedure (the command is 24 lines long): cat >/etc/shells <<EOF /bin/bash /bin/csh /bin/jsh /bin/ksh /bin/pfcsh /bin/pfksh /bin/pfsh /bin/sh /bin/tcsh /bin/zsh /sbin/jsh /sbin/sh /usr/bin/bash /usr/bin/csh /usr/bin/jsh /usr/bin/ksh /usr/bin/pfcsh /usr/bin/pfksh /usr/bin/pfsh /usr/bin/sh /usr/bin/tcsh /usr/bin/zsh EOF

b
Audio devices must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN002340
Vuln IDs
V-227703
Rule IDs
SV-227703r603266_rule
Globally Accessible audio and video devices have proven to be security hazards. There is software that can activate system microphones and video devices connected to user workstations and/or X terminals. Once the microphone has been activated, it is possible to eavesdrop on otherwise private conversations without the victim being aware of it. This action effectively changes the user's microphone to a bugging device.
Fix: F-29853r488691_fix

Change the owner of the audio device. # chown root <audio device>

b
Audio devices must be group-owned by root, sys, or bin.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN002360
Vuln IDs
V-227704
Rule IDs
SV-227704r603266_rule
Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information.
Fix: F-29854r488694_fix

Change the group owner of the audio device. Procedure: # chgrp system <audio device>

b
System audit logs must be owned by root.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
GEN002680
Vuln IDs
V-227716
Rule IDs
SV-227716r603266_rule
Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.
Fix: F-29866r488733_fix

Change the ownership of the audit log file(s). Procedure: # chown root <audit log file>

b
System audit logs must be group-owned by root, bin, or sys.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
GEN002690
Vuln IDs
V-227717
Rule IDs
SV-227717r603266_rule
Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system.
Fix: F-29867r488736_fix

Change the group ownership of the audit log file(s). Procedure: # chgrp root <audit log file>

b
System audit logs must have mode 0640 or less permissive.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
GEN002700
Vuln IDs
V-227718
Rule IDs
SV-227718r603266_rule
If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do not include activity, error, or other log files created by application software.
Fix: F-29868r488739_fix

Change the mode of the audit log directories/files. # chmod 0750 <audit directory> # chmod 0640 <audit file>

a
System audit tool executables must be owned by root.
RMF Control
AU-9
Severity
Low
CCI
CCI-001493
Version
GEN002715
Vuln IDs
V-227720
Rule IDs
SV-227720r603266_rule
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
Fix: F-29870r488745_fix

Change the owner of the audit tool executable to root. # chown root [audit tool executable]

a
System audit tool executables must be group-owned by root, bin, or sys.
RMF Control
AU-9
Severity
Low
CCI
CCI-001493
Version
GEN002716
Vuln IDs
V-227721
Rule IDs
SV-227721r603266_rule
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
Fix: F-29871r488748_fix

Change the group-owner of the audit tool executable to root, bin, or sys. Procedure: # chgrp root <audit tool executable>

a
System audit tool executables must have mode 0750 or less permissive.
RMF Control
AU-9
Severity
Low
CCI
CCI-001493
Version
GEN002717
Vuln IDs
V-227722
Rule IDs
SV-227722r603266_rule
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
Fix: F-29872r488751_fix

Change the mode of the audit tool executable to 0750, or less permissive. # chmod 0750 [audit tool executable]

b
The audit system must be configured to audit failed attempts to access files and programs.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
GEN002720
Vuln IDs
V-227725
Rule IDs
SV-227725r603266_rule
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Fix: F-29875r488760_fix

Edit /etc/security/audit_control and add the fr or -fr flags to the flags list. Load the new audit configuration. # auditconfig -conf

b
The audit system must be configured to audit file deletions.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
GEN002740
Vuln IDs
V-227727
Rule IDs
SV-227727r603266_rule
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Fix: F-29877r488766_fix

Edit /etc/security/audit_control and add the fd to the flags list. Load the new audit configuration. # auditconfig -conf

b
The audit system must be configured to audit all administrative, privileged, and security actions.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
GEN002760
Vuln IDs
V-227732
Rule IDs
SV-227732r603266_rule
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Fix: F-29882r488781_fix

Edit /etc/security/audit_control and add am to the flags list. Load the new audit configuration. # auditconfig -conf

b
The audit system must be configured to audit login, logout, and session initiation.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
GEN002800
Vuln IDs
V-227733
Rule IDs
SV-227733r603266_rule
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Fix: F-29883r488784_fix

Edit /etc/security/audit_control and add lo to the flags list and naflags list. Load the new audit configuration. # auditconfig -conf

b
The audit system must be configured to audit all discretionary access control permission modifications.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
GEN002820
Vuln IDs
V-227734
Rule IDs
SV-227734r603266_rule
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Fix: F-29884r488787_fix

Edit /etc/security/audit_control and add fm to the flags list. Load the new audit configuration. # auditconfig -conf

b
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
GEN002825
Vuln IDs
V-227735
Rule IDs
SV-227735r603266_rule
Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA.
Fix: F-29885r488790_fix

Edit /etc/security/audit_control and add the as flag to the flag parameter.

b
Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN002960
Vuln IDs
V-227738
Rule IDs
SV-227738r603266_rule
The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If neither cron.allow nor cron.deny exists, then any account may use the cron facility. This may open the facility up for abuse by system intruders and malicious users.
Fix: F-29888r488799_fix

Create /etc/cron.d/cron.allow and/or /etc/cron.d/cron.deny with appropriate content.

b
The cron.allow file must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN002980
Vuln IDs
V-227739
Rule IDs
SV-227739r603266_rule
A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is allowed to execute cron programs, which could be harmful to overall system and network security.
Fix: F-29889r488802_fix

Change the mode of the cron.allow file to 0600. Procedure: # chmod 0600 /etc/cron.d/cron.allow

b
Crontab files must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003080
Vuln IDs
V-227746
Rule IDs
SV-227746r603266_rule
To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.
Fix: F-29896r488823_fix

Change the mode of the crontab files. # chmod 0600 /var/spool/cron/crontabs/*

b
Cron and crontab directories must have mode 0755 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003100
Vuln IDs
V-227748
Rule IDs
SV-227748r603266_rule
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.
Fix: F-29898r488829_fix

Change the mode of the crontab directory. # chmod 0755 /var/spool/cron/crontabs

b
Cron and crontab directories must be owned by root or bin.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003120
Vuln IDs
V-227750
Rule IDs
SV-227750r603266_rule
Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29900r488835_fix

Change the owner of the crontab directory. # chown root /var/spool/cron/crontabs

b
Cron and crontab directories must be group-owned by root, sys, or bin.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003140
Vuln IDs
V-227751
Rule IDs
SV-227751r603266_rule
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group-ownership of cron or crontab directories to a system group provides the designated group and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29901r488838_fix

Change the group owner of the crontab directories to root, sys, or bin. Procedure: # chgrp root /var/spool/cron/crontabs

b
The cronlog file must have mode 0600 or less permissive.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
GEN003180
Vuln IDs
V-227753
Rule IDs
SV-227753r603266_rule
Cron logs contain reports of scheduled system activities and must be protected from unauthorized access or manipulation.
Fix: F-29903r488844_fix

Change the mode of the cron log file. # chmod 0600 /var/cron/log

b
The cron.deny file must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN003200
Vuln IDs
V-227755
Rule IDs
SV-227755r603266_rule
If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users.
Fix: F-29905r488850_fix

Change the mode of the cron.deny file. # chmod 0600 /etc/cron.d/cron.deny

b
The cron.allow file must be owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003240
Vuln IDs
V-227758
Rule IDs
SV-227758r603266_rule
If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information.
Fix: F-29908r488859_fix

# chown root /etc/cron.d/cron.allow

b
The cron.allow file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003250
Vuln IDs
V-227760
Rule IDs
SV-227760r603266_rule
If the group of the cron.allow is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs.
Fix: F-29910r488865_fix

Change the group ownership of the file. Procedure: # chgrp root /etc/cron.d/cron.allow

b
The at.deny file must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003252
Vuln IDs
V-227761
Rule IDs
SV-227761r603266_rule
The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.
Fix: F-29911r488868_fix

Change the mode of the file. # chmod 0600 /etc/cron.d/at.deny

b
The cron.deny file must be owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003260
Vuln IDs
V-227763
Rule IDs
SV-227763r603266_rule
Cron daemon control files restrict the scheduling of automated tasks and must be protected.
Fix: F-29913r488874_fix

Change the ownership of the cron.deny file to root, sys, or bin. # chown root /etc/cron.d/cron.deny

b
The cron.deny file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003270
Vuln IDs
V-227764
Rule IDs
SV-227764r603266_rule
Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs.
Fix: F-29914r488877_fix

Change the group ownership of the file to root, sys, or bin. Procedure: # chgrp root /etc/cron.d/cron.deny

b
Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN003280
Vuln IDs
V-227765
Rule IDs
SV-227765r603266_rule
The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no at.allow file, there is no ready documentation of who is allowed to submit at jobs.
Fix: F-29915r488880_fix

Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.

b
The at.deny file must not be empty if it exists.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003300
Vuln IDs
V-227766
Rule IDs
SV-227766r603266_rule
On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in the case of malicious users or system intruders.
Fix: F-29916r488883_fix

Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.

b
The at.allow file must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN003340
Vuln IDs
V-227768
Rule IDs
SV-227768r603266_rule
Permissions more permissive than 0600 (read and write for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files.
Fix: F-29918r489659_fix

Change the mode of the at.allow file. # chmod 0600 /etc/cron.d/at.allow

b
The at.allow file must be owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003460
Vuln IDs
V-227776
Rule IDs
SV-227776r603266_rule
If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.
Fix: F-29926r489683_fix

Change the owner of the at.allow file. # chown root /etc/cron.d/at.allow

b
The at.allow file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003470
Vuln IDs
V-227777
Rule IDs
SV-227777r603266_rule
If the group owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.
Fix: F-29927r489686_fix

Change the group ownership of the file. Procedure: # chgrp root /etc/cron.d/at.allow

b
The at.deny file must be owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003480
Vuln IDs
V-227778
Rule IDs
SV-227778r603266_rule
If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.
Fix: F-29928r489689_fix

Change the owner of the at.deny file. # chown root /etc/cron.d/at.deny

b
The at.deny file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003490
Vuln IDs
V-227779
Rule IDs
SV-227779r603266_rule
If the group owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized modification could result in Denial of Service to authorized "at" users or provide unauthorized users with the ability to run "at" jobs.
Fix: F-29929r489692_fix

Change the group ownership of the at.deny file to root, bin, or sys. Procedure: # chgrp root /etc/cron.d/at.deny

a
The kernel core dump data directory must be owned by root.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN003520
Vuln IDs
V-227787
Rule IDs
SV-227787r603266_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.
Fix: F-29937r489716_fix

Change the owner of the kernel core dump data directory to root. # chown root /var/crash

b
The system must implement non-executable program stacks.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003540
Vuln IDs
V-227791
Rule IDs
SV-227791r603266_rule
A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.
Fix: F-36430r603002_fix

This action applies to the global zone only. Determine the type of zone that you are currently securing. # zonename If the command output is "global", this action applies. Edit /etc/system and set the noexec_user_stack parameter to 1. Restart the system for the setting to take effect.

b
The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003580
Vuln IDs
V-227792
Rule IDs
SV-227792r603266_rule
One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection originator. If the initial TCP sequence numbers for a host can be determined by an attacker, it may be possible to establish a TCP connection from a spoofed source address without bidirectional communication.
Fix: F-29942r489731_fix

Edit /etc/default/inetinit and set the TCP_STRONG_ISS parameter to 2.

b
The system must prevent local applications from generating source-routed packets.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003606
Vuln IDs
V-227799
Rule IDs
SV-227799r603266_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Fix: F-29949r489752_fix

Edit /etc/ipf/ipf.conf and add rules to block outgoing source-routed packets, such as: block out log quick all with opt lsrr block out log quick all with opt ssrr Reload the IPF rules. Procedure: # ipf -Fa -A -f /etc/ipf/ipf.conf

b
The system must not accept source-routed IPv4 packets.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003607
Vuln IDs
V-227800
Rule IDs
SV-227800r603266_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-29950r489755_fix

Edit /etc/ipf/ipf.conf and add rules to block incoming source-routed packets, such as: block in log quick all with opt lsrr block in log quick all with opt ssrr Reload the IPF rules. Procedure: # ipf -Fa -A -f /etc/ipf/ipf.conf

a
The system must use a separate filesystem for /tmp (or equivalent).
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN003624
Vuln IDs
V-227807
Rule IDs
SV-227807r603266_rule
The use of separate filesystems for different paths can protect the system from failures resulting from a filesystem becoming full or failing.
Fix: F-29957r489779_fix

Migrate the /tmp path onto a separate file system.

b
The root file system must employ journaling or another mechanism ensuring file system consistency.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003640
Vuln IDs
V-227808
Rule IDs
SV-227808r603266_rule
File system journaling, or logging, can allow reconstruction of file system data after a system crash, thus, preserving the integrity of data that may have otherwise been lost. Journaling file systems typically do not require consistent checks upon booting after a crash, which can improve system availability. Some file systems employ other mechanisms to ensure consistency which also satisfy this requirement.
Fix: F-36432r603008_fix

Implement file system journaling for the root file system, or use a file system using other mechanisms to ensure consistency. If the root file system supports journaling, enable it. If the file system does not support journaling or another mechanism to ensure consistency, a migration to a different file system will be necessary.

b
The inetd.conf file must have mode 0440 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN003740
Vuln IDs
V-227814
Rule IDs
SV-227814r603266_rule
The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system.
Fix: F-29964r489800_fix

Change the mode of the inetd.conf file. # chmod 0440 /etc/inet/inetd.conf

b
The services file must be owned by root or bin.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN003760
Vuln IDs
V-227816
Rule IDs
SV-227816r603266_rule
Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
Fix: F-29966r489806_fix

Change the ownership of the services file to root or bin. Procedure: # chown root /etc/services

b
The services file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003770
Vuln IDs
V-227817
Rule IDs
SV-227817r603266_rule
Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which could weaken the system's security posture.
Fix: F-29967r489809_fix

Change the group-owner of the services file. Procedure: # chgrp root /etc/services

b
The services file must have mode 0444 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN003780
Vuln IDs
V-227818
Rule IDs
SV-227818r603266_rule
The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.
Fix: F-29968r489812_fix

Change the mode of the services file to 0444 or less permissive. Procedure: # chmod 0444 /etc/services

b
The rshd service must not be installed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
GEN003825
Vuln IDs
V-227822
Rule IDs
SV-227822r603266_rule
The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
Fix: F-29972r489830_fix

Remove the SUNWrcmdr package. Procedure: # pkgrm SUNWrcmdr

b
The rlogind service must not be installed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
GEN003835
Vuln IDs
V-227823
Rule IDs
SV-227823r603266_rule
The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
Fix: F-29973r489836_fix

Remove the SUNWrcmdr package. Procedure: # pkgrm SUNWrcmdr

c
The rexec daemon must not be running.
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
GEN003840
Vuln IDs
V-227824
Rule IDs
SV-227824r603266_rule
The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
Fix: F-29974r489839_fix

# svcadm disable rexec # svcadm refresh inetd

b
The rexecd service must not be installed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
GEN003845
Vuln IDs
V-227825
Rule IDs
SV-227825r603266_rule
The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
Fix: F-29975r489842_fix

Remove the SUNWrcmdr package. Procedure: # pkgrm SUNWrcmdr

c
The telnet daemon must not be running.
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
GEN003850
Vuln IDs
V-227826
Rule IDs
SV-227826r603266_rule
The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. Satisfies: SRG-OS-000074, SRG-OS-000520
Fix: F-29976r489845_fix

Disable the telnet daemon. # svcadm disable telnet # svcadm refresh inetd

a
The system must not have the finger service active.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN003860
Vuln IDs
V-227827
Rule IDs
SV-227827r603266_rule
The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks.
Fix: F-29977r489848_fix

Disable the finger service and restart inetd. Procedure: # svcadm disable finger # svcadm refresh inetd

b
The traceroute command owner must be root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003960
Vuln IDs
V-227832
Rule IDs
SV-227832r603266_rule
If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.
Fix: F-29982r489869_fix

Change the owner of the traceroute command to root. Example procedure: # chown root /usr/sbin/traceroute

b
The traceroute command must be group-owned by sys, bin, or root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN003980
Vuln IDs
V-227833
Rule IDs
SV-227833r603266_rule
If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.
Fix: F-29983r489872_fix

Change the group-owner of the traceroute command to root. Procedure: # chgrp root /usr/sbin/traceroute

b
The alias file must be owned by root.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN004360
Vuln IDs
V-227837
Rule IDs
SV-227837r603266_rule
If the alias file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.
Fix: F-29987r489884_fix

Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root. Procedure: # chown root /etc/mail/aliases

a
Sendmail logging must not be set to less than nine in the sendmail.cf file.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN004440
Vuln IDs
V-227843
Rule IDs
SV-227843r603266_rule
If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the Sendmail service.
Fix: F-29993r489905_fix

Edit the sendmail.conf file, locate the "O L" or LogLevel entry and change it to 9.

b
The system syslog service must log informational and more severe SMTP service messages.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
GEN004460
Vuln IDs
V-227844
Rule IDs
SV-227844r603266_rule
If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed.
Fix: F-29994r489908_fix

Edit the syslog.conf file and add a configuration line specifying an appropriate destination for mail.crit syslogs.

b
The ftpusers file must exist.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN004880
Vuln IDs
V-227855
Rule IDs
SV-227855r603266_rule
The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.
Fix: F-30005r489959_fix

Create a /etc/ftpd/ftpusers file containing a list of accounts not authorized for FTP.

b
The ftpusers file must be owned by root.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN004920
Vuln IDs
V-227857
Rule IDs
SV-227857r603266_rule
If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
Fix: F-30007r489965_fix

Change the owner of the ftpusers file to root. # chown root /etc/ftpd/ftpusers

b
The ftpusers file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN004930
Vuln IDs
V-227858
Rule IDs
SV-227858r603266_rule
If the ftpusers file is not group-owned by root or a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
Fix: F-30008r489968_fix

Change the group owner of the ftpusers file. Procedure: # chgrp root /etc/ftpusers

b
The ftpusers file must have mode 0640 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN004940
Vuln IDs
V-227859
Rule IDs
SV-227859r603266_rule
Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users to access the FTP service.
Fix: F-30009r489971_fix

Change the mode of the ftpusers file to 0640. # chmod 0640 /etc/ftpd/ftpusers

c
Anonymous FTP accounts must not have a functional shell.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GEN005000
Vuln IDs
V-227862
Rule IDs
SV-227862r603266_rule
If an anonymous FTP account has been configured to use a functional shell, attackers could gain access to the shell if the account is compromised.
Fix: F-30012r489980_fix

Configure anonymous FTP accounts to use a non-functional shell. If necessary, edit the /etc/passwd file to remove any functioning shells associated with the FTP account and replace them with non-functioning shells, such as, /dev/null.

c
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
GEN005080
Vuln IDs
V-227865
Rule IDs
SV-227865r603266_rule
Secure mode limits TFTP requests to a specific directory. If TFTP is not running in secure mode, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability.
Fix: F-30015r489989_fix

Edit /etc/inet/inetd.conf and add the -s parameter to TFTPD. # inetconv OR Update the SMF entry for the TFTP daemon. # svccfg -s tftp/udp6 setprop inetd_start/exec = "astring:\"/usr/sbin/in.tftpd -s <other TFTPD options>\""

c
The TFTP daemon must have mode 0755 or less permissive.
RMF Control
AC-3
Severity
High
CCI
CCI-002165
Version
GEN005100
Vuln IDs
V-227866
Rule IDs
SV-227866r603266_rule
If TFTP runs with the setuid or setgid bit set, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability.
Fix: F-30016r489992_fix

Change the mode of the TFTP daemon. Procedure: # chmod 0755 /usr/sbin/in.tftpd

b
All .Xauthority files must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005180
Vuln IDs
V-227869
Rule IDs
SV-227869r603266_rule
.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.
Fix: F-30019r490004_fix

Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority

b
The /etc/syslog.conf file must have mode 0640 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005390
Vuln IDs
V-227885
Rule IDs
SV-227885r603266_rule
Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file.
Fix: F-30035r490052_fix

Change the permissions of the syslog configuration file. # chmod 0640 /etc/syslog.conf

b
The /etc/syslog.conf file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005400
Vuln IDs
V-227887
Rule IDs
SV-227887r603266_rule
If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.
Fix: F-30037r490058_fix

Use the chown command to set the owner to root. # chown root /etc/syslog.conf

b
The /etc/syslog.conf file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005420
Vuln IDs
V-227888
Rule IDs
SV-227888r603266_rule
If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.
Fix: F-30038r490061_fix

Change the group owner of the /etc/syslog.conf file to root, bin, or sys. Procedure: # chgrp root /etc/syslog.conf

b
The SSH client must be configured to only use the SSHv2 protocol.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
GEN005501
Vuln IDs
V-227891
Rule IDs
SV-227891r603266_rule
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client.
Fix: F-30041r490079_fix

Edit the /etc/ssh/ssh_config file and add or edit a Protocol configuration line that does not allow versions less than 2.

b
The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005506
Vuln IDs
V-227894
Rule IDs
SV-227894r603266_rule
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
Fix: F-36443r603041_fix

Edit /etc/ssh/sshd_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the sshd_config manpage. Restart the SSH daemon.

b
The SSH client must be configured to not use CBC-based ciphers.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005511
Vuln IDs
V-227897
Rule IDs
SV-227897r603266_rule
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
Fix: F-30047r490097_fix

Edit /etc/ssh/ssh_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the ssh_config manpage.

b
The SSH public host key files must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005522
Vuln IDs
V-227900
Rule IDs
SV-227900r603266_rule
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Fix: F-30050r490106_fix

Change the permissions for the SSH public host key files. # chmod 0644 /etc/ssh/*key.pub

b
The SSH private host key files must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005523
Vuln IDs
V-227901
Rule IDs
SV-227901r603266_rule
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Fix: F-30051r490109_fix

Change the permissions for the SSH private host key files. # chmod 0600 /etc/ssh/*key

a
The SSH daemon must not permit GSSAPI authentication unless needed.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN005524
Vuln IDs
V-227902
Rule IDs
SV-227902r603266_rule
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
Fix: F-30052r490112_fix

Edit the SSH daemon configuration and set (add if necessary) a GSSAPIAuthentication directive set to no.

a
The SSH client must not permit GSSAPI authentication unless needed.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN005525
Vuln IDs
V-227903
Rule IDs
SV-227903r603266_rule
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
Fix: F-30053r490115_fix

Edit the SSH client configuration and set (add if necessary) a GSSAPIAuthentication directive set to no.

b
The SSH daemon must not allow compression or must only allow compression after successful authentication.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005539
Vuln IDs
V-227906
Rule IDs
SV-227906r603266_rule
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
Fix: F-30056r490124_fix

Edit the SSH daemon configuration and add or edit the Compression setting value to no or delayed.

b
The SSH daemon must be configured for IP filtering.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005540
Vuln IDs
V-227907
Rule IDs
SV-227907r603266_rule
The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.
Fix: F-30057r490127_fix

Add appropriate IP restrictions for SSH to the /etc/hosts.deny and/or /etc/hosts.allow files.

b
The NFS export configuration file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005740
Vuln IDs
V-227913
Rule IDs
SV-227913r603266_rule
Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.
Fix: F-30063r490151_fix

Change the owner of the dfstab file to root. Example: # chown root /etc/dfs/dfstab

b
The NFS export configuration file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN005750
Vuln IDs
V-227914
Rule IDs
SV-227914r603266_rule
Failure to give group ownership of the NFS export configuration file to root or system groups provides the designated group owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.
Fix: F-30064r490154_fix

Change the group ownership of the NFS export configuration file. Procedure: # chgrp root /etc/dfs/dfstab

a
The NFS export configuration file must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN005760
Vuln IDs
V-227915
Rule IDs
SV-227915r603266_rule
Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.
Fix: F-30065r490157_fix

Change the permissions of the dfstab file to 664 or less permissive. # chmod 0644 /etc/dfs/dfstab

b
The system must not run Samba unless needed.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
GEN006060
Vuln IDs
V-227924
Rule IDs
SV-227924r603266_rule
Samba is a tool used for the sharing of files and printers between Windows and UNIX operating systems. It provides access to sensitive files and, therefore, poses a security risk if compromised.
Fix: F-30074r490190_fix

If there is no functional need for Samba and the daemon is running, disable the daemon by killing the process ID as noted from the output of ps -ef |grep smbd. The utility should also be removed or not installed if there is no functional requirement.

b
The smb.conf file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006100
Vuln IDs
V-227925
Rule IDs
SV-227925r603266_rule
The smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.
Fix: F-30075r490196_fix

Change the ownership of the smb.conf file. Procedure: # chown root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf

b
The smb.conf file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006120
Vuln IDs
V-227926
Rule IDs
SV-227926r603266_rule
If the group owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised.
Fix: F-30076r490199_fix

Change the group owner of the smb.conf file. Procedure: # chgrp root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf

b
The smb.conf file must have mode 0644 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN006140
Vuln IDs
V-227927
Rule IDs
SV-227927r603266_rule
If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.
Fix: F-30077r490202_fix

Change the mode of the smb.conf file to 0644 or less permissive. Procedure: # chmod 0644 /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf

b
The smbpasswd file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006160
Vuln IDs
V-227929
Rule IDs
SV-227929r603266_rule
If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
Fix: F-30079r490208_fix

Use the chown command to configure the smb passwd file. # chown root /etc/sfw/private/smbpasswd

b
The smbpasswd file must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006180
Vuln IDs
V-227930
Rule IDs
SV-227930r603266_rule
If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
Fix: F-30080r490211_fix

Use the chgrp command to ensure the group owner of the smbpasswd file is root. # chgrp root /etc/sfw/private/smbpasswd

b
The smbpasswd file must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN006200
Vuln IDs
V-227931
Rule IDs
SV-227931r603266_rule
If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
Fix: F-30081r490214_fix

Change the mode of the smbpasswd file to 0600. Procedure: # chmod 0600 /etc/sfw/private/smbpasswd

b
Samba must be configured to use an authentication mechanism other than "share."
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006225
Vuln IDs
V-227934
Rule IDs
SV-227934r603266_rule
Samba share authentication does not provide for individual user identification and must not be used.
Fix: F-30084r490223_fix

Edit the smb.conf file and change the security setting to user or another valid setting other than share.

b
Samba must be configured to not allow guest access to shares.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006235
Vuln IDs
V-227936
Rule IDs
SV-227936r603266_rule
Guest access to shares permits anonymous access and is not permitted.
Fix: F-30086r490229_fix

Edit the smb.conf file and change the guest ok setting to no.

b
The system must not run an Internet Network News (INN) server.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
GEN006240
Vuln IDs
V-227937
Rule IDs
SV-227937r603266_rule
Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the server and from the server to authorized remote hosts. If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.
Fix: F-30087r490232_fix

Disable the INN server.

b
The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN006260
Vuln IDs
V-227938
Rule IDs
SV-227938r603266_rule
Excessive permissions on the hosts.nntp file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.
Fix: F-30088r490235_fix

Change the mode of the /etc/news/hosts.nntp file to 0600. # chmod 0600 /etc/news/hosts.nntp

b
The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN006280
Vuln IDs
V-227940
Rule IDs
SV-227940r603266_rule
Excessive permissions on the hosts.nntp.nolimit file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.
Fix: F-30090r490241_fix

Change the mode of /etc/news/hosts.nntp.nolimit to 0600. # chmod 0600 /etc/news/hosts.nntp.nolimit

b
The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN006300
Vuln IDs
V-227942
Rule IDs
SV-227942r603266_rule
Excessive permissions on the nnrp.access file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.
Fix: F-30092r490247_fix

Change the mode of the /etc/news/nnrp.access file to 0600. # chmod 0600 /etc/news/nnrp.access

b
The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
GEN006320
Vuln IDs
V-227944
Rule IDs
SV-227944r603266_rule
File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users.
Fix: F-30094r490253_fix

Change the mode of the /etc/news/passwd.nntp file. # chmod 0600 /etc/news/passwd.nntp

b
Files in /etc/news must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006340
Vuln IDs
V-227946
Rule IDs
SV-227946r603266_rule
If critical system files are not owned by a privileged user, system integrity could be compromised.
Fix: F-30096r490259_fix

Change the ownership of the /etc/news directory and the files in it to root. Procedure: # chown -R root /etc/news

b
The files in /etc/news must be group-owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN006360
Vuln IDs
V-227947
Rule IDs
SV-227947r603266_rule
If critical system files do not have a privileged group owner, system integrity could be compromised.
Fix: F-30097r490262_fix

Change the group owner of the /etc/news directory and the files in it to root. Procedure: # chgrp -R root /etc/news

b
The Network Information System (NIS) protocol must not be used.
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
GEN006400
Vuln IDs
V-227949
Rule IDs
SV-227949r603266_rule
Due to numerous security vulnerabilities existing within NIS, it must not be used. Possible alternative directory services are NIS+ and LDAP.
Fix: F-30099r490268_fix

Disable the use of NIS. Possible replacements are NIS+ and LDAP.

b
The DHCP client must be disabled if not needed.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN007840
Vuln IDs
V-227962
Rule IDs
SV-227962r603266_rule
DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server.
Fix: F-30112r490319_fix

Delete the DHCP client configuration. # rm /etc/dhcp.*

b
If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN008060
Vuln IDs
V-227969
Rule IDs
SV-227969r603266_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
Fix: F-30119r490343_fix

Change the permissions of the files. # chmod 0600 /var/ldap/ldap_client_file /var/ldap/ldap_client_cred

b
If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN008080
Vuln IDs
V-227970
Rule IDs
SV-227970r603266_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
Fix: F-30120r490346_fix

Change the owner of the files. # chown root /var/ldap/ldap_client_file /var/ldap/ldap_client_cred

b
If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN008100
Vuln IDs
V-227971
Rule IDs
SV-227971r603266_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
Fix: F-30121r490349_fix

Change the group-owner of the files to root, bin, or sys. Procedure: # chgrp root /var/ldap/ldap_client_file /var/ldap/ldap_client_cred

a
Automated file system mounting tools must not be enabled unless needed.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN008440
Vuln IDs
V-227976
Rule IDs
SV-227976r603266_rule
Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must be disabled to reduce the risk of unauthorized access to these resources.
Fix: F-30126r490367_fix

Stop and disable the autofs service. # svcadm disable autofs

a
The system must have USB disabled unless needed.
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
GEN008460
Vuln IDs
V-227977
Rule IDs
SV-227977r603266_rule
USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
Fix: F-30127r490370_fix

Remove the SUNWusb package. # pkgrm SUNWusb

b
The system must employ a local firewall.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
GEN008520
Vuln IDs
V-227980
Rule IDs
SV-227980r603266_rule
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
Fix: F-30130r490379_fix

Enable the system's local firewall. # svcadm enable network/ipfilter

a
The system package management tool must cryptographically verify the authenticity of software packages during installation.
RMF Control
CM-5
Severity
Low
CCI
CCI-001749
Version
GEN008800
Vuln IDs
V-227986
Rule IDs
SV-227986r603266_rule
To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic.
Fix: F-30136r490418_fix

Edit /var/sadm/install/admin/default and set the authentication setting to quit.