Solaris 11 SPARC Security Technical Implementation Guide

Version V001.012R1, released 2019-07-26. Benchmark file: U_Solaris_11_SPARC_V1R12_STIG_SCAP_1-2_Benchmark.xml
Developed by Oracle in coordination with DISA for the DoD. The Solaris 11 (SPARC) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
| Rule | Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-60657r1_rule | SOL-11.1-010040 | CCI-001487 | MEDIUM | The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event. | Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information, malicious activity cannot be accurately tracked. |
| SV-60659r1_rule | SOL-11.1-010060 | CCI-000156 | MEDIUM | The audit system must support an audit reduction capability. | Enabling the audit system provides the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack. |
| SV-60661r1_rule | SOL-11.1-010070 | CCI-000157 | MEDIUM | The audit system records must be able to be used by a report generation capability. | Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack. |
| SV-60663r1_rule | SOL-11.1-010080 | CCI-000158 | MEDIUM | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria. | Without an audit reporting capability, users find it difficult to identify specific patterns of attack. |
| SV-60665r1_rule | SOL-11.1-010100 | CCI-000169 | MEDIUM | The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack. |
| SV-60667r1_rule | SOL-11.1-010120 | CCI-000172 | MEDIUM | The operating system must generate audit records for the selected list of auditable events as defined in the DoD list of events. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack. |
| SV-60669r1_rule | SOL-11.1-010130 | CCI-000174 | MEDIUM | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack. |
| SV-60671r1_rule | SOL-11.1-010140 | CCI-000130 | MEDIUM | Audit records must include what type of events occurred. | Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. |
| SV-60673r1_rule | SOL-11.1-010150 | CCI-000131 | MEDIUM | Audit records must include when (date and time) the events occurred. | Without accurate time stamps, malicious activity cannot be accurately tracked. |
| SV-60675r1_rule | SOL-11.1-010160 | CCI-000132 | MEDIUM | Audit records must include where the events occurred. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack. |
| SV-60677r1_rule | SOL-11.1-010170 | CCI-000133 | MEDIUM | Audit records must include the sources of the events that occurred. | Without accurate source information, malicious activity cannot be accurately tracked. |
| SV-60679r1_rule | SOL-11.1-010180 | CCI-000134 | MEDIUM | Audit records must include the outcome (success or failure) of the events that occurred. | Tracking both the successful and unsuccessful attempts aids in identifying threats to the system. |
| SV-60709r1_rule | SOL-11.1-010370 | CCI-000143 | MEDIUM | The audit system must alert the SA when the audit storage volume approaches its capacity. | Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected. |
| SV-60717r1_rule | SOL-11.1-010380 | CCI-000144 | HIGH | The audit system must alert the System Administrator (SA) if there is any type of audit failure. | Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues. |
| SV-60719r1_rule | SOL-11.1-010390 | CCI-000139 | HIGH | The operating system must alert designated organizational officials in the event of an audit processing failure. | Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues. |
| SV-60765r1_rule | SOL-11.1-020090 | CCI-000366 | LOW | The finger daemon package must not be installed. | Finger is an insecure protocol. |
| SV-60767r3_rule | SOL-11.1-100020 | CCI-000366 | LOW | The limitpriv zone option must be set to the vendor default or less permissive. | Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone. |
| SV-60769r1_rule | SOL-11.1-100010 | CCI-000366 | LOW | The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions. | Incorrect ownership can result in unauthorized changes or theft of data. |
| SV-60773r1_rule | SOL-11.1-020100 | CCI-000366 | MEDIUM | The legacy remote network access utilities daemons must not be installed. | Legacy remote access utilities allow remote control of a system without proper authentication. |
| SV-60777r1_rule | SOL-11.1-020110 | CCI-000366 | HIGH | The NIS package must not be installed. | NIS is an insecure protocol. |
| SV-60781r1_rule | SOL-11.1-020120 | CCI-000366 | LOW | The pidgin IM client package must not be installed. | Instant messaging is an insecure protocol. |
| SV-60783r1_rule | SOL-11.1-020130 | CCI-000366 | HIGH | The FTP daemon must not be installed unless required. | FTP is an insecure protocol. |
| SV-60785r2_rule | SOL-11.1-020140 | CCI-000366 | HIGH | The TFTP service daemon must not be installed unless required. | TFTP is an insecure protocol. |
| SV-60787r2_rule | SOL-11.1-020150 | CCI-000366 | HIGH | The telnet service daemon must not be installed unless required. | Telnet is an insecure protocol. |
| SV-60789r2_rule | SOL-11.1-020160 | CCI-000366 | LOW | The UUCP service daemon must not be installed unless required. | UUCP is an insecure protocol. |
| SV-60793r1_rule | SOL-11.1-020180 | CCI-000366 | MEDIUM | The VNC server package must not be installed unless required. | The VNC service uses weak authentication capabilities and provides the user complete graphical system access. |
| SV-60811r1_rule | SOL-11.1-030060 | CCI-000087 | MEDIUM | The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Auto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance. |
| SV-60829r1_rule | SOL-11.1-040040 | CCI-000205 | MEDIUM | User passwords must be at least 15 characters in length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
| SV-60833r1_rule | SOL-11.1-040050 | CCI-000200 | MEDIUM | Users must not reuse the last 5 passwords. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the operating system allows the user to consecutively reuse their password when the password has exceeded its defined lifetime, the end result is a password that is not changed, per policy requirements. |
| SV-60839r2_rule | SOL-11.1-040060 | CCI-000195 | MEDIUM | The system must require at least eight characters to be changed between the old and new passwords during a password change. | To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password. |
| SV-60843r1_rule | SOL-11.1-040070 | CCI-000192 | MEDIUM | The system must require passwords to contain at least one uppercase alphabetic character. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| SV-60853r1_rule | SOL-11.1-040080 | CCI-000193 | MEDIUM | The operating system must enforce password complexity requiring that at least one lowercase character is used. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| SV-60861r1_rule | SOL-11.1-040090 | CCI-000194 | MEDIUM | The system must require passwords to contain at least one numeric character. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| SV-60863r1_rule | SOL-11.1-040100 | CCI-001619 | MEDIUM | The system must require passwords to contain at least one special character. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| SV-60865r1_rule | SOL-11.1-040110 | CCI-000366 | LOW | The system must require passwords to contain no more than three consecutive repeating characters. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| SV-60869r1_rule | SOL-11.1-080150 | CCI-000553 | MEDIUM | The operating system must implement transaction recovery for transaction-based systems. | Recovery and reconstitution constitute executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. While this is typically a database function, operating systems could be transactional in nature with respect to file processing. |
| SV-60871r1_rule | SOL-11.1-040120 | CCI-000366 | MEDIUM | The system must not have accounts configured with blank or null passwords. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| SV-60899r1_rule | SOL-11.1-080010 | CCI-000366 | HIGH | The operating system must be a supported release. | An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. |
| SV-60905r2_rule | SOL-11.1-070240 | CCI-001314 | LOW | The operating system must reveal error messages only to authorized personnel. | Proper file permissions and ownership ensure that only designated personnel in the organization can access error messages. |
| SV-60907r1_rule | SOL-11.1-070220 | CCI-000366 | MEDIUM | The root account must be the only account with a GID of 0. | All accounts with a GID of 0 have root group privileges, so GID 0 must be limited to the root account only. |
| SV-60915r1_rule | SOL-11.1-040160 | CCI-000366 | MEDIUM | The delay between login prompts following a failed login attempt must be at least 4 seconds. | An immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user. |
| SV-60917r4_rule | SOL-11.1-040170 | CCI-000056 | MEDIUM | The system must require users to re-authenticate to unlock a graphical desktop environment. | Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system. |
| SV-60919r2_rule | SOL-11.1-040180 | CCI-000057 | MEDIUM | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity. | Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system. |
| SV-60925r1_rule | SOL-11.1-040190 | CCI-000366 | MEDIUM | The system must prevent the use of dictionary words for passwords. | The use of common words in passwords simplifies password-cracking attacks. |
| SV-60927r2_rule | SOL-11.1-040200 | CCI-000345 | MEDIUM | The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools. | Allowing any user to elevate their privileges can allow them excessive control of the system tools. |
| SV-60929r2_rule | SOL-11.1-040230 | CCI-000770 | MEDIUM | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | Allowing any user to elevate their privileges can allow them excessive control of the system tools. |
| SV-60933r2_rule | SOL-11.1-040250 | CCI-000366 | MEDIUM | The default umask for system and users must be 077. | Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. |
| SV-60937r1_rule | SOL-11.1-070170 | CCI-000366 | MEDIUM | The system must not allow users to configure .forward files. | Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions. |
| SV-60939r2_rule | SOL-11.1-070160 | CCI-000366 | MEDIUM | User .netrc files must not exist. | The .netrc file presents a significant security risk since it stores passwords in unencrypted form. |
| SV-60943r1_rule | SOL-11.1-040260 | CCI-000366 | LOW | The default umask for FTP users must be 077. | Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. |
| SV-60949r5_rule | SOL-11.1-070130 | CCI-000366 | MEDIUM | Reserved UIDs 0-99 must only be used by system accounts. | If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID. |
| SV-60959r1_rule | SOL-11.1-040310 | CCI-000366 | MEDIUM | Login services for serial ports must be disabled. | Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port. |
| SV-60961r1_rule | SOL-11.1-040320 | CCI-000366 | MEDIUM | The nobody access for the RPC encryption key storage service must be disabled. | If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user. |
| SV-60965r1_rule | SOL-11.1-040330 | CCI-000366 | MEDIUM | X11 forwarding for SSH must be disabled. | Enabling X11 forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs. |
| SV-60971r1_rule | SOL-11.1-040340 | CCI-000366 | LOW | Consecutive login attempts for SSH must be limited to 3. | Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks. |
| SV-60973r1_rule | SOL-11.1-040350 | CCI-000366 | MEDIUM | The rhost-based authentication for SSH must be disabled. | Setting this parameter forces users to enter a password when authenticating with SSH. |
| SV-60975r1_rule | SOL-11.1-040360 | CCI-000366 | MEDIUM | Direct root account login must not be permitted for SSH access. | The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user. |
| SV-60979r2_rule | SOL-11.1-040370 | CCI-000366 | HIGH | Login must not be permitted with empty/null passwords for SSH. | Permitting login without a password is inherently risky. |
| SV-60981r1_rule | SOL-11.1-070070 | CCI-000366 | LOW | Users must have a valid home directory assignment. | All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. |
| SV-60983r2_rule | SOL-11.1-040380 | CCI-001133 | LOW | The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity. | This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses. |
| SV-60985r4_rule | SOL-11.1-040390 | CCI-000366 | MEDIUM | Host-based authentication for login-based services must be disabled. | The .rhosts authentication mechanism is insecure and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. |
| SV-60987r1_rule | SOL-11.1-070060 | CCI-000366 | MEDIUM | Groups assigned to users must exist in the /etc/group file. | Groups defined in the passwd file but not in the group file pose a threat to system security since group permissions are not properly managed. |
| SV-60989r1_rule | SOL-11.1-040400 | CCI-000366 | MEDIUM | The use of FTP must be restricted. | FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default "system" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system, such as user "oracle" and the account under which the web server process runs. |
| SV-60991r1_rule | SOL-11.1-070050 | CCI-000366 | HIGH | There must be no user .rhosts files. | Even though .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems. |
| SV-60993r1_rule | SOL-11.1-040410 | CCI-000366 | HIGH | The system must not allow autologin capabilities from the GNOME desktop. | As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf. |
| SV-60995r1_rule | SOL-11.1-070040 | CCI-000366 | MEDIUM | Permissions on user .netrc files must be 750 or less permissive. | .netrc files may contain unencrypted passwords that can be used to attack other systems. |
| SV-60999r1_rule | SOL-11.1-040430 | CCI-000366 | MEDIUM | Logins to the root account must be restricted to the system console only. | Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems. |
| SV-61003r1_rule | SOL-11.1-040450 | CCI-000052 | LOW | The operating system, upon successful logon, must display to the user the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. |
| SV-61005r1_rule | SOL-11.1-070020 | CCI-000366 | MEDIUM | Permissions on user home directories must be 750 or less permissive. | Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. |
| SV-61011r2_rule | SOL-11.1-040470 | CCI-000060 | MEDIUM | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed. |
| SV-61015r1_rule | SOL-11.1-040480 | CCI-000366 | HIGH | The operating system must not allow logins for users with blank passwords. | If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user. |
| SV-61067r1_rule | SOL-11.1-050460 | CCI-000879 | MEDIUM | The operating system must terminate all sessions and network connections when non-local maintenance is completed. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The operating system needs to ensure all sessions and network connections are terminated when non-local maintenance is completed. |
| SV-61071r1_rule | SOL-11.1-050430 | CCI-000048 | LOW | The FTP service must display the DoD approved system use notification message or banner before granting access to the system. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate. |
| SV-61075r1_rule | SOL-11.1-050410 | CCI-000048 | LOW | The GNOME service must display the DoD approved system use notification message or banner before granting access to the system. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate. |
| SV-61077r1_rule | SOL-11.1-050390 | CCI-000048 | LOW | The operating system must display the DoD approved system use notification message or banner for SSH connections. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate. |
| SV-61081r1_rule | SOL-11.1-050380 | CCI-000048 | LOW | The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate. |
| SV-61115r4_rule | SOL-11.1-040130 | CCI-000196 | MEDIUM | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. | Cryptographic hashes provide quick password authentication while not actually storing the password. |
| SV-61117r1_rule | SOL-11.1-040140 | CCI-000044 | MEDIUM | The system must disable accounts after three consecutive unsuccessful login attempts. | Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks. |
| SV-62559r2_rule | SOL-11.1-120410 | CCI-000085 | MEDIUM | The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized. |
| SV-74257r1_rule | SOL-11.1-020300 | CCI-000366 | MEDIUM | All run control scripts must have mode 0755 or less permissive. | If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into them. |
| SV-74261r3_rule | SOL-11.1-020320 | CCI-000366 | MEDIUM | Run control script executable search paths must contain only authorized paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths. |
| SV-74269r1_rule | SOL-11.1-020360 | CCI-000366 | MEDIUM | All system start-up files must be owned by root. | System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise. |
| SV-74271r1_rule | SOL-11.1-020370 | CCI-000366 | MEDIUM | All system start-up files must be group-owned by root, sys, or bin. | If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders. |
| SV-75473r2_rule | SOL-11.1-020510 | CCI-000225 | MEDIUM | All .Xauthority files must have mode 0600 or less permissive. | .Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained. |