View SCAP - Solaris 11 SPARC V1R11

View

Open a previous version of this SCAP benchmark.

Developed by Oracle in coordination with DISA for the DoD. The Solaris 11 (SPARC) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Sort by

b

The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.

RMF Control: AU-3
Severity: M
CCI: CCI-001487
Version: SOL-11.1-010040
Vuln IDs: V-47781
Rule IDs: SV-60657r1_rule

Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked.

Fix: F-51401r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system must support an audit reduction capability.

RMF Control: AU-7
Severity: M
CCI: CCI-000156
Version: SOL-11.1-010060
Vuln IDs: V-47783
Rule IDs: SV-60659r1_rule

Using the audit system will utilize the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack.

Fix: F-51403r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system records must be able to be used by a report generation capability.

RMF Control: AU-7
Severity: M
CCI: CCI-000157
Version: SOL-11.1-010070
Vuln IDs: V-47785
Rule IDs: SV-60661r1_rule

Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-51405r2_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.

RMF Control: AU-7
Severity: M
CCI: CCI-000158
Version: SOL-11.1-010080
Vuln IDs: V-47787
Rule IDs: SV-60663r1_rule

Without an audit reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-51407r2_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.

RMF Control: AU-12
Severity: M
CCI: CCI-000169
Version: SOL-11.1-010100
Vuln IDs: V-47789
Rule IDs: SV-60665r1_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-51409r2_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: SOL-11.1-010120
Vuln IDs: V-47791
Rule IDs: SV-60667r1_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-51411r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.

RMF Control: AU-12
Severity: M
CCI: CCI-000174
Version: SOL-11.1-010130
Vuln IDs: V-47793
Rule IDs: SV-60669r1_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-51413r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include what type of events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000130
Version: SOL-11.1-010140
Vuln IDs: V-47795
Rule IDs: SV-60671r1_rule

Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.

Fix: F-51415r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include when (date and time) the events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000131
Version: SOL-11.1-010150
Vuln IDs: V-47797
Rule IDs: SV-60673r1_rule

Without accurate time stamps malicious activity cannot be accurately tracked.

Fix: F-51417r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include where the events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000132
Version: SOL-11.1-010160
Vuln IDs: V-47799
Rule IDs: SV-60675r1_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-51419r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include the sources of the events that occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000133
Version: SOL-11.1-010170
Vuln IDs: V-47801
Rule IDs: SV-60677r1_rule

Without accurate source information malicious activity cannot be accurately tracked.

Fix: F-51421r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include the outcome (success or failure) of the events that occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000134
Version: SOL-11.1-010180
Vuln IDs: V-47803
Rule IDs: SV-60679r1_rule

Tracking both the successful and unsuccessful attempts aids in identifying threats to the system.

Fix: F-51423r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system must alert the SA when the audit storage volume approaches its capacity.

RMF Control: AU-5
Severity: M
CCI: CCI-000143
Version: SOL-11.1-010370
Vuln IDs: V-47835
Rule IDs: SV-60709r1_rule

Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected.

Fix: F-51453r1_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

c

The audit system must alert the System Administrator (SA) if there is any type of audit failure.

RMF Control: AU-5
Severity: H
CCI: CCI-000144
Version: SOL-11.1-010380
Vuln IDs: V-47843
Rule IDs: SV-60717r1_rule

Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues.

Fix: F-51461r1_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

c

The operating system must alert designated organizational officials in the event of an audit processing failure.

RMF Control: AU-5
Severity: H
CCI: CCI-000139
Version: SOL-11.1-010390
Vuln IDs: V-47845
Rule IDs: SV-60719r1_rule

Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues.

Fix: F-51463r1_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

a

The finger daemon package must not be installed.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-020090
Vuln IDs: V-47893
Rule IDs: SV-60765r1_rule

Finger is an insecure protocol.

Fix: F-51505r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall service/network/finger

a

The limitpriv zone option must be set to the vendor default or less permissive.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-100020
Vuln IDs: V-47895
Rule IDs: SV-60767r3_rule

Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.

Fix: F-51507r1_fix

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Zone Security profile is required: Change the "limitpriv" setting to default. # pfexec zonecfg -z [zone] set limitpriv=default

a

The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-100010
Vuln IDs: V-47897
Rule IDs: SV-60769r1_rule

Incorrect ownership can result in unauthorized changes or theft of data.

Fix: F-51509r3_fix

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Software Installation profile is required. Change the ownership and permissions of the files and directories to the factory default. # pkg fix system/zones

b

The legacy remote network access utilities daemons must not be installed.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020100
Vuln IDs: V-47901
Rule IDs: SV-60773r1_rule

Legacy remote access utilities allow remote control of a system without proper authentication.

Fix: F-51513r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall service/network/legacy-remote-utilities

c

The NIS package must not be installed.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-020110
Vuln IDs: V-47905
Rule IDs: SV-60777r1_rule

NIS is an insecure protocol.

Fix: F-51517r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall service/network/nis

a

The pidgin IM client package must not be installed.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-020120
Vuln IDs: V-47909
Rule IDs: SV-60781r1_rule

Instant messaging is an insecure protocol.

Fix: F-51521r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall communication/im/pidgin

c

The FTP daemon must not be installed unless required.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-020130
Vuln IDs: V-47911
Rule IDs: SV-60783r1_rule

FTP is an insecure protocol.

Fix: F-51523r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall service/network/ftp

c

The TFTP service daemon must not be installed unless required.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-020140
Vuln IDs: V-47913
Rule IDs: SV-60785r2_rule

TFTP is an insecure protocol.

Fix: F-51525r2_fix

The Software Installation Profile is required. # pfexec pkg uninstall install/installadm # pfexec pkg uninstall service/network/tftp

c

The telnet service daemon must not be installed unless required.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-020150
Vuln IDs: V-47915
Rule IDs: SV-60787r2_rule

Telnet is an insecure protocol.

Fix: F-51527r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall service/network/telnet

a

The UUCP service daemon must not be installed unless required.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-020160
Vuln IDs: V-47917
Rule IDs: SV-60789r2_rule

UUCP is an insecure protocol.

Fix: F-51529r3_fix

The Software Installation Profile is required. # pfexec pkg uninstall /service/network/uucp

b

The VNC server package must not be installed unless required.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020180
Vuln IDs: V-47921
Rule IDs: SV-60793r1_rule

The VNC service uses weak authentication capabilities and provides the user complete graphical system access.

Fix: F-51533r1_fix

The Software Installation Profile is required. # pfexec pkg uninstall x11/server/xvnc

b

The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.

RMF Control: AC-19
Severity: M
CCI: CCI-000087
Version: SOL-11.1-030060
Vuln IDs: V-47939
Rule IDs: SV-60811r1_rule

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Auto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.

Fix: F-51551r1_fix

The Service Management profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Disable the rmvolmgr service. # pfexec svcadm disable svc:/system/filesystem/rmvolmgr:default

b

User passwords must be at least 15 characters in length.

RMF Control: IA-5
Severity: M
CCI: CCI-000205
Version: SOL-11.1-040040
Vuln IDs: V-47957
Rule IDs: SV-60829r1_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Fix: F-51569r1_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: PASSLENGTH Change the line to read PASSLENGTH=15

b

Users must not reuse the last 5 passwords.

RMF Control: IA-5
Severity: M
CCI: CCI-000200
Version: SOL-11.1-040050
Vuln IDs: V-47961
Rule IDs: SV-60833r1_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the operating system allows the user to consecutively reuse their password when the password has exceeded its defined lifetime, the end result is a password that is not changed, per policy requirements.

Fix: F-51573r1_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: HISTORY Change the line to read: HISTORY=5

b

The system must require at least eight characters be changed between the old and new passwords during a password change.

RMF Control: IA-5
Severity: M
CCI: CCI-000195
Version: SOL-11.1-040060
Vuln IDs: V-47967
Rule IDs: SV-60839r2_rule

To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.

Fix: F-51579r1_fix

The root role is required. # pfedit /etc/default/passwd Search for MINDIFF. Change the line to read: MINDIFF=8

b

The system must require passwords to contain at least one uppercase alphabetic character.

RMF Control: IA-5
Severity: M
CCI: CCI-000192
Version: SOL-11.1-040070
Vuln IDs: V-47971
Rule IDs: SV-60843r1_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-51583r1_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINUPPER Change the line to read: MINUPPER=1

b

The operating system must enforce password complexity requiring that at least one lowercase character is used.

RMF Control: IA-5
Severity: M
CCI: CCI-000193
Version: SOL-11.1-040080
Vuln IDs: V-47981
Rule IDs: SV-60853r1_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-51593r1_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINLOWER Change the line to read: MINLOWER=1

b

The system must require passwords to contain at least one numeric character.

RMF Control: IA-5
Severity: M
CCI: CCI-000194
Version: SOL-11.1-040090
Vuln IDs: V-47989
Rule IDs: SV-60861r1_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-51601r1_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINDIGIT Change the line to read: MINDIGIT=1

b

The system must require passwords to contain at least one special character.

RMF Control: IA-5
Severity: M
CCI: CCI-001619
Version: SOL-11.1-040100
Vuln IDs: V-47991
Rule IDs: SV-60863r1_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-51603r1_fix

The root role is required. # pfedit /etc/default/passwd a Locate the line containing: MINSPECIAL Change the line to read: MINSPECIAL=1

a

The system must require passwords to contain no more than three consecutive repeating characters.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040110
Vuln IDs: V-47993
Rule IDs: SV-60865r1_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-51605r1_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MAXREPEATS Change the line to read: MAXREPEATS=3

b

The operating system must implement transaction recovery for transaction-based systems.

RMF Control: CP-10
Severity: M
CCI: CCI-000553
Version: SOL-11.1-080150
Vuln IDs: V-47997
Rule IDs: SV-60869r1_rule

Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. While this is typically a database function, operating systems could be transactional in nature with respect to file processing.

Fix: F-51609r1_fix

The root role is required. Solaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance. If any UFS file systems are mounted with the "nologging" options, remove that option from the /etc/vfstab file. # pfedit /etc/vfstab Locate any file systems listed with the "nologging" option and delete the keyword "nologging".

b

The system must not have accounts configured with blank or null passwords.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040120
Vuln IDs: V-47999
Rule IDs: SV-60871r1_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-51611r1_fix

The root role is required. Remove, lock, or configure a password for any account with a blank password. # passwd [username] or Use the passwd -l command to lock accounts that are not permitted to execute commands. or Use the passwd -N command to set accounts to be non-login.

c

The operating system must be a supported release.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-080010
Vuln IDs: V-48027
Rule IDs: SV-60899r1_rule

An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Fix: F-51639r1_fix

Upgrade to a supported version of the operating system.

a

The operating system must reveal error messages only to authorized personnel.

RMF Control: SI-11
Severity: L
CCI: CCI-001314
Version: SOL-11.1-070240
Vuln IDs: V-48033
Rule IDs: SV-60905r2_rule

Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages.

Fix: F-51645r2_fix

The root role is required. Change the permissions and owner on the /var/adm/messages file: # chmod 640 /var/adm/messages # chown root /var/adm/messages # chgrp root /var/adm/messages Change the permissions and owner on the /var/adm directory: # chmod 750 /var/adm # chown root /var/adm # chgrp sys /var/adm

b

The root account must be the only account with GID of 0.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070220
Vuln IDs: V-48035
Rule IDs: SV-60907r1_rule

All accounts with a GID of 0 have root group privileges and must be limited to the group account only.

Fix: F-51647r1_fix

The root role is required. Change the default GID of non-root accounts to a valid GID other than 0.

b

The delay between login prompts following a failed login attempt must be at least 4 seconds.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040160
Vuln IDs: V-48043
Rule IDs: SV-60915r1_rule

As an immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user.

Fix: F-51655r1_fix

The root role is required. # pfedit the /etc/default/login Locate the line containing: SLEEPTIME Change the line to read: SLEEPTIME=4

b

The system must require users to re-authenticate to unlock a graphical desktop environment.

RMF Control: AC-11
Severity: M
CCI: CCI-000056
Version: SOL-11.1-040170
Vuln IDs: V-48045
Rule IDs: SV-60917r4_rule

Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

Fix: F-51657r3_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout: 0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout: 0:00:05 lock: True

b

Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.

RMF Control: AC-11
Severity: M
CCI: CCI-000057
Version: SOL-11.1-040180
Vuln IDs: V-48047
Rule IDs: SV-60919r2_rule

Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

Fix: F-51659r1_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout:0:15:00 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:15:00 lock: True

b

The system must prevent the use of dictionary words for passwords.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040190
Vuln IDs: V-48053
Rule IDs: SV-60925r1_rule

The use of common words in passwords simplifies password-cracking attacks.

Fix: F-51661r1_fix

The root role is required. # pfedit /etc/default/passwd Insert the lines: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd Generate the password dictionary by running the mkpwdict command. # mkpwdict -s /usr/share/lib/dict/words

b

The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.

RMF Control: CM-5
Severity: M
CCI: CCI-000345
Version: SOL-11.1-040200
Vuln IDs: V-48055
Rule IDs: SV-60927r2_rule

Allowing any user to elevate their privileges can allow them excessive control of the system tools.

Fix: F-51663r2_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]

b

The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

RMF Control: IA-2
Severity: M
CCI: CCI-000770
Version: SOL-11.1-040230
Vuln IDs: V-48057
Rule IDs: SV-60929r2_rule

Allowing any user to elevate their privileges can allow them excessive control of the system tools.

Fix: F-51665r2_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]

b

The default umask for system and users must be 077.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040250
Vuln IDs: V-48061
Rule IDs: SV-60933r2_rule

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.

Fix: F-51667r2_fix

The root role is required. Edit local and global initialization files containing "umask" and change them to use 077. # pfedit /etc/default/login Insert the line UMASK=077 # pfedit [user initialization file] Insert the line umask 077

b

The system must not allow users to configure .forward files.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070170
Vuln IDs: V-48065
Rule IDs: SV-60937r1_rule

Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions.

Fix: F-51673r1_fix

The root role is required. Remove any .forward files that are found. # pfexec rm [filename]

b

User .netrc files must not exist.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070160
Vuln IDs: V-48067
Rule IDs: SV-60939r2_rule

The .netrc file presents a significant security risk since it stores passwords in unencrypted form.

Fix: F-51675r1_fix

The root role is required. Determine if any .netrc files exist, and work with the owners to determine the best course of action in accordance with site policy.

a

The default umask for FTP users must be 077.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040260
Vuln IDs: V-48071
Rule IDs: SV-60943r1_rule

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.

Fix: F-51679r1_fix

The root role is required. # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. Otherwise, edit the FTP configuration file. # pfedit /etc/proftpd.conf Locate the line containing: Umask Change the line to read: Umask 077

b

Reserved UIDs 0-99 must only be used by system accounts.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070130
Vuln IDs: V-48077
Rule IDs: SV-60949r5_rule

If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.

Fix: F-51685r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any accounts using these reserved UIDs, and work with their owners to determine the best course of action in accordance with site policy. This may require deleting users or changing UIDs for users.

b

Login services for serial ports must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040310
Vuln IDs: V-48087
Rule IDs: SV-60959r1_rule

Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port.

Fix: F-51695r1_fix

The Service Operator profile is required. Disable serial terminal services. # pfexec svcadm disable svc:/system/console-login:terma # pfexec svcadm disable svc:/system/console-login:termb

b

The nobody access for RPC encryption key storage service must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040320
Vuln IDs: V-48089
Rule IDs: SV-60961r1_rule

If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.

Fix: F-51697r1_fix

The root role is required. Modify the /etc/default/keyserv file. # pfedit /etc/default/keyserv Locate the line: #ENABLE_NOBODY_KEYS=YES Change it to: ENABLE_NOBODY_KEYS=NO

b

X11 forwarding for SSH must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040330
Vuln IDs: V-48093
Rule IDs: SV-60965r1_rule

As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.

Fix: F-51701r1_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: X11Forwarding Change it to: X11Forwarding no Restart the SSH service. # svcadm restart svc:/network/ssh

a

Consecutive login attempts for SSH must be limited to 3.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040340
Vuln IDs: V-48099
Rule IDs: SV-60971r1_rule

Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks.

Fix: F-51707r1_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: MaxAuthTries Change it to: MaxAuthTries 6 Restart the SSH service. # svcadm restart svc:/network/ssh Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.

b

The rhost-based authentication for SSH must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040350
Vuln IDs: V-48101
Rule IDs: SV-60973r1_rule

Setting this parameter forces users to enter a password when authenticating with SSH.

Fix: F-51709r1_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

b

Direct root account login must not be permitted for SSH access.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040360
Vuln IDs: V-48103
Rule IDs: SV-60975r1_rule

The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user.

Fix: F-51713r1_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitRootLogin Change it to: PermitRootLogin no Restart the SSH service. # svcadm restart svc:/network/ssh

c

Login must not be permitted with empty/null passwords for SSH.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040370
Vuln IDs: V-48107
Rule IDs: SV-60979r1_rule

Permitting login without a password is inherently risky.

Fix: F-51715r1_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitEmptyPasswords/ Change it to: PermitEmptyPasswords/ no Restart the SSH service. # svcadm restart svc:/network/ssh

a

Users must have a valid home directory assignment.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-070070
Vuln IDs: V-48109
Rule IDs: SV-60981r1_rule

All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory.

Fix: F-51717r1_fix

The root role is required. Correct or justify any items discovered in the check step. Determine if there exists any users who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy. This generally means deleting the user or creating a valid home directory.

a

The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.

RMF Control: SC-10
Severity: L
CCI: CCI-001133
Version: SOL-11.1-040380
Vuln IDs: V-48111
Rule IDs: SV-60983r2_rule

This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

Fix: F-51719r2_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. Modify the sshd_config file: # pfedit /etc/ssh/sshd_config Modify or add the lines containing: ClientAliveInterval ClientAliveCountMax Change them to: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service: # svcadm restart svc:/network/ssh

b

Host-based authentication for login-based services must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040390
Vuln IDs: V-48113
Rule IDs: SV-60985r4_rule

The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.

Fix: F-51721r3_fix

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. The root role is required. # ls -l /etc/pam.d to identify the various configuration files used by PAM. Search each file for the pam_rhosts_auth.so.1 entry. # grep pam_rhosts_auth.so.1 [filename] Identify the file with the line pam_hosts_auth.so.1 in it. # pfedit [filename] Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".

b

Groups assigned to users must exist in the /etc/group file.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070060
Vuln IDs: V-48115
Rule IDs: SV-60987r1_rule

Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly managed.

Fix: F-51723r1_fix

The root role is required. Correct or justify any items discovered in the Audit step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.

b

The use of FTP must be restricted.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040400
Vuln IDs: V-48117
Rule IDs: SV-60989r1_rule

FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default "system" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system such as user "oracle" and the account which the web server process runs under.

Fix: F-51725r2_fix

The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do $(echo $user >> /etc/ftpd/ftpusers) done # sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp # mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers

c

There must be no user .rhosts files.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-070050
Vuln IDs: V-48119
Rule IDs: SV-60991r1_rule

Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.

Fix: F-51727r1_fix

The root role is required. Remove any .rhosts files found. # rm [file name]

c

The system must not allow autologin capabilities from the GNOME desktop.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040410
Vuln IDs: V-48121
Rule IDs: SV-60993r1_rule

As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf.

Fix: F-51729r1_fix

The root role is required. Modify the /etc/pam.d/gdm-autologin file. # pfedit /etc/pam.d/gdm-autologin Locate the lines: auth required pam_unix_cred.so.1 auth sufficient pam_allow.so.1 account sufficient pam_allow.so.1 Change the lines to read: #auth required pam_unix_cred.so.1 #auth sufficient pam_allow.so.1 #account sufficient pam_allow.so.1

b

Permissions on user .netrc files must be 750 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070040
Vuln IDs: V-48123
Rule IDs: SV-60995r1_rule

.netrc files may contain unencrypted passwords that can be used to attack other systems.

Fix: F-51731r1_fix

The root role is required. Change the permissions on users' .netrc files to 750 or less permissive. # chmod 750 [file name]

b

Logins to the root account must be restricted to the system console only.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040430
Vuln IDs: V-48127
Rule IDs: SV-60999r1_rule

Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.

Fix: F-51735r1_fix

The root role is required. Modify the /etc/default/login file # pfedit /etc/default/login Locate the line containing: CONSOLE Change it to read: CONSOLE=/dev/console

a

The operating system, upon successful logon, must display to the user the date and time of the last logon (access).

RMF Control: AC-9
Severity: L
CCI: CCI-000052
Version: SOL-11.1-040450
Vuln IDs: V-48131
Rule IDs: SV-61003r1_rule

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Fix: F-51739r1_fix

The root role is required for this action. # pfedit /etc/ssh/sshd_config Locate the line containing: PrintLastLog no and place a comment sign ("# ")at the beginning of the line or delete the line # PrintLastLog no Restart the ssh service # pfexec svcadm restart svc:/network/ssh

b

Permissions on user home directories must be 750 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070020
Vuln IDs: V-48133
Rule IDs: SV-61005r1_rule

Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.

Fix: F-51741r1_fix

The root role is required. Change the permissions on users' directories to 750 or less permissive. # chmod 750 [directory name]

b

The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

RMF Control: AC-11
Severity: M
CCI: CCI-000060
Version: SOL-11.1-040470
Vuln IDs: V-48139
Rule IDs: SV-61011r2_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.

Fix: F-51747r3_fix

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select “Screensaver” icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Click on Mode's pull-down. Select: "Blank Screen Only". Ensure that "Blank Screen Only" is selected.

c

The operating system must not allow logins for users with blank passwords.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040480
Vuln IDs: V-48143
Rule IDs: SV-61015r1_rule

If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.

Fix: F-51751r1_fix

The root role is required. Modify the /etc/default/login file. # pfedit /etc/default/login Insert the line: PASSREQ=YES

b

The operating system must terminate all sessions and network connections when non-local maintenance is completed.

RMF Control: MA-4
Severity: M
CCI: CCI-000879
Version: SOL-11.1-050460
Vuln IDs: V-48195
Rule IDs: SV-61067r1_rule

Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The operating system needs to ensure all sessions and network connections are terminated when non-local maintenance is completed.

Fix: F-51803r2_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. # pfedit /etc/ssh/sshd_config Insert the two lines: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service with the new configuration. # svcadm restart svc:/network/ssh

a

The FTP service must display the DoD approved system use notification message or banner before granting access to the system.

RMF Control: AC-8
Severity: L
CCI: CCI-000048
Version: SOL-11.1-050430
Vuln IDs: V-48199
Rule IDs: SV-61071r1_rule

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.

Fix: F-51807r2_fix

The root role is required. The package: pkg:/service/network/ftp must be installed. # pfedit /etc/issue Insert the proper DoD banner message text. The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." # echo "DisplayConnect /etc/issue" >> /etc/proftpd.conf # svcadm restart ftp

a

The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.

RMF Control: AC-8
Severity: L
CCI: CCI-000048
Version: SOL-11.1-050410
Vuln IDs: V-48203
Rule IDs: SV-61075r1_rule

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.

Fix: F-51809r1_fix

The root role is required. If the system does not use XWindows, this is not applicable. # pfedit /etc/issue Insert the proper DoD banner message text. The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." # pfedit /etc/gdm/Init/Default Add the following content before the "exit 0" line of the file. /usr/bin/zenity --text-info --width=800 --height=300 \ --title="Security Message" --filename=/etc/issue

a

The operating system must display the DoD approved system use notification message or banner for SSH connections.

RMF Control: AC-8
Severity: L
CCI: CCI-000048
Version: SOL-11.1-050390
Vuln IDs: V-48205
Rule IDs: SV-61077r1_rule

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.

Fix: F-51815r1_fix

The root role is required. Edit the SSH configuration file. # pfedit /etc/ssh/sshd_config Locate the file containing: Banner Change the line to read: Banner /etc/issue Edit the /etc/issue file # pfedit /etc/issue The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Restart the SSH service # svcadm restart svc:/network/ssh

a

The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.

RMF Control: AC-8
Severity: L
CCI: CCI-000048
Version: SOL-11.1-050380
Vuln IDs: V-48209
Rule IDs: SV-61081r1_rule

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.

Fix: F-51817r1_fix

The root role is required. Edit the contents of these two files and ensure that the proper DoD banner message is viewable. # pfedit /etc/motd # pfedit /etc/issue The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

b

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.

RMF Control: IA-5
Severity: M
CCI: CCI-000196
Version: SOL-11.1-040130
Vuln IDs: V-48243
Rule IDs: SV-61115r4_rule

Cryptographic hashes provide quick password authentication while not actually storing the password.

Fix: F-51851r3_fix

The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 exist and are not commented out.

b

The system must disable accounts after three consecutive unsuccessful login attempts.

RMF Control: AC-7
Severity: M
CCI: CCI-000044
Version: SOL-11.1-040140
Vuln IDs: V-48245
Rule IDs: SV-61117r1_rule

Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.

Fix: F-51853r1_fix

The root role is required. # pfedit /etc/default/login Change the line: #RETRIES=5 to read RETRIES=3 pfedit /etc/security/policy.conf Change the line containing #LOCK_AFTER_RETRIES to read: LOCK_AFTER_RETRIES=YES If a user has lock_after_retries set to "no", update the user's attributes using the command: # usermod -K lock_after_retries=yes [username]

b

The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.

RMF Control: AC-19
Severity: M
CCI: CCI-000085
Version: SOL-11.1-120410
Vuln IDs: V-49635
Rule IDs: SV-62559r1_rule

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.

Fix: F-53137r1_fix

The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global" this check applies. Modify the /etc/system file. # pfedit /etc/system Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect.

b

All run control scripts must have mode 0755 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020300
Vuln IDs: V-59827
Rule IDs: SV-74257r1_rule

If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.

Fix: F-65237r1_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. If they are world writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod go-w <startupfile>

b

Run control scripts executable search paths must contain only authorized paths.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020320
Vuln IDs: V-59831
Rule IDs: SV-74261r3_rule

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.

Fix: F-65241r2_fix

Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

b

All system start-up files must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020360
Vuln IDs: V-59839
Rule IDs: SV-74269r1_rule

System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.

Fix: F-65249r1_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

b

All system start-up files must be group-owned by root, sys, or bin.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020370
Vuln IDs: V-59841
Rule IDs: SV-74271r1_rule

If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.

Fix: F-65251r1_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

b

All .Xauthority files must have mode 0600 or less permissive.

RMF Control: AC-6
Severity: M
CCI: CCI-000225
Version: SOL-11.1-020510
Vuln IDs: V-61005
Rule IDs: SV-75473r2_rule

.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.

Fix: F-66737r1_fix

Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority