Solaris 11 X86 STIG SCAP Benchmark V3R4 (SCAP)

b

The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.

RMF Control: AU-3
Severity: M
CCI: CCI-001487
Version: SOL-11.1-010040
Vuln IDs: V-216011
Rule IDs: SV-216011r986460_rule

Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked.

Fix: F-17247r986459_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone to be secured. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.

RMF Control: AU-7
Severity: M
CCI: CCI-000158
Version: SOL-11.1-010080
Vuln IDs: V-216014
Rule IDs: SV-216014r958430_rule

Without an audit reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17250r372425_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.

RMF Control: AU-12
Severity: M
CCI: CCI-000169
Version: SOL-11.1-010100
Vuln IDs: V-216015
Rule IDs: SV-216015r958442_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17251r372428_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: SOL-11.1-010120
Vuln IDs: V-216016
Rule IDs: SV-216016r958446_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17252r372431_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include what type of events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000130
Version: SOL-11.1-010140
Vuln IDs: V-216018
Rule IDs: SV-216018r958412_rule

Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.

Fix: F-17254r372437_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include when (date and time) the events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000131
Version: SOL-11.1-010150
Vuln IDs: V-216019
Rule IDs: SV-216019r958414_rule

Without accurate time stamps malicious activity cannot be accurately tracked.

Fix: F-17255r372440_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include where the events occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000132
Version: SOL-11.1-010160
Vuln IDs: V-216020
Rule IDs: SV-216020r958416_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-17256r372443_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include the sources of the events that occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000133
Version: SOL-11.1-010170
Vuln IDs: V-216021
Rule IDs: SV-216021r958418_rule

Without accurate source information malicious activity cannot be accurately tracked.

Fix: F-17257r372446_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

Audit records must include the outcome (success or failure) of the events that occurred.

RMF Control: AU-3
Severity: M
CCI: CCI-000134
Version: SOL-11.1-010180
Vuln IDs: V-216022
Rule IDs: SV-216022r958420_rule

Tracking both the successful and unsuccessful attempts aids in identifying threats to the system.

Fix: F-17258r372449_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

c

The operating system must alert designated organizational officials in the event of an audit processing failure.

RMF Control: AU-5
Severity: H
CCI: CCI-000139
Version: SOL-11.1-010390
Vuln IDs: V-216038
Rule IDs: SV-216038r958424_rule

Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues.

Fix: F-17274r372497_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

b

All run control scripts must have mode 0755 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020300
Vuln IDs: V-216064
Rule IDs: SV-216064r959010_rule

If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.

Fix: F-17300r372575_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. If they are world writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod go-w <startupfile>

b

Run control scripts executable search paths must contain only authorized paths.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020320
Vuln IDs: V-216066
Rule IDs: SV-216066r959010_rule

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.

Fix: F-17302r372581_fix

Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

b

All system start-up files must be owned by root.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020360
Vuln IDs: V-216070
Rule IDs: SV-216070r959010_rule

System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.

Fix: F-17306r372593_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

b

All system start-up files must be group-owned by root, sys, or bin.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020370
Vuln IDs: V-216071
Rule IDs: SV-216071r959010_rule

If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.

Fix: F-17307r372596_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

b

All .Xauthority files must have mode 0600 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-020510
Vuln IDs: V-216074
Rule IDs: SV-216074r959010_rule

.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.

Fix: F-17310r372605_fix

Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority

b

User passwords must be at least 15 characters in length.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040040
Vuln IDs: V-216089
Rule IDs: SV-216089r1016285_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Fix: F-17325r986428_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: PASSLENGTH Change the line to read: PASSLENGTH=15

b

The system must require at least eight characters be changed between the old and new passwords during a password change.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040060
Vuln IDs: V-216091
Rule IDs: SV-216091r1016286_rule

To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.

Fix: F-17327r372656_fix

The root role is required. # pfedit /etc/default/passwd Search for MINDIFF. Change the line to read: MINDIFF=8

b

The system must require passwords to contain at least one uppercase alphabetic character.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040070
Vuln IDs: V-216092
Rule IDs: SV-216092r1016287_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17328r986433_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINUPPER Change the line to read: MINUPPER=1

b

The operating system must enforce password complexity requiring that at least one lowercase character is used.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040080
Vuln IDs: V-216093
Rule IDs: SV-216093r1016288_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17329r986436_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINLOWER Change the line to read: MINLOWER=1

b

The system must require passwords to contain at least one numeric character.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040090
Vuln IDs: V-216094
Rule IDs: SV-216094r1016289_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17330r986439_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINDIGIT Change the line to read: MINDIGIT=1

b

The system must require passwords to contain at least one special character.

RMF Control
Severity: M
CCI: CCI-004066
Version: SOL-11.1-040100
Vuln IDs: V-216095
Rule IDs: SV-216095r1016290_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17331r986442_fix

The root role is required. # pfedit /etc/default/passwd a Locate the line containing: MINSPECIAL Change the line to read: MINSPECIAL=1

a

The system must require passwords to contain no more than three consecutive repeating characters.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040110
Vuln IDs: V-216096
Rule IDs: SV-216096r959010_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17332r372671_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MAXREPEATS Change the line to read: MAXREPEATS=3

b

The system must not have accounts configured with blank or null passwords.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040120
Vuln IDs: V-216097
Rule IDs: SV-216097r959010_rule

Complex passwords can reduce the likelihood of success of automated password-guessing attacks.

Fix: F-17333r372674_fix

The root role is required. Remove, lock, or configure a password for any account with a blank password. # passwd [username] or Use the passwd -l command to lock accounts that are not permitted to execute commands. or Use the passwd -N command to set accounts to be non-login.

b

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.

RMF Control
Severity: M
CCI: CCI-004062
Version: SOL-11.1-040130
Vuln IDs: V-216098
Rule IDs: SV-216098r1016291_rule

Cryptographic hashes provide quick password authentication while not actually storing the password.

Fix: F-17334r986445_fix

The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the following lines exist and are not commented out: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6

b

The system must disable accounts after three consecutive unsuccessful login attempts.

RMF Control: AC-7
Severity: M
CCI: CCI-000044
Version: SOL-11.1-040140
Vuln IDs: V-216099
Rule IDs: SV-216099r958388_rule

Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.

Fix: F-17335r372680_fix

The root role is required. # pfedit /etc/default/login Change the line: #RETRIES=5 to read RETRIES=3 pfedit /etc/security/policy.conf Change the line containing #LOCK_AFTER_RETRIES to read: LOCK_AFTER_RETRIES=YES If a user has lock_after_retries set to "no", update the user's attributes using the command: # usermod -K lock_after_retries=yes [username]

b

The delay between login prompts following a failed login attempt must be at least 4 seconds.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040160
Vuln IDs: V-216100
Rule IDs: SV-216100r959010_rule

As an immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user.

Fix: F-17336r372683_fix

The root role is required. # pfedit the /etc/default/login Locate the line containing: SLEEPTIME Change the line to read: SLEEPTIME=4

b

The system must require users to re-authenticate to unlock a graphical desktop environment.

RMF Control: AC-11
Severity: M
CCI: CCI-000056
Version: SOL-11.1-040170
Vuln IDs: V-216101
Rule IDs: SV-216101r958400_rule

Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

Fix: F-17337r372686_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout: 0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout: 0:00:05 lock: True

b

Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.

RMF Control: AC-11
Severity: M
CCI: CCI-000057
Version: SOL-11.1-040180
Vuln IDs: V-216102
Rule IDs: SV-216102r958402_rule

Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

Fix: F-17338r372689_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout:0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:00:05 lock: True

b

The system must prevent the use of dictionary words for passwords.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040190
Vuln IDs: V-216103
Rule IDs: SV-216103r959010_rule

The use of common words in passwords simplifies password-cracking attacks.

Fix: F-17339r372692_fix

The root role is required. # pfedit /etc/default/passwd Insert the lines: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd Generate the password dictionary by running the mkpwdict command. # mkpwdict -s /usr/share/lib/dict/words

b

The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

RMF Control
Severity: M
CCI: CCI-004045
Version: SOL-11.1-040230
Vuln IDs: V-216105
Rule IDs: SV-216105r1016292_rule

Allowing any user to elevate their privileges can allow them excessive control of the system tools.

Fix: F-17341r372698_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]

b

The default umask for system and users must be 077.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040250
Vuln IDs: V-216106
Rule IDs: SV-216106r959010_rule

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.

Fix: F-17342r372701_fix

The root role is required. Edit local and global initialization files containing "umask" and change them to use 077. # pfedit /etc/default/login Insert the line UMASK=077 # pfedit [user initialization file] Insert the line umask 077

a

The default umask for FTP users must be 077.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040260
Vuln IDs: V-216107
Rule IDs: SV-216107r959010_rule

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.

Fix: F-17343r372704_fix

The root role is required. # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. Otherwise, edit the FTP configuration file. # pfedit /etc/proftpd.conf Locate the line containing: Umask Change the line to read: Umask 077

b

Login services for serial ports must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040310
Vuln IDs: V-216112
Rule IDs: SV-216112r959010_rule

Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port.

Fix: F-17348r372719_fix

The Service Operator profile is required. Disable serial terminal services. # pfexec svcadm disable svc:/system/console-login:terma # pfexec svcadm disable svc:/system/console-login:termb

b

The nobody access for RPC encryption key storage service must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040320
Vuln IDs: V-216113
Rule IDs: SV-216113r959010_rule

If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.

Fix: F-17349r462443_fix

Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. The root role is required. Modify the /etc/default/keyserv file. # pfedit /etc/default/keyserv Locate the line: #ENABLE_NOBODY_KEYS=YES Change it to: ENABLE_NOBODY_KEYS=NO

b

X11 forwarding for SSH must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040330
Vuln IDs: V-216114
Rule IDs: SV-216114r959010_rule

As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.

Fix: F-17350r372725_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: X11Forwarding Change it to: X11Forwarding no Restart the SSH service. # svcadm restart svc:/network/ssh

a

Consecutive login attempts for SSH must be limited to 3.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-040340
Vuln IDs: V-216115
Rule IDs: SV-216115r1155803_rule

Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks.

Fix: F-17351r1155802_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the lines containing: MaxAuthTries MaxAuthTriesLog Change them to: MaxAuthTries 6 MaxAuthTriesLog 6 Restart the SSH service. # svcadm restart svc:/network/ssh Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.

b

The rhost-based authentication for SSH must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040350
Vuln IDs: V-216116
Rule IDs: SV-216116r959010_rule

Setting this parameter forces users to enter a password when authenticating with SSH.

Fix: F-17352r372731_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

b

Direct root account login must not be permitted for SSH access.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040360
Vuln IDs: V-216117
Rule IDs: SV-216117r959010_rule

The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user.

Fix: F-17353r372734_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitRootLogin Change it to: PermitRootLogin no Restart the SSH service. # svcadm restart svc:/network/ssh

c

Login must not be permitted with empty/null passwords for SSH.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040370
Vuln IDs: V-216118
Rule IDs: SV-216118r959010_rule

Permitting login without a password is inherently risky.

Fix: F-17354r372737_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitEmptyPasswords Change it to: PermitEmptyPasswords no Restart the SSH service. # svcadm restart svc:/network/ssh

a

The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.

RMF Control: SC-10
Severity: L
CCI: CCI-001133
Version: SOL-11.1-040380
Vuln IDs: V-216119
Rule IDs: SV-216119r970703_rule

This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

Fix: F-17355r372740_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. Modify the sshd_config file: # pfedit /etc/ssh/sshd_config Modify or add the lines containing: ClientAliveInterval ClientAliveCountMax Change them to: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service: # svcadm restart svc:/network/ssh

b

Host-based authentication for login-based services must be disabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040390
Vuln IDs: V-216120
Rule IDs: SV-216120r959010_rule

The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.

Fix: F-17356r372743_fix

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. The root role is required. # ls -l /etc/pam.d to identify the various configuration files used by PAM. Search each file for the pam_rhosts_auth.so.1 entry. # grep pam_rhosts_auth.so.1 [filename] Identify the file with the line pam_hosts_auth.so.1 in it. # pfedit [filename] Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".

b

The use of FTP must be restricted.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040400
Vuln IDs: V-216121
Rule IDs: SV-216121r959010_rule

FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default "system" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system such as user "oracle" and the account which the web server process runs under.

Fix: F-17357r372746_fix

The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do $(echo $user >> /etc/ftpd/ftpusers) done # sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp # mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers

c

The system must not allow autologin capabilities from the GNOME desktop.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040410
Vuln IDs: V-216122
Rule IDs: SV-216122r959010_rule

As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf.

Fix: F-17358r372749_fix

The root role is required. Modify the /etc/pam.d/gdm-autologin file. # pfedit /etc/pam.d/gdm-autologin Locate the lines: auth required pam_unix_cred.so.1 auth sufficient pam_allow.so.1 account sufficient pam_allow.so.1 Change the lines to read: #auth required pam_unix_cred.so.1 #auth sufficient pam_allow.so.1 #account sufficient pam_allow.so.1

b

Logins to the root account must be restricted to the system console only.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-040430
Vuln IDs: V-216124
Rule IDs: SV-216124r959010_rule

Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.

Fix: F-17360r372755_fix

The root role is required. Modify the /etc/default/login file # pfedit /etc/default/login Locate the line containing: CONSOLE Change it to read: CONSOLE=/dev/console

a

The operating system, upon successful logon, must display to the user the date and time of the last logon (access).

RMF Control: AC-9
Severity: L
CCI: CCI-000052
Version: SOL-11.1-040450
Vuln IDs: V-216125
Rule IDs: SV-216125r987814_rule

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Fix: F-17361r372758_fix

The root role is required for this action. # pfedit /etc/ssh/sshd_config Locate the line containing: PrintLastLog no and place a comment sign ("# ")at the beginning of the line or delete the line # PrintLastLog no Restart the ssh service # pfexec svcadm restart svc:/network/ssh

b

The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

RMF Control: AC-11
Severity: M
CCI: CCI-000060
Version: SOL-11.1-040470
Vuln IDs: V-216127
Rule IDs: SV-216127r958404_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.

Fix: F-17363r372764_fix

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select "Screensaver" icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Click on Mode's pull-down. Select: "Blank Screen Only". Ensure that "Blank Screen Only" is selected.

c

The operating system must not allow logins for users with blank passwords.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-040480
Vuln IDs: V-216128
Rule IDs: SV-216128r959010_rule

If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.

Fix: F-17364r372767_fix

The root role is required. Modify the /etc/default/login file. # pfedit /etc/default/login Insert the line: PASSREQ=YES

b

The operating system must terminate all sessions and network connections when nonlocal maintenance is completed.

RMF Control: SC-10
Severity: M
CCI: CCI-001133
Version: SOL-11.1-050460
Vuln IDs: V-216162
Rule IDs: SV-216162r986457_rule

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. The operating system needs to ensure all sessions and network connections are terminated when nonlocal maintenance is completed.

Fix: F-17398r372869_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. # pfedit /etc/ssh/sshd_config Insert the two lines: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service with the new configuration. # svcadm restart svc:/network/ssh

b

Permissions on user home directories must be 750 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070020
Vuln IDs: V-216181
Rule IDs: SV-216181r959010_rule

Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.

Fix: F-17417r372926_fix

The root role is required. Change the permissions on users' directories to 750 or less permissive. # chmod 750 [directory name]

b

Permissions on user .netrc files must be 750 or less permissive.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070040
Vuln IDs: V-216183
Rule IDs: SV-216183r959010_rule

.netrc files may contain unencrypted passwords that can be used to attack other systems.

Fix: F-17419r372932_fix

The root role is required. Change the permissions on users' .netrc files to 750 or less permissive. # chmod 750 [file name]

c

There must be no user .rhosts files.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-070050
Vuln IDs: V-216184
Rule IDs: SV-216184r959010_rule

Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.

Fix: F-17420r372935_fix

The root role is required. Remove any .rhosts files found. # rm [file name]

b

Groups assigned to users must exist in the /etc/group file.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070060
Vuln IDs: V-216185
Rule IDs: SV-216185r959010_rule

Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly managed.

Fix: F-17421r372938_fix

The root role is required. Correct or justify any items discovered in the Audit step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.

a

Users must have a valid home directory assignment.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-070070
Vuln IDs: V-216186
Rule IDs: SV-216186r959010_rule

All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory.

Fix: F-17422r372941_fix

The root role is required. Correct or justify any items discovered in the check step. Determine if there exists any users who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy. This generally means deleting the user or creating a valid home directory.

b

Reserved UIDs 0-99 must only be used by system accounts.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070130
Vuln IDs: V-216192
Rule IDs: SV-216192r959010_rule

If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.

Fix: F-17428r462482_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any accounts using these reserved UIDs, and work with their owners to determine the best course of action in accordance with site policy. This may require deleting users or changing UIDs for users.

b

User .netrc files must not exist.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070160
Vuln IDs: V-216195
Rule IDs: SV-216195r959010_rule

The .netrc file presents a significant security risk since it stores passwords in unencrypted form.

Fix: F-17431r372968_fix

The root role is required. Determine if any .netrc files exist, and work with the owners to determine the best course of action in accordance with site policy.

b

The system must not allow users to configure .forward files.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070170
Vuln IDs: V-216196
Rule IDs: SV-216196r959010_rule

Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions.

Fix: F-17432r372971_fix

The root role is required. Remove any .forward files that are found. # pfexec rm [filename]

b

The root account must be the only account with GID of 0.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-070220
Vuln IDs: V-216201
Rule IDs: SV-216201r959010_rule

All accounts with a GID of 0 have root group privileges and must be limited to the group account only.

Fix: F-17437r372986_fix

The root role is required. Change the default GID of non-root accounts to a valid GID other than 0.

a

The operating system must reveal error messages only to authorized personnel.

RMF Control: SI-11
Severity: L
CCI: CCI-001314
Version: SOL-11.1-070240
Vuln IDs: V-216202
Rule IDs: SV-216202r958566_rule

Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages.

Fix: F-17438r372989_fix

The root role is required. Change the permissions and owner on the /var/adm/messages file: # chmod 640 /var/adm/messages # chown root /var/adm/messages # chgrp root /var/adm/messages Change the permissions and owner on the /var/adm directory: # chmod 750 /var/adm # chown root /var/adm # chgrp sys /var/adm

c

The operating system must be a supported release.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: SOL-11.1-080010
Vuln IDs: V-216205
Rule IDs: SV-216205r1155804_rule

An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Release Released Premier Support Extended Support 11 09 Nov 2011 NA NA 11.1 03 Oct 2012 NA NA 11.2 29 Apr 2014 NA NA 11.3 26 Oct 2015 01 Jan 2021 01 Jan 2027 11.4 28 Aug 2018 01 Nov 2031 01 Nov 2037

Fix: F-17441r372998_fix

Upgrade to a supported version of the operating system.

a

The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel).

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-080140
Vuln IDs: V-216218
Rule IDs: SV-216218r959010_rule

The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots.

Fix: F-17454r373037_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Update GRUB to use a custom configuration file. # pfedit /rpool/boot/grub/grub.cfg Insert the line: source $prefix/custom.cfg Create a password hash. # /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is ....... Copy the long password hash in its entirety. # pfedit /rpool/boot/grub/custom.cfg Insert the lines: set superusers="[username]" password_pbkdf2 [username] [password hash] Restart the system.

b

The operating system must implement transaction recovery for transaction-based systems.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-080150
Vuln IDs: V-216219
Rule IDs: SV-216219r959010_rule

Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. While this is typically a database function, operating systems could be transactional in nature with respect to file processing.

Fix: F-17455r373040_fix

The root role is required. Solaris 11 ZFS copy-on-write model allows filesystem accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance. If any UFS file systems are mounted with the "nologging" options, remove that option from the /etc/vfstab file. # pfedit /etc/vfstab Locate any file systems listed with the "nologging" option and delete the keyword "nologging".

a

The limitpriv zone option must be set to the vendor default or less permissive.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: SOL-11.1-100020
Vuln IDs: V-216239
Rule IDs: SV-216239r959010_rule

Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.

Fix: F-17475r373094_fix

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Zone Security profile is required: Change the "limitpriv" setting to default. # pfexec zonecfg -z [zone] set limitpriv=default

b

The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: SOL-11.1-120410
Vuln IDs: V-216243
Rule IDs: SV-216243r959010_rule

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.

Fix: F-17479r373106_fix

The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global" this check applies. Modify the /etc/system file. Determine the OS version you are currently securing. # uname -v For Solaris 11GA and 11.1 # pfedit /etc/system Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect. For Solaris 11.2 or newer Modify an /etc/system.d file. # pfedit /etc/system.d/USB:MassStorage Add a line containing: exclude: scsa2usb Note that the global zone will need to be rebooted for this change to take effect.

b

The audit system must support an audit reduction capability.

RMF Control: AU-7
Severity: M
CCI: CCI-001877
Version: SOL-11.1-010060
Vuln IDs: V-219988
Rule IDs: SV-219988r958768_rule

Using the audit system will utilize the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack.

Fix: F-21697r372419_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system records must be able to be used by a report generation capability.

RMF Control: AU-7
Severity: M
CCI: CCI-001880
Version: SOL-11.1-010070
Vuln IDs: V-219989
Rule IDs: SV-219989r958774_rule

Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-21698r372422_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.

RMF Control: AU-12
Severity: M
CCI: CCI-000169
Version: SOL-11.1-010130
Vuln IDs: V-219990
Rule IDs: SV-219990r958442_rule

Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.

Fix: F-21699r372434_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

b

The audit system must alert the SA when the audit storage volume approaches its capacity.

RMF Control: AU-5
Severity: M
CCI: CCI-001855
Version: SOL-11.1-010370
Vuln IDs: V-219993
Rule IDs: SV-219993r971542_rule

Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected.

Fix: F-21702r372491_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

c

The audit system must alert the System Administrator (SA) if there is any type of audit failure.

RMF Control: AU-5
Severity: H
CCI: CCI-001858
Version: SOL-11.1-010380
Vuln IDs: V-219994
Rule IDs: SV-219994r958758_rule

Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues.

Fix: F-21703r372494_fix

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # pfedit /etc/mail/aliases Insert a line in the form: audit_warn:user1,user2 Put the updated aliases file into service. # newaliases

b

The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.

RMF Control: SC-18
Severity: M
CCI: CCI-001170
Version: SOL-11.1-030060
Vuln IDs: V-220000
Rule IDs: SV-220000r958548_rule

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Auto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.

Fix: F-21709r372638_fix

The Service Management profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Disable the rmvolmgr service. # pfexec svcadm disable svc:/system/filesystem/rmvolmgr:default

b

The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.

RMF Control: AC-6
Severity: M
CCI: CCI-002235
Version: SOL-11.1-040200
Vuln IDs: V-220001
Rule IDs: SV-220001r958726_rule

Allowing any user to elevate their privileges can allow them excessive control of the system tools.

Fix: F-21710r372695_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]