Solaris 10 SPARC Security Technical Implementation Guide
V1R23· · · Published 26 Feb 2020· 182 rules
View
Open a previous version of this SCAP benchmark.
The Solaris 10 (SPARC) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Sort by
b
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.System AdministratorECWM-1
Fix: F-25868r1_fix
Edit /etc/issue and add one of the DoD login banners (based on the character limitations imposed by the system).
DoD Login Banners:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
OR
"I've read & consent to terms in IS user agreem't."
b
The system must disable accounts after three consecutive unsuccessful login attempts.
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.System AdministratorECLO-1, ECLO-2
Fix: F-33972r1_fix
Set RETRIES to 3 in the /etc/default/login file.
#vi /etc/default/login
Set LOCK_AFTER_RETRIES to YES in the /etc/security/policy.conf file.
#vi /etc/security/policy.conf
b
The delay between login prompts following a failed login attempt must be at least 4 seconds.
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
System AdministratorECLO-1, ECLO-2
Fix: F-24360r1_fix
Edit the /etc/default/login file and set SLEEPTIME to 4.
c
The system must not have accounts configured with blank or null passwords.
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value. System AdministratorIAIA-1, IAIA-2
Fix: F-24370r2_fix
Remove, lock, or configure a password for any account with a blank password.
b
The root account must be the only account having an UID of 0.
If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.System AdministratorECLP-1
Fix: F-24403r1_fix
Remove or change the UID of accounts other than root that have UID 0.
a
The root user's home directory must not be the root directory (/).
Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.System AdministratorECCD-1, ECCD-2
Fix: F-928r2_fix
The root home directory should be something other than / (such as /rootdir).
Procedure:
# mkdir /rootdir
# chown root /rootdir
# chgrp root /rootdir
# chmod 700 /rootdir
# cp -r /.??* /rootdir
Edit the passwd file and change the root home directory to /rootdir. The cp -r /.??* command copies all files and subdirectories of file names beginning with "." into the new root directory, which preserves the previous root environment. The cp command must be executed from the / directory.
b
The root account's home directory (other than /) must have mode 0700.
Permissions greater than 0700 could allow unauthorized users access to the root home directory.System AdministratorECCD-1, ECCD-2
Fix: F-929r2_fix
The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory.
# chmod 0700 /rootdir.
b
The root accounts executable search path must contain only authorized paths.
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.System Administrator
Fix: F-930r3_fix
Edit the root user's local initialization files. Remove any empty path entries. Remove any relative path entries that have not been documented with the ISSO.
Edit the root user’s local initialization files and remove any empty entry that is defined.
b
The system must prevent the root account from directly logging in except from the system console.
Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.
System AdministratorECPA-1
Fix: F-24417r1_fix
Edit the /etc/default/login file and uncomment the line containing /dev/console if it is commented out.
a
All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
If a user is assigned the GID of a group not existing on the system, and a group with the same GID is subsequently created, the user may have unintended rights to the group.
System AdministratorECSC-1
Fix: F-33975r1_fix
Add a group to the system for each GID referenced that does not have a corresponding group.
#/usr/sbin/groupadd < group >
b
System log files must have mode 0640 or less permissive.
If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.System Administrator
Fix: F-941r3_fix
Change the mode of the system log file(s) to 0640 or less permissive.
Procedure:
# chmod "0640" /path/to/system-log-file
NOTE: Do not confuse system log files with audit logs. Any subsystems that require less stringent permissions must be documented.
b
All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
System AdministratorECLP-1
Fix: F-942r2_fix
Change the mode of skeleton files with incorrect mode.
# chmod 0644 <skeleton file>
b
NIS/NIS+/yp files must be owned by root, sys, or bin.
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
System AdministratorECLP-1
Fix: F-34044r1_fix
Change the ownership of NIS/NIS+/yp files to root, bin, or sys.
Procedure:
# chown -R root /usr/lib/netsvc/yp /var/yp
b
NIS/NIS+/yp files must be group-owned by root, sys, or bin.
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
System AdministratorECLP-1
Fix: F-34043r1_fix
Change the group owner of the NIS files to root, bin, or sys.
Procedure:
# chgrp -R root /usr/lib/netsvc/yp /var/yp
b
The NIS/NIS+/yp command files must have mode 0755 or less permissive.
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and the system.System AdministratorECLP-1
Fix: F-34672r1_fix
Change the mode of NIS/NIS+/yp command files to 0755 or less permissive.
Procedure:
# chmod -R 0755 /usr/lib/netsvc/yp /var/yp
b
Library files must have mode 0755 or less permissive.
Unauthorized access could destroy the integrity of the library files.System AdministratorDCSL-1
Fix: F-947r2_fix
Change the mode of library files to 0755 or less permissive.
Procedure (example):
# chmod 0755 /path/to/library-file
NOTE: Library files should have an extension of .a or .so, possibly followed by a version number.
b
System files, programs, and directories must be group-owned by a system group.
The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-34673r1_fix
Change the ownership of the /etc/shadow file.
# chown root /etc/shadow
b
The /etc/passwd file must have mode 0644 or less permissive.
If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.System AdministratorECLP-1
Fix: F-952r2_fix
Change the mode of the passwd file to 0644.
Procedure:
# chmod 0644 /etc/passwd
Document all changes.
b
The /etc/shadow (or equivalent) file must have mode 0400.
The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.System AdministratorECLP-1
Fix: F-954r2_fix
Change the mode of the /etc/shadow (or equivalent) file.
# chmod <mode> <file>
Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.System AdministratorECTP-1
Fix: F-966r2_fix
Change the ownership of the audit log file(s).
Procedure:
# chown root <audit log file>
b
System audit logs must have mode 0640 or less permissive.
If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do not include activity, error, or other log files created by application software.System AdministratorECTP-1
Fix: F-967r2_fix
Change the mode of the audit log directories/files.
# chmod 0750 <audit directory>
# chmod 0640 <audit file>
b
The audit system must be configured to audit failed attempts to access files and programs.
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-24523r1_fix
Edit /etc/security/audit_control and add the fr or -fr flags to the flags list.
Load the new audit configuration.
# auditconfig -conf
b
The audit system must be configured to audit file deletions.
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-24528r1_fix
Edit /etc/security/audit_control and add the fd to the flags list.
Load the new audit configuration.
# auditconfig -conf
b
The audit system must be configured to audit all administrative, privileged, and security actions.
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-24539r1_fix
Edit /etc/security/audit_control and add am to the flags list.
Load the new audit configuration.
# auditconfig -conf
b
The audit system must be configured to audit login, logout, and session initiation.
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-24546r1_fix
Edit /etc/security/audit_control and add lo to the flags list and naflags list.
Load the new audit configuration.
# auditconfig -conf
b
The audit system must be configured to audit all discretionary access control permission modifications.
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-24552r1_fix
Edit /etc/security/audit_control and add fm to the flags list.
Load the new audit configuration.
# auditconfig -conf
b
The inetd.conf file must have mode 0440 or less permissive.
The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system.System AdministratorECLP-1
Fix: F-34403r1_fix
Change the mode of the inetd.conf file.
# chmod 0440 /etc/inet/inetd.conf
Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-977r2_fix
Change the ownership of the services file to root or bin.
Procedure:
# chown root /etc/services
b
The services file must have mode 0444 or less permissive.
The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.System AdministratorECLP-1
Fix: F-978r2_fix
Change the mode of the services file to 0444 or less permissive.
Procedure:
# chmod 0444 /etc/services
a
Global initialization files must contain the mesg -n or mesg n commands.
If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack.System AdministratorECSC-1
Fix: F-979r2_fix
Edit /etc/profile or another global initialization script and add the mesg -n command.
If the alias file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.System AdministratorECLP-1
Fix: F-34503r1_fix
Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root.
Procedure:
# chown root /etc/mail/aliases
a
Sendmail logging must not be set to less than nine in the sendmail.cf file.
If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the Sendmail service.System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-989r2_fix
Edit the sendmail.conf file, locate the "O L" or LogLevel entry and change it to 9.
b
The system syslog service must log informational and more severe SMTP service messages.
The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.
System AdministratorECCD-1, ECCD-2
Fix: F-25675r1_fix
Create a /etc/ftpd/ftpusers file containing a list of accounts not authorized for FTP.
If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
System AdministratorECLP-1
Fix: F-25695r1_fix
Change the owner of the ftpusers file to root.
# chown root /etc/ftpd/ftpusers
b
The ftpusers file must have mode 0640 or less permissive.
Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users to access the FTP service.System AdministratorECLP-1
Fix: F-25698r1_fix
Change the mode of the ftpusers file to 0640.
# chmod 0640 /etc/ftpd/ftpusers
c
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
Secure mode limits TFTP requests to a specific directory. If TFTP is not running in secure mode, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability.
System AdministratorECSC-1
Fix: F-25710r3_fix
Edit /etc/inet/inetd.conf and add the -s parameter to TFTPD.
# inetconv
OR
Update the SMF entry for the TFTP daemon.
# svccfg -s tftp/udp6 setprop inetd_start/exec = "astring:\"/usr/sbin/in.tftpd -s <other TFTPD options>\""
c
The TFTP daemon must have mode 0755 or less permissive.
If TFTP runs with the setuid or setgid bit set, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability.System AdministratorECPA-1
Fix: F-34365r1_fix
Change the mode of the TFTP daemon.
Procedure:
# chmod 0755 /usr/sbin/in.tftpd
b
The Network Information System (NIS) protocol must not be used.
Due to numerous security vulnerabilities existing within NIS, it must not be used. Possible alternative directory services are NIS+ and LDAP.System AdministratorInformation Assurance OfficerECSC-1
Fix: F-1021r2_fix
Disable the use of NIS. Possible replacements are NIS+ and LDAP.
a
All interactive users must be assigned a home directory in the /etc/passwd file.
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.System Administrator
Fix: F-1061r4_fix
Edit the run control script and remove the relative path entries from the executable search path variable that are not documented with the ISSO.
Edit the run control script and remove any empty entry that is defined.
The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not be secure.System AdministratorECSC-1
Fix: F-34658r1_fix
Create a /etc/shells file containing a list of valid system shells. The list below contains the default shells from the shells(4) man page.
Procedure (the command is 24 lines long):
cat >/etc/shells <<EOF
/bin/bash
/bin/csh
/bin/jsh
/bin/ksh
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/bin/sh
/bin/tcsh
/bin/zsh
/sbin/jsh
/sbin/sh
/usr/bin/bash
/usr/bin/csh
/usr/bin/jsh
/usr/bin/ksh
/usr/bin/pfcsh
/usr/bin/pfksh
/usr/bin/pfsh
/usr/bin/sh
/usr/bin/tcsh
/usr/bin/zsh
EOF
b
The NFS export configuration file must be owned by root.
Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-25755r1_fix
Change the owner of the dfstab file to root.
Example:
# chown root /etc/dfs/dfstab
a
The NFS export configuration file must have mode 0644 or less permissive.
Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.System AdministratorECCD-1, ECCD-2, ECLP-1
Fix: F-25759r1_fix
Change the permissions of the dfstab file to 664 or less permissive.
# chmod 0644 /etc/dfs/dfstab
The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If neither cron.allow nor cron.deny exists, then any account may use the cron facility. This may open the facility up for abuse by system intruders and malicious users.System AdministratorECLP-1
Fix: F-24557r1_fix
Create /etc/cron.d/cron.allow and/or /etc/cron.d/cron.deny with appropriate content.
b
The cron.allow file must have mode 0600 or less permissive.
A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is allowed to execute cron programs, which could be harmful to overall system and network security.System AdministratorECLP-1
Fix: F-24563r1_fix
Change the mode of the cron.allow file to 0600.
Procedure:
# chmod 0600 /etc/cron.d/cron.allow
b
Crontab files must have mode 0600 or less permissive.
To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.
System AdministratorECLP-1
Fix: F-24579r1_fix
Change the mode of the crontab files.
# chmod 0600 /var/spool/cron/crontabs/*
b
Cron and crontab directories must have mode 0755 or less permissive.
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.
System AdministratorECLP-1
Fix: F-24581r1_fix
Change the mode of the crontab directory.
# chmod 0755 /var/spool/cron/crontabs
b
Cron and crontab directories must be owned by root or bin.
Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-24583r1_fix
Change the owner of the crontab directory.
# chown root /var/spool/cron/crontabs
b
Cron and crontab directories must be group-owned by root, sys, or bin.
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group-ownership of cron or crontab directories to a system group provides the designated group and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-24590r1_fix
Change the group owner of the crontab directories to root, sys, or bin.
Procedure:
# chgrp root /var/spool/cron/crontabs
b
The cronlog file must have mode 0600 or less permissive.
Cron logs contain reports of scheduled system activities and must be protected from unauthorized access or manipulation.
System AdministratorECLP-1, ECTP-1
Fix: F-24598r1_fix
Change the mode of the cron log file.
# chmod 0600 /var/cron/log
b
Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no at.allow file, there is no ready documentation of who is allowed to submit at jobs.System AdministratorECLP-1
Fix: F-11346r2_fix
Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.
On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in the case of malicious users or system intruders.trueSystem AdministratorInformation Assurance OfficerECLP-1
Fix: F-1139r2_fix
Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.
b
The at.allow file must have mode 0600 or less permissive.
Permissions more permissive than 0600 (read and write for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files.System AdministratorECLP-1
Fix: F-24632r1_fix
Change the mode of the at.allow file.
# chmod 0600 /etc/cron.d/at.allow
b
The system must not run an Internet Network News (INN) server.
Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the server and from the server to authorized remote hosts.
If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.System AdministratorInformation Assurance OfficerECSC-1
The smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.System Administrator
Fix: F-34289r2_fix
Change the ownership of the smb.conf file.
Procedure:
# chown root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf
b
The smb.conf file must have mode 0644 or less permissive.
If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.System Administrator
Fix: F-34291r2_fix
Change the mode of the smb.conf file to 0644 or less permissive.
Procedure:
# chmod 0644 /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf
If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.System AdministratorECLP-1
Fix: F-34280r1_fix
Use the chown command to configure the smb passwd file.
# chown root /etc/sfw/private/smbpasswd
b
The system must not permit root logins using remote access programs such as SSH.
Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account preserves the audit trail.System AdministratorECPA-1
Fix: F-24426r1_fix
Edit the configuration file and set the PermitRootLogin option to no.
Globally Accessible audio and video devices have proven to be security hazards. There is software that can activate system microphones and video devices connected to user workstations and/or X terminals. Once the microphone has been activated, it is possible to eavesdrop on otherwise private conversations without the victim being aware of it. This action effectively changes the user's microphone to a bugging device.System AdministratorECLP-1
Fix: F-1203r2_fix
Change the owner of the audio device.
# chown root <audio device>
b
The smb.conf file must be group-owned by root, bin, or sys.
If the group owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised.System Administrator
Fix: F-34290r4_fix
Change the group owner of the smb.conf file.
Procedure:
# chgrp root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf
If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.System AdministratorECLP-1
Fix: F-34282r1_fix
Use the chgrp command to ensure the group owner of the smbpasswd file is root.
# chgrp root /etc/sfw/private/smbpasswd
b
The smbpasswd file must have mode 0600 or less permissive.
If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.System AdministratorECLP-1
Fix: F-34284r1_fix
Change the mode of the smbpasswd file to 0600.
Procedure:
# chmod 0600 /etc/sfw/private/smbpasswd
b
Audio devices must be group-owned by root, sys, or bin.
Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information.
System AdministratorECLP-1
Fix: F-1215r2_fix
Change the group owner of the audio device.
Procedure:
# chgrp system <audio device>
b
The system must prohibit the reuse of passwords within five iterations.
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
System AdministratorIAIA-1, IAIA-2
System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.
System AdministratorECLP-1
Fix: F-4022r2_fix
Change the ownership of the run control script(s) with incorrect ownership.
# chown root <run control script>
b
All system start-up files must be group-owned by root, sys, or bin.
If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.System AdministratorECLP-1
Fix: F-24459r1_fix
Change the group ownership of the run control script(s) with incorrect group ownership.
Procedure:
# chgrp root <run control script>
b
The /etc/security/audit_user file must have mode 0640 or less permissive.
Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore his sessions. This would allow malicious operations the auditing subsystem would not log for that user.System AdministratorECLP-1
Fix: F-4156r2_fix
Change the mode of the audit_user file to 0640.
# chmod 0640 /etc/security/audit_user
b
The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
Excessive permissions on the hosts.nntp file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.System AdministratorECLP-1
Fix: F-4184r2_fix
Change the mode of the /etc/news/hosts.nntp file to 0600.
# chmod 0600 /etc/news/hosts.nntp
b
The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
Excessive permissions on the hosts.nntp.nolimit file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.System AdministratorECLP-1
Fix: F-4185r2_fix
Change the mode of /etc/news/hosts.nntp.nolimit to 0600.
# chmod 0600 /etc/news/hosts.nntp.nolimit
b
The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
Excessive permissions on the nnrp.access file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.System AdministratorECLP-1
Fix: F-4186r2_fix
Change the mode of the /etc/news/nnrp.access file to 0600.
# chmod 0600 /etc/news/nnrp.access
b
The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users.System AdministratorECLP-1
Fix: F-4187r2_fix
Change the mode of the /etc/news/passwd.nntp file.
# chmod 0600 /etc/news/passwd.nntp
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.System AdministratorDCPP-1
Fix: F-34272r1_fix
Edit the configuration file and modify the Protocol line to look like:
Protocol 2
Reload sshd:
kill -HUP <PID of sshd>
Filesystem logging, especially for NFS exported file systems, can be critical to detecting data misuse and possible hardware/system errors that may, otherwise, go unnoticed.System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-34153r1_fix
Edit /etc/dfs/dfstab and add the log option to all exported filesystems. Run the shareall command for the changes to take effect.
NFS version 2 or 3 must be forced by updating the NFS_SERVER_VERSMAX variable appropriately in /etc/default/nfs and restarting the NFS daemon.
b
The root file system must employ journaling or another mechanism ensuring file system consistency.
File system journaling, or logging, can allow reconstruction of file system data after a system crash, thus, preserving the integrity of data that may have otherwise been lost. Journaling file systems typically do not require consistent checks upon booting after a crash, which can improve system availability. Some file systems employ other mechanisms to ensure consistency which also satisfy this requirement.System AdministratorECAR-1, ECAR-2, ECAR-3
Fix: F-4215r2_fix
Implement file system journaling for the root file system, or use a file system using other mechanisms to ensure consistency. If the root file system supports journaling, enable it. If the file system does not support journaling or another mechanism to ensure consistency, a migration to a different file system will be necessary.
Samba is a tool used for the sharing of files and printers between Windows and UNIX operating systems. It provides access to sensitive files and, therefore, poses a security risk if compromised.System AdministratorECSC-1
Fix: F-4232r2_fix
If there is no functional need for Samba and the daemon is running, disable the daemon by killing the process ID as noted from the output of ps -ef |grep smbd. The utility should also be removed or not installed if there is no functional requirement.
b
The /etc/security/audit_user file must be group-owned by root, sys, or bin.
The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could cause the loss of valuable forensics data in the case of a system compromise.System AdministratorECLP-1
Fix: F-4262r2_fix
Change the group owner of the audit_user file to root, bin, or sys.
Example:
# chgrp root /etc/security/audit_user
b
The /etc/security/audit_user file must be owned by root.
If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users.
System AdministratorECLP-1
Fix: F-24605r1_fix
Change the mode of the cron.deny file.
# chmod 0600 /etc/cron.d/cron.deny
b
The cron.allow file must be owned by root, bin, or sys.
If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information.System AdministratorECLP-1
Fix: F-24611r1_fix
# chown root /etc/cron.d/cron.allow
b
The at.allow file must be owned by root, bin, or sys.
If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.System AdministratorECLP-1
Fix: F-24640r1_fix
Change the owner of the at.allow file.
# chown root /etc/cron.d/at.allow
b
The at.deny file must be owned by root, bin, or sys.
If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.System AdministratorECLP-1
Fix: F-24644r1_fix
Change the owner of the at.deny file.
# chown root /etc/cron.d/at.deny
If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.System AdministratorECLP-1
Fix: F-25664r1_fix
Change the owner of the traceroute command to root.
Example procedure:
# chown root /usr/sbin/traceroute
b
The traceroute command must be group-owned by sys, bin, or root.
If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.System AdministratorECLP-1
Fix: F-25667r1_fix
Change the group-owner of the traceroute command to root.
Procedure:
# chgrp root /usr/sbin/traceroute
c
Anonymous FTP accounts must not have a functional shell.
If an anonymous FTP account has been configured to use a functional shell, attackers could gain access to the shell if the account is compromised.System AdministratorECCD-1, ECCD-2
Fix: F-4298r2_fix
Configure anonymous FTP accounts to use a non-functional shell. If necessary, edit the /etc/passwd file to remove any functioning shells associated with the FTP account and replace them with non-functioning shells, such as, /dev/null.
If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
Fix: F-4304r2_fix
Use the chown command to set the owner to root.
# chown root /etc/syslog.conf
b
The /etc/syslog.conf file must be group-owned by root, bin, or sys.
If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
Fix: F-34049r1_fix
Change the group owner of the /etc/syslog.conf file to root, bin, or sys.
Procedure:
# chgrp root /etc/syslog.conf
b
The cron.deny file must be owned by root, bin, or sys.
The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
System AdministratorInformation Assurance OfficerEBRU-1
Fix: F-24707r1_fix
Disable the remote shell service and restart inetd.
Procedure:
# svcadm disable network/shell
# svcadm refresh inetd
The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
trueInformation Assurance OfficerSystem AdministratorECSC-1
Fix: F-24710r1_fix
# svcadm disable rexec
# svcadm refresh inetd
a
The system must not have the finger service active.
The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks.
System Administrator
Fix: F-24713r1_fix
Disable the finger service and restart inetd.
Procedure:
# svcadm disable finger
# svcadm refresh inetd
b
The system must require passwords contain a minimum of 15 characters.
The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.System Administrator
Fix: F-24373r2_fix
Edit /etc/default/passwd and set the PASSLENGTH variable to 15 or greater.
b
All skeleton files and directories (typically in /etc/skel) must be owned by root.
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System Administrator
Fix: F-11245r3_fix
Change the ownership of skeleton files with incorrect mode.
# chown root <skeleton file>
b
All global initialization files executable search paths must contain only authorized paths.
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.System Administrator
Fix: F-11246r4_fix
Edit the global initialization file(s) with PATH variables containing relative paths and remove any relative path form the PATH variables that have not been documented with the ISSO.
Edit the global initialization file(s) and remove any empty entry that is defined.
c
There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
The .rhosts, .shosts, hosts.equiv, and shosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for preventing unauthorized access to the system.Information Assurance OfficerSystem AdministratorECCD-1, ECCD-2
Fix: F-11249r2_fix
Remove the .rhosts, .shosts, hosts.equiv, and/or shosts.equiv files.
The .rhosts files are used to specify a list of hosts that are permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authentication requirements.Information Assurance OfficerSystem AdministratorECCD-1, ECCD-2
Fix: F-11250r2_fix
Edit /etc/pam.conf and remove the reference(s) to the rhosts_auth module.
a
The kernel core dump data directory must be owned by root.
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.System AdministratorECLP-1
Fix: F-24679r1_fix
Change the owner of the kernel core dump data directory to root.
# chown root /var/crash
b
The system must implement non-executable program stacks.
A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.System Administrator
Fix: F-24684r2_fix
This action applies to the global zone only. Determine the type of zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Edit /etc/system and set the noexec_user_stack parameter to 1. Restart the system for the setting to take effect.
b
The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection originator. If the initial TCP sequence numbers for a host can be determined by an attacker, it may be possible to establish a TCP connection from a spoofed source address without bidirectional communication.System AdministratorECSC-1
Fix: F-24688r1_fix
Edit /etc/default/inetinit and set the TCP_STRONG_ISS parameter to 2.
b
All .Xauthority files must have mode 0600 or less permissive.
.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.System AdministratorECLP-1
Fix: F-11274r2_fix
Change the mode of the .Xauthority files.
Procedure:
# chmod 0600 .Xauthority
b
The SSH daemon must be configured for IP filtering.
The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.System AdministratorECSC-1
Fix: F-11281r2_fix
Add appropriate IP restrictions for SSH to the /etc/hosts.deny and/or /etc/hosts.allow files.
b
The system's access control program must be configured to grant or deny system access to specific hosts.
If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.System AdministratorECSC-1
Fix: F-11287r2_fix
Edit the /etc/hosts.allow and /etc/hosts.deny files to configure access restrictions.
b
The nosuid option must be configured in the /etc/rmmount.conf file.
The rmmount.conf file controls the mounting of removable media on a Solaris system. Removable media is not to be trusted with privileged access, and therefore the filesystems must be mounted with the nosuid option, which prevents any executables with the setuid bit set on this filesystem from running with owner privileges.System Administrator
Fix: F-11288r2_fix
Edit /etc/rmmount.conf and add the nosuid mount option to the configuration.
c
The root account must be the only account with GID of 0.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and require periodic resynchronization to ensure their accuracy. Software, such as NTPD, can be used to continuously synchronize the system clock with authoritative sources. Alternatively, the system may be synchronized periodically, with a maximum of one day between synchronizations.
If the system is completely isolated (no connections to networks or other systems), time synchronization is not required as no correlation of events or operation of time-dependent protocols between systems will be necessary. If the system is completely isolated, this requirement is not applicable.System Administrator
Fix: F-23443r3_fix
Determine the type of zone that you are currently securing.
# zonename
If the command output is not "global", then NTP must be disabled.
# svcadm disable ntp
If the output from "zonename" is "global", then NTP must be enabled.
# svcadm enable ntp
b
The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.System AdministratorECLP-1
Fix: F-23445r1_fix
Change the owner of the NTP configuration file to root.
# chown root /etc/inet/ntp.conf
b
The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.System AdministratorECLP-1
Fix: F-23448r1_fix
Change the group owner of the NTP configuration file.
Procedure:
# chgrp root /etc/inet/ntp.conf
b
The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.System AdministratorECLP-1
Fix: F-23450r1_fix
Change the mode of the NTP configuration file to 0640 or less permissive.
# chmod 0640 /etc/inet/ntp.conf
b
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.System Administrator
Fix: F-34652r2_fix
If the /etc/security/crypt.conf file does not support FIPS 140-2 approved cryptographic hashing algorithms, upgrade to at least the Solaris 10 8/07 release.
Edit the /etc/security/policy.conf file.
# vi /etc/security/policy.conf
Uncomment or add the CRYPT_ALGORITHMS_ALLOW line and set it to "5,6". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable.
CRYPT_ALGORITHMS_ALLOW=5,6
CRYPT_DEFAULT=6
Update passwords for all accounts with non-compliant password hashes.
b
The system must require at least eight characters be changed between the old and new passwords during a password change.
To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.System Administrator
Fix: F-23479r2_fix
Edit /etc/default/passwd and set or add a MINDIFF setting equal to or greater than 8.
b
The root account's library search path must be the system default and must contain only absolute paths.
The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.System AdministratorECSC-1
Fix: F-23538r1_fix
Edit the root user initialization files and remove any definition of LD_LIBRARY_PATH.
b
The root account's list of preloaded libraries must be empty.
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with (/) are absolute paths.System AdministratorECSC-1
Fix: F-23540r1_fix
Edit the root user initialization files and remove any definition of LD_PRELOAD.
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.
System AdministratorECLP-1
Fix: F-23586r1_fix
Change the owner of the /etc/resolv.conf file to root.
# chown root /etc/resolv.conf
b
The /etc/resolv.conf file must be group-owned by root, bin, or sys.
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Fix: F-34051r1_fix
Change the group owner of the /etc/resolv.conf file to root, bin, or sys.
Procedure:
# chgrp root /etc/resolv.conf
b
The /etc/resolv.conf file must have mode 0644 or less permissive.
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Fix: F-23588r1_fix
Change the mode of the /etc/resolv.conf file to 0644 or less permissive.
# chmod 0644 /etc/resolv.conf
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System Administrator
Fix: F-23597r1_fix
Change the owner of the /etc/hosts file to root.
# chown root /etc/hosts
b
The /etc/hosts file must be group-owned by root, bin, or sys.
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Fix: F-34053r1_fix
Change the group owner of the /etc/hosts file to root, sys, or bin.
Procedure:
# chgrp root /etc/hosts
b
The /etc/hosts file must have mode 0644 or less permissive.
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Fix: F-23599r1_fix
Change the mode of the /etc/hosts file to 0644 or less permissive.
# chmod 0644 /etc/hosts
b
The /etc/nsswitch.conf file must be owned by root.
The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.System AdministratorECLP-1
Fix: F-23604r1_fix
Change the owner of the /etc/nsswitch.conf file to root.
# chown root /etc/nsswitch.conf
b
The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.System AdministratorECLP-1
Fix: F-34054r1_fix
Change the group owner of the /etc/nsswitch.conf file to root, bin, or sys.
Procedure:
# chgrp root /etc/nsswitch.conf
b
The /etc/nsswitch.conf file must have mode 0644 or less permissive.
The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.System AdministratorECLP-1
Fix: F-23606r1_fix
Change the mode of the /etc/nsswitch.conf file to 0644 or less permissive.
Procedure:
# chmod 0644 /etc/nsswitch.conf
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
Fix: F-23612r1_fix
Change the owner of the /etc/passwd file to root.
# chown root /etc/passwd
b
The /etc/passwd file must be group-owned by root, bin, or sys.
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
Fix: F-34055r1_fix
Change the group owner of the /etc/passwd file to root, bin, or sys.
Procedure:
# chgrp root /etc/passwd
The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Fix: F-23621r1_fix
Change the owner of the /etc/group file to root.
# chown root /etc/group
b
The /etc/group file must be group-owned by root, bin, or sys.
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Fix: F-34057r1_fix
Change the group owner of the /etc/group file.
Procedure:
# chgrp root /etc/group
b
The /etc/group file must have mode 0644 or less permissive.
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Fix: F-23623r1_fix
Change the mode of the /etc/group file to 0644 or less permissive.
# chmod 0644 /etc/group
b
The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.System AdministratorECLP-1
Fix: F-34058r1_fix
Change the group owner of the /etc/shadow file.
Procedure:
# chgrp root /etc/shadow
b
The /etc/passwd file must not contain password hashes.
If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.System AdministratorECLP-1
Fix: F-23657r1_fix
Migrate /etc/passwd password hashes to /etc/shadow.
# pwconv
b
The /etc/group file must not contain any group password hashes.
Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.System AdministratorECLP-1
Fix: F-23639r1_fix
Edit /etc/group and change the password field to an exclamation point (!) to lock the group password.
b
All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.System AdministratorECLP-1
Fix: F-34059r1_fix
Change the group owner of the skeleton file to root.
Procedure:
# chgrp <group> /etc/skel/[skeleton file]
a
System audit tool executables must be owned by root.
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.System AdministratorECLP-1
Fix: F-23742r1_fix
Change the owner of the audit tool executable to root.
# chown root [audit tool executable]
a
System audit tool executables must be group-owned by root, bin, or sys.
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.System AdministratorECLP-1
Fix: F-34061r1_fix
Change the group-owner of the audit tool executable to root, bin, or sys.
Procedure:
# chgrp root <audit tool executable>
a
System audit tool executables must have mode 0750 or less permissive.
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.System AdministratorECLP-1
Fix: F-23745r1_fix
Change the mode of the audit tool executable to 0750, or less permissive.
# chmod 0750 [audit tool executable]
b
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA.System AdministratorECAR-1
Fix: F-23766r1_fix
Edit /etc/security/audit_control and add the as flag to the flag parameter.
b
The cron.allow file must be group-owned by root, bin, or sys.
If the group of the cron.allow is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs.System AdministratorECLP-1
Fix: F-23797r1_fix
Change the group ownership of the file.
Procedure:
# chgrp root /etc/cron.d/cron.allow
b
The at.deny file must have mode 0600 or less permissive.
The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.System AdministratorECLP-1
Fix: F-23800r1_fix
Change the mode of the file.
# chmod 0600 /etc/cron.d/at.deny
b
The cron.deny file must be group-owned by root, bin, or sys.
Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs.System AdministratorECLP-1
Fix: F-23807r1_fix
Change the group ownership of the file to root, sys, or bin.
Procedure:
# chgrp root /etc/cron.d/cron.deny
b
The at.allow file must be group-owned by root, bin, or sys.
If the group owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.System AdministratorECLP-1
Fix: F-23816r1_fix
Change the group ownership of the file.
Procedure:
# chgrp root /etc/cron.d/at.allow
b
The at.deny file must be group-owned by root, bin, or sys.
If the group owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized modification could result in Denial of Service to authorized "at" users or provide unauthorized users with the ability to run "at" jobs.System AdministratorECLP-1
Fix: F-23819r1_fix
Change the group ownership of the at.deny file to root, bin, or sys.
Procedure:
# chgrp root /etc/cron.d/at.deny
b
The system must prevent local applications from generating source-routed packets.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.System AdministratorECSC-1
Fix: F-26887r1_fix
Edit /etc/ipf/ipf.conf and add rules to block outgoing source-routed packets, such as:
block out log quick all with opt lsrr
block out log quick all with opt ssrr
Reload the IPF rules.
Procedure:
# ipf -Fa -A -f /etc/ipf/ipf.conf
b
The system must not accept source-routed IPv4 packets.
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.System Administrator
Fix: F-26888r1_fix
Edit /etc/ipf/ipf.conf and add rules to block incoming source-routed packets, such as:
block in log quick all with opt lsrr
block in log quick all with opt ssrr
Reload the IPF rules.
Procedure:
# ipf -Fa -A -f /etc/ipf/ipf.conf
b
The services file must be group-owned by root, bin, or sys.
Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-34062r1_fix
Change the group-owner of the services file.
Procedure:
# chgrp root /etc/services
b
The portmap or rpcbind service must not be running unless needed.
The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using remote procedure calls (RPCs).System Administrator
Fix: F-23906r1_fix
Disable the portmap service.
# svcadm disable network/rpc/bind
The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.System AdministratorDCPP-1
Fix: F-23910r1_fix
Remove the SUNWrcmdr package.
Procedure:
# pkgrm SUNWrcmdr
The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.System AdministratorDCPP-1
The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.System AdministratorDCPP-1
Fix: F-23910r1_fix
Remove the SUNWrcmdr package.
Procedure:
# pkgrm SUNWrcmdr
The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.System AdministratorECSC-1
Fix: F-23910r1_fix
Remove the SUNWrcmdr package.
Procedure:
# pkgrm SUNWrcmdr
b
The ftpusers file must be group-owned by root, bin, or sys.
If the ftpusers file is not group-owned by root or a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.System AdministratorECLP-1
Fix: F-34064r1_fix
Change the group owner of the ftpusers file.
Procedure:
# chgrp root /etc/ftpusers
b
The /etc/syslog.conf file must have mode 0640 or less permissive.
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client.System AdministratorDCPP-1
Fix: F-23999r1_fix
Edit the /etc/ssh/ssh_config file and add or edit a Protocol configuration line that does not allow versions less than 2.
b
The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
System Administrator
Fix: F-24001r2_fix
Edit /etc/ssh/sshd_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the sshd_config manpage.
Restart the SSH daemon.
b
The SSH client must be configured to not use CBC-based ciphers.
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
System AdministratorECSC-1
Fix: F-24004r1_fix
Edit /etc/ssh/ssh_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the ssh_config manpage.
b
The SSH public host key files must have mode 0644 or less permissive.
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.System AdministratorECSC-1
Fix: F-24016r1_fix
Edit the SSH daemon configuration and set (add if necessary) a GSSAPIAuthentication directive set to no.
a
The SSH client must not permit GSSAPI authentication unless needed.
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.System AdministratorECSC-1
Fix: F-24017r1_fix
Edit the SSH client configuration and set (add if necessary) a GSSAPIAuthentication directive set to no.
b
The SSH daemon must not allow compression or must only allow compression after successful authentication.
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.System AdministratorECSC-1
Fix: F-24036r1_fix
Edit the SSH daemon configuration and add or edit the Compression setting value to no or delayed.
b
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
Failure to display the DoD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
The SSH service must be configured to display the DoD logon warning banner through the SSH daemon configuration.
The SSH daemon may also be used to provide SFTP service. The warning banner configuration for SSH will apply to SFTP.System AdministratorECWM-1
Fix: F-24046r1_fix
Edit the SSH daemon configuration and add (or edit) a banner setting referencing a file containing a logon warning banner.
DoD Login Banners:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
OR
"I've read & consent to terms in IS user agreem't."
b
The NFS export configuration file must be group-owned by root, bin, or sys.
Failure to give group ownership of the NFS export configuration file to root or system groups provides the designated group owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.System AdministratorECLP-1
Fix: F-24056r1_fix
Change the group ownership of the NFS export configuration file.
Procedure:
# chgrp root /etc/dfs/dfstab
b
Samba must be configured to use an authentication mechanism other than "share."
DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server.System AdministratorECSC-1
Fix: F-24174r1_fix
Delete the DHCP client configuration.
# rm /etc/dhcp.*
b
If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Fix: F-34588r1_fix
Change the permissions of the files.
# chmod 0600 /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
b
If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Fix: F-34589r1_fix
Change the owner of the files.
# chown root /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
b
If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Fix: F-34068r1_fix
Change the group-owner of the files to root, bin, or sys.
Procedure:
# chgrp root /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
a
Automated file system mounting tools must not be enabled unless needed.
Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must be disabled to reduce the risk of unauthorized access to these resources.System AdministratorECSC-1
Fix: F-24227r1_fix
Stop and disable the autofs service.
# svcadm disable autofs
USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
trueSystem AdministratorECSC-1
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.System Administrator
Fix: F-24236r1_fix
Enable the system's local firewall.
# svcadm enable network/ipfilter
a
The system package management tool must cryptographically verify the authenticity of software packages during installation.
To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic.System AdministratorECSC-1
Fix: F-24257r1_fix
Edit /var/sadm/install/admin/default and set the authentication setting to quit.
b
The /usr/aset/userlist file must be group-owned by root.
Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system.System AdministratorECLP-1, ECTP-1
Fix: F-24520r1_fix
Change the group ownership of the audit log file(s).
Procedure:
# chgrp root <audit log file>
a
The system must use a separate filesystem for /tmp (or equivalent).
The use of separate filesystems for different paths can protect the system from failures resulting from a filesystem becoming full or failing.System AdministratorECSC-1
Fix: F-25907r1_fix
Migrate the /tmp path onto a separate file system.
The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised.GEN003850If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated, and this is not a finding.System AdministratorDCPP-1