Edit /etc/issue and add one of the DoD login banners (based on the character limitations imposed by the system). DoD Login Banners: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR "I've read & consent to terms in IS user agreem't."
Set RETRIES to 3 in the /etc/default/login file. # vi /etc/default/login Set LOCK_AFTER_RETRIES to YES in the /etc/security/policy.conf file. # vi /etc/security/policy.conf
Edit the /etc/default/login file and set SLEEPTIME to 4.
Remove, lock, or configure a password for any account with a blank password.
Remove or change the UID of accounts other than root that have UID 0.
The root home directory should be something other than / (such as /rootdir). Procedure: # mkdir /rootdir # chown root /rootdir # chgrp root /rootdir # chmod 700 /rootdir # cp -r /.??* /rootdir Edit the passwd file and change the root home directory to /rootdir. The cp -r /.??* command copies all files and subdirectories of file names beginning with "." into the new root directory, which preserves the previous root environment. The cp command must be executed from the / directory.
The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory. # chmod 0700 /rootdir
Edit the root user's local initialization files. Remove any empty path entries. Remove any relative path entries that have not been documented with the ISSO. Edit the root user’s local initialization files and remove any empty entry that is defined.
Edit the /etc/default/login file and uncomment the line containing /dev/console if it is commented out.
Add a group to the system for each GID referenced that does not have a corresponding group. #/usr/sbin/groupadd < group >
Change the mode of the system log file(s) to 0640 or less permissive. Procedure: # chmod 0640 /path/to/system-log-file NOTE: Do not confuse system log files with audit logs. Any subsystems that require less stringent permissions must be documented.
Change the mode of skeleton files with incorrect mode. # chmod 0644 <skeleton file>
Change the ownership of NIS/NIS+/yp files to root, bin, or sys. Procedure: # chown -R root /usr/lib/netsvc/yp /var/yp
Change the group owner of the NIS files to root, bin, or sys. Procedure: # chgrp -R root /usr/lib/netsvc/yp /var/yp
Change the mode of NIS/NIS+/yp command files to 0755 or less permissive. Procedure: # chmod -R 0755 /usr/lib/netsvc/yp /var/yp
Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod 0755 /path/to/library-file NOTE: Library files should have an extension of .a or .so, possibly followed by a version number.
Change the group owner of system files to a system group. Procedure: # chgrp root /path/to/system/file (System groups other than root may be used.)
Change the ownership of the /etc/shadow file. # chown root /etc/shadow
Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd Document all changes.
Change the mode of the /etc/shadow (or equivalent) file. # chmod <mode> <file>
Change the ownership of the audit log file(s). Procedure: # chown root <audit log file>
Change the mode of the audit log directories/files. # chmod 0750 <audit directory> # chmod 0640 <audit file>
Edit /etc/security/audit_control and add the fr or -fr flags to the flags list. Load the new audit configuration. # auditconfig -conf
Edit /etc/security/audit_control and add the fd to the flags list. Load the new audit configuration. # auditconfig -conf
Edit /etc/security/audit_control and add am to the flags list. Load the new audit configuration. # auditconfig -conf
Edit /etc/security/audit_control and add lo to the flags list and naflags list. Load the new audit configuration. # auditconfig -conf
Edit /etc/security/audit_control and add fm to the flags list. Load the new audit configuration. # auditconfig -conf
Change the mode of the inetd.conf file. # chmod 0440 /etc/inet/inetd.conf
Change the ownership of the services file to root or bin. Procedure: # chown root /etc/services
Change the mode of the services file to 0444 or less permissive. Procedure: # chmod 0444 /etc/services
Edit /etc/profile or another global initialization script and add the mesg -n command.
Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root. Procedure: # chown root /etc/mail/aliases
Edit the sendmail.conf file, locate the "O L" or LogLevel entry and change it to 9.
Edit the syslog.conf file and add a configuration line specifying an appropriate destination for mail.crit syslogs.
Create a /etc/ftpd/ftpusers file containing a list of accounts not authorized for FTP.
Change the owner of the ftpusers file to root. # chown root /etc/ftpd/ftpusers
Change the mode of the ftpusers file to 0640. # chmod 0640 /etc/ftpd/ftpusers
Edit /etc/inet/inetd.conf and add the -s parameter to TFTPD. # inetconv OR Update the SMF entry for the TFTP daemon. # svccfg -s tftp/udp6 setprop inetd_start/exec = "astring:\"/usr/sbin/in.tftpd -s <other TFTPD options>\""
Change the mode of the TFTP daemon. Procedure: # chmod 0755 /usr/sbin/in.tftpd
Disable the use of NIS. Possible replacements are NIS+ and LDAP.
Assign a home directory to any user without one.
Edit the run control script and remove the relative path entries from the executable search path variable that are not documented with the ISSO. Edit the run control script and remove any empty entry that is defined.
Create a /etc/shells file containing a list of valid system shells. The list below contains the default shells from the shells(4) man page. Procedure (the command is 24 lines long):
cat >/etc/shells <<EOF
/bin/bash
/bin/csh
/bin/jsh
/bin/ksh
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/bin/sh
/bin/tcsh
/bin/zsh
/sbin/jsh
/sbin/sh
/usr/bin/bash
/usr/bin/csh
/usr/bin/jsh
/usr/bin/ksh
/usr/bin/pfcsh
/usr/bin/pfksh
/usr/bin/pfsh
/usr/bin/sh
/usr/bin/tcsh
/usr/bin/zsh
EOF
Change the owner of the dfstab file to root. Example: # chown root /etc/dfs/dfstab
Change the permissions of the dfstab file to 664 or less permissive. # chmod 0644 /etc/dfs/dfstab
Create the /usr/aset/userlist file and populate it with a list of authorized users.
Use the chown command to change the owner of the /usr/aset/userlist file to root. # chown root /usr/aset/userlist
Change the mode of the /usr/aset/userlist file to 0600. # chmod 0600 /usr/aset/userlist
Create /etc/cron.d/cron.allow and/or /etc/cron.d/cron.deny with appropriate content.
Change the mode of the cron.allow file to 0600. Procedure: # chmod 0600 /etc/cron.d/cron.allow
Change the mode of the crontab files. # chmod 0600 /var/spool/cron/crontabs/*
Change the mode of the crontab directory. # chmod 0755 /var/spool/cron/crontabs
Change the owner of the crontab directory. # chown root /var/spool/cron/crontabs
Change the group owner of the crontab directories to root, sys, or bin. Procedure: # chgrp root /var/spool/cron/crontabs
Change the mode of the cron log file. # chmod 0600 /var/cron/log
Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.
Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.
Change the mode of the at.allow file. # chmod 0600 /etc/cron.d/at.allow
Disable the INN server.
Change the ownership of the smb.conf file. Procedure: # chown root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf
Change the mode of the smb.conf file to 0644 or less permissive. Procedure: # chmod 0644 /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf
Use the chown command to set the owner of the smbpasswd file to root. # chown root /etc/sfw/private/smbpasswd
Edit the configuration file and set the PermitRootLogin option to no.
Change the owner of the audio device. # chown root <audio device>
Change the group owner of the smb.conf file. Procedure: # chgrp root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf
Use the chgrp command to ensure the group owner of the smbpasswd file is root. # chgrp root /etc/sfw/private/smbpasswd
Change the mode of the smbpasswd file to 0600. Procedure: # chmod 0600 /etc/sfw/private/smbpasswd
Change the group owner of the audio device. Procedure: # chgrp system <audio device>
Edit /etc/default/passwd and set HISTORY to 5.
Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>
Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>
Change the mode of the audit_user file to 0640. # chmod 0640 /etc/security/audit_user
Configure the system to use the GRUB bootloader.
The GRUB console boot loader can be configured to use an MD5 encrypted password by adding password --md5 password-hash to the /pool-name/boot/grub/menu.lst or /boot/grub/menu.lst file. Use grub-md5-crypt to generate MD5 passwords from the command line.
Change the mode of the /etc/news/hosts.nntp file to 0600. # chmod 0600 /etc/news/hosts.nntp
Change the mode of /etc/news/hosts.nntp.nolimit to 0600. # chmod 0600 /etc/news/hosts.nntp.nolimit
Change the mode of the /etc/news/nnrp.access file to 0600. # chmod 0600 /etc/news/nnrp.access
Change the mode of the /etc/news/passwd.nntp file. # chmod 0600 /etc/news/passwd.nntp
Change the ownership of the /etc/news directory and the files in it to root. Procedure: # chown -R root /etc/news
Change the group owner of the /etc/news directory and the files in it to root. Procedure: # chgrp -R root /etc/news
Edit the configuration file and modify the Protocol line to look like: Protocol 2 Reload sshd: # kill -HUP <PID of sshd>
Edit /etc/dfs/dfstab and add the log option to all exported filesystems. Run the shareall command for the changes to take effect. NFS version 2 or 3 must be forced by updating the NFS_SERVER_VERSMAX variable appropriately in /etc/default/nfs and restarting the NFS daemon.
Implement file system journaling for the root file system, or use a file system using other mechanisms to ensure consistency. If the root file system supports journaling, enable it. If the file system does not support journaling or another mechanism to ensure consistency, a migration to a different file system will be necessary.
If there is no functional need for Samba and the daemon is running, disable the daemon by killing the process ID as noted from the output of ps -ef |grep smbd. The utility should also be removed or not installed if there is no functional requirement.
Change the group owner of the audit_user file to root, bin, or sys. Example: # chgrp root /etc/security/audit_user
Change the owner of the /etc/security/audit_user file to root. # chown root /etc/security/audit_user
Change the mode of the cron.deny file. # chmod 0600 /etc/cron.d/cron.deny
Change the owner of the cron.allow file to root. # chown root /etc/cron.d/cron.allow
Change the owner of the at.allow file. # chown root /etc/cron.d/at.allow
Change the owner of the at.deny file. # chown root /etc/cron.d/at.deny
Change the owner of the traceroute command to root. Example procedure: # chown root /usr/sbin/traceroute
Change the group-owner of the traceroute command to root. Procedure: # chgrp root /usr/sbin/traceroute
Configure anonymous FTP accounts to use a non-functional shell. If necessary, edit the /etc/passwd file to remove any functioning shells associated with the FTP account and replace them with non-functioning shells, such as, /dev/null.
Use the chown command to set the owner of the /etc/syslog.conf file to root. # chown root /etc/syslog.conf
Change the group owner of the /etc/syslog.conf file to root, bin, or sys. Procedure: # chgrp root /etc/syslog.conf
Change the ownership of the cron.deny file to root, sys, or bin. # chown root /etc/cron.d/cron.deny
Disable the remote shell service and restart inetd. Procedure: # svcadm disable network/shell # svcadm refresh inetd
Disable the rexec service and restart inetd. Procedure: # svcadm disable rexec # svcadm refresh inetd
Disable the finger service and restart inetd. Procedure: # svcadm disable finger # svcadm refresh inetd
Edit /etc/default/passwd and set the PASSLENGTH variable to 15 or greater.
Change the ownership of skeleton files with incorrect ownership. # chown bin <skeleton file>
Edit the global initialization file(s) with PATH variables containing relative paths and remove any relative path from the PATH variables that has not been documented with the ISSO. Edit the global initialization file(s) and remove any empty entry that is defined.
Remove the .rhosts, .shosts, hosts.equiv, and/or shosts.equiv files.
Edit /etc/pam.conf and remove the reference(s) to the rhosts_auth module.
Change the owner of the kernel core dump data directory to root. # chown root /var/crash
This action applies to the global zone only. Determine the type of zone that you are currently securing. # zonename If the command output is "global", this action applies. Edit /etc/system and set the noexec_user_stack parameter to 1. Restart the system for the setting to take effect.
Edit /etc/default/inetinit and set the TCP_STRONG_ISS parameter to 2.
Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority
Add appropriate IP restrictions for SSH to the /etc/hosts.deny and/or /etc/hosts.allow files.
Edit the /etc/hosts.allow and /etc/hosts.deny files to configure access restrictions.
Edit /etc/rmmount.conf and add the nosuid mount option to the configuration.
Change the default GID of non-root accounts to a valid GID other than 0.
Determine the type of zone that you are currently securing. # zonename If the command output is not "global", then NTP must be disabled. # svcadm disable ntp If the output from "zonename" is "global", then NTP must be enabled. # svcadm enable ntp
Change the owner of the NTP configuration file to root. # chown root /etc/inet/ntp.conf
Change the group owner of the NTP configuration file. Procedure: # chgrp root /etc/inet/ntp.conf
Change the mode of the NTP configuration file to 0640 or less permissive. # chmod 0640 /etc/inet/ntp.conf
If the /etc/security/crypt.conf file does not support FIPS 140-2 approved cryptographic hashing algorithms, upgrade to at least the Solaris 10 8/07 release. Edit the /etc/security/policy.conf file. # vi /etc/security/policy.conf Uncomment or add the CRYPT_ALGORITHMS_ALLOW line and set it to "5,6". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable. CRYPT_ALGORITHMS_ALLOW=5,6 CRYPT_DEFAULT=6 Update passwords for all accounts with non-compliant password hashes.
Edit /etc/default/passwd and set or add a MINDIFF setting equal to or greater than 8.
Edit the root user initialization files and remove any definition of LD_LIBRARY_PATH.
Edit the root user initialization files and remove any definition of LD_PRELOAD.
Change the owner of the /etc/resolv.conf file to root. # chown root /etc/resolv.conf
Change the group owner of the /etc/resolv.conf file to root, bin, or sys. Procedure: # chgrp root /etc/resolv.conf
Change the mode of the /etc/resolv.conf file to 0644 or less permissive. # chmod 0644 /etc/resolv.conf
Change the owner of the /etc/hosts file to root. # chown root /etc/hosts
Change the group owner of the /etc/hosts file to root, sys, or bin. Procedure: # chgrp root /etc/hosts
Change the mode of the /etc/hosts file to 0644 or less permissive. # chmod 0644 /etc/hosts
Change the owner of the /etc/nsswitch.conf file to root. # chown root /etc/nsswitch.conf
Change the group owner of the /etc/nsswitch.conf file to root, bin, or sys. Procedure: # chgrp root /etc/nsswitch.conf
Change the mode of the /etc/nsswitch.conf file to 0644 or less permissive. Procedure: # chmod 0644 /etc/nsswitch.conf
Change the owner of the /etc/passwd file to root. # chown root /etc/passwd
Change the group owner of the /etc/passwd file to root, bin, or sys. Procedure: # chgrp root /etc/passwd
Change the owner of the /etc/group file to root. # chown root /etc/group
Change the group owner of the /etc/group file. Procedure: # chgrp root /etc/group
Change the mode of the /etc/group file to 0644 or less permissive. # chmod 0644 /etc/group
Change the group owner of the /etc/shadow file. Procedure: # chgrp root /etc/shadow
Migrate /etc/passwd password hashes to /etc/shadow. # pwconv
Edit /etc/group and change the password field to an exclamation point (!) to lock the group password.
Change the group owner of the skeleton file to root. Procedure: # chgrp root /etc/skel/<skeleton file>
Change the owner of the audit tool executable to root. # chown root [audit tool executable]
Change the group-owner of the audit tool executable to root, bin, or sys. Procedure: # chgrp root <audit tool executable>
Change the mode of the audit tool executable to 0750, or less permissive. # chmod 0750 [audit tool executable]
Edit /etc/security/audit_control and add the as flag to the flag parameter.
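Every audit_control edit on this page (adding fr or -fr, fd, am, lo, fm, and as to the flags list, and lo to the naflags list) is the same operation: append a flag to a comma-separated list if it is not already there, then reload with auditconfig -conf. The following is an added example, not part of the STIG fix text, and it runs against a constructed sample file rather than the real /etc/security/audit_control:

```shell
#!/bin/sh
# Idempotently add audit flags to the flags: or naflags: line of a
# Solaris audit_control file. Flags already present are not duplicated;
# if the key line is missing entirely it is appended.
# Usage: add_audit_flags <file> <flags|naflags> <flag>[,<flag>...]
add_audit_flags() {
    file=$1 key=$2 new=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v new="$new" '
    BEGIN { n = split(new, want, ","); done = 0 }
    $0 ~ ("^" key ":") {
        line = substr($0, length(key) + 2)   # text after "key:"
        m = split(line, have, ",")
        for (i = 1; i <= m; i++) if (have[i] != "") present[have[i]] = 1
        for (i = 1; i <= n; i++) {
            if (!(want[i] in present)) {
                line = (line == "") ? want[i] : line "," want[i]
                present[want[i]] = 1
            }
        }
        print key ":" line
        done = 1
        next
    }
    { print }
    END { if (!done) print key ":" new }     # key absent: add the line
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the list currently configured for a key (for verification).
audit_flags() {
    sed -n "s/^$2://p" "$1"
}

# Demo on a constructed sample file (not a real system file). On Solaris 10
# the real file is /etc/security/audit_control; after editing it, run
# "auditconfig -conf" as the STIG fix text instructs.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/audit_control"
printf 'dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\n' > "$demo_file"
add_audit_flags "$demo_file" flags fr,fd,am,fm,as
add_audit_flags "$demo_file" naflags lo
cat "$demo_file"
rm -r "$demo_dir"
```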
Change the group ownership of the cron.allow file. Procedure: # chgrp root /etc/cron.d/cron.allow
Change the mode of the at.deny file. # chmod 0600 /etc/cron.d/at.deny
Change the group ownership of the cron.deny file to root, sys, or bin. Procedure: # chgrp root /etc/cron.d/cron.deny
Change the group ownership of the at.allow file. Procedure: # chgrp root /etc/cron.d/at.allow
Change the group ownership of the at.deny file to root, bin, or sys. Procedure: # chgrp root /etc/cron.d/at.deny
Edit /etc/ipf/ipf.conf and add rules to block outgoing source-routed packets, such as: block out log quick all with opt lsrr block out log quick all with opt ssrr Reload the IPF rules. Procedure: # ipf -Fa -A -f /etc/ipf/ipf.conf
Edit /etc/ipf/ipf.conf and add rules to block incoming source-routed packets, such as: block in log quick all with opt lsrr block in log quick all with opt ssrr Reload the IPF rules. Procedure: # ipf -Fa -A -f /etc/ipf/ipf.conf
Change the group-owner of the services file. Procedure: # chgrp root /etc/services
Disable the portmap service. # svcadm disable network/rpc/bind
Remove the SUNWrcmdr package. Procedure: # pkgrm SUNWrcmdr
Disable the rlogind service. # svcadm disable rlogin # svcadm refresh inetd
Change the group owner of the ftpusers file. Procedure: # chgrp root /etc/ftpusers
Change the permissions of the syslog configuration file. # chmod 0640 /etc/syslog.conf
Edit the /etc/ssh/ssh_config file and add or edit a Protocol configuration line that does not allow versions less than 2.
Edit /etc/ssh/sshd_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the sshd_config manpage. Restart the SSH daemon.
Edit /etc/ssh/ssh_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the ssh_config manpage.
Change the permissions for the SSH public host key files. # chmod 0644 /etc/ssh/*key.pub
Change the permissions for the SSH private host key files. # chmod 0600 /etc/ssh/*key
Edit the SSH daemon configuration and set (add if necessary) a GSSAPIAuthentication directive set to no.
Edit the SSH client configuration and set (add if necessary) a GSSAPIAuthentication directive set to no.
Edit the SSH daemon configuration and add or edit the Compression setting value to no or delayed.
Edit the SSH daemon configuration and add (or edit) a banner setting referencing a file containing a logon warning banner. DoD Login Banners: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR "I've read & consent to terms in IS user agreem't."
Change the group ownership of the NFS export configuration file. Procedure: # chgrp root /etc/dfs/dfstab
Edit the smb.conf file and change the security setting to user or another valid setting other than share.
Edit the smb.conf file and change the guest ok setting to no.
Delete the DHCP client configuration. # rm /etc/dhcp.*
Change the permissions of the LDAP client files. # chmod 0600 /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
Change the owner of the LDAP client files. # chown root /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
Change the group-owner of the LDAP client files to root, bin, or sys. Procedure: # chgrp root /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
Stop and disable the autofs service. # svcadm disable autofs
Remove the SUNWusb package. # pkgrm SUNWusb
Enable the system's local firewall. # svcadm enable network/ipfilter
Edit /var/sadm/install/admin/default and set the authentication setting to quit.
Change the group ownership of the /usr/aset/userlist file. # chgrp root /usr/aset/userlist
Change the ownership of the /etc/zones files and directories. # chown -R root /etc/zones
Change the group ownership of the /etc/zones files and directories. # chgrp -R sys /etc/zones # chgrp root /etc/zones/*.xml # chgrp bin /etc/zones/SUN*.xml
Change the mode of the /etc/zones file or directory. # chmod 0644 <file> For directories: # chmod 0755 <directory>
Change the group ownership of the audit log file(s). Procedure: # chgrp root <audit log file>
Migrate the /tmp path onto a separate file system.
Disable the telnet daemon. # svcadm disable telnet # svcadm refresh inetd