Solaris 11 X86 Security Technical Implementation Guide
- Version/Release: V2R9
- Published: 2023-11-27
-
Expand All:
- Severity:
-
Sort:
Compare
Select any two versions of this STIG to compare the individual requirements
View
Select any old version/release of this STIG to view the previous requirements
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-001487
- Version
- SOL-11.1-010040
- Vuln IDs
-
- V-216011
- V-47781
- Rule IDs
-
- SV-216011r603268_rule
- SV-60657
Checks: C-17249r372415_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17247r372416_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-7
- Severity
- Medium
- CCI
- CCI-000158
- Version
- SOL-11.1-010080
- Vuln IDs
-
- V-216014
- V-47787
- Rule IDs
-
- SV-216014r603268_rule
- SV-60663
Checks: C-17252r372424_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17250r372425_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SOL-11.1-010100
- Vuln IDs
-
- V-216015
- V-47789
- Rule IDs
-
- SV-216015r603268_rule
- SV-60665
Checks: C-17253r372427_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17251r372428_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SOL-11.1-010120
- Vuln IDs
-
- V-216016
- V-47791
- Rule IDs
-
- SV-216016r603268_rule
- SV-60667
Checks: C-17254r372430_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17252r372431_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SOL-11.1-010140
- Vuln IDs
-
- V-216018
- V-47795
- Rule IDs
-
- SV-216018r603268_rule
- SV-60671
Checks: C-17256r372436_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17254r372437_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000131
- Version
- SOL-11.1-010150
- Vuln IDs
-
- V-216019
- V-47797
- Rule IDs
-
- SV-216019r603268_rule
- SV-60673
Checks: C-17257r372439_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17255r372440_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000132
- Version
- SOL-11.1-010160
- Vuln IDs
-
- V-216020
- V-47799
- Rule IDs
-
- SV-216020r603268_rule
- SV-60675
Checks: C-17258r372442_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17256r372443_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000133
- Version
- SOL-11.1-010170
- Vuln IDs
-
- V-216021
- V-47801
- Rule IDs
-
- SV-216021r603268_rule
- SV-60677
Checks: C-17259r372445_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17257r372446_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000134
- Version
- SOL-11.1-010180
- Vuln IDs
-
- V-216022
- V-47803
- Rule IDs
-
- SV-216022r603268_rule
- SV-60679
Checks: C-17260r372448_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-17258r372449_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-010220
- Vuln IDs
-
- V-216023
- V-47805
- Rule IDs
-
- SV-216023r603268_rule
- SV-60681
Checks: C-17261r372451_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the OS version you are currently securing. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active |cut -f2 -d= If "fd" audit flag is not included in output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "fd" audit flag is not included in output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17259r372452_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- SOL-11.1-010230
- Vuln IDs
-
- V-216024
- V-47807
- Rule IDs
-
- SV-216024r916449_rule
- SV-60683
Checks: C-17262r916448_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17260r877443_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- SOL-11.1-010250
- Vuln IDs
-
- V-216025
- V-47809
- Rule IDs
-
- SV-216025r916451_rule
- SV-60685
Checks: C-17263r916450_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17261r877446_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001404
- Version
- SOL-11.1-010260
- Vuln IDs
-
- V-216026
- V-47811
- Rule IDs
-
- SV-216026r916453_rule
- SV-60687
Checks: C-17264r916452_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17262r877449_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001405
- Version
- SOL-11.1-010270
- Vuln IDs
-
- V-216027
- V-47813
- Rule IDs
-
- SV-216027r916455_rule
- SV-60689
Checks: C-17265r916454_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17263r877452_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-010290
- Vuln IDs
-
- V-216028
- V-47815
- Rule IDs
-
- SV-216028r916457_rule
- SV-60691
Checks: C-17266r916456_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "as" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17264r877455_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-010300
- Vuln IDs
-
- V-216029
- V-47817
- Rule IDs
-
- SV-216029r916459_rule
- SV-60693
Checks: C-17267r916458_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "as" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17265r877458_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AC-17
- Severity
- Low
- CCI
- CCI-000067
- Version
- SOL-11.1-010310
- Vuln IDs
-
- V-216030
- V-47819
- Rule IDs
-
- SV-216030r793046_rule
- SV-60695
Checks: C-17268r793045_chk
The Audit Configuration profile is required. Check that the audit flag for auditing login and logout is enabled. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the OS version you are currently securing. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "lo" audit flag is not included in output, this is a finding # pfexec auditconfig -getnaflags | grep active | cut -f2 -d= If "na" and "lo" audit flags are not included in output, this is a finding For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa" or if the "ft,lo,ap,ss,as,ua,pe” audit flag(s) are not included in output, this is a finding # pfexec auditconfig -t -getnaflags | cut -f2 -d= If "na" and "lo" audit flags are not included in output, this is a finding Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17266r372473_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm # pfexec auditconfig -setnaflags lo,na For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm # pfexec auditconfig -setnaflags lo,na Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-010340
- Vuln IDs
-
- V-216033
- V-47825
- Rule IDs
-
- SV-216033r603268_rule
- SV-60701
Checks: C-17271r372481_chk
The Audit Configuration profile is required. Check that the audit flag for auditing file access is enabled. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the OS version you are currently securing. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "-fa" and "-ps" audit flags are not displayed, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "-fa", "-ex", and "-ps" audit flags are not displayed, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-17269r372482_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AU-10
- Severity
- Low
- CCI
- CCI-000166
- Version
- SOL-11.1-010350
- Vuln IDs
-
- V-216034
- V-47827
- Rule IDs
-
- SV-216034r603268_rule
- SV-60703
Checks: C-17272r462475_chk
Audit Configuration rights profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check that the syslog audit plugin is enabled. # pfexec auditconfig -getplugin | grep audit_syslog If "inactive" appears, this is a finding. Determine which system-log service instance is online. # pfexec svcs system-log Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly: # grep audit.notice /etc/syslog.conf or # grep @@ /etc/rsyslog.conf If audit.notice @remotesystemname , audit.notice !remotesystemname (syslog configuration) or *.* @@remotesystemname (rsyslog configuration) points to an invalid remote system or is commented out, this is a finding. If no output is produced, this is a finding. Check the remote syslog host to ensure that audit records can be found for this host.
Fix: F-17270r462476_fix
Service Management, Audit Configuration and Audit Control rights profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Configure Solaris 11 to use the syslog audit plugin # pfexec auditconfig -setplugin audit_syslog active Determine which system-log service instance is online. # pfexec svcs system-log If the default system-log service is online: # pfedit /etc/syslog.conf Add the line: audit.notice @[remotesystemname] or audit.notice ![remotesystemname] Replacing the remote system name with the correct hostname. If the rsyslog service is online, modify the /etc/rsyslog.conf file. # pfedit /etc/rsyslog.conf Add the line: *.* @@[remotesystemname] Or *.* :omrelp:[remotesystemname]:[designatedportnumber] Replacing the remote system name with the correct hostname. Create the log file on the remote system # touch /var/adm/auditlog Refresh the syslog service # pfexec svcadm refresh system/system-log:default or # pfexec svcadm refresh system/system-log:rsyslog Refresh the audit service # pfexec audit -s
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-010360
- Vuln IDs
-
- V-216035
- V-47831
- Rule IDs
-
- SV-216035r603268_rule
- SV-60705
Checks: C-17273r372487_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. For each user on the system (not including root), check to see if special auditing flag configurations are set. # userattr audit_flags [username] If any flags are returned, this is a finding.
Fix: F-17271r372488_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. For each user on the system, remove all special audit configuration flags. # usermod -K audit_flags= [username]
- RMF Control
- AU-5
- Severity
- High
- CCI
- CCI-000139
- Version
- SOL-11.1-010390
- Vuln IDs
-
- V-216038
- V-47845
- Rule IDs
-
- SV-216038r603268_rule
- SV-60719
Checks: C-17276r372496_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The root role is required. Verify the presence of an audit_warn entry in /etc/mail/aliases. # /usr/lib/sendmail -bv audit_warn If the response is: audit_warn... User unknown this is a finding. Review the output of the command and verify that the audit_warn alias notifies the appropriate users in this form: audit_warn:user1,user2 If an appropriate user is not listed, this is a finding.
Fix: F-17274r372497_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000140
- Version
- SOL-11.1-010420
- Vuln IDs
-
- V-216041
- V-47863
- Rule IDs
-
- SV-216041r603268_rule
- SV-60737
Checks: C-17279r372505_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. # pfexec auditconfig -getpolicy | grep ahlt If the output does not include "ahlt" as an active audit policy, this is a finding. # pfexec auditconfig -getpolicy | grep active | grep cnt If the output includes "cnt" as an active audit policy, this is a finding.
Fix: F-17277r372506_fix
The Audit Configuration profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Set audit policy to halt and suspend on failure. # pfexec auditconfig -setpolicy +ahlt # pfexec auditconfig -setpolicy -cnt
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000162
- Version
- SOL-11.1-010440
- Vuln IDs
-
- V-216042
- V-47869
- Rule IDs
-
- SV-216042r603268_rule
- SV-60741
Checks: C-36490r603073_chk
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check that the directory storing the audit files is owned by root and has permissions 750 or less. Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # ls -ld /var/share/audit Check the audit directory is owned by root, group is root, and permissions are 750 (rwx r-- ---) or less. If the permissions are excessive, this is a finding.
Fix: F-36454r603074_fix
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile| The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # chown root [directory] # chgrp root [directory] # chmod 750 [directory]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020010
- Vuln IDs
-
- V-216045
- V-47881
- Rule IDs
-
- SV-216045r603268_rule
- SV-60753
Checks: C-17283r372517_chk
The Software Installation Profile is required. An up-to-date Solaris repository must be accessible to the system. Enter the command: # pkg publisher to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured. Check for Solaris software package updates: # pfexec pkg update -n If the command does not report "No updates available for this image," this is a finding.
Fix: F-17281r372518_fix
The Software Installation Profile is required. An up-to-date Solaris repository must be accessible to the system. Enter the command: # pkg publisher to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured. Update system packages to the current version. # pfexec pkg update A reboot may be required for the updates to take effect.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001493
- Version
- SOL-11.1-020030
- Vuln IDs
-
- V-216047
- V-47885
- Rule IDs
-
- SV-216047r603268_rule
- SV-60757
Checks: C-17285r372523_chk
The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.
Fix: F-17283r372524_fix
The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001494
- Version
- SOL-11.1-020040
- Vuln IDs
-
- V-216048
- V-47887
- Rule IDs
-
- SV-216048r603268_rule
- SV-60759
Checks: C-17286r372526_chk
The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.
Fix: F-17284r372527_fix
The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001495
- Version
- SOL-11.1-020050
- Vuln IDs
-
- V-216049
- V-47889
- Rule IDs
-
- SV-216049r603268_rule
- SV-60761
Checks: C-17287r372529_chk
The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.
Fix: F-17285r372530_fix
The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001496
- Version
- SOL-11.1-020080
- Vuln IDs
-
- V-216050
- V-47891
- Rule IDs
-
- SV-216050r603268_rule
- SV-60763
Checks: C-17288r372532_chk
The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.
Fix: F-17286r372533_fix
The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-020090
- Vuln IDs
-
- V-216051
- V-47893
- Rule IDs
-
- SV-216051r603268_rule
- SV-60765
Checks: C-17289r372535_chk
Determine if the finger package is installed. # pkg list service/network/finger If an installed package named service/network/finger is listed, this is a finding.
Fix: F-17287r372536_fix
The Software Installation Profile is required. # pfexec pkg uninstall service/network/finger
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020100
- Vuln IDs
-
- V-216052
- V-47901
- Rule IDs
-
- SV-216052r603268_rule
- SV-60773
Checks: C-17290r372538_chk
Determine if the legacy remote access package is installed. # pkg list service/network/legacy-remote-utilities If an installed package named service/network/legacy-remote-utilities is listed, this is a finding.
Fix: F-17288r372539_fix
The Software Installation Profile is required. # pfexec pkg uninstall service/network/legacy-remote-utilities
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-020110
- Vuln IDs
-
- V-216053
- V-47905
- Rule IDs
-
- SV-216053r603268_rule
- SV-60777
Checks: C-17291r372541_chk
Determine if the NIS package is installed. # pkg list service/network/nis If an installed package named "service/network/nis" is listed, this is a finding.
Fix: F-17289r372542_fix
The Software Installation Profile is required. # pfexec pkg uninstall service/network/nis
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-020120
- Vuln IDs
-
- V-216054
- V-47909
- Rule IDs
-
- SV-216054r603268_rule
- SV-60781
Checks: C-17292r372544_chk
Determine if the pidgin package is installed. # pkg list communication/im/pidgin If an installed package named communication/im/pidgin is listed, this is a finding.
Fix: F-17290r372545_fix
The Software Installation Profile is required. # pfexec pkg uninstall communication/im/pidgin
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-020130
- Vuln IDs
-
- V-216055
- V-47911
- Rule IDs
-
- SV-216055r603268_rule
- SV-60783
Checks: C-17293r372547_chk
Determine if the FTP package is installed. # pkg list service/network/ftp If an installed package named "service/network/ftp" is listed and not required for operations, this is a finding.
Fix: F-17291r372548_fix
The Software Installation Profile is required. # pfexec pkg uninstall service/network/ftp
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-020140
- Vuln IDs
-
- V-216056
- V-47913
- Rule IDs
-
- SV-216056r603268_rule
- SV-60785
Checks: C-17294r372550_chk
Determine if the TFTP package is installed. # pkg list service/network/tftp If an installed package named "/service/network/tftp" is listed and not required for operations, this is a finding.
Fix: F-17292r372551_fix
The Software Installation Profile is required. # pfexec pkg uninstall install/installadm # pfexec pkg uninstall service/network/tftp
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-020150
- Vuln IDs
-
- V-216057
- V-47915
- Rule IDs
-
- SV-216057r603268_rule
- SV-60787
Checks: C-17295r372553_chk
Determine if the telnet daemon package in installed. # pkg list service/network/telnet If an installed package named "service/network/telnet" is listed and vntsd is not in use for LDoms, this is a finding.
Fix: F-17293r372554_fix
The Software Installation Profile is required. # pfexec pkg uninstall service/network/telnet
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-020160
- Vuln IDs
-
- V-216058
- V-47917
- Rule IDs
-
- SV-216058r603268_rule
- SV-60789
Checks: C-17296r372556_chk
Determine if the UUCP package is installed. # pkg list /service/network/uucp If an installed package named "/service/network/uucp" is listed, this is a finding.
Fix: F-17294r372557_fix
The Software Installation Profile is required. # pfexec pkg uninstall /service/network/uucp
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020170
- Vuln IDs
-
- V-216059
- V-47919
- Rule IDs
-
- SV-216059r603268_rule
- SV-60791
Checks: C-17297r372559_chk
Check the status of the rpcbind service local_only property. # svcprop -p config/local_only network/rpc/bind If the state is not "true", this is a finding, unless it is required for system operations, then this is not a finding.
Fix: F-17295r372560_fix
The Service Management profile is required. If services such as portmap or rpcbind are required for system operations, the operator must document the services used and obtain approval from their Authorizing Official. They should also document the method(s) of blocking all other remote accesses through tools like a firewall or tcp_wrappers. Otherwise, configure the rpc/bind service for local only access. # svccfg -s network/rpc/bind setprop config/local_only=true
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020180
- Vuln IDs
-
- V-216060
- V-47921
- Rule IDs
-
- SV-216060r603268_rule
- SV-60793
Checks: C-17298r372562_chk
Determine if the VNC server package is installed. # pkg list x11/server/xvnc If an installed package named "x11/server/xvnc is listed" is listed, this is a finding.
Fix: F-17296r372563_fix
The Software Installation Profile is required. # pfexec pkg uninstall x11/server/xvnc
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- SOL-11.1-020220
- Vuln IDs
-
- V-216062
- V-47925
- Rule IDs
-
- SV-216062r603268_rule
- SV-60797
Checks: C-17300r372568_chk
Identify the packages installed on the system. # pkg list Any unauthorized software packages listed in the output are a finding.
Fix: F-17298r372569_fix
The Software Installation profile is required. Identify packages installed on the system: # pkg list uninstall unauthorized packages: # pfexec pkg uninstall [ package name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020300
- Vuln IDs
-
- V-216064
- V-59827
- Rule IDs
-
- SV-216064r603268_rule
- SV-74257
Checks: C-17302r372574_chk
Check run control script modes. # ls -lL /etc/rc* /etc/init.d /lib/svc/method If any run control script has a mode more permissive than 0755, this is a finding.
Fix: F-17300r372575_fix
Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. If they are world writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod go-w <startupfile>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020310
- Vuln IDs
-
- V-216065
- V-59829
- Rule IDs
-
- SV-216065r603268_rule
- SV-74259
Checks: C-17303r372577_chk
Verify run control scripts have no extended ACLs. # ls -lL /etc/rc* /etc/init.d If the permissions include a "+", the file has an extended ACL and this is a finding.
Fix: F-17301r372578_fix
Remove the extended ACL from the file. # chmod A- [run control script with extended ACL]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020320
- Vuln IDs
-
- V-216066
- V-59831
- Rule IDs
-
- SV-216066r603268_rule
- SV-74261
Checks: C-17304r372580_chk
Verify run control scripts' executable search paths. Procedure: # find /etc/rc* /etc/init.d /lib/svc/method -type f -print | xargs grep -i PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Fix: F-17302r372581_fix
Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020330
- Vuln IDs
-
- V-216067
- V-59833
- Rule IDs
-
- SV-216067r603268_rule
- SV-74263
Checks: C-17305r372583_chk
Verify run control scripts' library search paths. # find /etc/rc* /etc/init.d -type f -print | xargs grep LD_LIBRARY_PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Fix: F-17303r372584_fix
Edit the run control script and remove the relative path entries from the library search path variables that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020340
- Vuln IDs
-
- V-216068
- V-59835
- Rule IDs
-
- SV-216068r603268_rule
- SV-74265
Checks: C-17306r372586_chk
Verify run control scripts' library preload list. Procedure: # find /etc/rc* /etc/init.d -type f -print | xargs grep LD_PRELOAD This variable is formatted as a colon-separated list of paths. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
Fix: F-17304r372587_fix
Edit the run control script and remove the relative path entries from the library preload variables that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020350
- Vuln IDs
-
- V-216069
- V-59837
- Rule IDs
-
- SV-216069r603268_rule
- SV-74267
Checks: C-17307r372589_chk
Check the permissions on the files or scripts executed from system startup scripts to see if they are world writable. Create a list of all potential run command level scripts. # ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " " Create a list of world writable files. # find / -perm -002 -type f >> WorldWritableFileList Determine if any of the world writeable files in "WorldWritableFileList" are called from the run command level scripts. Note: Depending upon the number of scripts vs. world writable files, it may be easier to inspect the scripts manually. # more `ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "` If any system startup script executes any file or script that is world writable, this is a finding.
Fix: F-17305r372590_fix
Remove the world writable permission from programs or scripts executed by run control scripts. Procedure: # chmod o-w <program or script executed from run control script>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020360
- Vuln IDs
-
- V-216070
- V-59839
- Rule IDs
-
- SV-216070r603268_rule
- SV-74269
Checks: C-17308r372592_chk
Check run control scripts' ownership. # ls -lL /etc/rc* /etc/init.d If any run control script is not owned by root, this is a finding.
Fix: F-17306r372593_fix
Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020370
- Vuln IDs
-
- V-216071
- V-59841
- Rule IDs
-
- SV-216071r603268_rule
- SV-74271
Checks: C-17309r372595_chk
Check run control scripts' group ownership. Procedure: # ls -lL /etc/rc* /etc/init.d If any run control script is not group-owned by root, sys, or bin, this is a finding.
Fix: F-17307r372596_fix
Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020380
- Vuln IDs
-
- V-216072
- V-59843
- Rule IDs
-
- SV-216072r603268_rule
- SV-74273
Checks: C-17310r372598_chk
Determine the programs executed by system start-up files. Determine the ownership of the executed programs. # cat /etc/rc* /etc/init.d/* | more Check the ownership of every program executed by the system start-up files. # ls -l <executed program> If any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.
Fix: F-17308r372599_fix
Change the ownership of the file executed from system startup scripts to root, bin, or sys. # chown root <executed file>
- RMF Control
- CM-2
- Severity
- Medium
- CCI
- CCI-000297
- Version
- SOL-11.1-020500
- Vuln IDs
-
- V-216073
- V-61003
- Rule IDs
-
- SV-216073r603268_rule
- SV-75471
Checks: C-17311r372601_chk
If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Procedure: # cd ~someuser # ls -la .Xauthority If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.
Fix: F-17309r372602_fix
Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020510
- Vuln IDs
-
- V-216074
- V-61005
- Rule IDs
-
- SV-216074r603268_rule
- SV-75473
Checks: C-17312r372604_chk
If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check the file permissions for the .Xauthority files in the home directories of users of X. Procedure: # cd ~<X user> # ls -lL .Xauthority If the file mode is more permissive than 0600, this is finding.
Fix: F-17310r372605_fix
Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority
- RMF Control
- AC-6
- Severity
- Medium
- CCI
- CCI-000225
- Version
- SOL-11.1-020520
- Vuln IDs
-
- V-216075
- V-61023
- Rule IDs
-
- SV-216075r603268_rule
- SV-75491
Checks: C-17313r372607_chk
If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check the file permissions for the .Xauthority files. # ls -lL .Xauthority If the permissions include a "+", the file has an extended ACL and this is a finding.
Fix: F-17311r372608_fix
Remove the extended ACL from the file. # chmod A- .Xauthority
- RMF Control
- AC-6
- Severity
- High
- CCI
- CCI-000225
- Version
- SOL-11.1-020530
- Vuln IDs
-
- V-216076
- V-61025
- Rule IDs
-
- SV-216076r603268_rule
- SV-75493
Checks: C-17314r372610_chk
If X Windows is not used on the system, this is not applicable. Check the output of the xhost command from an X terminal. Procedure: $ xhost If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding. NOTE: It may be necessary to define the display if the command reports it cannot open the display. Procedure: $ DISPLAY=MachineName:0.0; export DISPLAY MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.
Fix: F-17312r372611_fix
If using an xhost-type authentication the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.
- RMF Control
- CM-2
- Severity
- Medium
- CCI
- CCI-000297
- Version
- SOL-11.1-020540
- Vuln IDs
-
- V-216077
- V-61027
- Rule IDs
-
- SV-216077r603870_rule
- SV-75495
Checks: C-17315r622333_chk
If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Determine if xauth is being used. Procedure: # xauth xauth> list If the above command sequence does not show any host other than the localhost, then xauth is not being used. Search the system for an X*.hosts files, where * is a display number that may be used to limit X window connections. If no files are found, X*.hosts files are not being used. If the X*.hosts files contain any unauthorized hosts, this is a finding. If both xauth and X*.hosts files are not being used, this is a finding.
Fix: F-17313r372614_fix
Create an X*.hosts file, where * is a display number that may be used to limit X window connections. Add the list of authorized X clients to the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020550
- Vuln IDs
-
- V-216078
- V-61029
- Rule IDs
-
- SV-216078r603268_rule
- SV-75497
Checks: C-17316r372616_chk
If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check the X Window system access is limited to authorized clients. Procedure: # xauth xauth> list Ask the SA if the clients listed are authorized. If any are not, this is a finding.
Fix: F-17314r372617_fix
Remove unauthorized clients from the xauth configuration. Procedure: # xauth remove <display name>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-020560
- Vuln IDs
-
- V-216079
- V-61031
- Rule IDs
-
- SV-216079r603268_rule
- SV-75499
Checks: C-17317r372619_chk
Determine if the X Window system is running. Procedure: # ps -ef |grep X Ask the SA if the X Window system is an operational requirement. If it is not, this is a finding.
Fix: F-17315r372620_fix
Disable the X Windows server on the system.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-030010
- Vuln IDs
-
- V-216080
- V-47929
- Rule IDs
-
- SV-216080r603268_rule
- SV-60801
Checks: C-17318r372622_chk
Determine if the X11 server system is providing remote services on the network. # svcprop -p options/tcp_listen svc:/application/x11/x11-server If the output of the command is "true" and network access to graphical user login is not required, this is a finding.
Fix: F-17316r372623_fix
The System Administrator profile is required: Configure the X11 server for local system only graphics access. # pfexec svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen=false
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-030030
- Vuln IDs
-
- V-216081
- V-47931
- Rule IDs
-
- SV-216081r603268_rule
- SV-60803
Checks: C-17319r372625_chk
Determine the status of the Generic Security Services. # svcs -Ho state svc:/network/rpc/gss If the GSS service is reported as online, this is a finding.
Fix: F-17317r372626_fix
The Service Management profile is required: Disable the GSS service. # pfexec svcadm disable svc:/network/rpc/gss
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-030040
- Vuln IDs
-
- V-216082
- V-47933
- Rule IDs
-
- SV-216082r603268_rule
- SV-60805
Checks: C-17320r372628_chk
Determine all of the systems services that are enabled on the system. # svcs -a | grep online Document all enabled services and disable any that are not required.
Fix: F-17318r372629_fix
The Service Management profile is required: Disable any other service not required. # pfexec svcadm disable [service name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-030050
- Vuln IDs
-
- V-216083
- V-47935
- Rule IDs
-
- SV-216083r603268_rule
- SV-60807
Checks: C-17321r372631_chk
Check that TCP Wrappers are enabled and the host.deny and host.allow files exist. # inetadm -p | grep tcp_wrappers If the output of this command is "tcp_wrappers=FALSE", this is a finding. # ls /etc/hosts.deny /etc/hosts.deny # ls /etc/hosts.allow /etc/hosts.allow If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.
Fix: F-17319r372632_fix
The root role is required. To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo "ALL: ALL" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE The versions of SunSSH (0.5.11) and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- SOL-11.1-040010
- Vuln IDs
-
- V-216086
- V-47943
- Rule IDs
-
- SV-216086r646931_rule
- SV-60815
Checks: C-17324r646930_chk
The root role is required. Determine if user passwords are properly configured to be changed every 60 days. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > “56" || $11 < “1" )) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 8 weeks or less. # grep "^MAXWEEKS=" /etc/default/passwd If the command does not report MAXWEEKS=8 or less, this is a finding. For Solaris 11.4 or newer: # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ($11 > "60"|| $11 < "1")) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 60 days or less. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. # grep "^MAXDAYS=" /etc/default/passwd If the command does not report MAXDAYS=60 or less, this is a finding. # grep "^MAXWEEKS=" /etc/default/passwd If output is returned, this is a finding.
Fix: F-17322r622336_fix
The User Security role is required. For Solaris 11, 11.1, 11.2, and 11.3: Change each username to enforce 56 day password changes. # pfexec passwd -x 56 [username] # pfedit /etc/default/passwd Search for MAXWEEKS. Change the line to read: MAXWEEKS=8 For Solaris 11.4 or newer: Change each username to enforce 60 day password changes. # pfexec passwd -x 60 [username] # pfedit /etc/default/passwd Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. Search for MAXDAYS. Change the line to read: MAXDAYS=60 Search for MAXWEEKS. Change the line to read: #MAXWEEKS=
- RMF Control
- AC-2
- Severity
- Low
- CCI
- CCI-000016
- Version
- SOL-11.1-040020
- Vuln IDs
-
- V-216087
- V-47949
- Rule IDs
-
- SV-216087r603268_rule
- SV-60821
Checks: C-17325r372643_chk
The root role is required. Determine if an expiration date is set for temporary accounts. # logins -aox |awk -F: '($14 == "0") {print}' This command produces a list of accounts with no expiration date set. If any of these accounts are temporary accounts, this is a finding. # logins -aox |awk -F: '($14 != "0") {print}' This command produces a list of accounts with an expiration date set as defined in the last field. If any accounts have a date that is not within 72 hours, this is a finding.
Fix: F-17323r372644_fix
The User Security role is required. Apply an expiration date to temporary users. # pfexec usermod -e "[date]" [username] Enter the date in the form mm/dd/yyyy such that it is within 72 hours.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- SOL-11.1-040030
- Vuln IDs
-
- V-216088
- V-47953
- Rule IDs
-
- SV-216088r603876_rule
- SV-60825
Checks: C-17326r622338_chk
The root role is required. Check whether the minimum time period between password changes for each user account is 1 day or greater. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 week. # grep "^MINWEEKS=" /etc/default/passwd If the command does not report MINWEEKS=1 or more, this is a finding. For Solaris 11.4 or newer: # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 day. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. # grep "^MINDAYS=" /etc/default/passwd If the command does not report MINDAYS=1 or more, this is a finding. # grep "^MINWEEKS=" /etc/default/passwd If output is returned, this is a finding.
Fix: F-17324r622339_fix
The root role is required. For Solaris 11, 11.1, 11.2, and 11.3: # pfedit /etc/default/passwd file. Locate the line containing: MINWEEKS Change the line to read: MINWEEKS=1 Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname] For Solaris 11.4 or newer: # pfedit /etc/default/passwd file. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. Search for MINDAYS. Change the line to read: MINDAYS=1 Search for MINWEEKS. Change the line to read: #MINWEEKS= Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname]
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000205
- Version
- SOL-11.1-040040
- Vuln IDs
-
- V-216089
- V-47957
- Rule IDs
-
- SV-216089r603268_rule
- SV-60829
Checks: C-17327r372649_chk
Check the system password length setting. # grep ^PASSLENGTH /etc/default/passwd If PASSLENGTH is not set to 15 or more, this is a finding.
Fix: F-17325r372650_fix
The root role is required. # pfedit /etc/default/passwd Locate the line containing: PASSLENGTH Change the line to read PASSLENGTH=15
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000200
- Version
- SOL-11.1-040050
- Vuln IDs
-
- V-216090
- V-47961
- Rule IDs
-
- SV-216090r603268_rule
- SV-60833
Checks: C-17328r372652_chk
Determine if the password history setting is configured properly. # grep ^HISTORY /etc/default/passwd If HISTORY is commented out or is not set to 5 or more, this is a finding.
Fix: F-17326r372653_fix
The root role is required. # pfedit /etc/default/passwd Locate the line containing: HISTORY Change the line to read: HISTORY=5
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000195
- Version
- SOL-11.1-040060
- Vuln IDs
-
- V-216091
- V-47967
- Rule IDs
-
- SV-216091r603268_rule
- SV-60839
Checks: C-17329r372655_chk
Check /etc/default/passwd to verify the MINDIFF setting. # grep ^MINDIFF /etc/default/passwd If the setting is not present, or is less than 8, this is a finding.
Fix: F-17327r372656_fix
The root role is required. # pfedit /etc/default/passwd Search for MINDIFF. Change the line to read: MINDIFF=8
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- SOL-11.1-040070
- Vuln IDs
-
- V-216092
- V-47971
- Rule IDs
-
- SV-216092r603268_rule
- SV-60843
Checks: C-17330r372658_chk
Check the MINUPPER setting. # grep ^MINUPPER /etc/default/passwd If MINUPPER is not set to 1 or more, this is a finding.
Fix: F-17328r372659_fix
The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINUPPER Change the line to read: MINUPPER=1
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000193
- Version
- SOL-11.1-040080
- Vuln IDs
-
- V-216093
- V-47981
- Rule IDs
-
- SV-216093r603268_rule
- SV-60853
Checks: C-17331r372661_chk
Check the MINLOWER setting. # grep ^MINLOWER /etc/default/passwd If MINLOWER is not set to 1 or more, this is a finding.
Fix: F-17329r372662_fix
The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINLOWER Change the line to read: MINLOWER=1
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000194
- Version
- SOL-11.1-040090
- Vuln IDs
-
- V-216094
- V-47989
- Rule IDs
-
- SV-216094r603268_rule
- SV-60861
Checks: C-17332r372664_chk
Check the MINDIGIT setting. # grep ^MINDIGIT /etc/default/passwd If the MINDIGIT setting is less than 1, this is a finding.
Fix: F-17330r372665_fix
The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINDIGIT Change the line to read: MINDIGIT=1
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-001619
- Version
- SOL-11.1-040100
- Vuln IDs
-
- V-216095
- V-47991
- Rule IDs
-
- SV-216095r603268_rule
- SV-60863
Checks: C-17333r372667_chk
Check the MINSPECIAL setting. # grep ^MINSPECIAL /etc/default/passwd If the MINSPECIAL setting is less than 1, this is a finding.
Fix: F-17331r372668_fix
The root role is required. # pfedit /etc/default/passwd a Locate the line containing: MINSPECIAL Change the line to read: MINSPECIAL=1
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-040110
- Vuln IDs
-
- V-216096
- V-47993
- Rule IDs
-
- SV-216096r603268_rule
- SV-60865
Checks: C-17334r372670_chk
Check the MAXREPEATS setting. # grep ^MAXREPEATS /etc/default/passwd If the MAXREPEATS setting is greater than 3, this is a finding.
Fix: F-17332r372671_fix
The root role is required. # pfedit /etc/default/passwd Locate the line containing: MAXREPEATS Change the line to read: MAXREPEATS=3
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040120
- Vuln IDs
-
- V-216097
- V-47999
- Rule IDs
-
- SV-216097r603268_rule
- SV-60871
Checks: C-17335r372673_chk
The root role is required. Determine if accounts with blank or null passwords exist. # logins -po If any account is listed, this is a finding.
Fix: F-17333r372674_fix
The root role is required. Remove, lock, or configure a password for any account with a blank password. # passwd [username] or Use the passwd -l command to lock accounts that are not permitted to execute commands. or Use the passwd -N command to set accounts to be non-login.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000196
- Version
- SOL-11.1-040130
- Vuln IDs
-
- V-216098
- V-48243
- Rule IDs
-
- SV-216098r603268_rule
- SV-61115
Checks: C-17336r372676_chk
Determine which cryptographic algorithms are configured. # grep ^CRYPT /etc/security/policy.conf If the command output does not include the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 this is a finding.
Fix: F-17334r372677_fix
The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 exist and are not commented out.
- RMF Control
- AC-7
- Severity
- Medium
- CCI
- CCI-000044
- Version
- SOL-11.1-040140
- Vuln IDs
-
- V-216099
- V-48245
- Rule IDs
-
- SV-216099r603268_rule
- SV-61117
Checks: C-17337r372679_chk
Verify RETRIES is set in the login file. # grep ^RETRIES /etc/default/login If the output is not RETRIES=3 or fewer, this is a finding. Verify the account locks after invalid login attempts. # grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf If the output is not LOCK_AFTER_RETRIES=YES, this is a finding. For each user in the system, use the command: # userattr lock_after_retries [username] to determine if the user overrides the system value. If the output of this command is "no", this is a finding.
Fix: F-17335r372680_fix
The root role is required. # pfedit /etc/default/login Change the line: #RETRIES=5 to read RETRIES=3 pfedit /etc/security/policy.conf Change the line containing #LOCK_AFTER_RETRIES to read: LOCK_AFTER_RETRIES=YES If a user has lock_after_retries set to "no", update the user's attributes using the command: # usermod -K lock_after_retries=yes [username]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040160
- Vuln IDs
-
- V-216100
- V-48043
- Rule IDs
-
- SV-216100r603268_rule
- SV-60915
Checks: C-17338r372682_chk
Check the SLEEPTIME parameter in the /etc/default/login file. # grep ^SLEEPTIME /etc/default/login If the output is not SLEEPTIME=4 or more, this is a finding.
Fix: F-17336r372683_fix
The root role is required. # pfedit the /etc/default/login Locate the line containing: SLEEPTIME Change the line to read: SLEEPTIME=4
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000056
- Version
- SOL-11.1-040170
- Vuln IDs
-
- V-216101
- V-48045
- Rule IDs
-
- SV-216101r603268_rule
- SV-60917
Checks: C-17339r372685_chk
If the system is not running XWindows, this check does not apply. Determine if the screen saver timeout is configured properly. # grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *timeout: 0:15:00 or a shorter time interval, this is a finding. # grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lockTimeout: 0:00:05 or a shorter time interval, this is a finding. # grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lock: True this is a finding. For each existing user, check the configuring of their personal .xscreensaver file. # grep "^timeout:" $HOME/.xscreensaver If the output is not: timeout: 0:15:00 or a shorter time interval, this is a finding. # grep "^lockTimeout:" $HOME/.xscreensaver If the output is not: lockTimeout: 0:00:05 or a shorter time interval, this is a finding. # grep "^lock:" $HOME/.xscreensaver If the output is not: lock: True this is a finding.
Fix: F-17337r372686_fix
The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout: 0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout: 0:00:05 lock: True
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- SOL-11.1-040180
- Vuln IDs
-
- V-216102
- V-48047
- Rule IDs
-
- SV-216102r603268_rule
- SV-60919
Checks: C-17340r372688_chk
If the system is not running XWindows, this check does not apply. Determine if the screen saver timeout is configured properly. # grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *timeout: 0:15:00 this is a finding. # grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lockTimeout: 0:00:05 this is a finding. # grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lock: True this is a finding. For each existing user, check the configuration of their personal .xscreensaver file. # grep "^lock:" $HOME/.xscreensaver If the output is not: *lock: True this is a finding. grep "^lockTimeout:" $HOME/.xscreensaver If the output is not: *lockTimeout: 0:00:05 this is a finding.
Fix: F-17338r372689_fix
The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout:0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:00:05 lock: True
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040190
- Vuln IDs
-
- V-216103
- V-48053
- Rule IDs
-
- SV-216103r603268_rule
- SV-60925
Checks: C-17341r372691_chk
Check /etc/default/passwd for dictionary check configuration. # grep ^DICTION /etc/default/passwd If the DICTIONLIST or DICTIONDBDIR settings are not present and are not set to: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd this is a finding. Determine if the target files exist. # ls -l /usr/share/lib/dict/words /var/passwd If the files defined by DICTIONLIST or DICTIONBDIR are not present or are empty, this is a finding.
Fix: F-17339r372692_fix
The root role is required. # pfedit /etc/default/passwd Insert the lines: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd Generate the password dictionary by running the mkpwdict command. # mkpwdict -s /usr/share/lib/dict/words
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000770
- Version
- SOL-11.1-040230
- Vuln IDs
-
- V-216105
- V-48057
- Rule IDs
-
- SV-216105r603268_rule
- SV-60929
Checks: C-17343r372697_chk
Verify the root user is configured as a role, rather than a normal user. # userattr type root If the command does not return the word "role", this is a finding. Verify at least one local user has been assigned the root role. # grep '[:;]roles=root[^;]*' /etc/user_attr If no lines are returned, or no users are permitted to assume the root role, this is a finding.
Fix: F-17341r372698_fix
The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040250
- Vuln IDs
-
- V-216106
- V-48061
- Rule IDs
-
- SV-216106r603268_rule
- SV-60933
Checks: C-17344r372700_chk
The root role is required. Determine if the default umask is configured properly. # grep -i "^UMASK=" /etc/default/login If "UMASK=077" is not displayed, this is a finding. Check local initialization files: # cut -d: -f1 /etc/passwd | xargs -n1 -iUSER sh -c "grep umask ~USER/.*" If this command does not output a line indicating "umask 077" for each user, this is a finding.
Fix: F-17342r372701_fix
The root role is required. Edit local and global initialization files containing "umask" and change them to use 077. # pfedit /etc/default/login Insert the line UMASK=077 # pfedit [user initialization file] Insert the line umask 077
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-040260
- Vuln IDs
-
- V-216107
- V-48071
- Rule IDs
-
- SV-216107r603268_rule
- SV-60943
Checks: C-17345r372703_chk
The package service/network/ftp must be installed for this check. # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. Determine if the FTP umask is set to 077. # egrep -i "^UMASK" /etc/proftpd.conf | awk '{ print $2 }' If 077 is not displayed, this is a finding.
Fix: F-17343r372704_fix
The root role is required. # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. Otherwise, edit the FTP configuration file. # pfedit /etc/proftpd.conf Locate the line containing: Umask Change the line to read: Umask 077
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-040270
- Vuln IDs
-
- V-216108
- V-48075
- Rule IDs
-
- SV-216108r603268_rule
- SV-60947
Checks: C-17346r372706_chk
Determine if "mesg n" is the default for users. # grep "^mesg" /etc/.login # grep "^mesg" /etc/profile If either of these commands produces a line: mesg y this is a finding. For each existing user on the system, enter the command: # mesg If the command output is: is y this is a finding.
Fix: F-17344r372707_fix
The root role is required. Edit the default profile configuration files. # pfedit /etc/profile # pfedit /etc/.login In each file add a new line: mesg n For each user on the system, enter the command: # mesg n
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000017
- Version
- SOL-11.1-040280
- Vuln IDs
-
- V-216109
- V-48079
- Rule IDs
-
- SV-216109r603268_rule
- SV-60951
Checks: C-36491r603076_chk
Determine whether the 35-day inactivity lock is configured properly. # useradd -D | xargs -n 1 | grep inactive |\ awk -F= '{ print $2 }' If the command returns a result other than 35, this is a finding. The root role is required for the "logins" command. For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name. # logins -axo -l [username] | awk -F: '{ print $13 }' If these commands provide output other than 35, this is a finding.
Fix: F-36455r603077_fix
The root role is required. Perform the following to implement the recommended state: # useradd -D -f 35 To set this policy on a user account, use the command(s): # usermod -f 35 [username] To set this policy on a role account, use the command(s): # rolemod -f 35 [name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040310
- Vuln IDs
-
- V-216112
- V-48087
- Rule IDs
-
- SV-216112r603268_rule
- SV-60959
Checks: C-17350r372718_chk
Determine if terminal login services are disabled. # svcs -Ho state svc:/system/console-login:terma # svcs -Ho state svc:/system/console-login:termb If the system/console-login services are not "disabled", this is a finding.
Fix: F-17348r372719_fix
The Service Operator profile is required. Disable serial terminal services. # pfexec svcadm disable svc:/system/console-login:terma # pfexec svcadm disable svc:/system/console-login:termb
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040320
- Vuln IDs
-
- V-216113
- V-48089
- Rule IDs
-
- SV-216113r603268_rule
- SV-60961
Checks: C-17351r462442_chk
Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. Determine if "nobody" access for keyserv is enabled. # grep "^ENABLE_NOBODY_KEYS=" /etc/default/keyserv If the output of the command is not: ENABLE_NOBODY_KEYS=NO this is a finding.
Fix: F-17349r462443_fix
Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. The root role is required. Modify the /etc/default/keyserv file. # pfedit /etc/default/keyserv Locate the line: #ENABLE_NOBODY_KEYS=YES Change it to: ENABLE_NOBODY_KEYS=NO
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040330
- Vuln IDs
-
- V-216114
- V-48093
- Rule IDs
-
- SV-216114r603268_rule
- SV-60965
Checks: C-17352r372724_chk
Determine if X11 Forwarding is enabled. # grep "^X11Forwarding" /etc/ssh/sshd_config If the output of this command is not: X11Forwarding no this is a finding.
Fix: F-17350r372725_fix
The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: X11Forwarding Change it to: X11Forwarding no Restart the SSH service. # svcadm restart svc:/network/ssh
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-040340
- Vuln IDs
-
- V-216115
- V-48099
- Rule IDs
-
- SV-216115r603268_rule
- SV-60971
Checks: C-17353r462478_chk
Determine if consecutive login attempts are limited to 3. # grep "^MaxAuthTries" /etc/ssh/sshd_config | grep -v Log If the output of this command is not: MaxAuthTries 6 this is a finding. Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.
Fix: F-17351r462479_fix
The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: MaxAuthTries Change it to: MaxAuthTries 6 Restart the SSH service. # svcadm restart svc:/network/ssh Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040350
- Vuln IDs
-
- V-216116
- V-48101
- Rule IDs
-
- SV-216116r603268_rule
- SV-60973
Checks: C-17354r372730_chk
Determine if rhost-based authentication is enabled. # grep "^IgnoreRhosts" /etc/ssh/sshd_config If the output is produced and it is not: IgnoreRhosts yes this is a finding. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used and there is no finding.
Fix: F-17352r372731_fix
The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040360
- Vuln IDs
-
- V-216117
- V-48103
- Rule IDs
-
- SV-216117r603268_rule
- SV-60975
Checks: C-17355r372733_chk
Determine if root login is disabled for the SSH service. # grep "^PermitRootLogin" /etc/ssh/sshd_config If the output of this command is not: PermitRootLogin no this is a finding.
Fix: F-17353r372734_fix
The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitRootLogin Change it to: PermitRootLogin no Restart the SSH service. # svcadm restart svc:/network/ssh
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-040370
- Vuln IDs
-
- V-216118
- V-48107
- Rule IDs
-
- SV-216118r603268_rule
- SV-60979
Checks: C-17356r372736_chk
Determine if empty/null passwords are allowed for the SSH service. # grep "^PermitEmptyPasswords" /etc/ssh/sshd_config If the output of this command is not: PermitEmptyPasswords no this is a finding.
Fix: F-17354r372737_fix
The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitEmptyPasswords Change it to: PermitEmptyPasswords no Restart the SSH service. # svcadm restart svc:/network/ssh
- RMF Control
- SC-10
- Severity
- Low
- CCI
- CCI-001133
- Version
- SOL-11.1-040380
- Vuln IDs
-
- V-216119
- V-48111
- Rule IDs
-
- SV-216119r603268_rule
- SV-60983
Checks: C-17357r372739_chk
Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity. # grep ClientAlive /etc/ssh/sshd_config If the output of this command is not: ClientAliveInterval 600 ClientAliveCountMax 0 this is a finding.
Fix: F-17355r372740_fix
The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. Modify the sshd_config file: # pfedit /etc/ssh/sshd_config Modify or add the lines containing: ClientAliveInterval ClientAliveCountMax Change them to: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service: # svcadm restart svc:/network/ssh
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040390
- Vuln IDs
-
- V-216120
- V-48113
- Rule IDs
-
- SV-216120r603268_rule
- SV-60985
Checks: C-17358r372742_chk
Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. Determine if host-based authentication services are enabled. # grep 'pam_rhosts_auth.so.1' /etc/pam.conf /etc/pam.d/*| grep -vc '^#' If the returned result is not 0 (zero), this is a finding.
Fix: F-17356r372743_fix
Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. The root role is required. # ls -l /etc/pam.d to identify the various configuration files used by PAM. Search each file for the pam_rhosts_auth.so.1 entry. # grep pam_rhosts_auth.so.1 [filename] Identify the file with the line pam_hosts_auth.so.1 in it. # pfedit [filename] Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040400
- Vuln IDs
-
- V-216121
- V-48117
- Rule IDs
-
- SV-216121r603268_rule
- SV-60989
Checks: C-17359r372745_chk
The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. If the FTP server is installed, determine if FTP access is restricted. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do grep -w "${user}" /etc/ftpd/ftpusers >/dev/null 2>&1 if [ $? != 0 ]; then echo "User '${user}' not in /etc/ftpd/ftpusers." fi done If output is returned, this is a finding.
Fix: F-17357r372746_fix
The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do $(echo $user >> /etc/ftpd/ftpusers) done # sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp # mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-040410
- Vuln IDs
-
- V-216122
- V-48121
- Rule IDs
-
- SV-216122r603268_rule
- SV-60993
Checks: C-17360r372748_chk
Determine if autologin is enabled for the GNOME desktop. # egrep "auth|account" /etc/pam.d/gdm-autologin | grep -vc ^# If the command returns other than "0", this is a finding.
Fix: F-17358r372749_fix
The root role is required. Modify the /etc/pam.d/gdm-autologin file. # pfedit /etc/pam.d/gdm-autologin Locate the lines: auth required pam_unix_cred.so.1 auth sufficient pam_allow.so.1 account sufficient pam_allow.so.1 Change the lines to read: #auth required pam_unix_cred.so.1 #auth sufficient pam_allow.so.1 #account sufficient pam_allow.so.1
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040420
- Vuln IDs
-
- V-216123
- V-48125
- Rule IDs
-
- SV-216123r603268_rule
- SV-60997
Checks: C-17361r462445_chk
Check that "at" and "cron" users are configured correctly. # ls /etc/cron.d/cron.deny If cron.deny exists, this is a finding. # ls /etc/cron.d/at.deny If at.deny exists, this is a finding. # cat /etc/cron.d/cron.allow cron.allow should have a single entry for "root", or the cron.allow file is removed if using RBAC. If any accounts other than root that are listed and they are not properly documented with the IA staff, this is a finding. # wc -l /etc/cron.d/at.allow | awk '{ print $1 }' If the output is non-zero, this is a finding, or the at.allow file is removed if using RBAC.
Fix: F-17359r462446_fix
The root role is required. Modify the cron configuration files. # mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp # mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp Skip the remaining steps only if using the “solaris.jobs.user” RBAC role. # echo root > /etc/cron.d/cron.allow # cp /dev/null /etc/cron.d/at.allow # chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow # chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040430
- Vuln IDs
-
- V-216124
- V-48127
- Rule IDs
-
- SV-216124r603268_rule
- SV-60999
Checks: C-17362r372754_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine if root login is restricted to the console. # grep "^CONSOLE=/dev/console" /etc/default/login If the output of this command is not: CONSOLE=/dev/console this is a finding.
Fix: F-17360r372755_fix
The root role is required. Modify the /etc/default/login file # pfedit /etc/default/login Locate the line containing: CONSOLE Change it to read: CONSOLE=/dev/console
- RMF Control
- AC-9
- Severity
- Low
- CCI
- CCI-000052
- Version
- SOL-11.1-040450
- Vuln IDs
-
- V-216125
- V-48131
- Rule IDs
-
- SV-216125r603268_rule
- SV-61003
Checks: C-17363r372757_chk
Determine if last login will be printed for SSH users. # grep PrintLastLog /etc/ssh/sshd_config If PrintLastLog is found, not preceded with a "#" sign, and is set to "no", this is a finding. PrintLastLog should either not exist (defaulting to yes) or exist and be set to yes.
Fix: F-17361r372758_fix
The root role is required for this action. # pfedit /etc/ssh/sshd_config Locate the line containing: PrintLastLog no and place a comment sign ("# ")at the beginning of the line or delete the line # PrintLastLog no Restart the ssh service # pfexec svcadm restart svc:/network/ssh
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000058
- Version
- SOL-11.1-040460
- Vuln IDs
-
- V-216126
- V-48135
- Rule IDs
-
- SV-216126r603268_rule
- SV-61007
Checks: C-17364r372760_chk
Determine whether the lock screen function works correctly. For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop System >> Lock Screen. For Solaris 11.4 or newer: In the GNOME 3 desktop Status Menu (top right corner) >> Lock Icon, check that the screen locks and displays the "password" prompt. Check that "Disable Screensaver" is not selected in the GNOME Screensaver preferences. If the screen does not lock or the "Disable Screensaver" option is selected, this is a finding.
Fix: F-17362r372761_fix
User-initiated session lock is accessible from the GNOME graphical desktop menu GNOME 2: System >> Lock Screen. GNOME 3: Status Menu (top right corner) >> Lock Icon. However, the user has the option to disable screensaver lock. For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select "Screensaver" Icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Ensure that "Mode" is set to "Blank Screen only".
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000060
- Version
- SOL-11.1-040470
- Vuln IDs
-
- V-216127
- V-48139
- Rule IDs
-
- SV-216127r603268_rule
- SV-61011
Checks: C-17365r372763_chk
For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select "Screensaver" icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver menu item the user can select other screens or disable screensaver. Check that "Disable Screensaver" is not selected in the Gnome Screensaver preferences. If "Disable Screensaver" is selected or "Blank Screen Only" is not selected, this is a finding.
Fix: F-17363r372764_fix
For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select “Screensaver” icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Click on Mode's pull-down. Select: "Blank Screen Only". Ensure that "Blank Screen Only" is selected.
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-040480
- Vuln IDs
-
- V-216128
- V-48143
- Rule IDs
-
- SV-216128r603268_rule
- SV-61015
Checks: C-17366r372766_chk
Determine if the system is enforcing a policy that passwords are required. # grep ^PASSREQ /etc/default/login If the command does not return: PASSREQ=YES this is a finding.
Fix: F-17364r372767_fix
The root role is required. Modify the /etc/default/login file. # pfedit /etc/default/login Insert the line: PASSREQ=YES
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040490
- Vuln IDs
-
- V-216129
- V-48147
- Rule IDs
-
- SV-216129r603268_rule
- SV-61019
Checks: C-17367r372769_chk
Determine if the "RestrictOutbound" profile is configured properly: # profiles -p RestrictOutbound info If the output is not: name=RestrictOutbound desc=Restrict Outbound Connections limitpriv=zone,!net_access this is a finding. For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile. # profiles -l [username] If the output does not include: [username]: RestrictOutbound this is a finding.
Fix: F-17365r372770_fix
The root Role is required. Remove net_access privilege from users who may be accessing the systems externally. 1. Create an RBAC Profile with net_access restriction # profiles -p RestrictOutbound profiles:RestrictOutbound> set desc="Restrict Outbound Connections" profiles:RestrictOutbound> set limitpriv=zone,!net_access profiles:RestrictOutbound> exit 2. Assign the RBAC Profile to a user # usermod -P +RestrictOutbound [username] This prevents the user from initiating any outbound network connections.
- RMF Control
- AC-10
- Severity
- Low
- CCI
- CCI-000054
- Version
- SOL-11.1-040500
- Vuln IDs
-
- V-216130
- V-48151
- Rule IDs
-
- SV-216130r603268_rule
- SV-61023
Checks: C-17368r372772_chk
Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply. For each user requiring concurrent session restrictions, determine if that user is in the user.[username] project where [username] is the user's account username. # projects [username] | grep user If the output does not include the project user.[username], this is a finding. Determine the project membership for the user. # projects [username] If the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding. Determine whether the max-tasks resource control is enabled properly. # projects -l user.[username] | grep attribs If the output does not include the text: attribs: project.max-tasks=(privileged,[MAX],deny) where [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.
Fix: F-17366r372773_fix
Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply. The Project Management profile is required. For each user requiring concurrent session restrictions, add the user to the special user.[username] project where [username] is the user's account username where [MAX] is equal to the organizational requirement. # pfexec projadd -K 'project.max-tasks=(privileged,[MAX],deny)' user.[username] Determine the project membership for the user. # projects [username] If the user is a member of any projects other than default, group.[groupname], or user.[username], remove that project from the user's account. The root role is required. # pfedit /etc/user_attr Locate the line containing the user's username. Remove any project=[projectname] entries from the fifth field. # pfedit /etc/project Locate the line containing the user's username in a project other than default, group.[groupname], or user.[username], and remove the user from the project's entry or entries from the fourth field.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050010
- Vuln IDs
-
- V-216131
- V-48165
- Rule IDs
-
- SV-216131r603268_rule
- SV-61037
Checks: C-17369r372775_chk
Determine if directed broadcast packet forwarding is disabled. # ipadm show-prop -p _forward_directed_broadcasts -co current ip If the output of this command is not "0", this is a finding.
Fix: F-17367r372776_fix
The Network Management profile is required. Disable directed broadcast packet forwarding. # pfexec ipadm set-prop -p _forward_directed_broadcasts=0 ip
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050020
- Vuln IDs
-
- V-216132
- V-48169
- Rule IDs
-
- SV-216132r603268_rule
- SV-61041
Checks: C-17370r372778_chk
Determine if ICMP time stamp responses are disabled. # ipadm show-prop -p _respond_to_timestamp -co current ip If the output of both commands is not "0", this is a finding.
Fix: F-17368r372779_fix
The Network Management profile is required. Disable source respond to timestamp. # pfexec ipadm set-prop -p _respond_to_timestamp=0 ip
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050030
- Vuln IDs
-
- V-216133
- V-48173
- Rule IDs
-
- SV-216133r603268_rule
- SV-61045
Checks: C-17371r372781_chk
Determine if response to ICMP broadcast timestamp requests is disabled. # ipadm show-prop -p _respond_to_timestamp_broadcast -co current ip If the output of this command is not "0", this is a finding.
Fix: F-17369r372782_fix
The Network Management profile is required. Disable respond to timestamp broadcasts. # pfexec ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050040
- Vuln IDs
-
- V-216134
- V-48177
- Rule IDs
-
- SV-216134r603268_rule
- SV-61049
Checks: C-17372r372784_chk
Determine if the response to address mask broadcast is disabled. # ipadm show-prop -p _respond_to_address_mask_broadcast -co current ip If the output of this command is not "0", this is a finding.
Fix: F-17370r372785_fix
The Network Management profile is required. Disable responses to address mask broadcast. # pfexec ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-050050
- Vuln IDs
-
- V-216135
- V-48181
- Rule IDs
-
- SV-216135r603268_rule
- SV-61053
Checks: C-17373r372787_chk
Determine if ICMP echo requests response is disabled. # ipadm show-prop -p _respond_to_echo_broadcast -co current ip If the output of this command is not "0", this is a finding.
Fix: F-17371r372788_fix
The Network Management profile is required. Disable respond to echo broadcast. # pfexec ipadm set-prop -p _respond_to_echo_broadcast=0 ip
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050060
- Vuln IDs
-
- V-216136
- V-48185
- Rule IDs
-
- SV-216136r603268_rule
- SV-61057
Checks: C-17374r372790_chk
Determine if response to multicast echo requests is disabled. # ipadm show-prop -p _respond_to_echo_multicast -co current ipv4 # ipadm show-prop -p _respond_to_echo_multicast -co current ipv6 If the output of all commands is not "0", this is a finding.
Fix: F-17372r372791_fix
The Network Management profile is required. Disable respond to echo multi-cast for IPv4 and IPv6. # pfexec ipadm set-prop -p _respond_to_echo_multicast=0 ipv4 # pfexec ipadm set-prop -p _respond_to_echo_multicast=0 ipv6
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050070
- Vuln IDs
-
- V-216137
- V-48189
- Rule IDs
-
- SV-216137r603268_rule
- SV-61061
Checks: C-17375r372793_chk
Determine if ICMP redirect messages are ignored. # ipadm show-prop -p _ignore_redirect -co current ipv4 # ipadm show-prop -p _ignore_redirect -co current ipv6 If the output of all commands is not "1", this is a finding.
Fix: F-17373r372794_fix
The Network Management profile is required. Disable ignore redirects for IPv4 and IPv6. # pfexec ipadm set-prop -p _ignore_redirect=1 ipv4 # pfexec ipadm set-prop -p _ignore_redirect=1 ipv6
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-050080
- Vuln IDs
-
- V-216138
- V-48193
- Rule IDs
-
- SV-216138r603268_rule
- SV-61065
Checks: C-17376r372796_chk
Determine if strict multihoming is configured. # ipadm show-prop -p _strict_dst_multihoming -co current ipv4 # ipadm show-prop -p _strict_dst_multihoming -co current ipv6 If the output of all commands is not "1", this is a finding.
Fix: F-17374r372797_fix
The Network Management profile is required. Disable strict multihoming for IPv4 and IPv6. # pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv4 # pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv6
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050090
- Vuln IDs
-
- V-216139
- V-48197
- Rule IDs
-
- SV-216139r603268_rule
- SV-61069
Checks: C-17377r372799_chk
Determine the version of Solaris 11 in use. # cat /etc/release If the version of Solaris is earlier than Solaris 11.2, determine if ICMP redirect messages are disabled. # ipadm show-prop -p _send_redirects -co current ipv4 # ipadm show-prop -p _send_redirects -co current ipv6 If the output of all commands is not "0", this is a finding. If the version of Solaris is Solaris 11.2 or later, determine if ICMP redirect messages are disabled. # ipadm show-prop -p send_redirects -co current ipv4 # ipadm show-prop -p send_redirects -co current ipv6 If the output of all commands is not "off", this is a finding.
Fix: F-17375r372800_fix
The Network Management profile is required. If the version of Solaris is earlier than Solaris 11.2, disable send redirects for IPv4 and IPv6. # pfexec ipadm set-prop -p _send_redirects=0 ipv4 # pfexec ipadm set-prop -p _send_redirects=0 ipv6 If the version of Solaris is Solaris 11.2 or later, disable send redirects for IPv4 and IPv6. # pfexec ipadm set-prop -p send_redirects=off ipv4 # pfexec ipadm set-prop -p send_redirects=off ipv6
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050100
- Vuln IDs
-
- V-216140
- V-48201
- Rule IDs
-
- SV-216140r603268_rule
- SV-61073
Checks: C-17378r372802_chk
Determine if TCP reverse IP source routing is disabled. # ipadm show-prop -p _rev_src_routes -co current tcp If the output of this command is not "0", this is a finding.
Fix: F-17376r372803_fix
The Network Management profile is required. Disable reverse source routing. # pfexec ipadm set-prop -p _rev_src_routes=0 tcp
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-050110
- Vuln IDs
-
- V-216141
- V-48207
- Rule IDs
-
- SV-216141r603268_rule
- SV-61079
Checks: C-17379r372805_chk
Determine if the number of half open TCP connections is set to 4096. # ipadm show-prop -p _conn_req_max_q0 -co current tcp If the value of "4096" is not returned, this is a finding.
Fix: F-17377r372806_fix
The Network Management profile is required Configure maximum TCP connections for IPv4 and IPv6. # pfexec ipadm set-prop -p _conn_req_max_q0=4096 tcp
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050120
- Vuln IDs
-
- V-216142
- V-48211
- Rule IDs
-
- SV-216142r603268_rule
- SV-61083
Checks: C-17380r372808_chk
Determine if the maximum number of incoming connections is set to 1024. # ipadm show-prop -p _conn_req_max_q -co current tcp If the value returned is smaller than "1024", this is a finding. In environments where connection numbers are high, such as a busy web server, this value may need to be increased.
Fix: F-17378r372809_fix
The Network Management profile is required. Configure maximum number of incoming connections. # pfexec ipadm set-prop -p _conn_req_max_q=1024 tcp
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-050130
- Vuln IDs
-
- V-216143
- V-48217
- Rule IDs
-
- SV-216143r603268_rule
- SV-61089
Checks: C-17381r372811_chk
Determine if routing is disabled. # routeadm -p | egrep "routing |forwarding" | grep enabled If the command output includes "persistent=enabled" or "current=enabled", this is a finding.
Fix: F-17379r372812_fix
The Network Management profile is required. Disable routing for IPv4 and IPv6. # pfexec routeadm -d ipv4-forwarding -d ipv4-routing # pfexec routeadm -d ipv6-forwarding -d ipv6-routing To apply these changes to the running system, use the command: # pfexec routeadm -u
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050140
- Vuln IDs
-
- V-216144
- V-48221
- Rule IDs
-
- SV-216144r603268_rule
- SV-61093
Checks: C-17382r372814_chk
Determine if TCP Wrappers is configured. # inetadm -p | grep tcp_wrappers If the output of this command is "FALSE", this is a finding. The above command will check whether TCP Wrappers is enabled for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4. Individual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to "FALSE". To check the status of individual inetd services, use the command: # for svc in `inetadm | awk '/svc:\// { print $NF }'`; do val=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE` if [ ${val} -eq 1 ]; then echo "TCP Wrappers enabled for ${svc}" fi done If the required services are not configured to use TCP Wrappers, this is finding. # ls /etc/hosts.deny # ls /etc/hosts.allow If these files are not found, this is a finding.
Fix: F-17380r372815_fix
The root role is required. Configure allowed and denied hosts per organizational policy. 1. Create and customize the policy in /etc/hosts.allow: # echo "ALL: [net]/[mask] , [net]/[mask], ..." > /etc/hosts.allow where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by the organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo "ALL: ALL" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000197
- Version
- SOL-11.1-050240
- Vuln IDs
-
- V-216150
- V-48235
- Rule IDs
-
- SV-216150r854549_rule
- SV-61107
Checks: C-17388r744133_chk
Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only authorized sessions are allowed. # svcs ipfilter If ipfilter is not listed with a state of online, this is a finding. The IP Filter Management profile is required. Check that the filters are configured properly. # ipfstat -io If the output of this command does not include these lines: block out log all keep state keep frags block in log all block in log from any to 255.255.255.255/32 block in log from any to 127.0.0.1/32 This is a finding. Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding. For Solaris 11.3 or newer, that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only authorized sessions are allowed. # svcs firewall:default If firewall is not listed with a state of "online", this is a finding. The Network Firewall Management rights profile is required. Check that the filters are configured properly. # pfctl -s rules If the output of this command does not include this line: block drop log (to pflog0) all This is a finding. Check that the Packet Filter firewall logging daemon is enabled. svcs firewall/pflog:default If pflog is not listed with a state of "online", this is a finding.
Fix: F-17386r744134_fix
The root role is required. For Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, configure and enable the IP Filters policy. # pfedit /etc/ipf/ipf.conf. Add these lines to the file: # Do not allow all outbound traffic, keep state, and log block out log all keep state keep frags # Block and log everything else that comes in block in log all block in log from any to 255.255.255.255 block in log from any to 127.0.0.1/32 Enable ipfilter. # svcadm enable ipfilter Notify ipfilter to use the new configuration file. # ipf -Fa -f /etc/ipf/ipf.conf For Solaris 11.3 or newer, that use Packet Filter, configure and enable the Packet Filter’s policy. # pfedit /etc/firewall/pf.conf. Add these lines to the file: # Block and log all traffic on all interfaces in either direction from # anywhere to anywhere block log all Enable Packet Filter. # svcadm enable firewall:default Enable Packet Filter logging daemon. # svcadm enable firewall/pflog:default Note: Because the default firewall rules block all network access to the system, ensure that there is still a method to access the system such as SSH or console access prior to activating the firewall rules. Operational requirements may dictate the addition of protocols such as SSH, DNS, NTP, HTTP, and HTTPS to be allowed.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-050370
- Vuln IDs
-
- V-216157
- V-48213
- Rule IDs
-
- SV-216157r603268_rule
- SV-61085
Checks: C-17395r372853_chk
Determine the OS version you are currently securing. # uname –v Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required. Check the system for an IPF rule blocking outgoing source-routed packets. # ipfstat -o Examine the list for rules such as: block out log quick from any to any with opt lsrr block out log quick from any to any with opt ssrr If the listed rules do not block both lsrr and ssrr options, this is a finding. For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Ensure that IP Options are not in use: # pfctl -s rules | grep allow-opts If any output is returned, this is a finding.
Fix: F-17393r372854_fix
The root role is required. # pfedit /etc/ipf/ipf.conf For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter dd rules to block outgoing source-routed packets, such as: block out log quick all with opt lsrr block out log quick all with opt ssrr Reload the IPF rules. # ipf -Fa -A -f /etc/ipf/ipf.conf For Solaris 11.3 or newer that use Packet Filter remove or modify any rules that include "allow-opts". Reload the Packet Filter rules: # svcadm refresh firewall:default
- RMF Control
- AC-8
- Severity
- Low
- CCI
- CCI-000048
- Version
- SOL-11.1-050380
- Vuln IDs
-
- V-216158
- V-48209
- Rule IDs
-
- SV-216158r603268_rule
- SV-61081
Checks: C-17396r372856_chk
Review the contents of these two files and check that the proper DoD banner message is configured. # cat /etc/motd # cat /etc/issue If the DoD-approved banner text is not in the files, this is a finding.
Fix: F-17394r372857_fix
The root role is required. Edit the contents of these two files and ensure that the proper DoD banner message is viewable. # pfedit /etc/motd # pfedit /etc/issue The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
- RMF Control
- AC-8
- Severity
- Low
- CCI
- CCI-000048
- Version
- SOL-11.1-050390
- Vuln IDs
-
- V-216159
- V-48205
- Rule IDs
-
- SV-216159r603268_rule
- SV-61077
Checks: C-17397r372859_chk
Check SSH configuration for banner message: # grep "^Banner" /etc/ssh/sshd_config If the output is not: Banner /etc/issue and /etc/issue does not contain the approved banner text, this is a finding.
Fix: F-17395r372860_fix
The root role is required. Edit the SSH configuration file. # pfedit /etc/ssh/sshd_config Locate the file containing: Banner Change the line to read: Banner /etc/issue Edit the /etc/issue file # pfedit /etc/issue The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Restart the SSH service # svcadm restart svc:/network/ssh
- RMF Control
- AC-8
- Severity
- Low
- CCI
- CCI-000048
- Version
- SOL-11.1-050410
- Vuln IDs
-
- V-216160
- V-48203
- Rule IDs
-
- SV-216160r603268_rule
- SV-61075
Checks: C-17398r372862_chk
This item does not apply if a graphic login is not configured. Log in to the Gnome Graphical interface. If the approved banner message does not appear, this is a finding. # cat /etc/issue # grep /etc/gdm/Init/Default zenity If /etc/issue does not contain that DoD-approved banner message or /etc/gdm/Init/Default does not contain the line: /usr/bin/zenity --text-info --width=800 --height=300 \ --title="Security Message" --filename=/etc/issue this is a finding.
Fix: F-17396r372863_fix
The root role is required. If the system does not use XWindows, this is not applicable. # pfedit /etc/issue Insert the proper DoD banner message text. The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." # pfedit /etc/gdm/Init/Default Add the following content before the "exit 0" line of the file. /usr/bin/zenity --text-info --width=800 --height=300 \ --title="Security Message" --filename=/etc/issue
- RMF Control
- AC-8
- Severity
- Low
- CCI
- CCI-000048
- Version
- SOL-11.1-050430
- Vuln IDs
-
- V-216161
- V-48199
- Rule IDs
-
- SV-216161r603268_rule
- SV-61071
Checks: C-17399r372865_chk
Determine if the FTP server package is installed: # pkg list service/network/ftp If the package is not installed, this check does not apply. # grep DisplayConnect /etc/proftpd.conf If: DisplayConnect /etc/issue does not appear, this is a finding. If /etc/issue does not contain the approved DoD text, this is a finding.
Fix: F-17397r372866_fix
The root role is required. The package: pkg:/service/network/ftp must be installed. # pfedit /etc/issue Insert the proper DoD banner message text. The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." # echo "DisplayConnect /etc/issue" >> /etc/proftpd.conf # svcadm restart ftp
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-000879
- Version
- SOL-11.1-050460
- Vuln IDs
-
- V-216162
- V-48195
- Rule IDs
-
- SV-216162r603268_rule
- SV-61067
Checks: C-17400r372868_chk
Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity. # grep ClientAlive /etc/ssh/sshd_config If the output of this command is not: ClientAliveInterval 600 ClientAliveCountMax 0 this is a finding.
Fix: F-17398r372869_fix
The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. # pfedit /etc/ssh/sshd_config Insert the two lines: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service with the new configuration. # svcadm restart svc:/network/ssh
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-050470
- Vuln IDs
-
- V-216163
- V-48191
- Rule IDs
-
- SV-216163r603268_rule
- SV-61063
Checks: C-17401r372871_chk
Determine the zone that you are currently securing. # zonename If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require inspection. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require inspection. Identify if this system has physical interfaces. # dladm show-link -Z | grep -v vnic LINK ZONE CLASS MTU STATE OVER net0 global phys 1500 unknown -- e1000g0 global phys 1500 up -- e1000g1 global phys 1500 up -- zoneD/net2 zoneD iptun 65515 up -- If "phys" appears in the third column, then the interface is physical. For each physical interface, determine if the network interface is Ethernet or InfiniBand: # dladm show-phys [interface name] LINK MEDIA STATE SPEED DUPLEX DEVICE [name] Ethernet unknown 0 half dnet0 The second column indicates either "Ethernet" or "Infiniband". For each physical interface, determine if the host is using ip-forwarding: # ipadm show-ifprop [interface name] | grep forwarding [name] forwarding ipv4 rw off -- off on,off [name] forwarding ipv6 rw off -- off on,off If "on" appears in the fifth column, then the interface is using ip-forwarding. For each interface, determine if the host is using SR-IOV’s Virtual Function (VF) driver: # dladm show-phys [interface name] | grep vf If the sixth column includes 'vf' in its name, it is using SR-IOV (ex: ixgbevf0). For each physical and SR-IOV interface, determine if network link protection capabilities are enabled. # dladm show-linkprop -p protection LINK PROPERTY PERM VALUE DEFAULT POSSIBLE net0 protection rw mac-nospoof, -- mac-nospoof, restricted, restricted, ip-nospoof, ip-nospoof, dhcp-nospoof dhcp-nospoof If the interface uses Infiniband and if restricted, ip-nospoof, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding. If the interface uses ip-forwarding and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding. If the interface uses SR-IOV and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding. If the interface uses Ethernet without IP forwarding and if mac-nospoof, restricted, ip-nospoof, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding.
Fix: F-17399r372872_fix
Determine the name of the zone that you are currently securing. # zonename If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require configuration. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require configuration. The Network Link Security profile is required. Determine which network interfaces are available and what protection modes are enabled and required. Enable link protection based on each configured network interface type. For InfiniBand: # pfexec dladm set-linkprop -p protection=restricted,ip-nospoof,dhcp-nospoof [interface name] For IP forwarding: # pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] For SR-IOV: # pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] For Ethernet without IP forwarding: # pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]
- RMF Control
- AC-18
- Severity
- Medium
- CCI
- CCI-001443
- Version
- SOL-11.1-050480
- Vuln IDs
-
- V-216164
- V-72827
- Rule IDs
-
- SV-216164r916433_rule
- SV-87479
Checks: C-17402r372874_chk
This is N/A for systems that do not have wireless network adapters. Verify that there are no wireless interfaces configured on the system: # ifconfig -a eth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5 inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0 inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0 TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2849 errors:0 dropped:0 overruns:0 frame:0 TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB) If a wireless interface is configured, it must be documented and approved by the local Authorizing Official. If a wireless interface is configured and has not been documented and approved, this is a finding.
Fix: F-17400r372875_fix
Configure the system to disable all wireless network interfaces.
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- SOL-11.1-060010
- Vuln IDs
-
- V-216165
- V-48187
- Rule IDs
-
- SV-216165r916433_rule
- SV-61059
Checks: C-17403r372877_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Crypto Management profile is required to execute this command. Check to ensure that FIPS-140 encryption mode is enabled. # cryptoadm list fips-140| grep -c "is disabled" If the output of this command is not "0", this is a finding.
Fix: F-17401r372878_fix
The Crypto Management profile is required to execute this command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Enable FIPS-140 mode. # pfexec cryptoadm enable fips-140 Reboot the system as requested.
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000068
- Version
- SOL-11.1-060130
- Vuln IDs
-
- V-216173
- V-48159
- Rule IDs
-
- SV-216173r744136_rule
- SV-61031
Checks: C-17411r622341_chk
Check the SSH daemon configuration for allowed ciphers. # grep -i ciphers /etc/ssh/sshd_config | grep -v '^#’ Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or is commented out, this is a finding.
Fix: F-17409r622342_fix
The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Change or set the ciphers line to the following: ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH service. # svcadm restart svc:/network/ssh
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-060140
- Vuln IDs
-
- V-216174
- V-48157
- Rule IDs
-
- SV-216174r603268_rule
- SV-61029
Checks: C-17412r372904_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the logical node of all attached removable media: # rmformat This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0 Determine which zpool is mapped to the device: # zpool status Determine the file system names of the portable digital media: # zfs list | grep [poolname] Using the file system name, determine if the removal media is encrypted: # zfs get encryption [filesystem] If "encryption off" is listed, this is a finding.
Fix: F-17410r372905_fix
The root role is required. Format a removable device as a ZFS encrypted file system. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. The ZFS File System Management and ZFS Storage management profiles are required. Insert the removable device: # rmformat This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0 Create an encrypted zpool on this device using a poolname of your choice: # pfexec zpool create -O encryption=on [poolname] c8t0d0p0 Enter a passphrase and confirm the passphrase. Keep the passphrase secure. Export the zpool before removing the media: # pfexec export [poolname] It will be necessary to enter the passphrase when inserting and importing the removable media zpool: Insert the removable media # pfexec import [poolname] Only store data in the encrypted file system.
- RMF Control
- SC-28
- Severity
- Low
- CCI
- CCI-001199
- Version
- SOL-11.1-060160
- Vuln IDs
-
- V-216176
- V-48153
- Rule IDs
-
- SV-216176r603268_rule
- SV-61025
Checks: C-17414r372910_chk
Determine if file system encryption is required by your organization. If not required, this item does not apply. Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets. # zfs list Using the file system name, determine if the file system is encrypted: # zfs get encryption [filesystem] If "encryption off" is listed, this is a finding.
Fix: F-17412r372911_fix
The ZFS file system management profile is required. ZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data should be archived, it must be removed and re-created. First, stop running applications using the file systems, archive the data, unmount, and then remove the file system. # umount [file system name] # zfs destroy [file system name] When creating ZFS file systems, ensure that they are created as encrypted file systems. # pfexec zfs create -o encryption=on [file system name] Enter passphrase for '[file system name]': xxxxxxx Enter again: xxxxxxx Store the passphrase in a safe location. The passphrase will be required to mount the file systems upon system reboot. If automated mounting is required, the passphrase must be stored in a file.
- RMF Control
- AU-9
- Severity
- Low
- CCI
- CCI-001350
- Version
- SOL-11.1-060180
- Vuln IDs
-
- V-216178
- V-48145
- Rule IDs
-
- SV-216178r603268_rule
- SV-61017
Checks: C-17416r372916_chk
The Audit Configuration and the Audit Control profiles are required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine if audit log encryption is required by your organization. If not required, this check does not apply. Determine where the audit logs are stored and whether the file system is encrypted. # pfexec auditconfig -getplugin audit_binfile The p_dir attribute lists the location of the audit log filesystem. The default location for Solaris 11.1 is /var/audit. /var/audit is a link to /var/share/audit which, by default, is mounted on rpool/VARSHARE. Determine if this is encrypted: # zfs get encryption rpool/VARSHARE If the file system where audit logs are stored reports "encryption off", this is a finding.
Fix: F-17414r372917_fix
The ZFS File System Management and ZFS Storage Management profiles are required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. The Audit Configuration and the Audit Control profiles are required. If necessary, create a new ZFS pool to store the encrypted audit logs. # pfexec zpool create auditp mirror [device] [device] Create an encryption key: # pktool genkey keystore=file outkey=/[filename] keytype=aes keylen=256 Create a new file system to store the audit logs with encryption enabled. Use the file name created in the previous step as the keystore. # pfexec zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///[filename] -o compression=on -o mountpoint=/audit auditp/auditf Configure auditing to use this encrypted directory. # pfexec auditconfig -setplugin audit_binfile p_dir=/audit/ Refresh the audit service for the setting to be applied: # pfexec audit -s
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070010
- Vuln IDs
-
- V-216180
- V-48137
- Rule IDs
-
- SV-216180r603268_rule
- SV-61009
Checks: C-17418r372922_chk
The root role is required. Identify all world-writable directories without the "sticky bit" set. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -type d \( -perm -0002 \ -a ! -perm -1000 \) -ls Output of this command identifies world-writable directories without the "sticky bit" set. If output is created, this is a finding.
Fix: F-17416r372923_fix
The root role is required. Ensure that the "sticky bit" is set on any directories identified during the check steps. # chmod +t [directory name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070020
- Vuln IDs
-
- V-216181
- V-48133
- Rule IDs
-
- SV-216181r603268_rule
- SV-61005
Checks: C-17419r372925_chk
The root role is required. Check that the permissions on users' home directories are 750 or less permissive. # for dir in `logins -ox |\ awk -F: '($8 == "PS") { print $6 }'`; do find ${dir} -type d -prune \( -perm -g+w -o \ -perm -o+r -o -perm -o+w -o -perm -o+x \) -ls done If output is created, this is finding.
Fix: F-17417r372926_fix
The root role is required. Change the permissions on users' directories to 750 or less permissive. # chmod 750 [directory name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070030
- Vuln IDs
-
- V-216182
- V-48129
- Rule IDs
-
- SV-216182r793048_rule
- SV-61001
Checks: C-17420r793047_chk
The root role is required. Ensure that the permissions on user "." files are 750 or less permissive. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do find ${dir}/.[A-Za-z0-9]* \! -type l \ \( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 \) -ls done If output is produced, this is a finding.
Fix: F-17418r372929_fix
The root role is required. Change the permissions on users' "." files to 750 or less permissive. # chmod 750 [file name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070040
- Vuln IDs
-
- V-216183
- V-48123
- Rule IDs
-
- SV-216183r603268_rule
- SV-60995
Checks: C-17421r372931_chk
The root role is required. Check that permissions on user .netrc files are 750 or less permissive. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do find ${dir}/.netrc -type f \( \ -perm -g+r -o -perm -g+w -o -perm -g+x -o \ -perm -o+r -o -perm -o+w -o -perm -o+x \) \ -ls 2>/dev/null done If output is produced, this is a finding.
Fix: F-17419r372932_fix
The root role is required. Change the permissions on users' .netrc files to 750 or less permissive. # chmod 750 [file name]
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-070050
- Vuln IDs
-
- V-216184
- V-48119
- Rule IDs
-
- SV-216184r603268_rule
- SV-60991
Checks: C-17422r372934_chk
The root role is required. Check for the presence of .rhosts files. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do find ${dir}/.rhosts -type f -ls 2>/dev/null done If output is produced, this is a finding.
Fix: F-17420r372935_fix
The root role is required. Remove any .rhosts files found. # rm [file name]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070060
- Vuln IDs
-
- V-216185
- V-48115
- Rule IDs
-
- SV-216185r603268_rule
- SV-60987
Checks: C-17423r372937_chk
The root role is required. Check that groups are configured correctly. # logins -xo | awk -F: '($3 == "") { print $1 }' If output is produced, this is a finding.
Fix: F-17421r372938_fix
The root role is required. Correct or justify any items discovered in the Audit step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-070070
- Vuln IDs
-
- V-216186
- V-48109
- Rule IDs
-
- SV-216186r603268_rule
- SV-60981
Checks: C-17424r372940_chk
The root role is required. Determine if each user has a valid home directory. # logins -xo | while read line; do user=`echo ${line} | awk -F: '{ print $1 }'` home=`echo ${line} | awk -F: '{ print $6 }'` if [ -z "${home}" ]; then echo ${user} fi done If output is produced, this is a finding.
Fix: F-17422r372941_fix
The root role is required. Correct or justify any items discovered in the check step. Determine if there exists any users who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy. This generally means deleting the user or creating a valid home directory.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-070080
- Vuln IDs
-
- V-216187
- V-48105
- Rule IDs
-
- SV-216187r603268_rule
- SV-60977
Checks: C-17425r372943_chk
The root role is required. Check if a GUI is installed. Determine the OS version you are currently securing:. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # pkg info gdm # pkg info coherence-26 # pkg info coherence-27 If none of these packages are installed on the system, then no GUI is present. For Solaris 11.4 or newer: # pkg info gdm If gdm is not installed on the system, then no GUI is present. # pkg info uucp uucp is no longer installed by default starting in 11.4 and is deprecated. For all versions, check that all users' home directories exist. # pwck Accounts with no home directory will output "Login directory not found". If no GUI is present, then "gdm" and "upnp" accounts should generate errors. On all systems, with uucp package installed, the "uucp" and "nuucp" accounts should generate errors. If users' home directories do not exist, this is a finding.
Fix: F-17423r372944_fix
The root role is required. Work with users identified in the check step to determine the best course of action in accordance with site policy. This generally means deleting the user account or creating a valid home directory.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070090
- Vuln IDs
-
- V-216188
- V-48097
- Rule IDs
-
- SV-216188r603268_rule
- SV-60969
Checks: C-17426r372946_chk
The root role is required. Check that home directories are owned by the correct user. # export IFS=":"; logins -uxo | while read user uid group gid gecos home rest; do result=$(find ${home} -type d -prune \! -user $user -print 2>/dev/null); if [ ! -z "${result}" ]; then echo "User: ${user}\tOwner: $(ls -ld $home | awk '{ print $3 }')"; fi; done If any output is produced, this is a finding.
Fix: F-17424r372947_fix
The root role is required. Correct the owner of any directory that does not match the password file entry for that user. # chown [user] [home directory]
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000764
- Version
- SOL-11.1-070100
- Vuln IDs
-
- V-216189
- V-48095
- Rule IDs
-
- SV-216189r603268_rule
- SV-60967
Checks: C-17427r372949_chk
The root role is required. Check that there are no duplicate UIDs. # logins -d If output is produced, this is a finding.
Fix: F-17425r372950_fix
The root role is required. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy. Change user account names and UID or delete accounts, so each account has a unique name and UID.
- RMF Control
- IA-8
- Severity
- Medium
- CCI
- CCI-000804
- Version
- SOL-11.1-070110
- Vuln IDs
-
- V-216190
- V-48091
- Rule IDs
-
- SV-216190r603268_rule
- SV-60963
Checks: C-17428r372952_chk
The root role is required. Check that there are no duplicate UIDs. # logins -d If output is produced, this is a finding.
Fix: F-17426r372953_fix
The root role is required. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy. Change user account names and UID or delete accounts, so each account has a unique name and UID.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070120
- Vuln IDs
-
- V-216191
- V-48081
- Rule IDs
-
- SV-216191r603268_rule
- SV-60953
Checks: C-17429r372955_chk
The root role is required. Check that group IDs are unique. # getent group | cut -f3 -d":" | sort -n | uniq -c |\ while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then grps=`getent group | nawk -F: '($3 == n) { print $1 }' n=$2 | xargs` echo "Duplicate GID ($2): ${grps}" fi done If output is produced, this is a finding.
Fix: F-17427r372956_fix
The root role is required. Work with each respective group owner to remediate this issue and ensure that the group ownership of their files are set to an appropriate value.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070130
- Vuln IDs
-
- V-216192
- V-48077
- Rule IDs
-
- SV-216192r809491_rule
- SV-60949
Checks: C-17430r809490_chk
The root role is required. Check that reserved UIDs are not assigned to non-system users. Determine the OS version you are currently securing: # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # logins -so | awk -F: '{ print $1 }' | while read user; do found=0 for tUser in root daemon bin sys adm dladm netadm netcfg \ ftp dhcpserv sshd smmsp gdm zfssnap aiuser \ polkitd ikeuser lp openldap webservd unknown \ uucp nuucp upnp xvm mysql postgres svctag \ pkg5srv nobody noaccess nobody4; do if [ ${user} = ${tUser} ]; then found=1 fi done if [ $found -eq 0 ]; then echo "Invalid User with Reserved UID: ${user}" fi done If output is produced without justification and documentation in accordance with site policy, this is a finding. For Solaris 11.4 or newer: # logins -so | awk -F: '{ print $1 }' | while read user; do found=0 for tUser in root daemon bin sys adm dladm netadm \ netcfg dhcpserv sshd smmsp gdm zfssnap aiuser _polkitd \ ikeuser lp openldap webservd unknown \ uucp nuucp upnp xvm mysql postgres svctag \ pkg5srv nobody noaccess nobody4 _ntp; do if [ ${user} = ${tUser} ]; then found=1 fi done if [ $found -eq 0 ]; then echo "Invalid User with Reserved UID: ${user}" fi done If output is produced without justification and documentation in accordance with site policy, this is a finding.
Fix: F-17428r462482_fix
The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any accounts using these reserved UIDs, and work with their owners to determine the best course of action in accordance with site policy. This may require deleting users or changing UIDs for users.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070140
- Vuln IDs
-
- V-216193
- V-48073
- Rule IDs
-
- SV-216193r603268_rule
- SV-60945
Checks: C-17431r372961_chk
The root role is required. Identify any duplicate user names. # getent passwd | awk -F: '{print $1}' | uniq -d If output is produced, this is a finding.
Fix: F-17429r372962_fix
The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any duplicate user names, and work with their respective owners to determine the best course of action in accordance with site policy. Delete or change the user name of duplicate users.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070150
- Vuln IDs
-
- V-216194
- V-48069
- Rule IDs
-
- SV-216194r603881_rule
- SV-60941
Checks: C-17432r622344_chk
The root role is required. Check for duplicate group names. # getent group | cut -f1 -d":" | sort -n | uniq -d If output is produced, this is a finding.
Fix: F-17430r372965_fix
The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any duplicate group names, and work with their respective owners to determine the best course of action in accordance with site policy. Delete or change the group name of duplicate groups.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070160
- Vuln IDs
-
- V-216195
- V-48067
- Rule IDs
-
- SV-216195r603268_rule
- SV-60939
Checks: C-17433r372967_chk
The root role is required. Check for the presence of user .netrc files. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do ls -l ${dir}/.netrc 2>/dev/null done If output is produced, this is a finding.
Fix: F-17431r372968_fix
The root role is required. Determine if any .netrc files exist, and work with the owners to determine the best course of action in accordance with site policy.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070170
- Vuln IDs
-
- V-216196
- V-48065
- Rule IDs
-
- SV-216196r603268_rule
- SV-60937
Checks: C-17434r372970_chk
The root role is required. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do ls -l ${dir}/.forward 2>/dev/null done If output is produced, this is a finding.
Fix: F-17432r372971_fix
The root role is required. Remove any .forward files that are found. # pfexec rm [filename]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070180
- Vuln IDs
-
- V-216197
- V-48063
- Rule IDs
-
- SV-216197r603268_rule
- SV-60935
Checks: C-17435r372973_chk
The root role is required. Check for the existence of world-writable files. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -type f -perm -0002 -print If output is produced, this is a finding.
Fix: F-17433r372974_fix
The root role is required. Change the permissions of the files identified in the check step to remove the world-writable permission. # pfexec chmod o-w [filename]
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-070190
- Vuln IDs
-
- V-216198
- V-48059
- Rule IDs
-
- SV-216198r603268_rule
- SV-60931
Checks: C-17436r372976_chk
The root role is required. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -type f -perm -4000 -o \ -perm -2000 -print Output should only be Solaris-provided files and approved customer files. Solaris-provided SUID/SGID files can be listed using the command: # pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example: # elfsign verify -e /usr/bin/su elfsign: verification of /usr/bin/su passed. This message indicates that the binary is properly signed. If non-vendor provided or non-approved files are included in the list, this is a finding.
Fix: F-17434r372977_fix
The root role is required. Determine the existence of any set-UID programs that do not belong on the system, and work with the owners (or system administrator) to determine the best course of action in accordance with site policy.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070200
- Vuln IDs
-
- V-216199
- V-48039
- Rule IDs
-
- SV-216199r603268_rule
- SV-60911
Checks: C-17437r372979_chk
The root role is required. Identify all files that are owned by a user or group not listed in /etc/passwd or /etc/group # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune \( -nouser -o -nogroup \) -ls If output is produced, this is a finding.
Fix: F-17435r372980_fix
The root role is required. Correct or justify any items discovered in the Check step. Determine the existence of any files that are not attributed to current users or groups on the system, and determine the best course of action in accordance with site policy. Remove the files and directories or change their ownership.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-070210
- Vuln IDs
-
- V-216200
- V-48037
- Rule IDs
-
- SV-216200r603268_rule
- SV-60909
Checks: C-17438r372982_chk
The root role is required. Identify all files with extended attributes. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -xattr -ls If output is produced, this is a finding.
Fix: F-17436r372983_fix
The root role is required. Correct or justify any items discovered in the Check step. Determine the existence of any files having extended file attributes, and determine the best course of action in accordance with site policy. Remove the files or the extended attributes.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070220
- Vuln IDs
-
- V-216201
- V-48035
- Rule IDs
-
- SV-216201r603268_rule
- SV-60907
Checks: C-17439r372985_chk
Identify any users with GID of 0. # awk -F: '$4 == 0' /etc/passwd # awk -F: '$3 == 0' /etc/group Confirm the only account with a group id of 0 is root. If the root account is not the only account with GID of 0, this is a finding.
Fix: F-17437r372986_fix
The root role is required. Change the default GID of non-root accounts to a valid GID other than 0.
- RMF Control
- SI-11
- Severity
- Low
- CCI
- CCI-001314
- Version
- SOL-11.1-070240
- Vuln IDs
-
- V-216202
- V-48033
- Rule IDs
-
- SV-216202r603268_rule
- SV-60905
Checks: C-17440r372988_chk
Check the permissions of the /var/adm/messages file: # ls -l /var/adm/messages Check the permissions of the /var/adm directory: # ls -ld /var/adm If the owner and group of /var/adm/messages is not root and the permissions are not 640, this is a finding. If the owner of /var/adm is not root, group is not sys, and the permissions are not 750, this is a finding.
Fix: F-17438r372989_fix
The root role is required. Change the permissions and owner on the /var/adm/messages file: # chmod 640 /var/adm/messages # chown root /var/adm/messages # chgrp root /var/adm/messages Change the permissions and owner on the /var/adm directory: # chmod 750 /var/adm # chown root /var/adm # chgrp sys /var/adm
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-070260
- Vuln IDs
-
- V-216204
- V-48029
- Rule IDs
-
- SV-216204r603268_rule
- SV-60901
Checks: C-17442r372994_chk
The root role is required. Identify all file system objects that have non-standard access control lists enabled. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -acl -ls This command should return no output. If output is created, this is a finding. If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.
Fix: F-17440r372995_fix
The root role is required. Remove ACLs that are not approved in the security policy. For ZFS file systems, remove all extended ACLs with the following command: # chmod A- [filename] For UFS file systems Determine the ACLs that are set on a file: # getfacl [filename] Remove any ACL configurations that are set: # setfacl -d [ACL] [filename]
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-080010
- Vuln IDs
-
- V-216205
- V-48027
- Rule IDs
-
- SV-216205r603268_rule
- SV-60899
Checks: C-17443r372997_chk
Determine the operating system version. # uname -a If the release is not supported by the vendor, this is a finding.
Fix: F-17441r372998_fix
Upgrade to a supported version of the operating system.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080020
- Vuln IDs
-
- V-216206
- V-48025
- Rule IDs
-
- SV-216206r793061_rule
- SV-60897
Checks: C-17444r793049_chk
Determine the OS version you are currently securing. # uname –v If the OS version is 11.3 or newer, this check applies to all zones and relies on the "sxadm" command. Determine if the system implements non-executable program stacks. # sxadm status -p nxstack | cut -d: -f2 enabled.all If the command output is not "enabled.all", this is a finding. For Solaris 11, 11.1, and 11.2, this check applies to the global zone only and the "/etc/system" file is inspected. Determine the zone that you are currently securing. # zonename If the command output is "global", determine if the system implements non-executable program stacks. # grep noexec_user_stack /etc/system If the noexec_user_stack is not set to 1, this is a finding.
Fix: F-17442r373001_fix
The root role is required. Determine the OS version you are currently securing. # uname –v If the OS version is 11.3 or newer, enable non-executable program stacks using the "sxadm" command. # pfexec sxadm enable nxstack For Solaris 11, 11.1, and 11.2, this action applies to the global zone only and the "/etc/system" file is updated. Determine the zone that you are currently securing. # zonename If the command output is "global", modify the "/etc/system" file. # pfedit /etc/system add the line: set noexec_user_stack=1 Solaris 11, 11.1, and 11.2 systems will need to be restarted for the setting to take effect.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-080030
- Vuln IDs
-
- V-216207
- V-48023
- Rule IDs
-
- SV-216207r603268_rule
- SV-60895
Checks: C-17445r373003_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine if address space layout randomization is enabled. Determine the OS version you are currently securing:. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # sxadm info -p | grep aslr | grep enabled For Solaris 11.4 or newer: # sxadm status -p -o status aslr | grep enabled If no output is produced, this is a finding.
Fix: F-17443r373004_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Enable address space layout randomization. # sxadm delcust aslr Enabling ASLR may affect the function or stability of some applications, including those that use Solaris Intimate Shared Memory features.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080040
- Vuln IDs
-
- V-216208
- V-48021
- Rule IDs
-
- SV-216208r603268_rule
- SV-60893
Checks: C-17446r373006_chk
Check the process core dump configuration. # coreadm | grep enabled If any lines are returned by coreadm other than "logging", this is a finding.
Fix: F-17444r373007_fix
The Maintenance and Repair profile is required. Change the process core dump configuration to disable core dumps globally and on a per process basis. # coreadm -d global # coreadm -d process # coreadm -d global-setid # coreadm -d proc-setid # coreadm -e log
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080045
- Vuln IDs
-
- V-216209
- V-95717
- Rule IDs
-
- SV-216209r603268_rule
- SV-104855
Checks: C-17447r373009_chk
Check the defined directory for process core dumps: # coreadm | grep "global core file pattern" If the parameter is not set, or is not an absolute path (does not start with a slash [/]), this is a finding.
Fix: F-17445r373010_fix
The root role is required. Set the core file directory and file pattern. # coreadm -g /var/share/cores/core.%f.%p
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080050
- Vuln IDs
-
- V-216210
- V-48019
- Rule IDs
-
- SV-216210r603268_rule
- SV-60891
Checks: C-17448r373012_chk
Check the defined directory for process core dumps. # coreadm | grep "global core file pattern" Check the ownership of the directory. # ls -lLd [core file directory] If the directory is not owned by root, this is a finding.
Fix: F-17446r373013_fix
The root role is required. Change the owner of the core file directory. # chown root [core file directory]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080060
- Vuln IDs
-
- V-216211
- V-48017
- Rule IDs
-
- SV-216211r603268_rule
- SV-60889
Checks: C-36492r603079_chk
Check the defined directory for process core dumps. # coreadm | grep "global core file pattern" Check the group ownership of the directory. # ls -lLd [core file directory] If the directory is not group-owned by root, bin, or sys, this is a finding.
Fix: F-36456r603080_fix
The root role is required. Change the group-owner of the core file directory to root, bin or sys. Example: # chgrp root [core file directory]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080070
- Vuln IDs
-
- V-216212
- V-48015
- Rule IDs
-
- SV-216212r603268_rule
- SV-60887
Checks: C-17450r373018_chk
Check the defined directory for process core dumps. # coreadm | grep "global core file pattern" Check the permissions of the directory. # ls -lLd [core file directory] If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.
Fix: F-17448r373019_fix
The root role is required. Change the mode of the core file directory. # chmod 0700 [core file directory]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080080
- Vuln IDs
-
- V-216213
- V-48013
- Rule IDs
-
- SV-216213r603268_rule
- SV-60885
Checks: C-17451r373021_chk
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Verify savecore is not used. # dumpadm | grep 'Savecore enabled' If the value is yes, this is a finding.
Fix: F-17449r373022_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Disable savecore. # dumpadm -n
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080090
- Vuln IDs
-
- V-216214
- V-48011
- Rule IDs
-
- SV-216214r603268_rule
- SV-60883
Checks: C-17452r373024_chk
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the location of the system dump directory. # dumpadm | grep directory Check the ownership of the kernel core dump data directory. # ls -ld [savecore directory] If the kernel core dump data directory is not owned by root, this is a finding. In Solaris 11, /var/crash is linked to /var/share/crash.
Fix: F-17450r373025_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the system dump directory. # dumpadm | grep directory Change the owner of the kernel core dump data directory to root. # chown root [savecore directory] In Solaris 11, /var/crash is linked to /var/share/crash.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080100
- Vuln IDs
-
- V-216215
- V-48009
- Rule IDs
-
- SV-216215r603268_rule
- SV-60881
Checks: C-17453r373027_chk
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the location of the system dump directory. # dumpadm | grep directory Check ownership of the core dump data directory. # ls -l [savecore directory] If the directory is not group-owned by root, this is a finding. In Solaris 11, /var/crash is linked to /var/share/crash.
Fix: F-17451r373028_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the system dump directory. # dumpadm | grep directory Change the group-owner of the kernel core dump data directory. # chgrp root [kernel core dump data directory] In Solaris 11, /var/crash is linked to /var/share/crash.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080110
- Vuln IDs
-
- V-216216
- V-48007
- Rule IDs
-
- SV-216216r603268_rule
- SV-60879
Checks: C-17454r373030_chk
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the location of the system dump directory. # dumpadm | grep directory Check the permissions of the kernel core dump data directory. # ls -ld [savecore directory] If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.
Fix: F-17452r373031_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the system dump directory. # dumpadm | grep directory Change the group-owner of the kernel core dump data directory. # chmod 0700 [savecore directory]
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-080120
- Vuln IDs
-
- V-216217
- V-48005
- Rule IDs
-
- SV-216217r603268_rule
- SV-60877
Checks: C-17455r373033_chk
This check applies to X86 compatible platforms. On systems with a BIOS or system controller, verify a supervisor or administrator password is set. If a password is not set, this is a finding. If the BIOS or system controller supports user-level access in addition to supervisor/administrator access, determine if this access is enabled. If so, this is a finding.
Fix: F-17453r373034_fix
Consult the hardware vendor's documentation to determine how to start the system and access the BIOS controls. Access the system's BIOS or system controller. Set a supervisor/administrator password if one has not been set. Disable a user-level password if one has been set.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-080140
- Vuln IDs
-
- V-216218
- V-48001
- Rule IDs
-
- SV-216218r603268_rule
- SV-60873
Checks: C-17456r373036_chk
This check applies to X86 systems only. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. # grep source /rpool/boot/grub/grub.cfg source $prefix/custom.cfg If the output does not contain "source $prefix/custom.cfg" on a line of its own, this is a finding. # grep superusers /rpool/boot/grub/custom.cfg. # grep password_pbkdf2 /rpool/boot/grub/custom.cfg If no superuser name and password are defined, this is a finding.
Fix: F-17454r373037_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Update GRUB to use a custom configuration file. # pfedit /rpool/boot/grub/grub.cfg Insert the line: source $prefix/custom.cfg Create a password hash. # /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is ....... Copy the long password hash in its entirety. # pfedit /rpool/boot/grub/custom.cfg Insert the lines: set superusers="[username]" password_pbkdf2 [username] [password hash] Restart the system.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-080150
- Vuln IDs
-
- V-216219
- V-47997
- Rule IDs
-
- SV-216219r603268_rule
- SV-60869
Checks: C-17457r373039_chk
Solaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance. Determine if any UFS file systems are mounted with the "nologging" option. # mount|grep nologging If any file systems are listed, this is a finding.
Fix: F-17455r373040_fix
The root role is required. Solaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance. If any UFS file systems are mounted with the "nologging" options, remove that option from the /etc/vfstab file. # pfedit /etc/vfstab Locate any file systems listed with the "nologging" option and delete the keyword "nologging".
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SOL-11.1-080160
- Vuln IDs
-
- V-216220
- V-47995
- Rule IDs
-
- SV-216220r793062_rule
- SV-60867
Checks: C-17458r793051_chk
The root role is required. Check the SNMP configuration for default passwords. Locate and examine the SNMP configuration. Procedure: Find any occurrences of the snmpd.conf file delivered with Solaris packages: # pkg search -l -Ho path snmpd.conf | awk '{ print "/"$1 }' # more [filename] Identify any community names or user password configurations. If any community name or password is set to a default value, such as public, private, snmp-trap, or password, this is a finding.
Fix: F-17456r373043_fix
The root role is required. Change the default snmpd.conf community passwords. To change them, locate the snmpd.conf file and edit it. # pfedit [filename] Locate the line system-group-read-community which has a default password of public and make the password something more random (less guessable). Make the same changes for the lines that read system- group-write-community, read-community, write-community, trap, and trap-community. Read the information in the file carefully. The trap is defining who to send traps to, for instance, by default. It is not a password, but the name of a host.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090010
- Vuln IDs
-
- V-216221
- V-47987
- Rule IDs
-
- SV-216221r877441_rule
- SV-60859
Checks: C-17459r877439_chk
The root role is required. Solaris 11 includes the Basic Account and Reporting Tool (BART), which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system. A Baseline BART manifest may exist in: /var/adm/log/bartlogs/[control manifest filename] If a BART manifest does not exist, this is a finding. At least weekly, create a new BART baseline report. # bart create > /var/adm/log/bartlogs/[new manifest filename] Compare the new report to the previous report to identify any changes in the system baseline. # bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename] Examine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.
Fix: F-17457r877440_fix
The root role is required. Solaris 11 includes the Basic Account and Reporting Tool (BART), which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system. Create a protected area to store BART manifests. # mkdir /var/adm/log/bartlogs # chmod 700 /var/adm/log/bartlogs After initial installation and configuration of the system, create a manifest report of the current baseline. # bart create > /var/adm/log/bartlogs/[baseline manifest filename]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090030
- Vuln IDs
-
- V-216223
- V-47983
- Rule IDs
-
- SV-216223r603268_rule
- SV-60855
Checks: C-17461r373051_chk
The Audit Review profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Use the "auditreduce" command to check for multiple accesses to an account # auditreduce -c lo -u [shared_user_name] | praudit -l If users log directly into accounts, rather than using the "su" command from their own named account to access them, this is a finding. Also, ask the SA or the IAO if shared accounts are logged into directly or if users log into an individual account and switch user to the shared account.
Fix: F-17459r373052_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Use the switch user ("su") command from a named account login to access shared accounts. Maintain audit trails that identify the actual user of the account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user ("su") to the shared account.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-090040
- Vuln IDs
-
- V-216224
- V-47979
- Rule IDs
-
- SV-216224r603268_rule
- SV-60851
Checks: C-17462r373054_chk
Check the system for unnecessary user accounts. # getent passwd Some examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.
Fix: F-17460r373055_fix
The root role is required. Remove all unnecessary accounts, such as games, from the /etc/passwd file before connecting a system to the network. Other accounts, such as news and gopher, associated with a service not in use should also be removed. Identify unnecessary accounts. # getent passwd Remove unnecessary accounts. # userdel [username]
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090050
- Vuln IDs
-
- V-216225
- V-47977
- Rule IDs
-
- SV-216225r603268_rule
- SV-60849
Checks: C-17463r373057_chk
The operations staff shall ensure that proper backups are created, tested, and archived. Ask the operator for documentation on the backup procedures implemented. If the backup procedures are not documented then this is a finding.
Fix: F-17461r373058_fix
The operations staff shall install, configure, test, and verify operating system backup software. Additionally, all backup procedures must be documented.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090060
- Vuln IDs
-
- V-216226
- V-47975
- Rule IDs
-
- SV-216226r603268_rule
- SV-60847
Checks: C-17464r373060_chk
The operations staff shall ensure that proper backups are created, tested, and archived. Ask the operator for documentation on the backup procedures implemented. If the backup procedures are not documented then this is a finding.
Fix: F-17462r373061_fix
The operations staff shall install, configure, test, and verify operating system backup software. Additionally, all backup procedures must be documented.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090070
- Vuln IDs
-
- V-216227
- V-47973
- Rule IDs
-
- SV-216227r603268_rule
- SV-60845
Checks: C-17465r373063_chk
The operations staff shall ensure that proper backups are created, tested, and archived. Ask the operator for documentation on the backup procedures implemented. If the backup procedures are not documented then this is a finding.
Fix: F-17463r373064_fix
The operations staff shall install, configure, test, and verify operating system backup software. Additionally, all backup procedures must be documented.
- RMF Control
- SC-18
- Severity
- Medium
- CCI
- CCI-001695
- Version
- SOL-11.1-090100
- Vuln IDs
-
- V-216228
- V-47969
- Rule IDs
-
- SV-216228r603268_rule
- SV-60841
Checks: C-17466r373066_chk
Determine if the Firefox package is installed: # pkg list web/browser/firefox If the package is not installed, this check does not apply. If installed, ensure that it is a supported version. # pkg info firefox | grep Version Version: 52.5.2 If the version is not supported, this is a finding. Ensure that Java and JavaScript access by Firefox are disabled. Start Firefox. In the address bar type: about:config In search bar type: javascript.enabled If 'Value" is true, this is a finding In the address bar type: about:addons Click on "I accept the risk" button. Click on "Plugins". If Java is enabled, this is a finding.
Fix: F-17464r373067_fix
In the address bar type: about:config Click on "I accept the risk" button. In search bar type: javascript.enabled Double click on the javascript.enabled and Value true will change to false. In the address bar type: about:addons Click on "Plugins". If Java is displayed, disable Java by clicking on the Never Activate selection
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090115
- Vuln IDs
-
- V-216229
- V-49625
- Rule IDs
-
- SV-216229r603268_rule
- SV-62549
Checks: C-17467r373069_chk
The operator will ensure that a DoD approved PKI system is installed, configured, and properly operating. Ask the operator to document the PKI software installation and configuration. If the operator is not able to provide a documented configuration for an installed PKI system or if the PKI system is not properly configured, maintained, or used, this is a finding.
Fix: F-17465r373070_fix
The operator will ensure that a DoD approved PKI software is installed and operating continuously.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090130
- Vuln IDs
-
- V-216231
- V-47959
- Rule IDs
-
- SV-216231r603268_rule
- SV-60831
Checks: C-17469r462451_chk
The operator will ensure that anti-virus software is installed and operating. If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.
Fix: F-17467r462452_fix
The operator will ensure that anti-virus software is installed and operating.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-090140
- Vuln IDs
-
- V-216232
- V-47955
- Rule IDs
-
- SV-216232r603268_rule
- SV-60827
Checks: C-17470r373075_chk
The operator will ensure that anti-virus software is installed and operating. If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.
Fix: F-17468r373076_fix
The operator will ensure that anti-virus software is installed and operating.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001348
- Version
- SOL-11.1-090220
- Vuln IDs
-
- V-216233
- V-47941
- Rule IDs
-
- SV-216233r603268_rule
- SV-60813
Checks: C-17471r373078_chk
This check applies to the global zone only. Determine the zone that you a currently securing. # zonename If the command output is "global" this check applies. The operator must back up audit records at least every 7 days. If the operator is unable to provide a documented procedure or the documented procedure is not being followed, then this is a finding.
Fix: F-17469r373079_fix
This fix applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The operator shall back up audit records at least every seven days.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-090240
- Vuln IDs
-
- V-216234
- V-47937
- Rule IDs
-
- SV-216234r603268_rule
- SV-60809
Checks: C-17472r373081_chk
Ask the operators if they use vi, emacs, or gedit to make changes to system files. If vi, emacs, or gedit are used to make changes to system files, this is a finding.
Fix: F-17470r373082_fix
Advise the operators to use pdfedit or other appropriate command line tools to make system changes instead of vi, emacs, or gedit. Oracle Solaris includes administrative configuration files which use pfedit, and the solaris.admin.edit/path_to_file authorization is not recommended. Alternate commands exist which are both domain-specific and safer. For example, for the /etc/passwd, /etc/shadow, or /etc/user_attr files, use instead passwd, useradd, userdel, or usermod. For the /etc/group file, use instead groupadd, groupdel, or groupmod. For updating /etc/security/auth_attr, /etc/security/exec_attr, or /etc/security/prof_attr, the preferred command is profiles.
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-001095
- Version
- SOL-11.1-090280
- Vuln IDs
-
- V-216237
- V-47899
- Rule IDs
-
- SV-216237r940018_rule
- SV-60771
Checks: C-36493r940017_chk
Verify that you are on the global zone: # zoneadm -z global list global Note: If you see following message, you are not in the global zone: "zoneadm: global: No such zone exists" # dladm show-ether -Z | egrep "LINK|up" LINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE net0 current up yes 1G-f bi Determine the OS version that is being secured: # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE net0 en_1000fdx_cap rw 1 1 1 1,0 net0 en_1000hdx_cap r- 0 0 0 1,0 net0 en_100fdx_cap rw 1 1 1 1,0 net0 en_100hdx_cap rw 1 1 1 1,0 net0 en_10fdx_cap rw 1 1 1 1,0 net0 en_10gfdx_cap -- -- -- 0 1,0 net0 en_10hdx_cap rw 1 1 1 1,0 Do the above for all available/connected network adapters. For Solaris 11.4.x.x.x or newer: # dladm show-linkprop -p speed-duplex net0 LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE net0 speed-duplex rw 1g-f,100m-f, 1g-f,100m-f, 1g-f, 1g-f,100m-f, 100m-h, 100m-h, 100m-f, 100m-h,10m-f, 10m-f,10m-h 10m-f,10m-h 100m-h, 10m-h 10m-f, 10m-h Do the above for all available/connected network adapters. For each link, determine if its current speed-duplex settings VALUE field is appropriate for managing any excess bandwidth capacity based on its POSSIBLE settings field; if not, this is a finding.
Fix: F-36457r940018_fix
The Network Management profile is required. Set each link's speed-duplex protection to an appropriate value based on each configured network interface's POSSIBLE settings. Determine the OS version that is being secured: # uname -a For Solaris 11, 11.1, 11.2, and 11.3: # pfexec dladm set-linkprop -p en_1000fdx_cap=1 net0 Verify EFFECTIVE column # dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE net0 en_1000fdx_cap rw 1 1 1 1,0 net0 en_1000hdx_cap r- 0 0 0 1,0 net0 en_100fdx_cap rw 1 1 1 1,0 net0 en_100hdx_cap rw 1 1 1 1,0 net0 en_10fdx_cap rw 1 1 1 1,0 net0 en_10gfdx_cap -- -- -- 0 1,0 net0 en_10hdx_cap rw 1 1 1 1,0 Do the above for all available/connected network adapters. For Solaris 11.4.x or newer: # pfexec dladm set-linkprop -p speed-duplex=1g-f,100m-f net0 Verify EFFECTIVE column # dladm show-linkprop -p speed-duplex net0 LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE net0 speed-duplex rw 1g-f,100m-f 1g-f,100m-f 1g-f, 1g-f,100m-f, 100m-f, 100m-h,10m-f, 100m-h, 10m-h 10m-f, 10m-h Do the above for all available/connected network adapters.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-100010
- Vuln IDs
-
- V-216238
- V-47897
- Rule IDs
-
- SV-216238r603268_rule
- SV-60769
Checks: C-17476r373090_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the ownership of the files and directories. # pkg verify system/zones The command should return no output. If output is produced, this is a finding.
Fix: F-17474r373091_fix
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Software Installation profile is required. Change the ownership and permissions of the files and directories to the factory default. # pkg fix system/zones
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-100020
- Vuln IDs
-
- V-216239
- V-47895
- Rule IDs
-
- SV-216239r603268_rule
- SV-60767
Checks: C-17477r373093_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global From the output list of non-global zones found, determine if any are Kernel zones. # zoneadm list -cv | grep [zonename] | grep solaris-kz Exclude any Kernel zones found from the list of local zones. List the configuration for each zone. # zonecfg -z [zonename] info |grep limitpriv If the output of this command has a setting for limitpriv and it is not: limitpriv: default this is a finding.
Fix: F-17475r373094_fix
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Zone Security profile is required: Change the "limitpriv" setting to default. # pfexec zonecfg -z [zone] set limitpriv=default
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-100030
- Vuln IDs
-
- V-216240
- V-47841
- Rule IDs
-
- SV-216240r603268_rule
- SV-60715
Checks: C-17478r373096_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global List the configuration for each zone. # zonecfg -z [zonename] info | grep dev Check for device lines. If such a line exists and is not approved by security, this is a finding.
Fix: F-17476r373097_fix
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Zone Security profile is required: Remove all device assignments from the non-global zone. # pfexec zonecfg -z [zone] delete device [device]
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-100040
- Vuln IDs
-
- V-216241
- V-47839
- Rule IDs
-
- SV-216241r603268_rule
- SV-60713
Checks: C-17479r373099_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Determine whether the "zonename" auditing policy is in effect. # pfexec auditconfig -getpolicy | grep active | grep zonename If no output is returned, this is a finding.
Fix: F-17477r373100_fix
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Enable the "zonename" auditing policy. # pfexec auditconfig -setpolicy +zonename
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SOL-11.1-100050
- Vuln IDs
-
- V-216242
- V-47837
- Rule IDs
-
- SV-216242r603268_rule
- SV-60711
Checks: C-17480r373102_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Determine whether the "perzone" auditing policy is in effect. # pfexec auditconfig -getpolicy | grep active | grep perzone If output is returned, this is a finding.
Fix: F-17478r373103_fix
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Disable the "perzone" auditing policy. # pfexec auditconfig -setpolicy -perzone
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-120410
- Vuln IDs
-
- V-216243
- V-49635
- Rule IDs
-
- SV-216243r603268_rule
- SV-62559
Checks: C-17481r373105_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global" this check applies. Determine if USB mass storage devices are locked out by the kernel. # grep -h "exclude: scsa2usb" /etc/system /etc/system.d/* If the output of this command is not: exclude: scsa2usb this is a finding.
Fix: F-17479r373106_fix
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global" this check applies. Modify the /etc/system file. Determine the OS version you are currently securing. # uname –v For Solaris 11GA and 11.1 # pfedit /etc/system Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect. For Solaris 11.2 or newer Modify an /etc/system.d file. # pfedit /etc/system.d/USB:MassStorage Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect.
- RMF Control
- AU-7
- Severity
- Medium
- CCI
- CCI-001877
- Version
- SOL-11.1-010060
- Vuln IDs
-
- V-219988
- V-47783
- Rule IDs
-
- SV-219988r854551_rule
- SV-60659
Checks: C-21698r372418_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-21697r372419_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-7
- Severity
- Medium
- CCI
- CCI-001880
- Version
- SOL-11.1-010070
- Vuln IDs
-
- V-219989
- V-47785
- Rule IDs
-
- SV-219989r854552_rule
- SV-60661
Checks: C-21699r372421_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-21698r372422_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SOL-11.1-010130
- Vuln IDs
-
- V-219990
- V-47793
- Rule IDs
-
- SV-219990r603268_rule
- SV-60669
Checks: C-21700r372433_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.
Fix: F-21699r372434_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SOL-11.1-010320
- Vuln IDs
-
- V-219991
- V-47821
- Rule IDs
-
- SV-219991r603268_rule
- SV-60697
Checks: C-21701r372475_chk
The Audit Configuration profile is required. Check that the audit flag for auditing file access is enabled. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the OS version you are currently securing. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "fm" audit flag is not included in output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "fm" audit flag is not included in output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-21700r372476_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SOL-11.1-010330
- Vuln IDs
-
- V-219992
- V-47823
- Rule IDs
-
- SV-219992r916461_rule
- SV-60699
Checks: C-21702r916460_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "as" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.
Fix: F-21701r877461_fix
The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-001855
- Version
- SOL-11.1-010370
- Vuln IDs
-
- V-219993
- V-47835
- Rule IDs
-
- SV-219993r854553_rule
- SV-60709
Checks: C-21703r372490_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The root role is required. Verify the presence of an audit_warn entry in /etc/mail/aliases. # /usr/lib/sendmail -bv audit_warn If the response is: audit_warn... User unknown this is a finding. Review the output of the command and verify that the audit_warn alias notifies the appropriate users in this form: audit_warn:user1,user2 If an appropriate user is not listed, this is a finding.
Fix: F-21702r372491_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases
- RMF Control
- AU-5
- Severity
- High
- CCI
- CCI-001858
- Version
- SOL-11.1-010380
- Vuln IDs
-
- V-219994
- V-47843
- Rule IDs
-
- SV-219994r854554_rule
- SV-60717
Checks: C-21704r372493_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The root role is required. Verify the presence of an audit_warn entry in /etc/mail/aliases. # /usr/lib/sendmail -bv audit_warn If the response is: audit_warn... User unknown this is a finding. Review the output of the command and verify that the audit_warn alias notifies the appropriate users in this form: audit_warn:user1,user2 If an appropriate user is not listed, this is a finding.
Fix: F-21703r372494_fix
The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001849
- Version
- SOL-11.1-010400
- Vuln IDs
-
- V-219995
- V-47857
- Rule IDs
-
- SV-219995r854555_rule
- SV-60731
Checks: C-21705r372499_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Review the current audit file space limitations # pfexec auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) The output of the command will appear in this form. Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2 If p_minfree is not equal to "2" of greater, this is a finding. p_dir defines the current audit file system. Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. Check that zfs compression is enabled for the audit file system. # zfs get compression [poolname/filesystemname] If compression is off, this is a finding. Check that a ZFS quota is enforced for the audit filesystem. # zfs get quota [poolname/filesystemname] If quota is set to "none", this is a finding. Ensure that a reservation of space is enforced on /var/share so that other users do not use up audit space. # zfs get quota,reservation [poolname/filesystemname] If reservation is set to "none", this is a finding.
Fix: F-21704r372500_fix
The Audit Configuration, Audit Control and ZFS File System Management profiles are required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the audit system directory name: # pfexec auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) The output of the command will appear in this form: Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1; p_dir defines the current audit file system. Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. Set a minimum percentage of free space on the audit_binfile plugin to 2%. # pfexec auditconfig -setplugin audit_binfile p_minfree=2 Restart the audit system. # pfexec audit -s Enable compression for the audit filesystem. # pfexec zfs set compression=on [poolname/filesystemname] Set a ZFS quota on the default /var/share filesystem for audit records to ensure that the root pool is not filled up with audit logs. # pfexec zfs set quota=XXG [poolname/filesystemname] This commands sets the quota to XX Gigabytes. This value should be based upon organizational requirements. Set a ZFS reservation on the default /var/share filesystem for audit records to ensure that the audit file system is guaranteed a fixed amount of storage. # pfexec zfs set reservation=XXG [poolname/filesystemname] This commands sets the quota to XX Gigabytes. This value should be based upon organizational requirements.
- RMF Control
- AU-4
- Severity
- High
- CCI
- CCI-001849
- Version
- SOL-11.1-010410
- Vuln IDs
-
- V-219996
- V-49621
- Rule IDs
-
- SV-219996r854556_rule
- SV-62545
Checks: C-21706r372502_chk
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getplugin If the output of this command does not contain: p_fsize=4M this is a finding.
Fix: F-21705r372503_fix
The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Set the size of a binary audit file to a specific size. The size is specified in megabytes. # pfexec auditconfig -setplugin audit_binfile p_fsize=4M Restart the audit system. # pfexec audit -s
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001749
- Version
- SOL-11.1-020020
- Vuln IDs
-
- V-219997
- V-47883
- Rule IDs
-
- SV-219997r854557_rule
- SV-60755
Checks: C-21707r372520_chk
Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding.
Fix: F-21706r372521_fix
The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify
- RMF Control
- CM-3
- Severity
- Medium
- CCI
- CCI-001744
- Version
- SOL-11.1-020190
- Vuln IDs
-
- V-219998
- V-47923
- Rule IDs
-
- SV-219998r854558_rule
- SV-60795
Checks: C-21708r372565_chk
The Software Installation Profile is required. Display the installation history of packages on the system to ensure that no undesirable packages have been installed: # pkg history -o finish,user,operation,command |grep install If the install command is listed as "/usr/bin/packagemanager", execute the command: # pkg history -l to determine which packages were installed during package manager sessions. If undocumented or unapproved packages have been installed, this is a finding.
Fix: F-21707r372566_fix
The Software Installation Profile is required. Review and report any unauthorized package installation operations. If necessary, remove unauthorized packages. # pfexec pkg uninstall [package name]
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-001764
- Version
- SOL-11.1-020230
- Vuln IDs
-
- V-219999
- V-47927
- Rule IDs
-
- SV-219999r854559_rule
- SV-60799
Checks: C-21709r372571_chk
Identify the packages installed on the system. # pkg list Any unauthorized software packages listed in the output are a finding.
Fix: F-21708r372572_fix
The Software Installation profile is required. Identify packages installed on the system: # pkg list uninstall unauthorized packages: # pfexec pkg uninstall [ package name]
- RMF Control
- SC-18
- Severity
- Medium
- CCI
- CCI-001170
- Version
- SOL-11.1-030060
- Vuln IDs
-
- V-220000
- V-47939
- Rule IDs
-
- SV-220000r603268_rule
- SV-60811
Checks: C-21710r372637_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine if the removable media volume manager is running. # svcs -Ho state svc:/system/filesystem/rmvolmgr:default If the output reports that the service is "online", this is a finding.
Fix: F-21709r372638_fix
The Service Management profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Disable the rmvolmgr service. # pfexec svcadm disable svc:/system/filesystem/rmvolmgr:default
- RMF Control
- AC-6
- Severity
- Medium
- CCI
- CCI-002235
- Version
- SOL-11.1-040200
- Vuln IDs
-
- V-220001
- V-48055
- Rule IDs
-
- SV-220001r854560_rule
- SV-60927
Checks: C-21711r372694_chk
Verify the root user is configured as a role, rather than a normal user. # userattr type root If the command does not return the word "role", this is a finding. Verify at least one local user has been assigned the root role. # grep '[:;]roles=root[^;]*' /etc/user_attr If no lines are returned, or no users are permitted to assume the root role, this is a finding.
Fix: F-21710r372695_fix
The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]
- RMF Control
- SC-13
- Severity
- Medium
- CCI
- CCI-002450
- Version
- SOL-11.1-060060
- Vuln IDs
-
- V-220003
- V-48183
- Rule IDs
-
- SV-220003r854561_rule
- SV-61055
Checks: C-21713r372880_chk
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Crypto Management profile is required to execute this command. Check to ensure that FIPS-140 encryption mode is enabled. # cryptoadm list fips-140| grep -c "is disabled" If the output of this command is not "0", this is a finding.
Fix: F-21712r372881_fix
The Crypto Management profile is required to execute this command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Enable FIPS-140 mode. # pfexec cryptoadm enable fips-140 Reboot the system as requested.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002418
- Version
- SOL-11.1-060070
- Vuln IDs
-
- V-220004
- V-48179
- Rule IDs
-
- SV-220004r854562_rule
- SV-61051
Checks: C-21714r372883_chk
All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.
Fix: F-21713r372884_fix
All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002421
- Version
- SOL-11.1-060080
- Vuln IDs
-
- V-220005
- V-48175
- Rule IDs
-
- SV-220005r877040_rule
- SV-61047
Checks: C-21715r372886_chk
All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.
Fix: F-21714r372887_fix
All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002420
- Version
- SOL-11.1-060090
- Vuln IDs
-
- V-220006
- V-48171
- Rule IDs
-
- SV-220006r854564_rule
- SV-61043
Checks: C-21716r372889_chk
All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.
Fix: F-21715r372890_fix
All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002418
- Version
- SOL-11.1-060100
- Vuln IDs
-
- V-220007
- V-48167
- Rule IDs
-
- SV-220007r854565_rule
- SV-61039
Checks: C-21717r372892_chk
All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.
Fix: F-21716r372893_fix
All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002421
- Version
- SOL-11.1-060110
- Vuln IDs
-
- V-220008
- V-48163
- Rule IDs
-
- SV-220008r877040_rule
- SV-61035
Checks: C-21718r372895_chk
All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.
Fix: F-21717r372896_fix
All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002420
- Version
- SOL-11.1-060120
- Vuln IDs
-
- V-220009
- V-48161
- Rule IDs
-
- SV-220009r854567_rule
- SV-61033
Checks: C-21719r372898_chk
All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.
Fix: F-21718r372899_fix
All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.
- RMF Control
- SC-28
- Severity
- Low
- CCI
- CCI-002475
- Version
- SOL-11.1-060150
- Vuln IDs
-
- V-220010
- V-48155
- Rule IDs
-
- SV-220010r854568_rule
- SV-61027
Checks: C-21720r372907_chk
Determine if file system encryption is required by your organization. If not required, this item does not apply. Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets. # zfs list Using the file system name, determine if the file system is encrypted: # zfs get encryption [filesystem] If "encryption off" is listed, this is a finding.
Fix: F-21719r372908_fix
The ZFS file system management profile is required. ZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data should be archived, it must be removed and re-created. First, stop running applications using the file systems, archive the data, unmount, and then remove the file system. # umount [file system name] # zfs destroy [file system name] When creating ZFS file systems, ensure that they are created as encrypted file systems. # pfexec zfs create -o encryption=on [file system name] Enter passphrase for '[file system name]': xxxxxxx Enter again: xxxxxxx Store the passphrase in a safe location. The passphrase will be required to mount the file systems upon system reboot. If automated mounting is required, the passphrase must be stored in a file.
- RMF Control
- SC-28
- Severity
- Low
- CCI
- CCI-002475
- Version
- SOL-11.1-060170
- Vuln IDs
-
- V-220011
- V-48149
- Rule IDs
-
- SV-220011r854569_rule
- SV-61021
Checks: C-21721r372913_chk
Determine if file system encryption is required by your organization. If not required, this item does not apply. Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets. # zfs list Using the file system name, determine if the file system is encrypted: # zfs get encryption [filesystem] If "encryption off" is listed, this is a finding.
Fix: F-21720r372914_fix
The ZFS file system management profile is required. ZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data should be archived, it must be removed and re-created. First, stop running applications using the file systems, archive the data, unmount, and then remove the file system. # umount [file system name] # zfs destroy [file system name] When creating ZFS file systems, ensure that they are created as encrypted file systems. # pfexec zfs create -o encryption=on [file system name] Enter passphrase for '[file system name]': xxxxxxx Enter again: xxxxxxx Store the passphrase in a safe location. The passphrase will be required to mount the file systems upon system reboot. If automated mounting is required, the passphrase must be stored in a file.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002418
- Version
- SOL-11.1-060190
- Vuln IDs
-
- V-220012
- V-48141
- Rule IDs
-
- SV-220012r854570_rule
- SV-61013
Checks: C-21722r372919_chk
The operator shall determine if IPsec is being used to encrypt data for activities such as cluster interconnects or other non-SSH, SFTP data connections. On both systems review the file /etc/inet/ipsecinit.conf. Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation. Check that the IPsec policy service is online: # svcs svc:/network/ipsec/policy:default If the IPsec service is not online, this is a finding. If encrypted protocols are not used between systems, this is a finding.
Fix: F-21721r372920_fix
The Service Management profile is required. Configure IPsec encrypted tunneling between two systems. On both systems review the file /etc/inet/ipsecinit.conf. Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation. Ensure that the IPsec policy service is online: Enable the IPsec service: # svcadm enable svc:/network/ipsec/policy:default
- RMF Control
- AC-6
- Severity
- Medium
- CCI
- CCI-002234
- Version
- SOL-11.1-070250
- Vuln IDs
-
- V-220013
- V-48031
- Rule IDs
-
- SV-220013r854571_rule
- SV-60903
Checks: C-21723r372991_chk
The audit configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the location of the local audit trail files. # auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;" In this example, the audit files can be found in /var/audit. Check that the permissions on the audit files are 640 (rw- r-- --) or less permissive. # ls -al /var/audit # ls -l /var/audit/* If the permissions are more permissive than 640, this is a finding. Note: The default Solaris 11 location for /var/audit is a link to /var/share/audit.
Fix: F-21722r372992_fix
The root role is required. Determine the location of the local audit trail files. # pfexec auditconfig -getplugin audit_binfile Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1 In this example, the audit files can be found in /var/audit. Change the permissions on the audit trail files and the audit directory. # chmod 640 /var/share/audit/* # chmod 750 /var/share/audit Note: The default Solaris 11 location for /var/audit is a link to /var/share/audit.
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-002046
- Version
- SOL-11.1-090020
- Vuln IDs
-
- V-220014
- V-47985
- Rule IDs
-
- SV-220014r876975_rule
- SV-60857
Checks: C-21724r462448_chk
NTP must be used and used only in the global zone. Determine the zone that you are currently securing. # zonename If the command output is not "global", then NTP must be disabled. Check the system for a running NTP daemon. # svcs -Ho state ntp If NTP is online, this is a finding. If the output from "zonename" is "global", then NTP must be enabled. Check the system for a running NTP daemon. # svcs -Ho state ntp If NTP is not online, this is a finding. If NTP is running, confirm the servers and peers or multicast client (as applicable) are local or an authoritative U.S. DoD source. For the NTP daemon # more /etc/inet/ntp.conf If a non-local/non-authoritative (non-U.S. DoD source, non-USNO-based, or non-GPS) time server is used, this is a finding. Determine if the time synchronization frequency is correct. # grep "maxpoll" /etc/inet/ntp.conf If the command returns "File not found" or any value for maxpoll, this is a finding. Determine if the running NTP server is configured properly. # ntpq -p | awk '($6 ~ /[0-9]+/ && $6 > 86400) { print $1" "$6 }' This will print out the name of any time server whose current polling time is greater than 24 hours (along with the actual value). If there is any output, this is a finding.
Fix: F-21723r462449_fix
The root role is required. Determine the zone that you are currently securing. # zonename If the command output is not "global", then NTP must be disabled. # svcadm disable ntp If the output from "zonename" is "global", then NTP must be enabled. To activate the ntpd daemon, the ntp.conf file must first be created. # cp /etc/inet/ntp.client /etc/inet/ntp.conf # pfedit /etc/inet/ntp.conf Make site-specific changes to this file as needed in the form. server [ntpserver] Locate the line containing maxpoll (if it exists). Delete the line. Start the ntpd daemon. # svcadm enable ntp Use a local authoritative time server synchronizing to an authorized DoD time source, a USNO-based time server, or a GPS. Ensure all systems in the facility feed from one or more local time servers that feed from the authoritative time server. Edit the NTP configuration files and make the necessary changes to add the approved time servers per Solaris documentation.
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002696
- Version
- SOL-11.1-090250
- Vuln IDs
-
- V-220015
- V-47907
- Rule IDs
-
- SV-220015r854573_rule
- SV-60779
Checks: C-21725r373084_chk
Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis. If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.
Fix: F-21724r373085_fix
Install, configure, and run DoD-approved SCAP compliance checking software on a periodic basis. Review the output of the software and document any out-of-compliance issues.
- RMF Control
- AC-6
- Severity
- Medium
- CCI
- CCI-002235
- Version
- SOL-11.1-090120
- Vuln IDs
-
- V-224672
- V-47963
- Rule IDs
-
- SV-224672r854574_rule
- SV-60835
Checks: C-26361r462454_chk
The operator will ensure that anti-virus software is installed and operating. If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.
Fix: F-26349r462455_fix
The operator will ensure that anti-virus software is installed and operating.
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002696
- Version
- SOL-11.1-090270
- Vuln IDs
-
- V-224673
- V-47903
- Rule IDs
-
- SV-224673r854575_rule
- SV-60775
Checks: C-26362r462457_chk
Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis. If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.
Fix: F-26350r462458_fix
Install, configure, and run DoD-approved SCAP compliance checking software on a periodic basis. Review the output of the software and document any out-of-compliance issues.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SOL-11.1-040331
- Vuln IDs
-
- V-233301
- Rule IDs
-
- SV-233301r603283_rule
Checks: C-36496r622215_chk
Determine if the X11 forwarding server is bound to the loopback address. # grep "^X11UseLocalhost" /etc/ssh/sshd_config If the output of this command is not: X11UseLocalhost yes this is a finding.
Fix: F-36460r622216_fix
The root role is required. Modify the sshd_config file. # vi /etc/ssh/sshd_config Locate the line containing: X11UseLocalhost Change it to: X11UseLocalhost yes Restart the SSH service. # svcadm restart svc:/network/ssh