Solaris 11 SPARC STIG SCAP Benchmark V3R1 (SCAP)

b

The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.

RMF Control: AU-3
Severity: M
CCI: CCI-001487
Version: SOL-11.1-010040
Vuln IDs: V-216246
Rule IDs: SV-216246r986419_rule

Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked.

Fix: F-17480r986418_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone to be secured. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.

RMF Control: AU-7
Severity: M
CCI: CCI-000158
Version: SOL-11.1-010080
Vuln IDs: V-216249
Rule IDs: SV-216249r958430_rule

Without an audit reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17483r370836_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: SOL-11.1-010120
Vuln IDs: V-216251
Rule IDs: SV-216251r958446_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17485r370842_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include what type of events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000130
Version: SOL-11.1-010140
Vuln IDs: V-216253
Rule IDs: SV-216253r958412_rule

Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.

Fix: F-17487r370848_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include when (date and time) the events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000131
Version: SOL-11.1-010150
Vuln IDs: V-216254
Rule IDs: SV-216254r958414_rule

Without accurate time stamps malicious activity cannot be accurately tracked.

Fix: F-17488r370851_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include where the events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000132
Version: SOL-11.1-010160
Vuln IDs: V-216255
Rule IDs: SV-216255r958416_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17489r370854_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include the sources of the events that occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000133
Version: SOL-11.1-010170
Vuln IDs: V-216256
Rule IDs: SV-216256r958418_rule

Without accurate source information malicious activity cannot be accurately tracked.

Fix: F-17490r370857_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include the outcome (success or failure) of the events that occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000134
Version: SOL-11.1-010180
Vuln IDs: V-216257
Rule IDs: SV-216257r958420_rule

Tracking both the successful and unsuccessful attempts aids in identifying threats to the system.

Fix: F-17491r370860_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

c

The operating system must alert designated organizational officials in the event of an audit processing failure.

RMF Control: AU-5
Severity: H
CCI: CCI-000139
Version: SOL-11.1-010390
Vuln IDs: V-216273
Rule IDs: SV-216273r958424_rule

Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues.

Fix: F-17507r370908_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

b

All run control scripts must have mode 0755 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020300
Vuln IDs: V-216299
Rule IDs: SV-216299r959010_rule

If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.

Fix: F-17533r370986_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. If they are world writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod go-w <startupfile>

b

Run control scripts executable search paths must contain only authorized paths.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020320
Vuln IDs: V-216301
Rule IDs: SV-216301r959010_rule

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.

Fix: F-17535r370992_fix

Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

b

All system start-up files must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020360
Vuln IDs: V-216305
Rule IDs: SV-216305r959010_rule

System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.

Fix: F-17539r371004_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

b

All system start-up files must be group-owned by root, sys, or bin.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020370
Vuln IDs: V-216306
Rule IDs: SV-216306r959010_rule

If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.

Fix: F-17540r371007_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

b

All .Xauthority files must have mode 0600 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020510
Vuln IDs: V-216309
Rule IDs: SV-216309r959010_rule

.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.

Fix: F-17543r371016_fix

Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority

b

User passwords must be at least 15 characters in length.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040040
Vuln IDs: V-216324
Rule IDs: SV-216324r986398_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Fix: F-17558r986397_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: PASSLENGTH Change the line to read: PASSLENGTH=15

b

The system must require at least eight characters be changed between the old and new passwords during a password change.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040060
Vuln IDs: V-216326
Rule IDs: SV-216326r986399_rule

To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.

Fix: F-17560r371067_fix

The root role is required. # pfedit /etc/default/passwd Search for MINDIFF. Change the line to read: MINDIFF=8

b

The system must require passwords to contain at least one uppercase alphabetic character.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040070
Vuln IDs: V-216327
Rule IDs: SV-216327r986400_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17561r371070_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINUPPER Change the line to read: MINUPPER=1

b

The operating system must enforce password complexity requiring that at least one lowercase character is used.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040080
Vuln IDs: V-216328
Rule IDs: SV-216328r986401_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17562r371073_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINLOWER Change the line to read: MINLOWER=1

b

The system must require passwords to contain at least one numeric character.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040090
Vuln IDs: V-216329
Rule IDs: SV-216329r986402_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17563r371076_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINDIGIT Change the line to read: MINDIGIT=1

b

The system must require passwords to contain at least one special character.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040100
Vuln IDs: V-216330
Rule IDs: SV-216330r986403_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17564r371079_fix

The root role is required. # pfedit /etc/default/passwd a Locate the line containing: MINSPECIAL Change the line to read: MINSPECIAL=1

a

The system must require passwords to contain no more than three consecutive repeating characters.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040110
Vuln IDs: V-216331
Rule IDs: SV-216331r959010_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17565r371082_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MAXREPEATS Change the line to read: MAXREPEATS=3

b

The system must not have accounts configured with blank or null passwords.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040120
Vuln IDs: V-216332
Rule IDs: SV-216332r959010_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17566r371085_fix

The root role is required. Remove, lock, or configure a password for any account with a blank password. # passwd [username] or Use the passwd -l command to lock accounts that are not permitted to execute commands. or Use the passwd -N command to set accounts to be non-login.

b

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.

RMF Control
Severity: M
CCI: CCI-004062
Version: SOL-11.1-040130
Vuln IDs: V-216333
Rule IDs: SV-216333r986406_rule

Cryptographic hashes provide quick password authentication while not actually storing the password.

Fix: F-17567r986405_fix

The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the following lines exist and are not commented out: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6

b

The system must disable accounts after three consecutive unsuccessful login attempts.

RMF Control: AC-7
Severity: M
CCI: CCI-000044
Version: SOL-11.1-040140
Vuln IDs: V-216334
Rule IDs: SV-216334r958388_rule

Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.

Fix: F-17568r371091_fix

The root role is required. # pfedit /etc/default/login Change the line: #RETRIES=5 to read RETRIES=3 pfedit /etc/security/policy.conf Change the line containing #LOCK_AFTER_RETRIES to read: LOCK_AFTER_RETRIES=YES If a user has lock_after_retries set to "no", update the user's attributes using the command: # usermod -K lock_after_retries=yes [username]

b

The delay between login prompts following a failed login attempt must be at least 4 seconds.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040160
Vuln IDs: V-216335
Rule IDs: SV-216335r959010_rule

As an immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user.

Fix: F-17569r371094_fix

The root role is required. # pfedit the /etc/default/login Locate the line containing: SLEEPTIME Change the line to read: SLEEPTIME=4

b

The system must require users to re-authenticate to unlock a graphical desktop environment.

RMF Control: AC-11
Severity: M
CCI: CCI-000056
Version: SOL-11.1-040170
Vuln IDs: V-216336
Rule IDs: SV-216336r958400_rule

Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

Fix: F-17570r371097_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout: 0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout: 0:00:05 lock: True

b

Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.

RMF Control: AC-11
Severity: M
CCI: CCI-000057
Version: SOL-11.1-040180
Vuln IDs: V-216337
Rule IDs: SV-216337r958402_rule

Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

Fix: F-17571r371100_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout:0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:00:05 lock: True

b

The system must prevent the use of dictionary words for passwords.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040190
Vuln IDs: V-216338
Rule IDs: SV-216338r959010_rule

The use of common words in passwords simplifies password-cracking attacks.

Fix: F-17572r371103_fix

The root role is required. # pfedit /etc/default/passwd Insert the lines: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd Generate the password dictionary by running the mkpwdict command. # mkpwdict -s /usr/share/lib/dict/words

b

The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

RMF Control
Severity: M
CCI: CCI-004045
Version: SOL-11.1-040230
Vuln IDs: V-216340
Rule IDs: SV-216340r986407_rule

Allowing any user to elevate their privileges can allow them excessive control of the system tools.

Fix: F-17574r371109_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]

b

The default umask for system and users must be 077.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040250
Vuln IDs: V-216341
Rule IDs: SV-216341r959010_rule

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.

Fix: F-17575r371112_fix

The root role is required. Edit local and global initialization files containing "umask" and change them to use 077. # pfedit /etc/default/login Insert the line UMASK=077 # pfedit [user initialization file] Insert the line umask 077

a

The default umask for FTP users must be 077.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040260
Vuln IDs: V-216342
Rule IDs: SV-216342r959010_rule

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.

Fix: F-17576r371115_fix

The root role is required. # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. Otherwise, edit the FTP configuration file. # pfedit /etc/proftpd.conf Locate the line containing: Umask Change the line to read: Umask 077

b

Login services for serial ports must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040310
Vuln IDs: V-216347
Rule IDs: SV-216347r959010_rule

Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port.

Fix: F-17581r371130_fix

The Service Operator profile is required. Disable serial terminal services. # pfexec svcadm disable svc:/system/console-login:terma # pfexec svcadm disable svc:/system/console-login:termb

b

The nobody access for RPC encryption key storage service must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040320
Vuln IDs: V-216350
Rule IDs: SV-216350r959010_rule

If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.

Fix: F-17584r462488_fix

Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. The root role is required. Modify the /etc/default/keyserv file. # pfedit /etc/default/keyserv Locate the line: #ENABLE_NOBODY_KEYS=YES Change it to: ENABLE_NOBODY_KEYS=NO

b

X11 forwarding for SSH must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040330
Vuln IDs: V-216351
Rule IDs: SV-216351r959010_rule

As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.

Fix: F-17585r371142_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: X11Forwarding Change it to: X11Forwarding no Restart the SSH service. # svcadm restart svc:/network/ssh

a

Consecutive login attempts for SSH must be limited to 3.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040340
Vuln IDs: V-216352
Rule IDs: SV-216352r959010_rule

Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks.

Fix: F-17586r462491_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: MaxAuthTries Change it to: MaxAuthTries 6 Restart the SSH service. # svcadm restart svc:/network/ssh Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.

b

The rhost-based authentication for SSH must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040350
Vuln IDs: V-216353
Rule IDs: SV-216353r959010_rule

Setting this parameter forces users to enter a password when authenticating with SSH.

Fix: F-17587r371148_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

b

Direct root account login must not be permitted for SSH access.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040360
Vuln IDs: V-216354
Rule IDs: SV-216354r959010_rule

The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user.

Fix: F-17588r371151_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitRootLogin Change it to: PermitRootLogin no Restart the SSH service. # svcadm restart svc:/network/ssh

c

Login must not be permitted with empty/null passwords for SSH.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040370
Vuln IDs: V-216355
Rule IDs: SV-216355r959010_rule

Permitting login without a password is inherently risky.

Fix: F-17589r371154_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitEmptyPasswords Change it to: PermitEmptyPasswords no Restart the SSH service. # svcadm restart svc:/network/ssh

a

The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.

RMF Control: SC-10
Severity: L
CCI: CCI-001133
Version: SOL-11.1-040380
Vuln IDs: V-216356
Rule IDs: SV-216356r970703_rule

This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

Fix: F-17590r371157_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. Modify the sshd_config file: # pfedit /etc/ssh/sshd_config Modify or add the lines containing: ClientAliveInterval ClientAliveCountMax Change them to: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service: # svcadm restart svc:/network/ssh

b

Host-based authentication for login-based services must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040390
Vuln IDs: V-216357
Rule IDs: SV-216357r959010_rule

The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.

Fix: F-17591r371160_fix

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. The root role is required. # ls -l /etc/pam.d to identify the various configuration files used by PAM. Search each file for the pam_rhosts_auth.so.1 entry. # grep pam_rhosts_auth.so.1 [filename] Identify the file with the line pam_hosts_auth.so.1 in it. # pfedit [filename] Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".

b

The use of FTP must be restricted.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040400
Vuln IDs: V-216358
Rule IDs: SV-216358r959010_rule

FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default "system" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system such as user "oracle" and the account which the web server process runs under.

Fix: F-17592r371163_fix

The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do $(echo $user >> /etc/ftpd/ftpusers) done # sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp # mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers

c

The system must not allow autologin capabilities from the GNOME desktop.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040410
Vuln IDs: V-216359
Rule IDs: SV-216359r959010_rule

As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf.

Fix: F-17593r371166_fix

The root role is required. Modify the /etc/pam.d/gdm-autologin file. # pfedit /etc/pam.d/gdm-autologin Locate the lines: auth required pam_unix_cred.so.1 auth sufficient pam_allow.so.1 account sufficient pam_allow.so.1 Change the lines to read: #auth required pam_unix_cred.so.1 #auth sufficient pam_allow.so.1 #account sufficient pam_allow.so.1

b

Logins to the root account must be restricted to the system console only.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040430
Vuln IDs: V-216361
Rule IDs: SV-216361r959010_rule

Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.

Fix: F-17595r371172_fix

The root role is required. Modify the /etc/default/login file # pfedit /etc/default/login Locate the line containing: CONSOLE Change it to read: CONSOLE=/dev/console

a

The operating system, upon successful logon, must display to the user the date and time of the last logon (access).

RMF Control: AC-9
Severity: L
CCI: CCI-000052
Version: SOL-11.1-040450
Vuln IDs: V-216362
Rule IDs: SV-216362r987814_rule

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Fix: F-17596r371175_fix

The root role is required for this action. # pfedit /etc/ssh/sshd_config Locate the line containing: PrintLastLog no and place a comment sign ("# ")at the beginning of the line or delete the line # PrintLastLog no Restart the ssh service # pfexec svcadm restart svc:/network/ssh

b

The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

RMF Control: AC-11
Severity: M
CCI: CCI-000060
Version: SOL-11.1-040470
Vuln IDs: V-216364
Rule IDs: SV-216364r958404_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.

Fix: F-17598r371181_fix

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select “Screensaver” icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Click on Mode's pull-down. Select: "Blank Screen Only". Ensure that "Blank Screen Only" is selected.

c

The operating system must not allow logins for users with blank passwords.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040480
Vuln IDs: V-216365
Rule IDs: SV-216365r959010_rule

If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.

Fix: F-17599r371184_fix

The root role is required. Modify the /etc/default/login file. # pfedit /etc/default/login Insert the line: PASSREQ=YES

b

The operating system must terminate all sessions and network connections when nonlocal maintenance is completed.

RMF Control: SC-10
Severity: M
CCI: CCI-001133
Version: SOL-11.1-050460
Vuln IDs: V-216399
Rule IDs: SV-216399r986416_rule

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. The operating system needs to ensure all sessions and network connections are terminated when nonlocal maintenance is completed.

Fix: F-17633r371286_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. # pfedit /etc/ssh/sshd_config Insert the two lines: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service with the new configuration. # svcadm restart svc:/network/ssh

b

Permissions on user home directories must be 750 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070020
Vuln IDs: V-216418
Rule IDs: SV-216418r959010_rule

Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.

Fix: F-17652r371343_fix

The root role is required. Change the permissions on users' directories to 750 or less permissive. # chmod 750 [directory name]

b

Permissions on user .netrc files must be 750 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070040
Vuln IDs: V-216420
Rule IDs: SV-216420r959010_rule

.netrc files may contain unencrypted passwords that can be used to attack other systems.

Fix: F-17654r371349_fix

The root role is required. Change the permissions on users' .netrc files to 750 or less permissive. # chmod 750 [file name]

c

There must be no user .rhosts files.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-070050
Vuln IDs: V-216421
Rule IDs: SV-216421r959010_rule

Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.

Fix: F-17655r371352_fix

The root role is required. Remove any .rhosts files found. # rm [file name]

b

Groups assigned to users must exist in the /etc/group file.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070060
Vuln IDs: V-216422
Rule IDs: SV-216422r959010_rule

Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly managed.

Fix: F-17656r371355_fix

The root role is required. Correct or justify any items discovered in the Audit step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.

a

Users must have a valid home directory assignment.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-070070
Vuln IDs: V-216423
Rule IDs: SV-216423r959010_rule

All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory.

Fix: F-17657r371358_fix

The root role is required. Correct or justify any items discovered in the check step. Determine if there exists any users who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy. This generally means deleting the user or creating a valid home directory.

b

Reserved UIDs 0-99 must only be used by system accounts.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070130
Vuln IDs: V-216429
Rule IDs: SV-216429r959010_rule

If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.

Fix: F-17663r462494_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any accounts using these reserved UIDs, and work with their owners to determine the best course of action in accordance with site policy. This may require deleting users or changing UIDs for users.

b

User .netrc files must not exist.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070160
Vuln IDs: V-216432
Rule IDs: SV-216432r959010_rule

The .netrc file presents a significant security risk since it stores passwords in unencrypted form.

Fix: F-17666r371385_fix

The root role is required. Determine if any .netrc files exist, and work with the owners to determine the best course of action in accordance with site policy.

b

The system must not allow users to configure .forward files.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070170
Vuln IDs: V-216433
Rule IDs: SV-216433r959010_rule

Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions.

Fix: F-17667r371388_fix

The root role is required. Remove any .forward files that are found. # pfexec rm [filename]

b

The root account must be the only account with GID of 0.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070220
Vuln IDs: V-216438
Rule IDs: SV-216438r959010_rule

All accounts with a GID of 0 have root group privileges and must be limited to the group account only.

Fix: F-17672r371403_fix

The root role is required. Change the default GID of non-root accounts to a valid GID other than 0.

a

The operating system must reveal error messages only to authorized personnel.

RMF Control: SI-11
Severity: L
CCI: CCI-001314
Version: SOL-11.1-070240
Vuln IDs: V-216439
Rule IDs: SV-216439r958566_rule

Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages.

Fix: F-17673r371406_fix

The root role is required. Change the permissions and owner on the /var/adm/messages file: # chmod 640 /var/adm/messages # chown root /var/adm/messages # chgrp root /var/adm/messages Change the permissions and owner on the /var/adm directory: # chmod 750 /var/adm # chown root /var/adm # chgrp sys /var/adm

c

The operating system must be a supported release.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-080010
Vuln IDs: V-216442
Rule IDs: SV-216442r959010_rule

An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Fix: F-17676r371415_fix

Upgrade to a supported version of the operating system.

b

The operating system must implement transaction recovery for transaction-based systems.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-080150
Vuln IDs: V-216455
Rule IDs: SV-216455r959010_rule

Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. While this is typically a database function, operating systems could be transactional in nature with respect to file processing.

Fix: F-17689r371454_fix

The root role is required. Solaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance. If any UFS file systems are mounted with the "nologging" options, remove that option from the /etc/vfstab file. # pfedit /etc/vfstab Locate any file systems listed with the "nologging" option and delete the keyword "nologging".

a

The limitpriv zone option must be set to the vendor default or less permissive.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-100020
Vuln IDs: V-216475
Rule IDs: SV-216475r959010_rule

Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.

Fix: F-17709r371508_fix

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Zone Security profile is required: Change the "limitpriv" setting to default. # pfexec zonecfg -z [zone] set limitpriv=default

b

The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-120410
Vuln IDs: V-216479
Rule IDs: SV-216479r959010_rule

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.

Fix: F-17713r371520_fix

The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global" this check applies. Modify the /etc/system file. Determine the OS version you are currently securing. # uname –v For Solaris 11GA and 11.1 # pfedit /etc/system Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect. For Solaris 11.2 or newer Modify an /etc/system.d file. # pfedit /etc/system.d/USB:MassStorage Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect.

b

The audit system must support an audit reduction capability.

RMF Control: AU-7
Severity: M
CCI: CCI-001877
Version: SOL-11.1-010060
Vuln IDs: V-219959
Rule IDs: SV-219959r958768_rule

Using the audit system will utilize the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack.

Fix: F-21668r370830_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system records must be able to be used by a report generation capability.

RMF Control: AU-7
Severity: M
CCI: CCI-001880
Version: SOL-11.1-010070
Vuln IDs: V-219960
Rule IDs: SV-219960r958774_rule

Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-21669r370833_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.

RMF Control: AU-12
Severity: M
CCI: CCI-000169
Version: SOL-11.1-010100
Vuln IDs: V-219961
Rule IDs: SV-219961r958442_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-21670r370839_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.

RMF Control: AU-12
Severity: M
CCI: CCI-000169
Version: SOL-11.1-010130
Vuln IDs: V-219962
Rule IDs: SV-219962r958442_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-21671r370845_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system must alert the SA when the audit storage volume approaches its capacity.

RMF Control: AU-5
Severity: M
CCI: CCI-001855
Version: SOL-11.1-010370
Vuln IDs: V-219965
Rule IDs: SV-219965r971542_rule

Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected.

Fix: F-21674r370902_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

c

The audit system must alert the System Administrator (SA) if there is any type of audit failure.

RMF Control: AU-5
Severity: H
CCI: CCI-001858
Version: SOL-11.1-010380
Vuln IDs: V-219966
Rule IDs: SV-219966r958758_rule

Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues.

Fix: F-21675r370905_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

b

The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.

RMF Control: SC-18
Severity: M
CCI: CCI-001170
Version: SOL-11.1-030060
Vuln IDs: V-219972
Rule IDs: SV-219972r958548_rule

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Auto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.

Fix: F-21681r371049_fix

The Service Management profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Disable the rmvolmgr service. # pfexec svcadm disable svc:/system/filesystem/rmvolmgr:default

b

The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.

RMF Control: SC-18
Severity: M
CCI: CCI-001170
Version: SOL-11.1-040200
Vuln IDs: V-219973
Rule IDs: SV-219973r958726_rule

Allowing any user to elevate their privileges can allow them excessive control of the system tools.

Fix: F-21682r371106_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]