Solaris 11 SPARC Security Technical Implementation Guide

V1R22 · Released 24 Jul 2020 · 234 rules

Developed by Oracle in coordination with DISA for the DoD. The Solaris 11 (SPARC) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R21 · 24 Apr 2020

Comparison against the immediately-prior release (V1R21). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes (5):

  • V-47827 (Low; description, check and fix changed): The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
  • V-48077 (Medium; check changed): Reserved UIDs 0-99 must only be used by system accounts.
  • V-48089 (Medium; check and fix changed): The nobody access for RPC encryption key storage service must be disabled.
  • V-48099 (Low; check changed): Consecutive login attempts for SSH must be limited to 3.
  • V-48125 (Medium; check and fix changed): Unauthorized use of the at or cron capabilities must not be permitted.
The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
AU-3 - Medium - CCI-001487 - V-47781 - SV-60657r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
SOL-11.1-010040
Vuln IDs
  • V-47781
Rule IDs
  • SV-60657r1_rule
Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked.
Checks: C-50237r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51401r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The audit system must support an audit reduction capability.
AU-7 - Medium - CCI-000156 - V-47783 - SV-60659r1_rule
RMF Control
AU-7
Severity
M
CCI
CCI-000156
Version
SOL-11.1-010060
Vuln IDs
  • V-47783
Rule IDs
  • SV-60659r1_rule
Using the audit system will utilize the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack.
Checks: C-50239r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51403r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The audit system records must be able to be used by a report generation capability.
AU-7 - Medium - CCI-000157 - V-47785 - SV-60661r1_rule
RMF Control
AU-7
Severity
M
CCI
CCI-000157
Version
SOL-11.1-010070
Vuln IDs
  • V-47785
Rule IDs
  • SV-60661r1_rule
Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack.
Checks: C-50241r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51405r2_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
AU-7 - Medium - CCI-000158 - V-47787 - SV-60663r1_rule
RMF Control
AU-7
Severity
M
CCI
CCI-000158
Version
SOL-11.1-010080
Vuln IDs
  • V-47787
Rule IDs
  • SV-60663r1_rule
Without an audit reporting capability, users find it difficult to identify specific patterns of attack.
Checks: C-50243r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51407r2_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
AU-12 - Medium - CCI-000169 - V-47789 - SV-60665r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
SOL-11.1-010100
Vuln IDs
  • V-47789
Rule IDs
  • SV-60665r1_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
Checks: C-50245r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51409r2_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.
AU-12 - Medium - CCI-000172 - V-47791 - SV-60667r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SOL-11.1-010120
Vuln IDs
  • V-47791
Rule IDs
  • SV-60667r1_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
Checks: C-50247r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51411r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
AU-12 - Medium - CCI-000174 - V-47793 - SV-60669r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000174
Version
SOL-11.1-010130
Vuln IDs
  • V-47793
Rule IDs
  • SV-60669r1_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
Checks: C-50249r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51413r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

Audit records must include what type of events occurred.
AU-3 - Medium - CCI-000130 - V-47795 - SV-60671r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SOL-11.1-010140
Vuln IDs
  • V-47795
Rule IDs
  • SV-60671r1_rule
Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50251r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51415r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

Audit records must include when (date and time) the events occurred.
AU-3 - Medium - CCI-000131 - V-47797 - SV-60673r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
SOL-11.1-010150
Vuln IDs
  • V-47797
Rule IDs
  • SV-60673r1_rule
Without accurate time stamps malicious activity cannot be accurately tracked.
Checks: C-50253r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51417r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

Audit records must include where the events occurred.
AU-3 - Medium - CCI-000132 - V-47799 - SV-60675r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
SOL-11.1-010160
Vuln IDs
  • V-47799
Rule IDs
  • SV-60675r1_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
Checks: C-50255r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51419r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

Audit records must include the sources of the events that occurred.
AU-3 - Medium - CCI-000133 - V-47801 - SV-60677r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
SOL-11.1-010170
Vuln IDs
  • V-47801
Rule IDs
  • SV-60677r1_rule
Without accurate source information malicious activity cannot be accurately tracked.
Checks: C-50257r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51421r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

Audit records must include the outcome (success or failure) of the events that occurred.
AU-3 - Medium - CCI-000134 - V-47803 - SV-60679r1_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
SOL-11.1-010180
Vuln IDs
  • V-47803
Rule IDs
  • SV-60679r1_rule
Tracking both the successful and unsuccessful attempts aids in identifying threats to the system.
Checks: C-50259r1_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.
# pfexec auditconfig -getcond
If this command does not report:
audit condition = auditing
this is a finding.

Fix: F-51423r1_fix

The Audit Control profile is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

If auditing has been disabled, it must be enabled with the following command:
# pfexec audit -s

The audit system must be configured to audit file deletions.
CM-6 - Medium - CCI-000366 - V-47805 - SV-60681r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-010220
Vuln IDs
  • V-47805
Rule IDs
  • SV-60681r2_rule
Without auditing, malicious activity cannot be detected.
Checks: C-50261r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "fd" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "fd" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51425r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The audit system must be configured to audit account creation.
AC-2 - Medium - CCI-000018 - V-47807 - SV-60683r2_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SOL-11.1-010230
Vuln IDs
  • V-47807
Rule IDs
  • SV-60683r2_rule
Without auditing, malicious activity cannot be detected.
Checks: C-50263r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "ps" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51427r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The audit system must be configured to audit account modification.
AC-2 - Medium - CCI-001403 - V-47809 - SV-60685r2_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001403
Version
SOL-11.1-010250
Vuln IDs
  • V-47809
Rule IDs
  • SV-60685r2_rule
Without auditing, malicious activity cannot be detected.
Checks: C-50265r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "ps" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51429r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The operating system must automatically audit account disabling actions.
AC-2 - Medium - CCI-001404 - V-47811 - SV-60687r2_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001404
Version
SOL-11.1-010260
Vuln IDs
  • V-47811
Rule IDs
  • SV-60687r2_rule
Without auditing, malicious activity cannot be detected.
Checks: C-50267r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "ps" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51431r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The operating system must automatically audit account termination.
AC-2 - Medium - CCI-001405 - V-47813 - SV-60689r2_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001405
Version
SOL-11.1-010270
Vuln IDs
  • V-47813
Rule IDs
  • SV-60689r2_rule
Without auditing, malicious activity cannot be detected.
Checks: C-50269r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "ps" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51433r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
CM-6 - Medium - CCI-001589 - V-47815 - SV-60691r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-001589
Version
SOL-11.1-010290
Vuln IDs
  • V-47815
Rule IDs
  • SV-60691r2_rule
Without auditing, malicious activity cannot be detected.
Checks: C-50271r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "as" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51435r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The audit system must be configured to audit all administrative, privileged, and security actions.
AC-6 - Medium - CCI-000040 - V-47817 - SV-60693r2_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SOL-11.1-010300
Vuln IDs
  • V-47817
Rule IDs
  • SV-60693r2_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50273r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "as" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51437r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The audit system must be configured to audit login, logout, and session initiation.
AC-17 - Low - CCI-000067 - V-47819 - SV-60695r2_rule
RMF Control
AC-17
Severity
L
CCI
CCI-000067
Version
SOL-11.1-010310
Vuln IDs
  • V-47819
Rule IDs
  • SV-60695r2_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50275r2_chk

The Audit Configuration profile is required. Check that the audit flag for auditing login and logout is enabled. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "lo" audit flag is not included in output, this is a finding.
# pfexec auditconfig -getnaflags | grep active | cut -f2 -d=
If "na" and "lo" audit flags are not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "cusa" audit flag is not included in output, this is a finding.
# pfexec auditconfig -t -getnaflags | cut -f2 -d=
If "na" and "lo" audit flags are not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51439r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm
# pfexec auditconfig -setnaflags lo,na

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm
# pfexec auditconfig -setnaflags lo,na

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The audit system must be configured to audit all discretionary access control permission modifications.
CM-6 - Medium - CCI-001589 - V-47821 - SV-60697r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-001589
Version
SOL-11.1-010320
Vuln IDs
  • V-47821
Rule IDs
  • SV-60697r2_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50277r2_chk

The Audit Configuration profile is required. Check that the audit flag for auditing file access is enabled. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "fm" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If "fm" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51441r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm

For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm

Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv

These changes will not affect users that are currently logged in.

The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
CM-6 - Medium - CCI-001589 - V-47823 - SV-60699r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-001589
Version
SOL-11.1-010330
Vuln IDs
  • V-47823
Rule IDs
  • SV-60699r2_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50279r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If the "as" audit flag is not included in the output, this is a finding.
For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If the "cusa" audit flag is not included in the output, this is a finding.
Determine if the auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51443r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm
For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm
Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv
These changes will not affect users that are currently logged in.

The audit system must be configured to audit failed attempts to access files and programs.
CM-6 - Low - CCI-000366 - V-47825 - SV-60701r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-010340
Vuln IDs
  • V-47825
Rule IDs
  • SV-60701r2_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50281r2_chk

The Audit Configuration profile is required. Check that the audit flag for auditing file access is enabled. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If the "-fa" and "-ps" audit flags are not displayed, this is a finding.
For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=
If the "-fa", "-ex", and "-ps" audit flags are not displayed, this is a finding.
Determine if the auditing policy is set to collect command line arguments.
# pfexec auditconfig -getpolicy | grep active | grep argv
If the active audit policies line does not appear, this is a finding.

Fix: F-51445r2_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm
For Solaris 11.4 or newer:
# pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm
Enable the audit policy to collect command line arguments.
# pfexec auditconfig -setpolicy +argv
These changes will not affect users that are currently logged in.
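An added shell example, not part of the STIG, that applies the decision logic of the three audit-flag checks above (V-47821, V-47823 and V-47825) to the strings their auditconfig commands print, so the logic can be exercised offline. The sample flag strings are constructed; the assumption that auditconfig -getflags may append a parenthesised class mask is mine, and meta-class expansion (cusa standing in for as) is deliberately not modelled, so the function looks for the literal flag tokens the rule text names.

```bash
#!/bin/bash
# Added example, not from the STIG. Evaluates an active audit flag string and an
# argv policy line against the flags the three rules above require.
# The flag string mirrors what these page commands print:
#   auditconfig -getflags | grep active | cut -f2 -d=     (Solaris 11.0 - 11.3)
#   auditconfig -t -getflags | cut -f2 -d=                (Solaris 11.4 or newer)
# Assumption: a trailing "(0x...,0x...)" class mask may follow the flag list; it
# is stripped. Meta-class expansion (e.g. cusa) is NOT modelled: the function
# looks for the literal flag tokens the rule text names.

# Print one flag token per line from a raw flag string.
audit_flags_split() {
    printf '%s\n' "$1" | sed -e 's/(.*//' -e 's/[[:space:]]//g' | tr ',' '\n' | sed '/^$/d'
}

# audit_required_flags VERSION  -> the flag set the three rules require
#   VERSION is the "uname -v" string, e.g. 11.3 or 11.4.0.15.0
audit_required_flags() {
    local minor=${1#11.}
    minor=${minor%%.*}
    [ "$minor" = "$1" ] && minor=0          # plain "11" has no minor version
    if [ "$minor" -ge 4 ]; then
        # V-47821: fm   V-47823: cusa   V-47825: -fa -ex -ps
        echo "fm cusa -fa -ex -ps"
    else
        # V-47821: fm   V-47823: as     V-47825: -fa -ps
        echo "fm as -fa -ps"
    fi
}

# audit_flags_findings VERSION FLAGSTRING POLICYLINE
#   POLICYLINE is the output of: auditconfig -getpolicy | grep active | grep argv
# Prints one finding per line; prints nothing when all three rules are met.
audit_flags_findings() {
    local version=$1 flags=$2 policy=$3 present f
    present=$(audit_flags_split "$flags")
    for f in $(audit_required_flags "$version"); do
        if ! printf '%s\n' "$present" | grep -qx -- "$f"; then
            echo "finding: audit flag $f is not active"
        fi
    done
    # All three checks also require the argv policy line to be present.
    [ -n "$policy" ] || echo "finding: argv audit policy is not active"
}

# Constructed sample run (on a real host, feed the command outputs instead):
audit_flags_findings "11.4.0.15.0" " cusa,-fa,-ex,-ps,fd,fm(0x4000,0x4000)" "active audit policies = argv"
```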

The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
AU-10 - Low - CCI-000166 - V-47827 - SV-60703r3_rule
RMF Control
AU-10
Severity
L
CCI
CCI-000166
Version
SOL-11.1-010350
Vuln IDs
  • V-47827
Rule IDs
  • SV-60703r3_rule
Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood of an individual being able to deny performing an action.
Solaris has supported rsyslog since version 11.1, and the differences between syslog and rsyslog are numerous. Solaris 11.4 installs rsyslog by default, but previous versions require a manual installation. When establishing an rsyslog server to forward to, it is important to consider the network requirements for this action.
Note the following configuration options. There are three ways to forward messages: the traditional UDP transport, which is extremely lossy but standard; the plain TCP-based transport, which loses messages only in certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of rsyslogd 3.15.0 and above.
Examples of each configuration:
UDP: *.* @remotesystemname
TCP: *.* @@remotesystemname
RELP: *.* :omrelp:remotesystemname:2514
Please note that a port number was given because there is no standard port for RELP.
Checks: C-50283r3_chk

The Audit Configuration rights profile is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the syslog audit plugin is enabled.
# pfexec auditconfig -getplugin | grep audit_syslog
If "inactive" appears, this is a finding.
Determine which system-log service instance is online.
# pfexec svcs system-log
Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:
# grep audit.notice /etc/syslog.conf
or
# grep @@ /etc/rsyslog.conf
If "audit.notice @remotesystemname" or "audit.notice !remotesystemname" (syslog configuration), or "*.* @@remotesystemname" (rsyslog configuration), points to an invalid remote system or is commented out, this is a finding.
If no output is produced, this is a finding.
Check the remote syslog host to ensure that audit records can be found for this host.

Fix: F-51447r4_fix

The Service Management, Audit Configuration and Audit Control rights profiles are required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Configure Solaris 11 to use the syslog audit plugin.
# pfexec auditconfig -setplugin audit_syslog active
Determine which system-log service instance is online.
# pfexec svcs system-log
If the default system-log service is online:
# pfedit /etc/syslog.conf
Add the line:
audit.notice @[remotesystemname]
or
audit.notice ![remotesystemname]
replacing the remote system name with the correct hostname.
If the rsyslog service is online, modify the /etc/rsyslog.conf file.
# pfedit /etc/rsyslog.conf
Add the line:
*.* @@[remotesystemname]
or
*.* :omrelp:[remotesystemname]:[designatedportnumber]
replacing the remote system name with the correct hostname.
Create the log file on the remote system.
# touch /var/adm/auditlog
Refresh the syslog service.
# pfexec svcadm refresh system/system-log:default
or
# pfexec svcadm refresh system/system-log:rsyslog
Refresh the audit service.
# pfexec audit -s
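An added example, not part of the STIG, showing the parsing behind the check above: it extracts the remote target from the forwarding lines the rule accepts in /etc/syslog.conf (audit.notice with @host or !host) or /etc/rsyslog.conf (*.* with @@host or :omrelp:host:port), ignoring commented-out lines. The configuration text is constructed; whether a target is a valid, reachable remote system still has to be confirmed on the host and on the remote syslog server.

```bash
#!/bin/bash
# Added example, not from the STIG. Finds the active audit-forwarding lines the
# rule above accepts and prints their remote targets, one per line.
# audit_forward_targets TYPE CONF
#   TYPE  "syslog"  -> selector audit.notice, action @host or !host
#         "rsyslog" -> selector *.*, action @@host (TCP) or :omrelp:host:port (RELP)
#   CONF  the file text; on a host pass "$(cat /etc/syslog.conf)" or the rsyslog file
# Comments are stripped first, so a commented-out line is not counted as active.
audit_forward_targets() {
    local type=$1 conf=$2 sel action
    printf '%s\n' "$conf" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    while read -r sel action _; do        # read splits on blanks and tabs, no globbing
        case $type:$sel:$action in
            syslog:audit.notice:@?*|syslog:audit.notice:!?*)
                printf '%s\n' "${action#[@!]}" ;;
            rsyslog:'*.*':@@?*)
                printf '%s\n' "${action#@@}" ;;
            rsyslog:'*.*':':omrelp:'?*)
                printf '%s\n' "${action#:omrelp:}" ;;
        esac
    done
}

# audit_forward_findings TYPE CONF -> "finding: ..." when no active line exists,
# otherwise one "ok: <target>" line per active forwarding line.
audit_forward_findings() {
    local targets
    targets=$(audit_forward_targets "$1" "$2")
    if [ -z "$targets" ]; then
        echo "finding: no active audit forwarding line in $1 configuration"
    else
        printf '%s\n' "$targets" | sed 's/^/ok: /'
    fi
}

# Constructed sample: the disabled line must not count, the second one does.
audit_forward_findings syslog '#audit.notice @old.example.mil
audit.notice @loghost.example.mil'
```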

The auditing system must not define a different auditing level for specific users.
CM-6 - Low - CCI-000366 - V-47831 - SV-60705r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-010360
Vuln IDs
  • V-47831
Rule IDs
  • SV-60705r1_rule
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Checks: C-50285r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
For each user on the system (not including root), check to see if special auditing flag configurations are set.
# userattr audit_flags [username]
If any flags are returned, this is a finding.

Fix: F-51449r1_fix

The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
For each user on the system, remove all special audit configuration flags.
# usermod -K audit_flags= [username]

The audit system must alert the SA when the audit storage volume approaches its capacity.
AU-5 - Medium - CCI-000143 - V-47835 - SV-60709r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000143
Version
SOL-11.1-010370
Vuln IDs
  • V-47835
Rule IDs
  • SV-60709r1_rule
Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected.
Checks: C-50289r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
The root role is required.
Verify the presence of an audit_warn entry in /etc/mail/aliases.
# /usr/lib/sendmail -bv audit_warn
If the response is:
audit_warn... User unknown
this is a finding.
Review the output of the command and verify that the audit_warn alias notifies the appropriate users in this form:
audit_warn:user1,user2
If an appropriate user is not listed, this is a finding.

Fix: F-51453r1_fix

The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).
# pfedit /etc/mail/aliases
Insert a line in the form:
audit_warn:user1,user2
Put the updated aliases file into service.
# newaliases

The audit system must maintain a central audit trail for all zones.
CM-6 - Low - CCI-000366 - V-47837 - SV-60711r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-100050
Vuln IDs
  • V-47837
Rule IDs
  • SV-60711r1_rule
Centralized auditing simplifies the investigative process to determine the cause of a security event.
Checks: C-50293r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
List the non-global zones on the system.
# zoneadm list -vi | grep -v global
The Audit Configuration profile is required.
Determine whether the "perzone" auditing policy is in effect.
# pfexec auditconfig -getpolicy | grep active | grep perzone
If output is returned, this is a finding.

Fix: F-51455r1_fix

This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
List the non-global zones on the system.
# zoneadm list -vi | grep -v global
The Audit Configuration profile is required.
Disable the "perzone" auditing policy.
# pfexec auditconfig -setpolicy -perzone

The audit system must identify in which zone an event occurred.
CM-6 - Low - CCI-000366 - V-47839 - SV-60713r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-100040
Vuln IDs
  • V-47839
Rule IDs
  • SV-60713r1_rule
Tracking the specific Solaris zones in the audit trail reduces the time required to determine the cause of a security event.
Checks: C-50295r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
List the non-global zones on the system.
# zoneadm list -vi | grep -v global
The Audit Configuration profile is required.
Determine whether the "zonename" auditing policy is in effect.
# pfexec auditconfig -getpolicy | grep active | grep zonename
If no output is returned, this is a finding.

Fix: F-51457r1_fix

This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
List the non-global zones on the system.
# zoneadm list -vi | grep -v global
The Audit Configuration profile is required.
Enable the "zonename" auditing policy.
# pfexec auditconfig -setpolicy +zonename

The system's physical devices must not be assigned to non-global zones.
CM-6 - Medium - CCI-000366 - V-47841 - SV-60715r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-100030
Vuln IDs
  • V-47841
Rule IDs
  • SV-60715r1_rule
Solaris non-global zones can be assigned physical hardware devices. This increases the risk of such a non-global zone having the capability to compromise the global zone.
Checks: C-50297r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
List the non-global zones on the system.
# zoneadm list -vi | grep -v global
List the configuration for each zone.
# zonecfg -z [zonename] info | grep dev
Check for device lines. If such a line exists and is not approved by security, this is a finding.

Fix: F-51459r1_fix

This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
The Zone Security profile is required.
Remove all device assignments from the non-global zone.
# pfexec zonecfg -z [zone] delete device [device]

The audit system must alert the System Administrator (SA) if there is any type of audit failure.
AU-5 - High - CCI-000144 - V-47843 - SV-60717r1_rule
RMF Control
AU-5
Severity
H
CCI
CCI-000144
Version
SOL-11.1-010380
Vuln IDs
  • V-47843
Rule IDs
  • SV-60717r1_rule
Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues.
Checks: C-50299r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
The root role is required.
Verify the presence of an audit_warn entry in /etc/mail/aliases.
# /usr/lib/sendmail -bv audit_warn
If the response is:
audit_warn... User unknown
this is a finding.
Review the output of the command and verify that the audit_warn alias notifies the appropriate users in this form:
audit_warn:user1,user2
If an appropriate user is not listed, this is a finding.

Fix: F-51461r1_fix

The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).
# pfedit /etc/mail/aliases
Insert a line in the form:
audit_warn:user1,user2
Put the updated aliases file into service.
# newaliases

The operating system must alert designated organizational officials in the event of an audit processing failure.
AU-5 - High - CCI-000139 - V-47845 - SV-60719r1_rule
RMF Control
AU-5
Severity
H
CCI
CCI-000139
Version
SOL-11.1-010390
Vuln IDs
  • V-47845
Rule IDs
  • SV-60719r1_rule
Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues.
Checks: C-50301r1_chk

This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
The root role is required.
Verify the presence of an audit_warn entry in /etc/mail/aliases.
# /usr/lib/sendmail -bv audit_warn
If the response is:
audit_warn... User unknown
this is a finding.
Review the output of the command and verify that the audit_warn alias notifies the appropriate users in this form:
audit_warn:user1,user2
If an appropriate user is not listed, this is a finding.

Fix: F-51463r1_fix

The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).
# pfedit /etc/mail/aliases
Insert a line in the form:
audit_warn:user1,user2
Put the updated aliases file into service.
# newaliases

The operating system must allocate audit record storage capacity.
AU-4 - Medium - CCI-000137 - V-47857 - SV-60731r2_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000137
Version
SOL-11.1-010400
Vuln IDs
  • V-47857
Rule IDs
  • SV-60731r2_rule
Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.
Checks: C-50305r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Review the current audit file space limitations.
# pfexec auditconfig -getplugin audit_binfile
The output of the command will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2
If p_minfree is not equal to "2" or greater, this is a finding.
p_dir defines the current audit file system.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Check that ZFS compression is enabled for the audit file system.
# zfs get compression [poolname/filesystemname]
If compression is off, this is a finding.
Check that a ZFS quota is enforced for the audit file system.
# zfs get quota [poolname/filesystemname]
If quota is set to "none", this is a finding.
Ensure that a reservation of space is enforced on /var/share so that other users do not use up audit space.
# zfs get quota,reservation [poolname/filesystemname]
If reservation is set to "none", this is a finding.

Fix: F-51473r1_fix

The Audit Configuration, Audit Control and ZFS File System Management profiles are required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the audit system directory name:
# pfexec auditconfig -getplugin audit_binfile
The output of the command will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;
p_dir defines the current audit file system.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Set a minimum percentage of free space on the audit_binfile plugin to 2%.
# pfexec auditconfig -setplugin audit_binfile p_minfree=2
Restart the audit system.
# pfexec audit -s
Enable compression for the audit file system.
# pfexec zfs set compression=on [poolname/filesystemname]
Set a ZFS quota on the default /var/share file system for audit records to ensure that the root pool is not filled up with audit logs.
# pfexec zfs set quota=XXG [poolname/filesystemname]
This command sets the quota to XX Gigabytes. This value should be based upon organizational requirements.
Set a ZFS reservation on the default /var/share file system for audit records to ensure that the audit file system is guaranteed a fixed amount of storage.
# pfexec zfs set reservation=XXG [poolname/filesystemname]
This command sets the reservation to XX Gigabytes. This value should be based upon organizational requirements.
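An added example, not part of the STIG, that applies the four storage checks above (p_minfree, compression, quota, reservation) to the text that auditconfig -getplugin audit_binfile and zfs get print, so the pass/fail logic of this rule can be run offline. Both inputs in the sample are constructed to match the output form the rule quotes; the zfs get column layout (NAME PROPERTY VALUE SOURCE) is the standard one.

```bash
#!/bin/bash
# Added example, not from the STIG. Applies the storage checks of the rule above
# to the text that `auditconfig -getplugin audit_binfile` and
# `zfs get compression,quota,reservation <pool/fs>` print. Sample inputs are
# constructed to look like the output the rule quotes.

# binfile_attr TEXT NAME -> value of NAME from "p_dir=...;p_fsize=...;p_minfree=..."
# Works on the full plugin output or on the "Attributes:" line alone.
binfile_attr() {
    printf '%s\n' "$1" | tr ' \t;' '\n\n\n' | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# zfs_prop ZFSGET PROPERTY -> VALUE column of the matching `zfs get` row
zfs_prop() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $3 }'
}

# audit_storage_findings PLUGINTEXT ZFSGET
#   PLUGINTEXT the auditconfig -getplugin audit_binfile output
#   ZFSGET     the tabular `zfs get` output for the audit file system
# Prints one "finding: ..." line per failed check; nothing when compliant.
audit_storage_findings() {
    local plugin=$1 zfsget=$2 minfree
    # p_minfree must be 2 (percent) or greater
    minfree=$(binfile_attr "$plugin" p_minfree)
    if [ -z "$minfree" ] || [ "$minfree" -lt 2 ]; then
        echo "finding: p_minfree is '${minfree:-unset}', must be 2 or greater"
    fi
    # compression must be on; quota and reservation must not be "none"
    case $(zfs_prop "$zfsget" compression) in
        ''|off) echo "finding: compression is not enabled on the audit file system" ;;
    esac
    case $(zfs_prop "$zfsget" quota) in
        ''|none) echo "finding: no ZFS quota on the audit file system" ;;
    esac
    case $(zfs_prop "$zfsget" reservation) in
        ''|none) echo "finding: no ZFS reservation on the audit file system" ;;
    esac
}

# Constructed sample run (on a real host, feed the two command outputs instead):
audit_storage_findings 'Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;' 'NAME            PROPERTY     VALUE  SOURCE
rpool/VARSHARE  compression  off    default
rpool/VARSHARE  quota        none   default
rpool/VARSHARE  reservation  20G    local'
```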

The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
AU-5 - Medium - CCI-000140 - V-47863 - SV-60737r2_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
SOL-11.1-010420
Vuln IDs
  • V-47863
Rule IDs
  • SV-60737r2_rule
Continuing to operate a system without auditing working properly can result in undocumented access or system changes.
Checks: C-50309r2_chk

The Audit Configuration profile is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
# pfexec auditconfig -getpolicy | grep ahlt
If the output does not include "ahlt" as an active audit policy, this is a finding.
# pfexec auditconfig -getpolicy | grep active | grep cnt
If the output includes "cnt" as an active audit policy, this is a finding.

Fix: F-51481r3_fix

The Audit Configuration profile is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Set audit policy to halt and suspend on failure.
# pfexec auditconfig -setpolicy +ahlt
# pfexec auditconfig -setpolicy -cnt

The operating system must protect audit information from unauthorized read access.
AU-9 - Medium - CCI-000162 - V-47869 - SV-60741r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
SOL-11.1-010440
Vuln IDs
  • V-47869
Rule IDs
  • SV-60741r1_rule
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access.
Checks: C-50311r1_chk

The root role is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the directory storing the audit files is owned by root and has permissions 640 or less.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Determine the location of the audit trail files.
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit
Check that the audit directory is owned by root, the group is root, and the permissions are 640 (rw- r-- ---) or less.
If the permissions are excessive, this is a finding.

Fix: F-51485r1_fix

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the audit trail files.
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# chown root [directory]
# chgrp root [directory]
# chmod 640 [directory]

The operating system must protect audit information from unauthorized modification.
AU-9 - High - CCI-000163 - V-47875 - SV-60747r1_rule
RMF Control
AU-9
Severity
H
CCI
CCI-000163
Version
SOL-11.1-010450
Vuln IDs
  • V-47875
Rule IDs
  • SV-60747r1_rule
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access.
Checks: C-50313r1_chk

The root role is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the directory storing the audit files is owned by root and has permissions 640 or less.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Determine the location of the audit trail files.
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit
Check that the audit directory is owned by root, the group is root, and the permissions are 640 (rw- r-- ---) or less.
If the permissions are excessive, this is a finding.

Fix: F-51489r1_fix

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the audit trail files.
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# chown root [directory]
# chgrp root [directory]
# chmod 640 [directory]

The operating system must protect audit information from unauthorized deletion.
AU-9 - High - CCI-000164 - V-47879 - SV-60751r1_rule
RMF Control
AU-9
Severity
H
CCI
CCI-000164
Version
SOL-11.1-010460
Vuln IDs
  • V-47879
Rule IDs
  • SV-60751r1_rule
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access.
Checks: C-50315r2_chk

The root role is required. This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the directory storing the audit files is owned by root and has permissions 640 or less.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Determine the location of the audit trail files.
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit
Check that the audit directory is owned by root, the group is root, and the permissions are 640 (rw- r-- ---) or less.
If the permissions are excessive, this is a finding.

Fix: F-51491r2_fix

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
The root role is required. This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the audit trail files.
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# chown root [directory]
# chgrp root [directory]
# chmod 640 [directory]
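An added example, not part of the STIG, that evaluates one ls -ld line the way the three AU-9 checks above (V-47869, V-47875, V-47879) describe: owner root, group root, and no permission bit beyond 640 (rw-r-----). The "640 or less" test is implemented as a bit-by-bit subset comparison of the mode string, so setuid, setgid or sticky characters also count as excess; the ls lines in the sample are constructed.

```bash
#!/bin/bash
# Added example, not from the STIG. Checks one `ls -ld <audit directory>` line
# against the three AU-9 rules above: owner root, group root, and a mode no more
# permissive than 640 (rw-r-----). The sample lines are constructed.

# mode_within LS_MODE MAX_MODE -> 0 if every bit set in LS_MODE (the 9 rwx
# characters after the file-type character) is also set in MAX_MODE, else 1.
# Any non "-" character (r, w, x, s, S, t, T) counts as a set bit, so
# "drwxr-s---" is rejected against "rw-r-----".
mode_within() {
    local have=$1 want=$2 i=1 h w
    while [ "$i" -le 9 ]; do
        h=$(printf '%s' "$have" | cut -c "$((i + 1))")   # skip the file-type char
        w=$(printf '%s' "$want" | cut -c "$i")
        if [ "$h" != - ] && [ "$w" = - ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# audit_dir_findings LSLINE  (LSLINE is one line of `ls -ld` output)
# Prints one "finding: ..." line per failed check; nothing when compliant.
audit_dir_findings() {
    local mode owner group
    read -r mode _ owner group _ <<EOF
$1
EOF
    [ "$owner" = root ] || echo "finding: audit directory is owned by $owner, not root"
    [ "$group" = root ] || echo "finding: audit directory group is $group, not root"
    mode_within "$mode" "rw-r-----" ||
        echo "finding: audit directory mode ${mode#?} is more permissive than 640"
}

# Constructed sample run (on a real host: audit_dir_findings "$(ls -ld /var/share/audit)"):
audit_dir_findings "drwxr-xr-x   2 root     sys          512 Jul 24 10:00 /var/share/audit"
```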

The System packages must be up to date with the most recent vendor updates and security fixes.
CM-6 - Medium - CCI-000366 - V-47881 - SV-60753r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020010
Vuln IDs
  • V-47881
Rule IDs
  • SV-60753r2_rule
Failure to install security updates can provide openings for attack.
Checks: C-50317r1_chk

The Software Installation Profile is required. An up-to-date Solaris repository must be accessible to the system.
Enter the command:
# pkg publisher
to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured.
Check for Solaris software package updates:
# pfexec pkg update -n
If the command does not report "No updates available for this image," this is a finding.

Fix: F-51493r1_fix

The Software Installation Profile is required. An up-to-date Solaris repository must be accessible to the system.
Enter the command:
# pkg publisher
to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured.
Update system packages to the current version.
# pfexec pkg update
A reboot may be required for the updates to take effect.

The system must verify that package updates are digitally signed.
CM-5 - Medium - CCI-000352 - V-47883 - SV-60755r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-000352
Version
SOL-11.1-020020
Vuln IDs
  • V-47883
Rule IDs
  • SV-60755r1_rule
Digitally signed packages ensure that the source of the package can be identified.
Checks: C-50319r1_chk

Determine what the signature policy is for pkg publishers:
# pkg property | grep signature-policy
Check that the output produces:
signature-policy verify
If the output does not confirm that signature-policy verify is active, this is a finding.

Fix: F-51495r1_fix

The Software Installation Profile is required.
Configure the package system to ensure that digital signatures are verified.
# pfexec pkg set-property signature-policy verify

The operating system must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-47885 - SV-60757r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
SOL-11.1-020030
Vuln IDs
  • V-47885
Rule IDs
  • SV-60757r1_rule
Failure to maintain system configurations may result in privilege escalation.
Checks: C-50321r1_chk

The Software Installation Profile is required.
Determine what the signature policy is for pkg publishers:
# pkg property | grep signature-policy
Check that the output produces:
signature-policy verify
If the output does not confirm that signature-policy verify is active, this is a finding.
Check that package permissions are configured and signed per vendor requirements.
# pkg verify
If the command produces any output unrelated to STIG changes, this is a finding.
There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-51497r1_fix

The Software Installation Profile is required.
Configure the package system to ensure that digital signatures are verified.
# pfexec pkg set-property signature-policy verify
Check that package permissions are configured per vendor requirements.
# pfexec pkg verify
If any errors are reported unrelated to STIG changes, use:
# pfexec pkg fix
to bring configuration settings and permissions into factory compliance.

The operating system must protect audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-47887 - SV-60759r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001494
Version
SOL-11.1-020040
Vuln IDs
  • V-47887
Rule IDs
  • SV-60759r1_rule
Failure to maintain system configurations may result in privilege escalation.
Checks: C-50323r1_chk

The Software Installation Profile is required.
Determine what the signature policy is for pkg publishers:
# pkg property | grep signature-policy
Check that the output produces:
signature-policy verify
If the output does not confirm that signature-policy verify is active, this is a finding.
Check that package permissions are configured and signed per vendor requirements.
# pkg verify
If the command produces any output unrelated to STIG changes, this is a finding.
There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-51499r1_fix

The Software Installation Profile is required.
Configure the package system to ensure that digital signatures are verified.
# pfexec pkg set-property signature-policy verify
Check that package permissions are configured per vendor requirements.
# pfexec pkg verify
If any errors are reported unrelated to STIG changes, use:
# pfexec pkg fix
to bring configuration settings and permissions into factory compliance.

The operating system must protect audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-47889 - SV-60761r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001495
Version
SOL-11.1-020050
Vuln IDs
  • V-47889
Rule IDs
  • SV-60761r1_rule
Failure to maintain system configurations may result in privilege escalation.
Checks: C-50325r1_chk

The Software Installation Profile is required.

Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that the output produces:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

Check that package permissions are configured and signed per vendor requirements:

# pkg verify

If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-51501r1_fix

The Software Installation Profile is required.

Configure the package system to ensure that digital signatures are verified:

# pfexec pkg set-property signature-policy verify

Check that package permissions are configured per vendor requirements:

# pfexec pkg verify

If any errors are reported unrelated to STIG changes, use:

# pfexec pkg fix

to bring configuration settings and permissions into factory compliance.

b
System packages must be configured with the vendor-provided files, permissions, and ownerships.
AU-9 - Medium - CCI-001496 - V-47891 - SV-60763r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
SOL-11.1-020080
Vuln IDs
  • V-47891
Rule IDs
  • SV-60763r1_rule
Failure to maintain system configurations may result in privilege escalation.
Checks: C-50327r1_chk

The Software Installation Profile is required.

Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that the output produces:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

Check that package permissions are configured and signed per vendor requirements:

# pkg verify

If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-51503r1_fix

The Software Installation Profile is required.

Configure the package system to ensure that digital signatures are verified:

# pfexec pkg set-property signature-policy verify

Check that package permissions are configured per vendor requirements:

# pfexec pkg verify

If any errors are reported unrelated to STIG changes, use:

# pfexec pkg fix

to bring configuration settings and permissions into factory compliance.

a
The finger daemon package must not be installed.
CM-6 - Low - CCI-000366 - V-47893 - SV-60765r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-020090
Vuln IDs
  • V-47893
Rule IDs
  • SV-60765r1_rule
Finger is an insecure protocol.
Checks: C-50329r1_chk

Determine if the finger package is installed:

# pkg list service/network/finger

If an installed package named service/network/finger is listed, this is a finding.

Fix: F-51505r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall service/network/finger

a
The limitpriv zone option must be set to the vendor default or less permissive.
CM-6 - Low - CCI-000366 - V-47895 - SV-60767r3_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-100020
Vuln IDs
  • V-47895
Rule IDs
  • SV-60767r3_rule
Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.
Checks: C-50331r3_chk

This check applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system:

# zoneadm list -vi | grep -v global

From the output list of non-global zones found, determine if any are Kernel zones:

# zoneadm list -cv | grep [zonename] | grep solaris-kz

Exclude any Kernel zones found from the list of local zones.

List the configuration for each zone:

# zonecfg -z [zonename] info | grep limitpriv

If the output of this command has a setting for limitpriv and it is not:

limitpriv: default

this is a finding.

Fix: F-51507r1_fix

This fix applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this fix applies.

The Zone Security profile is required. Change the "limitpriv" setting to default:

# pfexec zonecfg -z [zone] set limitpriv=default

a
The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
CM-6 - Low - CCI-000366 - V-47897 - SV-60769r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-100010
Vuln IDs
  • V-47897
Rule IDs
  • SV-60769r1_rule
Incorrect ownership can result in unauthorized changes or theft of data.
Checks: C-50333r1_chk

This check applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this check applies.

Check the ownership of the files and directories:

# pkg verify system/zones

The command should return no output. If output is produced, this is a finding.

Fix: F-51509r3_fix

This fix applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this fix applies.

The Software Installation profile is required. Change the ownership and permissions of the files and directories to the factory default:

# pkg fix system/zones

b
The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
SC-5 - Medium - CCI-001095 - V-47899 - SV-60771r1_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
SOL-11.1-090280
Vuln IDs
  • V-47899
Rule IDs
  • SV-60771r1_rule
In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.
Checks: C-50335r1_chk

Ask the operator if Solaris 11 resource controls are configured to limit user memory, process table slots, network bandwidth, and thread utilization. If resource controls are not implemented to limit user memory usage, process table slots, network bandwidth, and/or thread utilization, this is a finding.

Fix: F-51511r1_fix

Use Solaris 11 projects and resource controls to limit the amount of memory and CPU resources available to users and applications.

b
The legacy remote network access utilities daemons must not be installed.
CM-6 - Medium - CCI-000366 - V-47901 - SV-60773r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020100
Vuln IDs
  • V-47901
Rule IDs
  • SV-60773r1_rule
Legacy remote access utilities allow remote control of a system without proper authentication.
Checks: C-50337r1_chk

Determine if the legacy remote access package is installed:

# pkg list service/network/legacy-remote-utilities

If an installed package named service/network/legacy-remote-utilities is listed, this is a finding.

Fix: F-51513r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall service/network/legacy-remote-utilities

b
The operating system must identify potentially security-relevant error conditions.
SI-11 - Medium - CCI-001311 - V-47903 - SV-60775r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001311
Version
SOL-11.1-090270
Vuln IDs
  • V-47903
Rule IDs
  • SV-60775r1_rule
Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property. For example, successful login triggers an audit entry.
Checks: C-50339r2_chk

Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis. If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.

Fix: F-51515r1_fix

Install, configure, and run DoD-approved SCAP compliance checking software on a periodic basis. Review the output of the software and document any out-of-compliance issues.

c
The NIS package must not be installed.
CM-6 - High - CCI-000366 - V-47905 - SV-60777r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-020110
Vuln IDs
  • V-47905
Rule IDs
  • SV-60777r1_rule
NIS is an insecure protocol.
Checks: C-50341r1_chk

Determine if the NIS package is installed:

# pkg list service/network/nis

If an installed package named "service/network/nis" is listed, this is a finding.

Fix: F-51517r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall service/network/nis

b
The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
SI-6 - Medium - CCI-001291 - V-47907 - SV-60779r1_rule
RMF Control
SI-6
Severity
M
CCI
CCI-001291
Version
SOL-11.1-090250
Vuln IDs
  • V-47907
Rule IDs
  • SV-60779r1_rule
Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property. For example, successful login triggers an audit entry.
Checks: C-50343r1_chk

Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis. If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.

Fix: F-51519r1_fix

Install, configure, and run DoD-approved SCAP compliance checking software on a periodic basis. Review the output of the software and document any out-of-compliance issues.

a
The pidgin IM client package must not be installed.
CM-6 - Low - CCI-000366 - V-47909 - SV-60781r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-020120
Vuln IDs
  • V-47909
Rule IDs
  • SV-60781r1_rule
Instant messaging is an insecure protocol.
Checks: C-50345r1_chk

Determine if the pidgin package is installed:

# pkg list communication/im/pidgin

If an installed package named communication/im/pidgin is listed, this is a finding.

Fix: F-51521r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall communication/im/pidgin

c
The FTP daemon must not be installed unless required.
CM-6 - High - CCI-000366 - V-47911 - SV-60783r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-020130
Vuln IDs
  • V-47911
Rule IDs
  • SV-60783r1_rule
FTP is an insecure protocol.
Checks: C-50347r1_chk

Determine if the FTP package is installed:

# pkg list service/network/ftp

If an installed package named "service/network/ftp" is listed and not required for operations, this is a finding.

Fix: F-51523r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall service/network/ftp

c
The TFTP service daemon must not be installed unless required.
CM-6 - High - CCI-000366 - V-47913 - SV-60785r2_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-020140
Vuln IDs
  • V-47913
Rule IDs
  • SV-60785r2_rule
TFTP is an insecure protocol.
Checks: C-50349r2_chk

Determine if the TFTP package is installed:

# pkg list service/network/tftp

If an installed package named "service/network/tftp" is listed and not required for operations, this is a finding.

Fix: F-51525r2_fix

The Software Installation Profile is required. The Automated Installer server package (install/installadm) depends on the TFTP package, so it is removed first:

# pfexec pkg uninstall install/installadm
# pfexec pkg uninstall service/network/tftp

c
The telnet service daemon must not be installed unless required.
CM-6 - High - CCI-000366 - V-47915 - SV-60787r2_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-020150
Vuln IDs
  • V-47915
Rule IDs
  • SV-60787r2_rule
Telnet is an insecure protocol.
Checks: C-50351r2_chk

Determine if the telnet daemon package is installed:

# pkg list service/network/telnet

If an installed package named "service/network/telnet" is listed and vntsd is not in use for LDoms, this is a finding.

Fix: F-51527r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall service/network/telnet

a
The UUCP service daemon must not be installed unless required.
CM-6 - Low - CCI-000366 - V-47917 - SV-60789r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-020160
Vuln IDs
  • V-47917
Rule IDs
  • SV-60789r2_rule
UUCP is an insecure protocol.
Checks: C-50353r2_chk

Determine if the UUCP package is installed:

# pkg list service/network/uucp

If an installed package named "service/network/uucp" is listed, this is a finding.

Fix: F-51529r3_fix

The Software Installation Profile is required.

# pfexec pkg uninstall service/network/uucp

b
The rpcbind service must be configured for local only services unless organizationally defined.
CM-6 - Medium - CCI-000366 - V-47919 - SV-60791r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020170
Vuln IDs
  • V-47919
Rule IDs
  • SV-60791r2_rule
The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using remote procedure calls (RPCs). The organization may define and document the limited use of services (for example NFS) that may use these services with approval from their Authorizing Official.
Checks: C-50355r2_chk

Check the status of the rpcbind service local_only property:

# svcprop -p config/local_only network/rpc/bind

If the value is not "true", this is a finding, unless network access to rpcbind is required for system operations, in which case this is not a finding.

Fix: F-51531r2_fix

The Service Management profile is required.

If services such as portmap or rpcbind are required for system operations, the operator must document the services used and obtain approval from their Authorizing Official. They should also document the method(s) of blocking all other remote accesses through tools like a firewall or tcp_wrappers.

Otherwise, configure the rpc/bind service for local only access:

# svccfg -s network/rpc/bind setprop config/local_only=true

The running service instance picks up the new property value when it is refreshed or restarted.

b
The VNC server package must not be installed unless required.
CM-6 - Medium - CCI-000366 - V-47921 - SV-60793r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020180
Vuln IDs
  • V-47921
Rule IDs
  • SV-60793r1_rule
The VNC service uses weak authentication capabilities and provides the user complete graphical system access.
Checks: C-50357r1_chk

Determine if the VNC server package is installed:

# pkg list x11/server/xvnc

If an installed package named "x11/server/xvnc" is listed, this is a finding.

Fix: F-51533r1_fix

The Software Installation Profile is required.

# pfexec pkg uninstall x11/server/xvnc
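
The package rules from SOL-11.1-020090 (finger) through SOL-11.1-020180 (VNC) each run one pkg list command per package. The script below is an added example, not part of the STIG and not Oracle tooling: it audits a single captured pkg list listing against all of those packages at once, and separates the rules that forbid a package outright from the "unless required" ones, where a documented, AO-approved exception clears the finding. The sample listing, its version strings and the exception list are constructed for the example; on a real host the listing comes from pkg list and the exceptions from the site's approved-software documentation.

```shell
#!/bin/sh
# Added example, not part of the STIG or of Oracle's tooling: audit one
# captured `pkg list` listing against every package-prohibition rule at once.

# Output of `pkg list`, constructed for this example (version strings are
# illustrative). Capture the real thing with:  pkg list > /tmp/pkglist.txt
# The publisher appears in parentheses only when it is not the default, so
# the package name is always the first field.
SAMPLE_PKG_LIST='NAME (PUBLISHER)                                  VERSION                    IFO
service/network/finger                            0.5.11-0.175.1.0.0.24.2    i--
service/network/ftp                               0.5.11-0.175.1.0.0.24.2    i--
service/network/ssh                               0.5.11-0.175.1.0.0.24.2    i--
service/network/telnet (solaris)                  0.5.11-0.175.1.0.0.24.2    i--
system/zones                                      0.5.11-0.175.1.0.0.24.2    i--
x11/server/xvnc                                   1.1.0-0.175.1.0.0.24.0     i--'

# Rule table (from the STIG text): FMRI, then "never" for packages that must
# not be installed, or "unless-required" where a documented, AO-approved
# exception clears the finding.
PROHIBITED='service/network/finger never
service/network/legacy-remote-utilities never
service/network/nis never
communication/im/pidgin never
service/network/ftp unless-required
service/network/tftp unless-required
service/network/telnet unless-required
service/network/uucp unless-required
x11/server/xvnc unless-required'

# Documented exceptions, one FMRI per line. Constructed: this site keeps the
# telnet package for vntsd on LDoms, which the telnet rule allows.
EXCEPTIONS='service/network/telnet'

# installed_names LISTING -> package names, header line dropped.
installed_names() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $1 }'
}

# audit_packages LISTING -> one line per prohibited package present:
#   "FINDING <fmri>" when it is installed and not excepted
#   "EXEMPT  <fmri>" when it is "unless-required" and documented
audit_packages() {
    installed=$(installed_names "$1")
    printf '%s\n' "$PROHIBITED" | while read -r fmri policy; do
        [ -n "$fmri" ] || continue
        # whole-line fixed-string match: service/network/ftp must not match
        # a hypothetical service/network/ftp-client
        printf '%s\n' "$installed" | grep -qxF -- "$fmri" || continue
        if [ "$policy" = unless-required ] &&
           printf '%s\n' "$EXCEPTIONS" | grep -qxF -- "$fmri"; then
            echo "EXEMPT  $fmri"
        else
            echo "FINDING $fmri"
        fi
    done
}

# finding_count LISTING -> number of FINDING lines (0 means compliant)
finding_count() {
    audit_packages "$1" | grep -c '^FINDING' || true
}

audit_packages "$SAMPLE_PKG_LIST"
# On a real host:  audit_packages "$(pkg list)"
```

Matching is on the whole package name rather than a substring, so a package whose name merely begins with a prohibited FMRI is not reported; an exception only clears a package whose rule says "unless required", never one the STIG forbids outright.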

b
The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
CM-8 - Medium - CCI-000416 - V-47923 - SV-60795r1_rule
RMF Control
CM-8
Severity
M
CCI
CCI-000416
Version
SOL-11.1-020190
Vuln IDs
  • V-47923
Rule IDs
  • SV-60795r1_rule
Addition of unauthorized code or packages may result in data corruption or theft.
Checks: C-50359r1_chk

The Software Installation Profile is required.

Display the installation history of packages on the system to ensure that no undesirable packages have been installed:

# pkg history -o finish,user,operation,command | grep install

If the install command is listed as "/usr/bin/packagemanager", execute the command:

# pkg history -l

to determine which packages were installed during package manager sessions.

If undocumented or unapproved packages have been installed, this is a finding.

Fix: F-51535r1_fix

The Software Installation Profile is required.

Review and report any unauthorized package installation operations. If necessary, remove unauthorized packages:

# pfexec pkg uninstall [package name]

b
The operating system must be configured to provide essential capabilities.
CM-7 - Medium - CCI-000381 - V-47925 - SV-60797r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SOL-11.1-020220
Vuln IDs
  • V-47925
Rule IDs
  • SV-60797r1_rule
Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.
Checks: C-50361r1_chk

Identify the packages installed on the system:

# pkg list

Any unauthorized software packages listed in the output are a finding.

Fix: F-51537r1_fix

The Software Installation profile is required.

Identify packages installed on the system:

# pkg list

Uninstall unauthorized packages:

# pfexec pkg uninstall [package name]

b
The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
CM-7 - Medium - CCI-000386 - V-47927 - SV-60799r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000386
Version
SOL-11.1-020230
Vuln IDs
  • V-47927
Rule IDs
  • SV-60799r1_rule
Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.
Checks: C-50363r1_chk

Identify the packages installed on the system:

# pkg list

Any unauthorized software packages listed in the output are a finding.

Fix: F-51539r1_fix

The Software Installation profile is required.

Identify packages installed on the system:

# pkg list

Uninstall unauthorized packages:

# pfexec pkg uninstall [package name]

b
The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
CM-6 - Medium - CCI-000366 - V-47929 - SV-60801r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-030010
Vuln IDs
  • V-47929
Rule IDs
  • SV-60801r1_rule
Externally accessible graphical desktop software may open the system to remote attacks.
Checks: C-50365r1_chk

Determine if the X11 server system is providing remote services on the network:

# svcprop -p options/tcp_listen svc:/application/x11/x11-server

If the output of the command is "true" and network access to graphical user login is not required, this is a finding.

Fix: F-51541r1_fix

The System Administrator profile is required.

Configure the X11 server for local system only graphics access:

# pfexec svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen=false

The X server reads this property when it starts; an X server that is already running keeps its current listener until it is restarted.

a
Generic Security Services (GSS) must be disabled.
CM-6 - Low - CCI-000366 - V-47931 - SV-60803r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-030030
Vuln IDs
  • V-47931
Rule IDs
  • SV-60803r1_rule
This service should be disabled if it is not required.
Checks: C-50367r1_chk

Determine the status of the Generic Security Services:

# svcs -Ho state svc:/network/rpc/gss

If the GSS service is reported as online, this is a finding.

Fix: F-51543r1_fix

The Service Management profile is required.

Disable the GSS service:

# pfexec svcadm disable svc:/network/rpc/gss

a
Systems services that are not required must be disabled.
CM-6 - Low - CCI-000366 - V-47933 - SV-60805r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-030040
Vuln IDs
  • V-47933
Rule IDs
  • SV-60805r1_rule
Services that are enabled but not required by the mission may provide excessive access or additional attack vectors to penetrate the system.
Checks: C-50369r1_chk

Determine all of the system services that are enabled on the system:

# svcs -a | grep online

Document all enabled services and disable any that are not required. If an enabled service is neither required by the mission nor documented, this is a finding.

Fix: F-51545r1_fix

The Service Management profile is required.

Disable any other service not required:

# pfexec svcadm disable [service name]

b
TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
CM-6 - Medium - CCI-000366 - V-47935 - SV-60807r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-030050
Vuln IDs
  • V-47935
Rule IDs
  • SV-60807r2_rule
TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
Checks: C-50371r1_chk

Check that TCP Wrappers are enabled and that the hosts.deny and hosts.allow files exist:

# inetadm -p | grep tcp_wrappers

If the output of this command is "tcp_wrappers=FALSE", this is a finding.

# ls /etc/hosts.deny
/etc/hosts.deny
# ls /etc/hosts.allow
/etc/hosts.allow

If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.

Fix: F-51547r3_fix

The root role is required.

To enable TCP Wrappers, run the following commands:

1. Create and customize your policy in /etc/hosts.allow:

# echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow

where each [net]/[mask] combination (for example, the Class C address block "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.

2. Create a default deny policy in /etc/hosts.deny:

# echo "ALL: ALL" > /etc/hosts.deny

3. Enable TCP Wrappers for all services started by inetd:

# inetadm -M tcp_wrappers=TRUE

Create hosts.allow before enabling wrappers or writing the default-deny hosts.deny, otherwise remote administrative access to the system is cut off. The versions of SunSSH (0.5.11) and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4.

a
All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
CM-6 - Low - CCI-000366 - V-47937 - SV-60809r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-090240
Vuln IDs
  • V-47937
Rule IDs
  • SV-60809r1_rule
Editing a system file with common tools such as vi, emacs, or gedit does not allow the auditing of changes made by an operator. This reduces the capability of determining which operator made security-relevant changes to the system.
Checks: C-50373r1_chk

Ask the operators if they use vi, emacs, or gedit to make changes to system files. If vi, emacs, or gedit are used to make changes to system files, this is a finding.

Fix: F-51549r1_fix

Advise the operators to use pfedit or other appropriate command line tools to make system changes instead of vi, emacs, or gedit. Oracle Solaris includes administrative configuration files that can be edited with pfedit, but granting the solaris.admin.edit/path_to_file authorization for them is not recommended; alternate commands exist which are both domain-specific and safer. For example, for the /etc/passwd, /etc/shadow, or /etc/user_attr files, use instead passwd, useradd, userdel, or usermod. For the /etc/group file, use instead groupadd, groupdel, or groupmod. For updating /etc/security/auth_attr, /etc/security/exec_attr, or /etc/security/prof_attr, the preferred command is profiles.

b
The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
AC-19 - Medium - CCI-000087 - V-47939 - SV-60811r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000087
Version
SOL-11.1-030060
Vuln IDs
  • V-47939
Rule IDs
  • SV-60811r1_rule
Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Auto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.
Checks: C-50375r1_chk

This check applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this check applies.

Determine if the removable media volume manager is running:

# svcs -Ho state svc:/system/filesystem/rmvolmgr:default

If the output reports that the service is "online", this is a finding.

Fix: F-51551r1_fix

The Service Management profile is required.

This action applies to the global zone only. Determine the zone that you are currently securing:

# zonename

If the command output is "global", this action applies.

Disable the rmvolmgr service:

# pfexec svcadm disable svc:/system/filesystem/rmvolmgr:default

b
The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Medium - CCI-001348 - V-47941 - SV-60813r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
SOL-11.1-090220
Vuln IDs
  • V-47941
Rule IDs
  • SV-60813r1_rule
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement can be met by the operating system continuously sending records to a centralized logging server.
Checks: C-50377r1_chk

This check applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this check applies.

The operator must back up audit records at least every 7 days. If the operator is unable to provide a documented procedure, or the documented procedure is not being followed, this is a finding.

Fix: F-51553r1_fix

This fix applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this fix applies.

The operator shall back up audit records at least every seven days.

b
User passwords must be changed at least every 56 days.
IA-5 - Medium - CCI-000199 - V-47943 - SV-60815r2_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
SOL-11.1-040010
Vuln IDs
  • V-47943
Rule IDs
  • SV-60815r2_rule
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.
Checks: C-50379r3_chk

The root role is required.

Determine if user passwords are properly configured to be changed every 56 days:

# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $11 != "56" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to enforce password expiration every 56 days or less:

# grep "^MAXWEEKS=" /etc/default/passwd

If the command does not report MAXWEEKS=8 or less, this is a finding. An empty value (MAXWEEKS= with nothing after it) enforces no maximum and is also a finding.

Fix: F-51555r1_fix

The User Security role is required.

Change each username to enforce 56 day password changes:

# pfexec passwd -x 56 [username]

# pfedit /etc/default/passwd

Search for MAXWEEKS. Change the line to read:

MAXWEEKS=8

a
The operating system must automatically terminate temporary accounts within 72 hours.
AC-2 - Low - CCI-000016 - V-47949 - SV-60821r1_rule
RMF Control
AC-2
Severity
L
CCI
CCI-000016
Version
SOL-11.1-040020
Vuln IDs
  • V-47949
Rule IDs
  • SV-60821r1_rule
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after 72 hours. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.
Checks: C-50385r1_chk

The root role is required.

Determine if an expiration date is set for temporary accounts:

# logins -aox | awk -F: '($14 == "0") {print}'

This command produces a list of accounts with no expiration date set. If any of these accounts are temporary accounts, this is a finding.

# logins -aox | awk -F: '($14 != "0") {print}'

This command produces a list of accounts with an expiration date set as defined in the last field. If any temporary accounts have an expiration date that is not within 72 hours, this is a finding.

Fix: F-51561r1_fix

The User Security role is required.

Apply an expiration date to temporary users:

# pfexec usermod -e "[date]" [username]

Enter the date in the form mm/dd/yyyy such that it is within 72 hours.

b
The operating system must enforce minimum password lifetime restrictions.
IA-5 - Medium - CCI-000198 - V-47953 - SV-60825r2_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000198
Version
SOL-11.1-040030
Vuln IDs
  • V-47953
Rule IDs
  • SV-60825r2_rule
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse.
Checks: C-50389r3_chk

The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater:

# awk -F: '$4 < 1 {print $1}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.

Check that /etc/default/passwd is configured with a minimum password change time of 1 week:

# grep "^MINWEEKS=" /etc/default/passwd

If the command does not report MINWEEKS=1, this is a finding. An empty value (MINWEEKS= with nothing after it) enforces no minimum and is also a finding.

Fix: F-51565r1_fix

The root role is required.

# pfedit /etc/default/passwd

Locate the line containing:

MINWEEKS

Change the line to read:

MINWEEKS=1

Set the per-user minimum password change time by using the following command on each user account:

# passwd -n [number of days] [accountname]

b
The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SI-3 - Medium - CCI-001239 - V-47955 - SV-60827r3_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001239
Version
SOL-11.1-090140
Vuln IDs
  • V-47955
Rule IDs
  • SV-60827r3_rule
This requirement applies to email servers only. In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. The requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.
Checks: C-50391r3_chk

The operator will ensure that anti-virus software is installed and operating. If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

Fix: F-51567r3_fix

The operator will ensure that anti-virus software is installed and operating.

b
User passwords must be at least 15 characters in length.
IA-5 - Medium - CCI-000205 - V-47957 - SV-60829r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
SOL-11.1-040040
Vuln IDs
  • V-47957
Rule IDs
  • SV-60829r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-50393r1_chk

Check the system password length setting.
# grep ^PASSLENGTH /etc/default/passwd
If PASSLENGTH is not set to 15 or more, this is a finding.

Fix: F-51569r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: PASSLENGTH
Change the line to read: PASSLENGTH=15

b
The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SI-3 - Medium - CCI-001668 - V-47959 - SV-60831r3_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
SOL-11.1-090130
Vuln IDs
  • V-47959
Rule IDs
  • SV-60831r3_rule
In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. The requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.
Checks: C-50395r3_chk

The operator will ensure that anti-virus software is installed and operating. If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

Fix: F-51571r3_fix

The operator will ensure that anti-virus software is installed and operating.

b
Users must not reuse the last 5 passwords.
IA-5 - Medium - CCI-000200 - V-47961 - SV-60833r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
SOL-11.1-040050
Vuln IDs
  • V-47961
Rule IDs
  • SV-60833r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the operating system allows the user to consecutively reuse their password when the password has exceeded its defined lifetime, the end result is a password that is not changed, per policy requirements.
Checks: C-50397r1_chk

Determine if the password history setting is configured properly.
# grep ^HISTORY /etc/default/passwd
If HISTORY is commented out or is not set to 5 or more, this is a finding.

Fix: F-51573r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: HISTORY
Change the line to read: HISTORY=5

b
The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
SI-3 - Medium - CCI-001248 - V-47963 - SV-60835r3_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001248
Version
SOL-11.1-090120
Vuln IDs
  • V-47963
Rule IDs
  • SV-60835r3_rule
In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. The requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.
Checks: C-50399r3_chk

The operator will ensure that anti-virus software is installed and operating. If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

Fix: F-51575r3_fix

The operator will ensure that anti-virus software is installed and operating.

b
The system must require at least eight characters be changed between the old and new passwords during a password change.
IA-5 - Medium - CCI-000195 - V-47967 - SV-60839r2_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000195
Version
SOL-11.1-040060
Vuln IDs
  • V-47967
Rule IDs
  • SV-60839r2_rule
To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.
Checks: C-50403r1_chk

Check /etc/default/passwd to verify the MINDIFF setting.
# grep ^MINDIFF /etc/default/passwd
If the setting is not present, or is less than 8, this is a finding.

Fix: F-51579r1_fix

The root role is required.
# pfedit /etc/default/passwd
Search for MINDIFF.
Change the line to read: MINDIFF=8

b
The operating system must prevent the execution of prohibited mobile code.
SC-18 - Medium - CCI-001695 - V-47969 - SV-60841r2_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001695
Version
SOL-11.1-090100
Vuln IDs
  • V-47969
Rule IDs
  • SV-60841r2_rule
Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.
Checks: C-50405r3_chk

Determine if the Firefox package is installed:
# pkg list web/browser/firefox
If the package is not installed, this check does not apply.
If installed, ensure that it is a supported version.
# pkg info firefox | grep Version
Version: 52.5.2
If the version is not supported, this is a finding.
Ensure that Java and JavaScript access by Firefox are disabled.
Start Firefox. In the address bar type: about:config
In the search bar type: javascript.enabled
If "Value" is true, this is a finding.
In the address bar type: about:addons
Click on the "I accept the risk" button.
Click on "Plugins".
If Java is enabled, this is a finding.

Fix: F-51581r3_fix

In the address bar type: about:config
Click on the "I accept the risk" button.
In the search bar type: javascript.enabled
Double click on javascript.enabled and the Value true will change to false.
In the address bar type: about:addons
Click on "Plugins".
If Java is displayed, disable Java by clicking on the Never Activate selection.

b
The system must require passwords to contain at least one uppercase alphabetic character.
IA-5 - Medium - CCI-000192 - V-47971 - SV-60843r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000192
Version
SOL-11.1-040070
Vuln IDs
  • V-47971
Rule IDs
  • SV-60843r1_rule
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
Checks: C-50407r1_chk

Check the MINUPPER setting.
# grep ^MINUPPER /etc/default/passwd
If MINUPPER is not set to 1 or more, this is a finding.

Fix: F-51583r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: MINUPPER
Change the line to read: MINUPPER=1

b
The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
CP-9 - Medium - CCI-000539 - V-47973 - SV-60845r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000539
Version
SOL-11.1-090070
Vuln IDs
  • V-47973
Rule IDs
  • SV-60845r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. System documentation is data generated for/by the host (such as logs) and/or administrative users. Backups shall be consistent with organizational recovery time and recovery point objectives.
Checks: C-50409r1_chk

The operations staff shall ensure that proper backups are created, tested, and archived. Ask the operator for documentation on the backup procedures implemented. If the backup procedures are not documented then this is a finding.

Fix: F-51585r1_fix

The operations staff shall install, configure, test, and verify operating system backup software. Additionally, all backup procedures must be documented.

b
The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
CP-9 - Medium - CCI-000537 - V-47975 - SV-60847r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000537
Version
SOL-11.1-090060
Vuln IDs
  • V-47975
Rule IDs
  • SV-60847r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. System-level information is data generated for/by the host (such as configuration settings) and/or administrative users. Backups shall be consistent with organizational recovery time and recovery point objectives.
Checks: C-50411r1_chk

The operations staff shall ensure that proper backups are created, tested, and archived. Ask the operator for documentation on the backup procedures implemented. If the backup procedures are not documented then this is a finding.

Fix: F-51587r1_fix

The operations staff shall install, configure, test, and verify operating system backup software. Additionally, all backup procedures must be documented.

b
The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
CP-9 - Medium - CCI-000535 - V-47977 - SV-60849r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000535
Version
SOL-11.1-090050
Vuln IDs
  • V-47977
Rule IDs
  • SV-60849r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.
Checks: C-50413r1_chk

The operations staff shall ensure that proper backups are created, tested, and archived. Ask the operator for documentation on the backup procedures implemented. If the backup procedures are not documented then this is a finding.

Fix: F-51589r1_fix

The operations staff shall install, configure, test, and verify operating system backup software. Additionally, all backup procedures must be documented.

a
The system must not have any unnecessary accounts.
CM-6 - Low - CCI-000366 - V-47979 - SV-60851r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-090040
Vuln IDs
  • V-47979
Rule IDs
  • SV-60851r1_rule
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Checks: C-50415r1_chk

Check the system for unnecessary user accounts.
# getent passwd
Some examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.

Fix: F-51591r1_fix

The root role is required.
Remove all unnecessary accounts, such as games, from the /etc/passwd file before connecting a system to the network. Other accounts, such as news and gopher, associated with a service not in use should also be removed.
Identify unnecessary accounts.
# getent passwd
Remove unnecessary accounts.
# userdel [username]

b
The operating system must enforce password complexity requiring that at least one lowercase character is used.
IA-5 - Medium - CCI-000193 - V-47981 - SV-60853r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000193
Version
SOL-11.1-040080
Vuln IDs
  • V-47981
Rule IDs
  • SV-60853r1_rule
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
Checks: C-50417r1_chk

Check the MINLOWER setting.
# grep ^MINLOWER /etc/default/passwd
If MINLOWER is not set to 1 or more, this is a finding.

Fix: F-51593r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: MINLOWER
Change the line to read: MINLOWER=1

b
Direct logins must not be permitted to shared, default, application, or utility accounts.
CM-6 - Medium - CCI-000366 - V-47983 - SV-60855r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-090030
Vuln IDs
  • V-47983
Rule IDs
  • SV-60855r2_rule
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
Checks: C-50419r2_chk

The Audit Review profile is required.
This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Use the "auditreduce" command to check for multiple accesses to an account.
# auditreduce -c lo -u [shared_user_name] | praudit -l
If users log directly into accounts, rather than using the "su" command from their own named account to access them, this is a finding.
Also, ask the SA or the IAO if shared accounts are logged into directly or if users log into an individual account and switch user to the shared account.

Fix: F-51595r2_fix

The root role is required.
This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Use the switch user ("su") command from a named account login to access shared accounts. Maintain audit trails that identify the actual user of the account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user ("su") to the shared account.

b
The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
AU-8 - Medium - CCI-000160 - V-47985 - SV-60857r2_rule
RMF Control
AU-8
Severity
M
CCI
CCI-000160
Version
SOL-11.1-090020
Vuln IDs
  • V-47985
Rule IDs
  • SV-60857r2_rule
To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.
Checks: C-50421r4_chk

NTP must be used and used only in the global zone.
Determine the zone that you are currently securing.
# zonename
If the command output is not "global", then NTP must be disabled. Check the system for a running NTP daemon.
# svcs -Ho state ntp
If NTP is online, this is a finding.
If the output from "zonename" is "global", then NTP must be enabled. Check the system for a running NTP daemon.
# svcs -Ho state ntp
If NTP is not online, this is a finding.
If NTP is running, confirm the servers and peers or multicast client (as applicable) are local or an authoritative U.S. DoD source. For the NTP daemon:
# more /etc/inet/ntp.conf
If a non-local/non-authoritative (non-U.S. DoD source, non-USNO-based, or non-GPS) time server is used, this is a finding.
Determine if the time synchronization frequency is correct.
# grep "maxpoll" /etc/inet/ntp.conf
If the command returns "File not found" or any value for maxpoll, this is a finding.
Determine if the running NTP server is configured properly.
# ntpq -p | awk '($6 ~ /[0-9]+/ && $6 > 86400) { print $1" "$6 }'
This will print out the name of any time server whose current polling time is greater than 24 hours (along with the actual value). If there is any output, this is a finding.

Fix: F-51597r2_fix

The root role is required.
Determine the zone that you are currently securing.
# zonename
If the command output is not "global", then NTP must be disabled.
# svcadm disable ntp
If the output from "zonename" is "global", then NTP must be enabled. To activate the ntpd daemon, the ntp.conf file must first be created.
# cp /etc/inet/ntp.client /etc/inet/ntp.conf
# pfedit /etc/inet/ntp.conf
Make site-specific changes to this file as needed in the form:
server [ntpserver]
Locate the line containing maxpoll (if it exists). Delete the line.
Start the ntpd daemon.
# svcadm enable ntp
Use a local authoritative time server synchronizing to an authorized DoD time source, a USNO-based time server, or a GPS. Ensure all systems in the facility feed from one or more local time servers that feed from the authoritative time server. Edit the NTP configuration files and make the necessary changes to add the approved time servers per Solaris documentation.

b
A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
SI-7 - Medium - CCI-001297 - V-47987 - SV-60859r1_rule
RMF Control
SI-7
Severity
M
CCI
CCI-001297
Version
SOL-11.1-090010
Vuln IDs
  • V-47987
Rule IDs
  • SV-60859r1_rule
A file integrity baseline is a collection of file metadata which is used to evaluate the integrity of the system. A minimal baseline must contain metadata for all device files, setuid files, setgid files, system libraries, system binaries, and system configuration files. The minimal metadata must consist of the mode, owner, group owner, and modification times. For regular files, metadata must also include file size and a cryptographic hash of the file's contents.
Checks: C-50423r2_chk

The root role is required.
Solaris 11 includes the Basic Account and Reporting Tool (BART) which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.
A baseline BART manifest may exist in:
/var/adm/log/bartlogs/[control manifest filename]
If a BART manifest does not exist, this is a finding.
At least weekly, create a new BART baseline report.
# bart create > /var/adm/log/bartlogs/[new manifest filename]
Compare the new report to the previous report to identify any changes in the system baseline.
# bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename]
Examine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.

Fix: F-51599r2_fix

The root role is required.
Solaris 11 includes the Basic Account and Reporting Tool (BART) which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.
Create a protected area to store BART manifests.
# mkdir /var/adm/log/bartlogs
# chmod 700 /var/adm/log/bartlogs
After initial installation and configuration of the system, create a manifest report of the current baseline.
# bart create > /var/adm/log/bartlogs/[baseline manifest filename]
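The weekly baseline-and-compare cycle described in this check and fix, as an added shell example that is not part of the STIG and is not BART itself: it builds a manifest of mode, owner, group, size and SHA-256 for every regular file under a directory, then compares a new manifest against the baseline and reports added, deleted and changed entries, exiting non-zero when the tree has drifted. It assumes sha256sum from GNU coreutils (on Solaris 11 substitute "digest -a sha256"), file names without whitespace, and a constructed sample tree whose paths and contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline in the spirit of
# "bart create" / "bart compare" (V-47987). Not BART, not Oracle code.
# Assumptions: sha256sum(1) from GNU coreutils is on PATH (Solaris 11:
# use "digest -a sha256"); file names contain no whitespace.

# make_manifest ROOT: print one line per regular file under ROOT:
#   path mode owner group size sha256
make_manifest() {
    mroot=$1
    (cd "$mroot" && find . -type f | LC_ALL=C sort) | while IFS= read -r rel; do
        f="$mroot/$rel"
        set -- $(ls -ld "$f")                  # $1 mode, $3 owner, $4 group, $5 size
        sum=$(sha256sum "$f" | awk '{ print $1 }')
        printf '%s %s %s %s %s %s\n' "$rel" "$1" "$3" "$4" "$5" "$sum"
    done
}

# compare_manifests BASELINE NEW: report added, deleted and changed files.
# Exit status 1 when any difference is found, 0 when NEW matches BASELINE.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { base[$1] = $0; next }   # first file is the baseline
        {
            seen[$1] = 1
            if (!($1 in base)) { print "added: " $1; diffs++; next }
            split(base[$1], b, " ")
            if (b[2] != $2)               { print "changed: " $1 " mode " b[2] " -> " $2; diffs++ }
            if (b[3] != $3 || b[4] != $4) { print "changed: " $1 " owner " b[3] ":" b[4] " -> " $3 ":" $4; diffs++ }
            if (b[6] != $6)               { print "changed: " $1 " contents (size " b[5] " -> " $5 ")"; diffs++ }
        }
        END {
            for (p in base) if (!(p in seen)) { print "deleted: " p; diffs++ }
            exit (diffs > 0)
        }' "$1" "$2"
}

# demo_baseline_drift: build a constructed tree, baseline it, tamper with it,
# then compare, the way the weekly review in the check text does.
demo_baseline_drift() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'PASSLENGTH=15\n' > "$root/etc/passwd"     # constructed sample content
    printf 'MINWEEKS=1\n'    > "$root/etc/policy"     # constructed sample content
    make_manifest "$root" > "$root.baseline"

    printf 'PASSLENGTH=6\n' > "$root/etc/passwd"      # simulated unapproved edit
    printf 'x\n' > "$root/etc/extra"                  # simulated new file
    make_manifest "$root" > "$root.new"

    compare_manifests "$root.baseline" "$root.new"
    status=$?
    rm -rf "$root" "$root.baseline" "$root.new"
    return $status
}

# drift_count: number of differences the demo reports (2: one changed, one added).
drift_count() {
    demo_baseline_drift | awk 'END { print NR }'
}

demo_baseline_drift || echo "-> drift detected; review the changes above"
```

On a real system the manifests belong in a mode 0700 directory such as the /var/adm/log/bartlogs location the fix text creates, and the non-zero exit status lets the comparison run from cron and page an administrator only when something under /etc has changed.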

b
The system must require passwords to contain at least one numeric character.
IA-5 - Medium - CCI-000194 - V-47989 - SV-60861r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000194
Version
SOL-11.1-040090
Vuln IDs
  • V-47989
Rule IDs
  • SV-60861r1_rule
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
Checks: C-50425r1_chk

Check the MINDIGIT setting.
# grep ^MINDIGIT /etc/default/passwd
If the MINDIGIT setting is less than 1, this is a finding.

Fix: F-51601r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: MINDIGIT
Change the line to read: MINDIGIT=1

b
The system must require passwords to contain at least one special character.
IA-5 - Medium - CCI-001619 - V-47991 - SV-60863r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-001619
Version
SOL-11.1-040100
Vuln IDs
  • V-47991
Rule IDs
  • SV-60863r1_rule
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
Checks: C-50427r1_chk

Check the MINSPECIAL setting.
# grep ^MINSPECIAL /etc/default/passwd
If the MINSPECIAL setting is less than 1, this is a finding.

Fix: F-51603r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: MINSPECIAL
Change the line to read: MINSPECIAL=1

a
The system must require passwords to contain no more than three consecutive repeating characters.
CM-6 - Low - CCI-000366 - V-47993 - SV-60865r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-040110
Vuln IDs
  • V-47993
Rule IDs
  • SV-60865r1_rule
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
Checks: C-50429r1_chk

Check the MAXREPEATS setting.
# grep ^MAXREPEATS /etc/default/passwd
If the MAXREPEATS setting is greater than 3, this is a finding.

Fix: F-51605r1_fix

The root role is required.
# pfedit /etc/default/passwd
Locate the line containing: MAXREPEATS
Change the line to read: MAXREPEATS=3
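The nine /etc/default/passwd settings checked by V-47953 (MINWEEKS), V-47957 (PASSLENGTH), V-47961 (HISTORY), V-47967 (MINDIFF), V-47971 (MINUPPER), V-47981 (MINLOWER), V-47989 (MINDIGIT), V-47991 (MINSPECIAL) and V-47993 (MAXREPEATS) above can be audited in one pass. The following shell script is an added example, not part of the STIG or of Solaris: it parses an /etc/default/passwd-style file with awk, treats a commented-out or absent key as "not set" just as the grep ^KEY checks do, and prints one finding per rule that fails. The two sample files it writes are constructed for the demonstration and do not come from any real system.

```shell
#!/bin/sh
# Added example: audit an /etc/default/passwd-style file against the thresholds
# the password rules on this page check with "grep ^KEY /etc/default/passwd".
# Assumption: KEY=VALUE lines; a commented-out or absent key counts as "not set".

# check_passwd_defaults FILE: print one "FINDING: ..." line per failed rule.
# Exit status 1 if there are findings, 0 if the file is compliant.
check_passwd_defaults() {
    awk -F= '
        function fail(msg) { print "FINDING: " msg; findings++ }
        function need_min(k, lo) {
            if (!(k in v)) fail(k " is not set (need " lo " or more)")
            else if (v[k]+0 < lo) fail(k "=" v[k] " is below " lo)
        }
        function need_max(k, hi) {
            if (!(k in v)) fail(k " is not set (need " hi " or less)")
            else if (v[k]+0 > hi) fail(k "=" v[k] " exceeds " hi)
        }
        function need_eq(k, x) { if (!(k in v) || v[k]+0 != x) fail(k " is not " x) }
        # Only uncommented KEY=VALUE lines count, matching the grep ^KEY checks.
        /^[A-Z]+=/ { v[$1] = $2 }
        END {
            need_eq("MINWEEKS",    1)   # V-47953: must report MINWEEKS=1
            need_min("PASSLENGTH", 15)  # V-47957
            need_min("HISTORY",    5)   # V-47961: commented out also fails
            need_min("MINDIFF",    8)   # V-47967: absent also fails
            need_min("MINUPPER",   1)   # V-47971
            need_min("MINLOWER",   1)   # V-47981
            need_min("MINDIGIT",   1)   # V-47989
            need_min("MINSPECIAL", 1)   # V-47991
            need_max("MAXREPEATS", 3)   # V-47993: unset means no limit is enforced
            exit (findings > 0)
        }' "$1"
}

# make_samples: write two constructed files into a temp directory and print its
# path: passwd.weak (before the fixes) and passwd.hardened (after the fixes).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd.weak" <<'EOF'
# constructed sample: a stock-looking file before the fix text is applied
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=6
#HISTORY=0
MINDIFF=3
MINUPPER=1
MINLOWER=0
MINDIGIT=1
#MINSPECIAL=0
#MAXREPEATS=0
EOF
    cat > "$dir/passwd.hardened" <<'EOF'
# constructed sample: values after applying the fix text of each rule
MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=15
HISTORY=5
MINDIFF=8
MINUPPER=1
MINLOWER=1
MINDIGIT=1
MINSPECIAL=1
MAXREPEATS=3
EOF
    echo "$dir"
}

# finding_count FILE: number of findings for FILE (7 for the weak sample, 0 for hardened).
finding_count() {
    check_passwd_defaults "$1" | awk '/^FINDING:/ { n++ } END { print n+0 }'
}

SAMPLES=$(make_samples)
for f in "$SAMPLES/passwd.weak" "$SAMPLES/passwd.hardened"; do
    echo "== $f"
    check_passwd_defaults "$f" || echo "   $(finding_count "$f") finding(s)"
done
```

Run it against the real file with check_passwd_defaults /etc/default/passwd; the per-user values set with passwd -n (V-47953) and the /etc/shadow scan are a separate check, since those live outside this file.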

c
SNMP communities, users, and passphrases must be changed from the default.
CM-6 - High - CCI-000366 - V-47995 - SV-60867r2_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-080160
Vuln IDs
  • V-47995
Rule IDs
  • SV-60867r2_rule
Whether active or not, default SNMP passwords, users, and passphrases must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s).
Checks: C-50431r3_chk

The root role is required.
Check the SNMP configuration for default passwords. Locate and examine the SNMP configuration.
Procedure: Find any occurrences of the snmpd.conf file delivered with Solaris packages:
# pkg search -Ho path snmpd.conf | awk '{ print "/"$1 }'
# more [filename]
Identify any community names or user password configurations. If any community name or password is set to a default value, such as public, private, snmp-trap, or password, this is a finding.

Fix: F-51607r1_fix

The root role is required.
Change the default snmpd.conf community passwords. To change them, locate the snmpd.conf file and edit it.
# pfedit [filename]
Locate the line system-group-read-community, which has a default password of public, and make the password something more random (less guessable). Make the same changes for the lines that read system-group-write-community, read-community, write-community, trap, and trap-community.
Read the information in the file carefully. The trap line defines where traps are sent by default; it is not a password, but the name of a host.

b
The operating system must implement transaction recovery for transaction-based systems.
CP-10 - Medium - CCI-000553 - V-47997 - SV-60869r1_rule
RMF Control
CP-10
Severity
M
CCI
CCI-000553
Version
SOL-11.1-080150
Vuln IDs
  • V-47997
Rule IDs
  • SV-60869r1_rule
Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. While this is typically a database function, operating systems could be transactional in nature with respect to file processing.
Checks: C-50433r1_chk

The Solaris 11 ZFS copy-on-write model allows file system accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance.
Determine if any UFS file systems are mounted with the "nologging" option.
# mount | grep nologging
If any file systems are listed, this is a finding.

Fix: F-51609r1_fix

The root role is required.
The Solaris 11 ZFS copy-on-write model allows file system accesses to work according to a transactional model, such that on-disk content is always consistent and cannot be configured to be out of compliance.
If any UFS file systems are mounted with the "nologging" option, remove that option from the /etc/vfstab file.
# pfedit /etc/vfstab
Locate any file systems listed with the "nologging" option and delete the keyword "nologging".

b
The system must not have accounts configured with blank or null passwords.
CM-6 - Medium - CCI-000366 - V-47999 - SV-60871r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040120
Vuln IDs
  • V-47999
Rule IDs
  • SV-60871r1_rule
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
Checks: C-50435r1_chk

The root role is required.
Determine if accounts with blank or null passwords exist.
# logins -po
If any account is listed, this is a finding.

Fix: F-51611r1_fix

The root role is required.
Remove, lock, or configure a password for any account with a blank password.
# passwd [username]
or use the passwd -l command to lock accounts that are not permitted to execute commands,
or use the passwd -N command to set accounts to be non-login.

a
The system must require passwords to change the boot device settings. (SPARC)
CM-6 - Low - CCI-000366 - V-48003 - SV-60875r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-080130
Vuln IDs
  • V-48003
Rule IDs
  • SV-60875r1_rule
Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy).
Checks: C-50439r1_chk

This check applies only to SPARC-based systems.
This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine if the EEPROM security mode on SPARC-based systems is configured correctly.
# eeprom security-mode
If the output of this command is not "security-mode=command", this is a finding.

Fix: F-51615r2_fix

The root role is required.
This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
# eeprom security-mode=command
After entering the command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot level on the system (the ok or > prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended). Write down the password and store it in a secure location.

b
The kernel core dump data directory must have mode 0700 or less permissive.
CM-6 - Medium - CCI-000366 - V-48007 - SV-60879r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080110
Vuln IDs
  • V-48007
Rule IDs
  • SV-60879r1_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the mode of the kernel core dump data directory is more permissive than 0700, unauthorized users may be able to view or to modify kernel core dump data files.
Checks: C-50443r1_chk

The root role is required.
This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine the location of the system dump directory.
# dumpadm | grep directory
Check the permissions of the kernel core dump data directory.
# ls -ld [savecore directory]
If the directory has a mode more permissive than 0700 (rwx------), this is a finding.

Fix: F-51619r1_fix

The root role is required.
This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the system dump directory.
# dumpadm | grep directory
Change the mode of the kernel core dump data directory.
# chmod 0700 [savecore directory]

b
The kernel core dump data directory must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-48009 - SV-60881r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080100
Vuln IDs
  • V-48009
Rule IDs
  • SV-60881r1_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not group-owned by a system group, the core dumps contained in the directory may be subject to unauthorized access.
Checks: C-50445r1_chk

The root role is required.
This check applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine the location of the system dump directory.
# dumpadm | grep directory
Check the group ownership of the core dump data directory itself (the -d option lists the directory rather than its contents).
# ls -ld [savecore directory]
If the directory is not group-owned by root, this is a finding.
In Solaris 11, /var/crash is linked to /var/share/crash.

Fix: F-51621r2_fix

The root role is required.
This action applies to the global zone only.
Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the system dump directory.
# dumpadm | grep directory
Change the group-owner of the kernel core dump data directory.
# chgrp root [kernel core dump data directory]
In Solaris 11, /var/crash is linked to /var/share/crash.

b
The kernel core dump data directory must be owned by root.
CM-6 - Medium - CCI-000366 - V-48011 - SV-60883r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080090
Vuln IDs
  • V-48011
Rule IDs
  • SV-60883r1_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.
Checks: C-50447r1_chk

The root role is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the location of the system dump directory.
# dumpadm | grep directory

Check the ownership of the kernel core dump data directory.
# ls -ld [savecore directory]
If the kernel core dump data directory is not owned by root, this is a finding.

In Solaris 11, /var/crash is linked to /var/share/crash.

Fix: F-51623r1_fix

The root role is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

Determine the location of the system dump directory.
# dumpadm | grep directory

Change the owner of the kernel core dump data directory to root.
# chown root [savecore directory]

In Solaris 11, /var/crash is linked to /var/share/crash.

Kernel core dumps must be disabled unless needed.
CM-6 - Medium - CCI-000366 - V-48013 - SV-60885r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080080
Vuln IDs
  • V-48013
Rule IDs
  • SV-60885r1_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.
Checks: C-50449r1_chk

The root role is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Verify savecore is not used.
# dumpadm | grep 'Savecore enabled'
If the value is yes, this is a finding.

Fix: F-51625r1_fix

The root role is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

Disable savecore.
# dumpadm -n

The centralized process core dump data directory must have mode 0700 or less permissive.
CM-6 - Medium - CCI-000366 - V-48015 - SV-60887r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080070
Vuln IDs
  • V-48015
Rule IDs
  • SV-60887r1_rule
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the process core dump data directory has a mode more permissive than 0700, unauthorized users may be able to view or to modify sensitive information contained in any process core dumps in the directory.
Checks: C-50451r1_chk

Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the permissions of the directory.
# ls -lLd [core file directory]
If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.

Fix: F-51627r1_fix

The root role is required. Change the mode of the core file directory.
# chmod 0700 [core file directory]

The centralized process core dump data directory must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-48017 - SV-60889r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080060
Vuln IDs
  • V-48017
Rule IDs
  • SV-60889r2_rule
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centralized process core dump data directory is not group-owned by a system group, the core dumps contained in the directory may be subject to unauthorized access.
Checks: C-50453r1_chk

Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the group ownership of the directory.
# ls -lLd [core file directory]
If the directory is not group-owned by root, this is a finding.

Fix: F-51629r1_fix

The root role is required. Change the group-owner of the core file directory.
# chgrp root [core file directory]

The centralized process core dump data directory must be owned by root.
CM-6 - Medium - CCI-000366 - V-48019 - SV-60891r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080050
Vuln IDs
  • V-48019
Rule IDs
  • SV-60891r1_rule
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centralized process core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.
Checks: C-50455r1_chk

Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the ownership of the directory.
# ls -lLd [core file directory]
If the directory is not owned by root, this is a finding.

Fix: F-51631r1_fix

The root role is required. Change the owner of the core file directory.
# chown root [core file directory]

Process core dumps must be disabled unless needed.
CM-6 - Medium - CCI-000366 - V-48021 - SV-60893r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080040
Vuln IDs
  • V-48021
Rule IDs
  • SV-60893r2_rule
Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which may result in denial of service. Process core dumps can be useful for software debugging.
Checks: C-50457r2_chk

Check the process core dump configuration.
# coreadm | grep enabled
If any lines are returned by coreadm other than "logging", this is a finding.

Fix: F-51633r2_fix

The Maintenance and Repair profile is required. Change the process core dump configuration to disable core dumps globally and on a per process basis.
# coreadm -d global
# coreadm -d process
# coreadm -d global-setid
# coreadm -d proc-setid
# coreadm -e log

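Added example (not part of the STIG or of any Oracle tooling): a POSIX shell script that applies the kernel and process core dump checks above (V-48009 through V-48021) to captured command output, so the pass/fail logic can be verified off the Solaris host. The dumpadm, coreadm and "ls -ld" strings are constructed samples in the formats those commands print; on a live system the same functions would be fed the real output, for example savecore_dir "$(dumpadm)".

```sh
#!/bin/sh
# Added example, not part of the STIG: evaluate the kernel and process core
# dump rules V-48009 through V-48021 against captured command output, so the
# decision logic can be exercised off-box. Every command output below is
# CONSTRUCTED in the format dumpadm, coreadm and "ls -ld" print on Solaris 11.

DUMPADM_OUT='      Dump content: kernel pages
       Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
  Savecore enabled: yes
   Save compressed: on'

COREADM_OUT='     global core file pattern: /var/cores/core.%f.%p
     global core file content: default
       init core file pattern: core
       init core file content: default
            global core dumps: disabled
       per-process core dumps: enabled
      global setid core dumps: disabled
 per-process setid core dumps: disabled
     global core dump logging: enabled'

# Constructed "ls -ld" lines for the dump directory: compliant and not.
LS_GOOD='drwx------   2 root     root           2 Jan  1 00:00 /var/crash'
LS_BAD='drwxr-xr-x   2 root     sys            2 Jan  1 00:00 /var/crash'

# V-48009/V-48011: print the savecore directory named in dumpadm output.
savecore_dir() {
    printf '%s\n' "$1" | awk -F': *' '/Savecore directory/ { print $2 }'
}

# V-48015 to V-48019: print the directory part of the global core file
# pattern from coreadm output (the file name template is dropped).
core_file_dir() {
    printf '%s\n' "$1" | awk -F': *' '/global core file pattern/ { print $2 }' |
        sed 's:/[^/]*$::'
}

# V-48013: succeed when savecore is disabled.
savecore_disabled() {
    printf '%s\n' "$1" | grep -q 'Savecore enabled: *no'
}

# V-48009/V-48011/V-48015 to V-48019: succeed when an "ls -ld" line shows
# owner root, group root and no group/other permission bits (0700 or tighter).
dir_locked_down() {
    set -- $1                     # fields: mode links owner group size ...
    [ "$3" = root ] || return 1
    [ "$4" = root ] || return 1
    case "$1" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# V-48021: succeed when the only "enabled" line in coreadm output is the
# logging one. awk keeps the count at 0 when nothing is enabled, whereas a
# "grep -c" pipeline would exit non-zero there.
process_dumps_disabled() {
    n=$(printf '%s\n' "$1" | awk '/enabled/ && !/logging/ { c++ } END { print c+0 }')
    [ "$n" -eq 0 ]
}

# Turn a check function's exit status into the STIG's vocabulary.
verdict() { if "$@"; then echo compliant; else echo finding; fi; }

report() {
    echo "savecore directory: $(savecore_dir "$DUMPADM_OUT")"
    echo "V-48013 savecore disabled: $(verdict savecore_disabled "$DUMPADM_OUT")"
    echo "core file directory: $(core_file_dir "$COREADM_OUT")"
    echo "dump directory (good line): $(verdict dir_locked_down "$LS_GOOD")"
    echo "dump directory (bad line): $(verdict dir_locked_down "$LS_BAD")"
    echo "V-48021 process dumps disabled: $(verdict process_dumps_disabled "$COREADM_OUT")"
}

report
```

With the constructed samples the script reports the savecore and per-process core dump rules as findings, and accepts only the "ls -ld" line whose owner, group and mode all satisfy the directory rules at once.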
Address Space Layout Randomization (ASLR) must be enabled.
CM-6 - Low - CCI-000366 - V-48023 - SV-60895r3_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-080030
Vuln IDs
  • V-48023
Rule IDs
  • SV-60895r3_rule
Modification of memory area can result in executable code vulnerabilities. ASLR can reduce the likelihood of these attacks. ASLR activates the randomization of key areas of the process such as stack, brk-based heap, memory mappings, and so forth.
Checks: C-50459r3_chk

This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine if address space layout randomization is enabled. First determine the OS version you are currently securing:
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# sxadm info -p | grep aslr | grep enabled

For Solaris 11.4 or newer:
# sxadm status -p -o status aslr | grep enabled

If no output is produced, this is a finding.

Fix: F-51635r1_fix

The root role is required. This action applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.

Enable address space layout randomization.
# sxadm delcust aslr

Enabling ASLR may affect the function or stability of some applications, including those that use Solaris Intimate Shared Memory features.

The system must implement non-executable program stacks.
CM-6 - Medium - CCI-000366 - V-48025 - SV-60897r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080020
Vuln IDs
  • V-48025
Rule IDs
  • SV-60897r2_rule
A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.
Checks: C-50461r2_chk

Determine the OS version you are currently securing.
# uname -v

If the OS version is 11.3 or newer, this check applies to all zones and relies on the "sxadm" command. Determine if the system implements non-executable program stacks.
# sxadm status -p nxstack | cut -d: -f2
enabled (all)
If the command output is not "enabled (all)", this is a finding.

For Solaris 11, 11.1, and 11.2, this check applies to the global zone only and the "/etc/system" file is inspected. Determine the zone that you are currently securing.
# zonename
If the command output is "global", determine if the system implements non-executable program stacks.
# grep noexec_user_stack /etc/system
If noexec_user_stack is not set to 1, this is a finding.

Fix: F-51637r2_fix

The root role is required. Determine the OS version you are currently securing.
# uname -v

If the OS version is 11.3 or newer, enable non-executable program stacks using the "sxadm" command.
# pfexec sxadm enable nxstack

For Solaris 11, 11.1, and 11.2, this action applies to the global zone only and the "/etc/system" file is updated. Determine the zone that you are currently securing.
# zonename
If the command output is "global", modify the "/etc/system" file.
# pfedit /etc/system
Add the line:
set noexec_user_stack=1
Solaris 11, 11.1, and 11.2 systems will need to be restarted for the setting to take effect.

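Added example (not part of the STIG): a POSIX shell script that selects the right branch of the ASLR (V-48023) and non-executable stack (V-48025) checks from the "uname -v" value and then evaluates the sxadm status or /etc/system contents. All inputs are constructed samples: the version strings, the sxadm status values and the two /etc/system excerpts. It also shows why a bare "grep noexec_user_stack /etc/system" is not a sufficient test: comment lines in that file start with "*", and a commented-out copy of the setting still matches the grep.

```sh
#!/bin/sh
# Added example, not part of the STIG: version-aware evaluation of the ASLR
# (V-48023) and non-executable stack (V-48025) checks against captured
# output. The "uname -v" strings, sxadm status values and /etc/system
# contents used here are CONSTRUCTED samples.

# Constructed /etc/system contents. Comments in that file start with "*",
# so the first sample has the tunable only in a comment.
ETC_SYSTEM_COMMENTED='* Uncomment to enable non-executable user stacks:
* set noexec_user_stack=1'
ETC_SYSTEM_ACTIVE='* Added for SOL-11.1-080020
set noexec_user_stack=1
set noexec_user_stack_log=1'

# Print which branch of the V-48025 check applies to a "uname -v" value:
# "sxadm" for 11.3 or newer, "etc_system" for 11, 11.1 and 11.2.
nxstack_method() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)   # empty when there is no "."
    case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
    if [ "$major" -gt 11 ] || { [ "$major" -eq 11 ] && [ "$minor" -ge 3 ]; }; then
        echo sxadm
    else
        echo etc_system
    fi
}

# Succeed when the status column of "sxadm status -p -o status <ext>" shows
# the extension enabled: nxstack must read exactly "enabled (all)", while
# the ASLR check accepts any status beginning with "enabled".
sxadm_enabled() {
    ext=$1; status=$2
    case "$ext" in
        nxstack) [ "$status" = "enabled (all)" ] ;;
        *)       case "$status" in enabled*) return 0 ;; *) return 1 ;; esac ;;
    esac
}

# Succeed when /etc/system content ($1) has an active "set noexec_user_stack=1".
# The check's "grep noexec_user_stack /etc/system" also prints commented-out
# lines and the separate noexec_user_stack_log tunable; anchoring on the
# exact setting keeps either from being mistaken for the control itself.
etc_system_nxstack() {
    printf '%s\n' "$1" |
        grep -q '^[[:space:]]*set[[:space:]]*noexec_user_stack[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Combine the pieces for one host: $1 = "uname -v" output, $2 = sxadm status
# for nxstack (unused on older releases), $3 = /etc/system content.
nxstack_compliant() {
    case "$(nxstack_method "$1")" in
        sxadm)      sxadm_enabled nxstack "$2" ;;
        etc_system) etc_system_nxstack "$3" ;;
    esac
}

for v in 11.1 11.3 11.4.29.82.4; do
    echo "uname -v $v -> check via $(nxstack_method "$v")"
done
if nxstack_compliant 11.1 '' "$ETC_SYSTEM_COMMENTED"; then
    echo "11.1 with commented setting: compliant"
else
    echo "11.1 with commented setting: finding"
fi
```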
The operating system must be a supported release.
CM-6 - High - CCI-000366 - V-48027 - SV-60899r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-080010
Vuln IDs
  • V-48027
Rule IDs
  • SV-60899r1_rule
An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Checks: C-50463r1_chk

Determine the operating system version.
# uname -a
If the release is not supported by the vendor, this is a finding.

Fix: F-51639r1_fix

Upgrade to a supported version of the operating system.

The operator must document all file system objects that have non-standard access control list settings.
CM-6 - Medium - CCI-000366 - V-48029 - SV-60901r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070260
Vuln IDs
  • V-48029
Rule IDs
  • SV-60901r1_rule
Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files.
Checks: C-50465r1_chk

The root role is required. Identify all file system objects that have non-standard access control lists enabled.
# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
    -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
    -o -fstype proc \) -prune -o -acl -ls
This command should return no output. If output is created, this is a finding. If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.

Fix: F-51641r1_fix

The root role is required. Remove ACLs that are not approved in the security policy.

For ZFS file systems, remove all extended ACLs with the following command:
# chmod A- [filename]

For UFS file systems, determine the ACLs that are set on a file:
# getfacl [filename]
Remove any ACL configurations that are set:
# setfacl -d [ACL] [filename]

The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
AU-9 - Medium - CCI-001352 - V-48031 - SV-60903r2_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001352
Version
SOL-11.1-070250
Vuln IDs
  • V-48031
Rule IDs
  • SV-60903r2_rule
Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an operating system which the user being audited has privileged access to. The privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.
Checks: C-50467r2_chk

The audit configuration profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.

Determine the location of the local audit trail files.
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;
In this example, the audit files can be found in /var/audit.

Check that the permissions on the audit files are 640 (rw- r-- ---) or less permissive.
# ls -al /var/audit
# ls -l /var/audit/*
If the permissions are more permissive than 640, this is a finding.

Note: The default Solaris 11 location for /var/audit is a link to /var/share/audit.

Fix: F-51643r3_fix

The root role is required. Determine the location of the local audit trail files.
# pfexec auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1
In this example, the audit files can be found in /var/audit.

Change the permissions on the audit trail files and the audit directory.
# chmod 640 /var/share/audit/*
# chmod 750 /var/share/audit

Note: The default Solaris 11 location for /var/audit is a link to /var/share/audit.

The operating system must reveal error messages only to authorized personnel.
SI-11 - Low - CCI-001314 - V-48033 - SV-60905r2_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001314
Version
SOL-11.1-070240
Vuln IDs
  • V-48033
Rule IDs
  • SV-60905r2_rule
Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages.
Checks: C-50469r3_chk

Check the permissions of the /var/adm/messages file:
# ls -l /var/adm/messages
Check the permissions of the /var/adm directory:
# ls -ld /var/adm
If the owner and group of /var/adm/messages are not root and the permissions are not 640, this is a finding.
If the owner of /var/adm is not root, the group is not sys, and the permissions are not 750, this is a finding.

Fix: F-51645r2_fix

The root role is required. Change the permissions and owner on the /var/adm/messages file:
# chmod 640 /var/adm/messages
# chown root /var/adm/messages
# chgrp root /var/adm/messages
Change the permissions and owner on the /var/adm directory:
# chmod 750 /var/adm
# chown root /var/adm
# chgrp sys /var/adm

The root account must be the only account with GID of 0.
CM-6 - Medium - CCI-000366 - V-48035 - SV-60907r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070220
Vuln IDs
  • V-48035
Rule IDs
  • SV-60907r1_rule
All accounts with a GID of 0 have root group privileges and must be limited to the group account only.
Checks: C-50471r1_chk

Identify any users with GID of 0.
# awk -F: '$4 == 0' /etc/passwd
# awk -F: '$3 == 0' /etc/group
Confirm the only account with a group id of 0 is root. If the root account is not the only account with GID of 0, this is a finding.

Fix: F-51647r1_fix

The root role is required. Change the default GID of non-root accounts to a valid GID other than 0.

The operating system must have no files with extended attributes.
CM-6 - Low - CCI-000366 - V-48037 - SV-60909r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-070210
Vuln IDs
  • V-48037
Rule IDs
  • SV-60909r2_rule
Attackers or malicious users could hide information, exploits, etc. in extended attribute areas. Since extended attributes are rarely used, it is important to find files with extended attributes set and correct these attributes.
Checks: C-50473r2_chk

The root role is required. Identify all files with extended attributes.
# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
    -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
    -o -fstype proc \) -prune -o -xattr -ls
If output is produced, this is a finding.

Fix: F-51649r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine the existence of any files having extended file attributes, and determine the best course of action in accordance with site policy. Remove the files or the extended attributes.

The operating system must have no unowned files.
CM-6 - Medium - CCI-000366 - V-48039 - SV-60911r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070200
Vuln IDs
  • V-48039
Rule IDs
  • SV-60911r1_rule
A new user who is assigned a deleted user's user ID or group ID may then end up owning these files, and thus have more access on the system than was intended.
Checks: C-50475r1_chk

The root role is required. Identify all files that are owned by a user or group not listed in /etc/passwd or /etc/group.
# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
    -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
    -o -fstype proc \) -prune -o \( -nouser -o -nogroup \) -ls
If output is produced, this is a finding.

Fix: F-51651r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine the existence of any files that are not attributed to current users or groups on the system, and determine the best course of action in accordance with site policy. Remove the files and directories or change their ownership.

The delay between login prompts following a failed login attempt must be at least 4 seconds.
CM-6 - Medium - CCI-000366 - V-48043 - SV-60915r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040160
Vuln IDs
  • V-48043
Rule IDs
  • SV-60915r1_rule
An immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user.
Checks: C-50479r1_chk

Check the SLEEPTIME parameter in the /etc/default/login file.
# grep ^SLEEPTIME /etc/default/login
If the output is not SLEEPTIME=4 or more, this is a finding.

Fix: F-51655r1_fix

The root role is required.
# pfedit /etc/default/login
Locate the line containing:
SLEEPTIME
Change the line to read:
SLEEPTIME=4

The system must require users to re-authenticate to unlock a graphical desktop environment.
AC-11 - Medium - CCI-000056 - V-48045 - SV-60917r4_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000056
Version
SOL-11.1-040170
Vuln IDs
  • V-48045
Rule IDs
  • SV-60917r4_rule
Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.
Checks: C-50481r5_chk

If the system is not running XWindows, this check does not apply.

Determine if the screen saver timeout is configured properly.
# grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver
If the output is not:
*timeout: 0:15:00
or a shorter time interval, this is a finding.
# grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver
If the output is not:
*lockTimeout: 0:00:05
or a shorter time interval, this is a finding.
# grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver
If the output is not:
*lock: True
this is a finding.

For each existing user, check the configuration of their personal .xscreensaver file.
# grep "^timeout:" $HOME/.xscreensaver
If the output is not:
timeout: 0:15:00
or a shorter time interval, this is a finding.
# grep "^lockTimeout:" $HOME/.xscreensaver
If the output is not:
lockTimeout: 0:00:05
or a shorter time interval, this is a finding.
# grep "^lock:" $HOME/.xscreensaver
If the output is not:
lock: True
this is a finding.

Fix: F-51657r3_fix

The root role is required. Edit the global screensaver configuration file to ensure a 15 minute screen lock.
# pfedit /usr/share/X11/app-defaults/XScreenSaver
Find the timeout control lines and change them to read:
*timeout: 0:15:00
*lockTimeout: 0:00:05
*lock: True

For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values.
# pfedit $HOME/.xscreensaver
Find the timeout control lines and change them to read:
timeout: 0:15:00
lockTimeout: 0:00:05
lock: True

Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
AC-11 - Medium - CCI-000057 - V-48047 - SV-60919r3_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
SOL-11.1-040180
Vuln IDs
  • V-48047
Rule IDs
  • SV-60919r3_rule
Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.
Checks: C-50483r3_chk

If the system is not running XWindows, this check does not apply.

Determine if the screen saver timeout is configured properly.
# grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver
If the output is not:
*timeout: 0:15:00
this is a finding.
# grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver
If the output is not:
*lockTimeout: 0:00:05
this is a finding.
# grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver
If the output is not:
*lock: True
this is a finding.

For each existing user, check the configuration of their personal .xscreensaver file.
# grep "^lock:" $HOME/.xscreensaver
If the output is not:
lock: True
this is a finding.
# grep "^lockTimeout:" $HOME/.xscreensaver
If the output is not:
lockTimeout: 0:00:05
this is a finding.

Fix: F-51659r2_fix

The root role is required. Edit the global screensaver configuration file to ensure a 15 minute screen lock.
# pfedit /usr/share/X11/app-defaults/XScreenSaver
Find the timeout control lines and change them to read:
*timeout: 0:15:00
*lockTimeout: 0:00:05
*lock: True

For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values.
# pfedit $HOME/.xscreensaver
Find the timeout control lines and change them to read:
timeout: 0:15:00
lockTimeout: 0:00:05
lock: True

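Added example (not part of the STIG): a POSIX shell script that evaluates the XScreenSaver resources required by V-48045 and V-48047 from file contents passed as a string, so "0:15:00 or a shorter time interval" is decided by converting the H:MM:SS values to seconds rather than by comparing strings. The app-defaults and per-user excerpts are constructed; on a host the same functions take "$(cat /usr/share/X11/app-defaults/XScreenSaver)" and "$(cat $HOME/.xscreensaver)".

```sh
#!/bin/sh
# Added example, not part of the STIG: evaluate the XScreenSaver resources
# required by V-48045 and V-48047 from file contents passed as a string.
# Both file excerpts below are CONSTRUCTED.

APP_DEFAULTS='! constructed excerpt of /usr/share/X11/app-defaults/XScreenSaver
*timeout:       0:10:00
*cycle:         0:10:00
*lockTimeout:   0:00:05
*lock:          True'

USER_FILE='# constructed $HOME/.xscreensaver
timeout:        0:20:00
lockTimeout:    0:00:05
lock:           False'

# Convert an X resource time value (H:MM:SS, M:SS or plain seconds) to seconds.
to_seconds() {
    printf '%s\n' "$1" |
        awk -F: '{ s = 0; for (i = 1; i <= NF; i++) s = s * 60 + $i; print s }'
}

# Print the value of resource $2 from file content $1. $3 is "global" for
# the app-defaults file (resources carry a leading "*") or "user" for a
# personal .xscreensaver (no "*"). Only the first matching line is used.
resource_value() {
    if [ "$3" = global ]; then k="*$2:"; else k="$2:"; fi
    printf '%s\n' "$1" | awk -v k="$k" '$1 == k { print $2; exit }'
}

# Succeed when timeout is at most 15 minutes, lockTimeout at most 5 seconds
# and lock is True; a missing resource is treated as a finding.
screensaver_ok() {
    content=$1; scope=$2
    t=$(resource_value "$content" timeout "$scope")
    l=$(resource_value "$content" lockTimeout "$scope")
    lock=$(resource_value "$content" lock "$scope")
    [ -n "$t" ] || return 1
    [ -n "$l" ] || return 1
    [ "$(to_seconds "$t")" -le 900 ] || return 1
    [ "$(to_seconds "$l")" -le 5 ] || return 1
    [ "$lock" = True ]
}

if screensaver_ok "$APP_DEFAULTS" global; then echo "app-defaults: compliant"; else echo "app-defaults: finding"; fi
if screensaver_ok "$USER_FILE" user; then echo "user file: compliant"; else echo "user file: finding"; fi
```

The constructed app-defaults excerpt passes (a 10 minute timeout is shorter than 15), while the per-user file fails on both its 20 minute timeout and lock: False.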
The system must prevent the use of dictionary words for passwords.
CM-6 - Medium - CCI-000366 - V-48053 - SV-60925r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040190
Vuln IDs
  • V-48053
Rule IDs
  • SV-60925r1_rule
The use of common words in passwords simplifies password-cracking attacks.
Checks: C-50485r1_chk

Check /etc/default/passwd for dictionary check configuration.
# grep ^DICTION /etc/default/passwd
If the DICTIONLIST or DICTIONDBDIR settings are not present and are not set to:
DICTIONLIST=/usr/share/lib/dict/words
DICTIONDBDIR=/var/passwd
this is a finding.

Determine if the target files exist.
# ls -l /usr/share/lib/dict/words /var/passwd
If the files defined by DICTIONLIST or DICTIONDBDIR are not present or are empty, this is a finding.

Fix: F-51661r1_fix

The root role is required.
# pfedit /etc/default/passwd
Insert the lines:
DICTIONLIST=/usr/share/lib/dict/words
DICTIONDBDIR=/var/passwd
Generate the password dictionary by running the mkpwdict command.
# mkpwdict -s /usr/share/lib/dict/words

The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
CM-5 - Medium - CCI-000345 - V-48055 - SV-60927r2_rule
RMF Control
CM-5
Severity
M
CCI
CCI-000345
Version
SOL-11.1-040200
Vuln IDs
  • V-48055
Rule IDs
  • SV-60927r2_rule
Allowing any user to elevate their privileges can allow them excessive control of the system tools.
Checks: C-50487r1_chk

Verify the root user is configured as a role, rather than a normal user.
# userattr type root
If the command does not return the word "role", this is a finding.

Verify at least one local user has been assigned the root role.
# grep '[:;]roles=root[^;]*' /etc/user_attr
If no lines are returned, or no users are permitted to assume the root role, this is a finding.

Fix: F-51663r2_fix

The root role is required. Convert the root user into a role.
# usermod -K type=role root
Add the root role to authorized users' logins.
# usermod -R +root [username]
Remove the root role from users who should not be authorized to assume it.
# usermod -R -root [username]

The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
IA-2 - Medium - CCI-000770 - V-48057 - SV-60929r2_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
SOL-11.1-040230
Vuln IDs
  • V-48057
Rule IDs
  • SV-60929r2_rule
Allowing any user to elevate their privileges can allow them excessive control of the system tools.
Checks: C-50489r1_chk

Verify the root user is configured as a role, rather than a normal user.
# userattr type root
If the command does not return the word "role", this is a finding.

Verify at least one local user has been assigned the root role.
# grep '[:;]roles=root[^;]*' /etc/user_attr
If no lines are returned, or no users are permitted to assume the root role, this is a finding.

Fix: F-51665r2_fix

The root role is required. Convert the root user into a role.
# usermod -K type=role root
Add the root role to authorized users' logins.
# usermod -R +root [username]
Remove the root role from users who should not be authorized to assume it.
# usermod -R -root [username]

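Added example (not part of the STIG) for the two identical checks above, V-48055 and V-48057: a POSIX shell script that parses /etc/user_attr contents passed as a string, reports whether root is a role and lists the users whose roles= attribute actually contains root. The user_attr lines are constructed, including a deliberately named "rootadmin" role to show that the grep pattern in the check, '[:;]roles=root[^;]*', also matches a user who holds only that role; on a host the functions take "$(cat /etc/user_attr)".

```sh
#!/bin/sh
# Added example, not part of the STIG: evaluate V-48055/V-48057 from the
# contents of /etc/user_attr passed as a string rather than with the grep in
# the check text. The user_attr lines below are CONSTRUCTED. Format:
# user:qualifier:res1:res2:attr, with attr a ";"-separated key=value list.

USER_ATTR='# constructed /etc/user_attr excerpt
root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no
jdoe::::roles=root;profiles=Basic Solaris User
ops::::roles=rootadmin;profiles=System Administrator
asmith::::roles=backup,root,rootadmin;profiles=Basic Solaris User
svc::::type=normal;profiles=Basic Solaris User'

# Print the value of attribute $3 for user $2 in content $1 (empty if absent).
user_attr_value() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v a="$3" '
        /^[[:space:]]*#/ { next }
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == a) { print substr(kv[i], eq + 1); exit }
            }
        }'
}

# Succeed when root is defined as a role, as "userattr type root" reports.
root_is_role() {
    [ "$(user_attr_value "$1" root type)" = role ]
}

# Print, one per line, the users whose roles= list contains exactly "root".
# A role named "rootadmin" does not count, although the check's
# grep '[:;]roles=root[^;]*' pattern matches that entry as well.
users_with_root_role() {
    printf '%s\n' "$1" | awk -F: '
        /^[[:space:]]*#/ { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] ~ /^roles=/) {
                m = split(substr(kv[i], 7), r, ",")
                for (j = 1; j <= m; j++) if (r[j] == "root") { print $1; break }
            }
        }'
}

# Succeed when root is a role and at least one user may assume it.
root_role_ok() {
    root_is_role "$1" && [ -n "$(users_with_root_role "$1")" ]
}

if root_is_role "$USER_ATTR"; then echo "root is a role: yes"; else echo "root is a role: no"; fi
echo "users assigned the root role:"
users_with_root_role "$USER_ATTR"
```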
All valid SUID/SGID files must be documented.
CM-6 - Low - CCI-000366 - V-48059 - SV-60931r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-070190
Vuln IDs
  • V-48059
Rule IDs
  • SV-60931r2_rule
There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate.
Checks: C-50493r2_chk

The root role is required.
# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
    -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
    -o -fstype proc \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print
Output should only be Solaris-provided files and approved customer files.

Solaris-provided SUID/SGID files can be listed using the command:
# pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode

Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example:
# elfsign verify -e /usr/bin/su
elfsign: verification of /usr/bin/su passed.
This message indicates that the binary is properly signed.

If non-vendor provided or non-approved files are included in the list, this is a finding.

Fix: F-51669r1_fix

The root role is required. Determine the existence of any set-UID programs that do not belong on the system, and work with the owners (or system administrator) to determine the best course of action in accordance with site policy.

The default umask for system and users must be 077.
CM-6 - Medium - CCI-000366 - V-48061 - SV-60933r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040250
Vuln IDs
  • V-48061
Rule IDs
  • SV-60933r2_rule
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
Checks: C-50491r1_chk

The root role is required. Determine if the default umask is configured properly.
# grep -i "^UMASK=" /etc/default/login
If "UMASK=077" is not displayed, this is a finding.

Check local initialization files:
# cut -d: -f1 /etc/passwd | xargs -n1 -iUSER sh -c "grep umask ~USER/.*"
If this command does not output a line indicating "umask 077" for each user, this is a finding.

Fix: F-51667r2_fix

The root role is required. Edit local and global initialization files containing "umask" and change them to use 077.
# pfedit /etc/default/login
Insert the line:
UMASK=077
# pfedit [user initialization file]
Insert the line:
umask 077

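Added example (not part of the STIG) serving three of the /etc/default checks above, V-48043 (SLEEPTIME), V-48053 (DICTIONLIST and DICTIONDBDIR) and V-48061 (UMASK): a POSIX shell script that reads KEY=VALUE settings from /etc/default/login and /etc/default/passwd contents passed as a string, skipping the commented-out defaults those files ship with. The two file excerpts are constructed; on a host the functions take "$(cat /etc/default/login)" and "$(cat /etc/default/passwd)". The SLEEPTIME=4 line that appears only as a comment in the sample is the case a grep without the "^" anchor would wrongly accept.

```sh
#!/bin/sh
# Added example, not part of the STIG: read the KEY=VALUE settings that
# V-48043 (SLEEPTIME), V-48053 (DICTIONLIST/DICTIONDBDIR) and V-48061 (UMASK)
# require from /etc/default/login and /etc/default/passwd, honouring the
# commented-out defaults those files ship with. Both excerpts are CONSTRUCTED.

LOGIN_DEFAULTS='# constructed /etc/default/login excerpt
#SLEEPTIME=4
SLEEPTIME=2
UMASK=077
#UMASK=022'

PASSWD_DEFAULTS='# constructed /etc/default/passwd excerpt
MAXWEEKS=
MINWEEKS=
DICTIONLIST=/usr/share/lib/dict/words
#DICTIONDBDIR=/var/passwd'

# Print the effective value of KEY ($2) in file content $1: comment lines
# are skipped and the last uncommented assignment wins. A grep without the
# "^" anchor would also report the "#SLEEPTIME=4" comment above and make
# this file look compliant.
default_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k          { v = substr($0, index($0, "=") + 1) }
        END              { print v }'
}

# V-48043: SLEEPTIME must be a number of at least 4.
sleeptime_ok() {
    v=$(default_value "$1" SLEEPTIME)
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge 4 ]
}

# V-48061: UMASK must be exactly 077.
umask_ok() {
    [ "$(default_value "$1" UMASK)" = 077 ]
}

# V-48053: both dictionary settings must name the required paths.
dictionary_ok() {
    [ "$(default_value "$1" DICTIONLIST)" = /usr/share/lib/dict/words ] &&
        [ "$(default_value "$1" DICTIONDBDIR)" = /var/passwd ]
}

for check in sleeptime_ok umask_ok; do
    if $check "$LOGIN_DEFAULTS"; then echo "$check: compliant"; else echo "$check: finding"; fi
done
if dictionary_ok "$PASSWD_DEFAULTS"; then echo "dictionary_ok: compliant"; else echo "dictionary_ok: finding"; fi
```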
World-writable files must not exist.
CM-6 - Medium - CCI-000366 - V-48063 - SV-60935r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070180
Vuln IDs
  • V-48063
Rule IDs
  • SV-60935r1_rule
Data in world-writable files can be read, modified, and potentially compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.
Checks: C-50495r1_chk

The root role is required. Check for the existence of world-writable files.
# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
    -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
    -o -fstype proc \) -prune -o -type f -perm -0002 -print
If output is produced, this is a finding.

Fix: F-51671r1_fix

The root role is required. Change the permissions of the files identified in the check step to remove the world-writable permission.
# pfexec chmod o-w [filename]

The system must not allow users to configure .forward files.
CM-6 - Medium - CCI-000366 - V-48065 - SV-60937r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070170
Vuln IDs
  • V-48065
Rule IDs
  • SV-60937r1_rule
Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions.
Checks: C-50497r2_chk

The root role is required.
# for dir in \
    `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
      ls -l ${dir}/.forward 2>/dev/null
  done
If output is produced, this is a finding.

Fix: F-51673r1_fix

The root role is required. Remove any .forward files that are found.
# pfexec rm [filename]

User .netrc files must not exist.
CM-6 - Medium - CCI-000366 - V-48067 - SV-60939r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070160
Vuln IDs
  • V-48067
Rule IDs
  • SV-60939r2_rule
The .netrc file presents a significant security risk since it stores passwords in unencrypted form.
Checks: C-50499r2_chk

The root role is required. Check for the presence of user .netrc files.
# for dir in \
    `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
      ls -l ${dir}/.netrc 2>/dev/null
  done
If output is produced, this is a finding.

Fix: F-51675r1_fix

The root role is required. Determine if any .netrc files exist, and work with the owners to determine the best course of action in accordance with site policy.

Duplicate group names must not exist.
CM-6 - Medium - CCI-000366 - V-48069 - SV-60941r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070150
Vuln IDs
  • V-48069
Rule IDs
  • SV-60941r2_rule
If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group name in the group file. Effectively, the GID is shared, which is a security risk.
Checks: C-50501r3_chk

The root role is required. Check for duplicate group names.
# getent group | cut -f1 -d":" | sort -n | uniq -c |\
  while read x y ; do
    [ -z "${x}" ] && break
    if [ ${x} -gt 1 ]; then
      gids=`getent group |\
        nawk -F: '($1 == n) { print $3 }' n=${y} | xargs`
      echo "Duplicate Group Name (${y}): ${gids}"
    fi
  done
If output is produced, this is a finding.

Fix: F-51677r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any duplicate group names, and work with their respective owners to determine the best course of action in accordance with site policy. Delete or change the group name of duplicate groups.

The default umask for FTP users must be 077.
CM-6 - Low - CCI-000366 - V-48071 - SV-60943r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-040260
Vuln IDs
  • V-48071
Rule IDs
  • SV-60943r1_rule
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
Checks: C-50503r1_chk

The package service/network/ftp must be installed for this check.
# pkg list service/network/ftp
If the output of this command is:
pkg list: no packages matching 'service/network/ftp' installed
no further action is required.

Determine if the FTP umask is set to 077.
# egrep -i "^UMASK" /etc/proftpd.conf | awk '{ print $2 }'
If 077 is not displayed, this is a finding.

Fix: F-51679r1_fix

The root role is required.
# pkg list service/network/ftp
If the output of this command is:
pkg list: no packages matching 'service/network/ftp' installed
no further action is required. Otherwise, edit the FTP configuration file.
# pfedit /etc/proftpd.conf
Locate the line containing:
Umask
Change the line to read:
Umask 077

b
Duplicate user names must not exist.
CM-6 - Medium - CCI-000366 - V-48073 - SV-60945r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070140
Vuln IDs
  • V-48073
Rule IDs
  • SV-60945r1_rule
If a user is assigned a duplicate user name, lookups by name resolve to the first entry for that name in the passwd file, so files are created and accessed using that entry's UID, and actions performed under the name cannot be attributed to a single account.
Checks: C-50505r1_chk

The root role is required. Identify any duplicate user names. Note that uniq -d only detects adjacent duplicates, so the names must be sorted first.
# getent passwd | awk -F: '{print $1}' | sort | uniq -d
If output is produced, this is a finding.

Fix: F-51681r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any duplicate user names, and work with their respective owners to determine the best course of action in accordance with site policy. Delete or change the user name of duplicate users.

a
The value mesg n must be configured as the default setting for all users.
CM-6 - Low - CCI-000366 - V-48075 - SV-60947r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-040270
Vuln IDs
  • V-48075
Rule IDs
  • SV-60947r2_rule
The "mesg n" command blocks attempts to use the "write" or "talk" commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's TTY device.
Checks: C-50507r1_chk

Determine if "mesg n" is the default for users.
# grep "^mesg" /etc/.login
# grep "^mesg" /etc/profile
If either of these commands produces a line:
mesg y
this is a finding.
For each existing user on the system, enter the command:
# mesg
If the command output is:
is y
this is a finding.
Note: mesg reports the setting of the terminal it is run from, so this command must be run from a login session as each user; running it from the root role reports only the administrator's own terminal.

Fix: F-51683r2_fix

The root role is required. Edit the default profile configuration files.
# pfedit /etc/profile
# pfedit /etc/.login
In each file add a new line:
mesg n
For each user on the system, enter the command:
# mesg n

b
Reserved UIDs 0-99 must only be used by system accounts.
CM-6 - Medium - CCI-000366 - V-48077 - SV-60949r7_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070130
Vuln IDs
  • V-48077
Rule IDs
  • SV-60949r7_rule
If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.
Checks: C-50509r8_chk

The root role is required. Check that reserved UIDs are not assigned to non-system users.
Determine the OS version you are currently securing:
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3:
# logins -so | awk -F: '{ print $1 }' | while read user; do
found=0
for tUser in root daemon bin sys adm dladm netadm netcfg \
ftp dhcpserv sshd smmsp gdm zfssnap aiuser \
polkitd ikeuser lp openldap webservd unknown \
uucp nuucp upnp xvm mysql postgres svctag \
pkg5srv nobody noaccess nobody4; do
if [ ${user} = ${tUser} ]; then
found=1
fi
done
if [ $found -eq 0 ]; then
echo "Invalid User with Reserved UID: ${user}"
fi
done
If output is produced without justification and documentation in accordance with site policy, this is a finding.
For Solaris 11.4 or newer:
# logins -so | awk -F: '{ print $1 }' | while read user; do
found=0
for tUser in root daemon bin sys adm dladm netadm \
netcfg dhcpserv sshd smmsp gdm zfssnap aiuser _polkitd \
ikeuser lp openldap webservd unknown \
uucp nuucp upnp xvm mysql postgres svctag \
pkg5srv nobody noaccess nobody4; do
if [ ${user} = ${tUser} ]; then
found=1
fi
done
if [ $found -eq 0 ]; then
echo "Invalid User with Reserved UID: ${user}"
fi
done
If output is produced without justification and documentation in accordance with site policy, this is a finding.

Fix: F-51685r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if there are any accounts using these reserved UIDs, and work with their owners to determine the best course of action in accordance with site policy. This may require deleting users or changing UIDs for users.

b
User accounts must be locked after 35 days of inactivity.
AC-2 - Medium - CCI-000017 - V-48079 - SV-60951r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000017
Version
SOL-11.1-040280
Vuln IDs
  • V-48079
Rule IDs
  • SV-60951r1_rule
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Checks: C-50511r1_chk

Determine whether the 35-day inactivity lock is configured properly.
# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'
If the command returns a result other than 35, this is a finding.
The root role is required for the "logins" command. For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.
# logins -axo -l [username] | awk -F: '{ print $13 }'
If these commands provide output other than 35, this is a finding.

Fix: F-51687r1_fix

The root role is required. Perform the following to implement the recommended state:
# useradd -D -f 35
To set this policy on a user account, use the command:
# usermod -f 35 [username]
To set this policy on a role account, use the command:
# rolemod -f 35 [name]

b
Duplicate Group IDs (GIDs) must not exist for multiple groups.
CM-6 - Medium - CCI-000366 - V-48081 - SV-60953r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070120
Vuln IDs
  • V-48081
Rule IDs
  • SV-60953r1_rule
User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections.
Checks: C-50513r4_chk

The root role is required. Check that group IDs are unique.
# getent group | cut -f3 -d":" | sort -n | uniq -c |\
while read x ; do
[ -z "${x}" ] && break
set - $x
if [ $1 -gt 1 ]; then
grps=`getent group | nawk -F: '($3 == n) { print $1 }' n=$2 | xargs`
echo "Duplicate GID ($2): ${grps}"
fi
done
If output is produced, this is a finding.

Fix: F-51689r1_fix

The root role is required. Work with each respective group owner to remediate this issue and ensure that the group ownership of their files are set to an appropriate value.

b
The operating system must manage information system identifiers for users and devices by disabling the user identifier after 35 days of inactivity.
IA-4 - Medium - CCI-000795 - V-48083 - SV-60955r1_rule
RMF Control
IA-4
Severity
M
CCI
CCI-000795
Version
SOL-11.1-040290
Vuln IDs
  • V-48083
Rule IDs
  • SV-60955r1_rule
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Checks: C-50515r1_chk

Determine whether the 35-day inactivity lock is configured properly.
# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'
If the command returns a result other than 35, this is a finding.
The root role is required for the "logins" command. For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.
# logins -axo -l [username] | awk -F: '{ print $13 }'
If these commands provide output other than 35, this is a finding.

Fix: F-51691r1_fix

The root role is required. Perform the following to implement the recommended state:
# useradd -D -f 35
To set this policy on a user account, use the command:
# usermod -f 35 [username]
To set this policy on a role account, use the command:
# rolemod -f 35 [name]

b
Emergency accounts must be locked after 35 days of inactivity.
AC-2 - Medium - CCI-001682 - V-48085 - SV-60957r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001682
Version
SOL-11.1-040300
Vuln IDs
  • V-48085
Rule IDs
  • SV-60957r1_rule
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Checks: C-50517r1_chk

Determine whether the 35-day inactivity lock is configured properly.
# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'
If the command returns a result other than 35, this is a finding.
The root role is required for the "logins" command. For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.
# logins -axo -l [username] | awk -F: '{ print $13 }'
If these commands provide output other than 35, this is a finding.

Fix: F-51693r1_fix

The root role is required. Perform the following to implement the recommended state:
# useradd -D -f 35
To set this policy on a user account, use the command:
# usermod -f 35 [username]
To set this policy on a role account, use the command:
# rolemod -f 35 [name]

b
Login services for serial ports must be disabled.
CM-6 - Medium - CCI-000366 - V-48087 - SV-60959r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040310
Vuln IDs
  • V-48087
Rule IDs
  • SV-60959r1_rule
Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port.
Checks: C-50519r1_chk

Determine if terminal login services are disabled.
# svcs -Ho state svc:/system/console-login:terma
# svcs -Ho state svc:/system/console-login:termb
If the system/console-login services are not "disabled", this is a finding.

Fix: F-51695r1_fix

The Service Operator profile is required. Disable serial terminal services.
# pfexec svcadm disable svc:/system/console-login:terma
# pfexec svcadm disable svc:/system/console-login:termb

b
The nobody access for RPC encryption key storage service must be disabled.
CM-6 - Medium - CCI-000366 - V-48089 - SV-60961r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040320
Vuln IDs
  • V-48089
Rule IDs
  • SV-60961r2_rule
If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.
Checks: C-50521r2_chk

Determine if the rpc-authdes package is installed:
# pkg list solaris/legacy/security/rpc-authdes
If the output of this command is:
pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed
no further action is required.
Determine if "nobody" access for keyserv is enabled.
# grep "^ENABLE_NOBODY_KEYS=" /etc/default/keyserv
If the output of the command is not:
ENABLE_NOBODY_KEYS=NO
this is a finding.

Fix: F-51697r2_fix

Determine if the rpc-authdes package is installed:
# pkg list solaris/legacy/security/rpc-authdes
If the output of this command is:
pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed
no further action is required.
The root role is required. Modify the /etc/default/keyserv file.
# pfedit /etc/default/keyserv
Locate the line:
#ENABLE_NOBODY_KEYS=YES
Change it to:
ENABLE_NOBODY_KEYS=NO

b
Duplicate UIDs must not exist for multiple non-organizational users.
IA-8 - Medium - CCI-000804 - V-48091 - SV-60963r1_rule
RMF Control
IA-8
Severity
M
CCI
CCI-000804
Version
SOL-11.1-070110
Vuln IDs
  • V-48091
Rule IDs
  • SV-60963r1_rule
Non-organizational users must be assigned unique UIDs for accountability and to ensure appropriate access protections.
Checks: C-50523r1_chk

The root role is required. Check that there are no duplicate UIDs.
# logins -d
If output is produced, this is a finding.

Fix: F-51699r1_fix

The root role is required. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy. Change user account names and UID or delete accounts, so each account has a unique name and UID.

b
X11 forwarding for SSH must be disabled.
CM-6 - Medium - CCI-000366 - V-48093 - SV-60965r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040330
Vuln IDs
  • V-48093
Rule IDs
  • SV-60965r1_rule
Enabling X11 forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.
Checks: C-50525r1_chk

Determine if X11 Forwarding is enabled.
# grep "^X11Forwarding" /etc/ssh/sshd_config
If the output of this command is not:
X11Forwarding no
this is a finding.

Fix: F-51701r1_fix

The root role is required. Modify the sshd_config file.
# pfedit /etc/ssh/sshd_config
Locate the line containing:
X11Forwarding
Change it to:
X11Forwarding no
Restart the SSH service.
# svcadm restart svc:/network/ssh

b
Duplicate User IDs (UIDs) must not exist for users within the organization.
IA-2 - Medium - CCI-000764 - V-48095 - SV-60967r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000764
Version
SOL-11.1-070100
Vuln IDs
  • V-48095
Rule IDs
  • SV-60967r1_rule
Users within the organization must be assigned unique UIDs for accountability and to ensure appropriate access protections.
Checks: C-50527r1_chk

The root role is required. Check that there are no duplicate UIDs.
# logins -d
If output is produced, this is a finding.

Fix: F-51703r1_fix

The root role is required. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy. Change user account names and UID or delete accounts, so each account has a unique name and UID.
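The five duplicate-name and duplicate-ID rules above (V-48069, V-48073, V-48081, V-48091 and V-48095) each build a pipeline of cut, sort and uniq over getent output, and the published user-name check relies on uniq -d without sorting first. The shell function below is an added example, not STIG text, that performs the same test on any field of passwd- or group-format data in a single awk pass and lists every colliding record. The sample records it runs on are constructed for the example; on a live system the input would come from getent passwd or getent group as shown in the comments.

```sh
#!/bin/sh
# Added example (not part of the STIG). Report values that occur more than once
# in a colon-separated field of passwd/group-format input, together with the
# companion field of each colliding record.
#
#   report_dups FIELD SHOW [LABEL]   (reads stdin)
#     FIELD  field number tested for duplicates (1 = name, 3 = UID/GID)
#     SHOW   field printed alongside each colliding record
#     LABEL  text used in the report (defaults to "field N")
#
# Live use (root role required for complete NSS output):
#   getent group  | report_dups 1 3 "group name"   # V-48069
#   getent passwd | report_dups 1 3 "user name"    # V-48073
#   getent group  | report_dups 3 1 "GID"          # V-48081
#   getent passwd | report_dups 3 1 "UID"          # V-48091 / V-48095
report_dups() {
    label=${3:-"field $1"}
    awk -F: -v key="$1" -v show="$2" -v label="$label" '
        NF >= 3 {
            k = $key
            count[k]++
            # remember the companion field of every record sharing this key,
            # in input order
            vals[k] = (count[k] == 1) ? $show : vals[k] " " $show
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    printf "Duplicate %s (%s): %s\n", label, k, vals[k]
        }' | sort
}

# Constructed sample data (not from any real host): "staff" is defined twice
# with different GIDs, GID 100 is shared by two groups, and UID 1001 is shared
# by two users.
SAMPLE_GROUP='root:x:0:
staff:x:10:alice
users:x:100:bob
people:x:100:carol
staff:x:500:dave
nobody:x:60001:'

SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
alice:x:1001:10:Alice:/home/alice:/usr/bin/bash
bob:x:1002:10:Bob:/home/bob:/usr/bin/bash
mallory:x:1001:10:Mallory:/home/mallory:/usr/bin/bash'

# Stand-alone demo on the sample records
printf '%s\n' "$SAMPLE_GROUP"  | report_dups 1 3 "group name"
printf '%s\n' "$SAMPLE_GROUP"  | report_dups 3 1 "GID"
printf '%s\n' "$SAMPLE_PASSWD" | report_dups 1 3 "user name"
printf '%s\n' "$SAMPLE_PASSWD" | report_dups 3 1 "UID"
```

Because the report is built from a single pass over the input, it does not re-run getent once per duplicate as the published group checks do, and it sorts internally, so it is safe on NSS sources that do not return records in name order.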

b
All home directories must be owned by the respective user assigned to it in /etc/passwd.
CM-6 - Medium - CCI-000366 - V-48097 - SV-60969r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070090
Vuln IDs
  • V-48097
Rule IDs
  • SV-60969r2_rule
Since the user is accountable for files stored in the user's home directory, the user must be the owner of the directory.
Checks: C-50529r5_chk

The root role is required. Check that home directories are owned by the correct user. The IFS change is made inside a subshell so that it does not persist in the administrator's shell after the check.
# ( IFS=":"; logins -uxo | while read user uid group gid gecos home rest; do
result=$(find ${home} -type d -prune \! -user $user -print 2>/dev/null)
if [ ! -z "${result}" ]; then
echo "User: ${user}\tOwner: $(ls -ld $home | awk '{ print $3 }')"
fi
done )
If any output is produced, this is a finding.

Fix: F-51705r1_fix

The root role is required. Correct the owner of any directory that does not match the password file entry for that user.
# chown [user] [home directory]

a
Consecutive login attempts for SSH must be limited to 3.
CM-6 - Low - CCI-000366 - V-48099 - SV-60971r4_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-040340
Vuln IDs
  • V-48099
Rule IDs
  • SV-60971r4_rule
Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks.
Checks: C-50531r5_chk

Determine if consecutive login attempts are limited to 3.
# grep "^MaxAuthTries" /etc/ssh/sshd_config | grep -v Log
If the output of this command is not:
MaxAuthTries 6
this is a finding.
Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.

Fix: F-51707r1_fix

The root role is required. Modify the sshd_config file.
# pfedit /etc/ssh/sshd_config
Locate the line containing:
MaxAuthTries
Change it to:
MaxAuthTries 6
Restart the SSH service.
# svcadm restart svc:/network/ssh
Note: Solaris SSH MaxAuthTries of 6 maps to 3 actual failed attempts.

b
The rhost-based authentication for SSH must be disabled.
CM-6 - Medium - CCI-000366 - V-48101 - SV-60973r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040350
Vuln IDs
  • V-48101
Rule IDs
  • SV-60973r1_rule
Setting this parameter causes sshd to ignore .rhosts and .shosts files, so a trust relationship with a remote host cannot substitute for user authentication; users must authenticate with a password or key when connecting with SSH.
Checks: C-50533r1_chk

Determine if rhost-based authentication is enabled.
# grep "^IgnoreRhosts" /etc/ssh/sshd_config
If output is produced and it is not:
IgnoreRhosts yes
this is a finding.
If the IgnoreRhosts line does not exist in the file, the default setting of "yes" is automatically used and there is no finding.

Fix: F-51709r1_fix

The root role is required. Modify the sshd_config file.
# pfedit /etc/ssh/sshd_config
Locate the line containing:
IgnoreRhosts
Change it to:
IgnoreRhosts yes
Restart the SSH service.
# svcadm restart svc:/network/ssh
This action only sets the IgnoreRhosts line if it already exists in the file, to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "yes" is automatically used, so no additional changes are needed.

b
Direct root account login must not be permitted for SSH access.
CM-6 - Medium - CCI-000366 - V-48103 - SV-60975r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040360
Vuln IDs
  • V-48103
Rule IDs
  • SV-60975r1_rule
The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user.
Checks: C-50537r1_chk

Determine if root login is disabled for the SSH service.
# grep "^PermitRootLogin" /etc/ssh/sshd_config
If the output of this command is not:
PermitRootLogin no
this is a finding.

Fix: F-51713r1_fix

The root role is required. Modify the sshd_config file.
# pfedit /etc/ssh/sshd_config
Locate the line containing:
PermitRootLogin
Change it to:
PermitRootLogin no
Restart the SSH service.
# svcadm restart svc:/network/ssh

a
All user accounts must be configured to use a home directory that exists.
CM-6 - Low - CCI-000366 - V-48105 - SV-60977r3_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-070080
Vuln IDs
  • V-48105
Rule IDs
  • SV-60977r3_rule
If the user's home directory does not exist, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
Checks: C-50535r6_chk

The root role is required. Check if a GUI is installed. Determine the OS version you are currently securing:
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3:
# pkg info gdm
# pkg info coherence-26
# pkg info coherence-27
If none of these packages are installed on the system, then no GUI is present.
For Solaris 11.4 or newer:
# pkg info gdm
If gdm is not installed on the system, then no GUI is present.
# pkg info uucp
uucp is no longer installed by default starting in 11.4 and is deprecated.
For all versions, check that all users' home directories exist.
# pwck
Accounts with no home directory will output "Login directory not found". If no GUI is present, the "gdm" and "upnp" accounts are expected to generate this error. On all systems with the uucp package installed, the "uucp" and "nuucp" accounts are expected to generate this error. If any other users' home directories do not exist, this is a finding.

Fix: F-51711r1_fix

The root role is required. Work with users identified in the check step to determine the best course of action in accordance with site policy. This generally means deleting the user account or creating a valid home directory.

c
Login must not be permitted with empty/null passwords for SSH.
CM-6 - High - CCI-000366 - V-48107 - SV-60979r2_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-040370
Vuln IDs
  • V-48107
Rule IDs
  • SV-60979r2_rule
Permitting login without a password is inherently risky.
Checks: C-50539r1_chk

Determine if empty/null passwords are allowed for the SSH service.
# grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
If the output of this command is not:
PermitEmptyPasswords no
this is a finding.

Fix: F-51715r2_fix

The root role is required. Modify the sshd_config file.
# pfedit /etc/ssh/sshd_config
Locate the line containing:
PermitEmptyPasswords
Change it to:
PermitEmptyPasswords no
Restart the SSH service.
# svcadm restart svc:/network/ssh

a
Users must have a valid home directory assignment.
CM-6 - Low - CCI-000366 - V-48109 - SV-60981r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-070070
Vuln IDs
  • V-48109
Rule IDs
  • SV-60981r1_rule
All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory.
Checks: C-50541r1_chk

The root role is required. Determine if each user has a valid home directory.
# logins -xo | while read line; do
user=`echo ${line} | awk -F: '{ print $1 }'`
home=`echo ${line} | awk -F: '{ print $6 }'`
if [ -z "${home}" ]; then
echo ${user}
fi
done
If output is produced, this is a finding.

Fix: F-51717r1_fix

The root role is required. Correct or justify any items discovered in the check step. Determine if there exists any users who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy. This generally means deleting the user or creating a valid home directory.

a
The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
SC-10 - Low - CCI-001133 - V-48111 - SV-60983r2_rule
RMF Control
SC-10
Severity
L
CCI
CCI-001133
Version
SOL-11.1-040380
Vuln IDs
  • V-48111
Rule IDs
  • SV-60983r2_rule
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.
Checks: C-50543r1_chk

Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity.
# grep ClientAlive /etc/ssh/sshd_config
If the output of this command is not:
ClientAliveInterval 600
ClientAliveCountMax 0
this is a finding.
Note: on an sshd built from OpenSSH 8.2 or later, a ClientAliveCountMax of 0 disables connection termination instead of enforcing it (see sshd_config(5) for that release). Confirm the version of the installed sshd before relying on this setting.

Fix: F-51719r2_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. Modify the sshd_config file:
# pfedit /etc/ssh/sshd_config
Modify or add the lines containing:
ClientAliveInterval
ClientAliveCountMax
Change them to:
ClientAliveInterval 600
ClientAliveCountMax 0
Restart the SSH service:
# svcadm restart svc:/network/ssh

b
Host-based authentication for login-based services must be disabled.
CM-6 - Medium - CCI-000366 - V-48113 - SV-60985r4_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040390
Vuln IDs
  • V-48113
Rule IDs
  • SV-60985r4_rule
The .rhosts mechanism is an insecure form of host-based authentication and can be replaced with public-key authentication using Secure Shell. As the automatic authentication settings in .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.
Checks: C-50545r4_chk

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.
Determine if host-based authentication services are enabled.
# grep -h 'pam_rhosts_auth.so.1' /etc/pam.conf /etc/pam.d/* | grep -vc '^[[:space:]]*#'
If the returned result is not 0 (zero), this is a finding.
Note: grep -h suppresses the "filename:" prefix that grep adds when more than one file is searched; without it, commented-out entries no longer begin with "#" and are wrongly counted as active.

Fix: F-51721r3_fix

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.
The root role is required.
# ls -l /etc/pam.d
to identify the various configuration files used by PAM. Search each file for the pam_rhosts_auth.so.1 entry.
# grep pam_rhosts_auth.so.1 [filename]
Identify the file with the line containing pam_rhosts_auth.so.1.
# pfedit [filename]
Insert a comment character (#) at the beginning of the line containing "pam_rhosts_auth.so.1".

b
Groups assigned to users must exist in the /etc/group file.
CM-6 - Medium - CCI-000366 - V-48115 - SV-60987r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070060
Vuln IDs
  • V-48115
Rule IDs
  • SV-60987r1_rule
Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly managed.
Checks: C-50547r1_chk

The root role is required. Check that groups are configured correctly.
# logins -xo | awk -F: '($3 == "") { print $1 }'
If output is produced, this is a finding.

Fix: F-51723r1_fix

The root role is required. Correct or justify any items discovered in the Check step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.

b
The use of FTP must be restricted.
CM-6 - Medium - CCI-000366 - V-48117 - SV-60989r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040400
Vuln IDs
  • V-48117
Rule IDs
  • SV-60989r1_rule
FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default "system" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system such as user "oracle" and the account which the web server process runs under.
Checks: C-50549r3_chk

The root role is required. Determine if the FTP server package is installed:
# pkg list service/network/ftp
If the output of this command is:
pkg list: no packages matching 'service/network/ftp' installed
no further action is required.
If the FTP server is installed, determine if FTP access is restricted.
# for user in `logins -s | awk '{ print $1 }'` \
aiuser noaccess nobody nobody4; do
grep -w "${user}" /etc/ftpd/ftpusers >/dev/null 2>&1
if [ $? != 0 ]; then
echo "User '${user}' not in /etc/ftpd/ftpusers."
fi
done
If output is returned, this is a finding.

Fix: F-51725r2_fix

The root role is required. Determine if the FTP server package is installed:
# pkg list service/network/ftp
If the output of this command is:
pkg list: no packages matching 'service/network/ftp' installed
no further action is required.
Otherwise, add the system accounts to /etc/ftpd/ftpusers and remove any duplicate entries:
# for user in `logins -s | awk '{ print $1 }'` \
aiuser noaccess nobody nobody4; do
echo "${user}" >> /etc/ftpd/ftpusers
done
# sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp
# mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers

c
There must be no user .rhosts files.
CM-6 - High - CCI-000366 - V-48119 - SV-60991r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-070050
Vuln IDs
  • V-48119
Rule IDs
  • SV-60991r1_rule
Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.
Checks: C-50551r2_chk

The root role is required. Check for the presence of .rhosts files.
# for dir in \
`logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
find ${dir}/.rhosts -type f -ls 2>/dev/null
done
If output is produced, this is a finding.

Fix: F-51727r1_fix

The root role is required. Remove any .rhosts files found.
# rm [file name]

c
The system must not allow autologin capabilities from the GNOME desktop.
CM-6 - High - CCI-000366 - V-48121 - SV-60993r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-040410
Vuln IDs
  • V-48121
Rule IDs
  • SV-60993r1_rule
As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf.
Checks: C-50553r1_chk

Determine if autologin is enabled for the GNOME desktop.
# egrep "auth|account" /etc/pam.d/gdm-autologin | grep -vc ^#
If the command returns other than "0", this is a finding.

Fix: F-51729r1_fix

The root role is required. Modify the /etc/pam.d/gdm-autologin file.
# pfedit /etc/pam.d/gdm-autologin
Locate the lines:
auth required pam_unix_cred.so.1
auth sufficient pam_allow.so.1
account sufficient pam_allow.so.1
Change the lines to read:
#auth required pam_unix_cred.so.1
#auth sufficient pam_allow.so.1
#account sufficient pam_allow.so.1
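The V-48113 and V-48121 checks count uncommented PAM entries with grep. The script below is an added example, not STIG text: it shows why the V-48113 pipeline over-counts when grep is given several files and how to count only the entries PAM will actually use. The pam.conf/pam.d tree it builds is constructed for the example and is not copied from any system; on a live host pass /etc/pam.conf /etc/pam.d/* instead.

```sh
#!/bin/sh
# Added example (not part of the STIG). Count ACTIVE (uncommented) references
# to a PAM module or entry type across pam.conf and pam.d/*.
#
# Pitfall in the V-48113 check as written: when grep is handed several files it
# prefixes every hit with "filename:", so a following grep -vc '^#' no longer
# sees the leading "#" of commented-out lines and counts them as active.
# Letting awk read the files directly avoids the prefix and also handles
# comments that start after leading blanks.

# pam_active_count REGEX FILE... -> number of uncommented lines matching REGEX
pam_active_count() {
    re=$1; shift
    awk -v re="$re" '
        /^[ \t]*#/ { next }            # comment line (leading blanks allowed)
        $0 ~ re    { n++ }
        END        { print n + 0 }' "$@"
}

# pam_active_lines REGEX FILE... -> "file: line" for each uncommented match,
# which is what the Fix step needs in order to know which file to edit.
pam_active_lines() {
    re=$1; shift
    awk -v re="$re" '
        /^[ \t]*#/ { next }
        $0 ~ re    { print FILENAME ": " $0 }' "$@"
}

# naive_count REGEX FILE... -> the pipeline from the STIG check, for comparison;
# it over-counts as soon as more than one file is searched.
naive_count() {
    re=$1; shift
    grep -E "$re" "$@" | grep -vc '^#'
}

# make_sample_pam_dir -> prints the path of a constructed pam.conf/pam.d tree
# (not copied from any real system): one commented and one active
# pam_rhosts_auth entry, plus a gdm-autologin file with two active lines.
make_sample_pam_dir() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    : > "$d/pam.conf"
    printf '%s\n' '# rlogin service (constructed)' \
        '#auth sufficient pam_rhosts_auth.so.1' \
        'auth requisite  pam_authtok_get.so.1' > "$d/pam.d/rlogin"
    printf '%s\n' '# rsh service (constructed)' \
        '    # indented comment mentioning pam_rhosts_auth.so.1' \
        'auth sufficient pam_rhosts_auth.so.1' > "$d/pam.d/rsh"
    printf '%s\n' '# gdm-autologin (constructed)' \
        'auth required   pam_unix_cred.so.1' \
        '#auth sufficient pam_allow.so.1' \
        'account sufficient pam_allow.so.1' > "$d/pam.d/gdm-autologin"
    printf '%s\n' "$d"
}

# Stand-alone demo on the constructed tree
d=$(make_sample_pam_dir)
echo "naive count:   $(naive_count 'pam_rhosts_auth.so.1' "$d/pam.conf" "$d"/pam.d/*)"
echo "active count:  $(pam_active_count 'pam_rhosts_auth.so.1' "$d/pam.conf" "$d"/pam.d/*)"
pam_active_lines 'pam_rhosts_auth.so.1' "$d/pam.conf" "$d"/pam.d/*
echo "gdm-autologin: $(pam_active_count '^[ \t]*(auth|account)[ \t]' "$d/pam.d/gdm-autologin") active line(s)"
rm -rf "$d"
```

On the sample tree the published pipeline reports 3 active pam_rhosts_auth entries where only one exists, so a host with the module safely commented out in every file would still be recorded as a finding; the V-48121 single-file grep is unaffected because grep adds no prefix when given one file.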

b
Permissions on user .netrc files must be 750 or less permissive.
CM-6 - Medium - CCI-000366 - V-48123 - SV-60995r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070040
Vuln IDs
  • V-48123
Rule IDs
  • SV-60995r1_rule
.netrc files may contain unencrypted passwords that can be used to attack other systems.
Checks: C-50555r2_chk

The root role is required. Check that permissions on user .netrc files are 750 or less permissive.
# for dir in \
`logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
find ${dir}/.netrc -type f \( \
-perm -g+r -o -perm -g+w -o -perm -g+x -o \
-perm -o+r -o -perm -o+w -o -perm -o+x \) \
-ls 2>/dev/null
done
If output is produced, this is a finding.

Fix: F-51731r1_fix

The root role is required. Change the permissions on users' .netrc files to 750 or less permissive.
# chmod 750 [file name]
Note: the Check reports any group or other permission bit, so a .netrc file left at exactly 750 will still be reported; mode 600 satisfies the Check.

b
Unauthorized use of the at or cron capabilities must not be permitted.
CM-6 - Medium - CCI-000366 - V-48125 - SV-60997r4_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040420
Vuln IDs
  • V-48125
Rule IDs
  • SV-60997r4_rule
On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in the "cron.allow" file, cron jobs can still be run as that user. The "cron.allow" file only controls administrative access to the "crontab" command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).
Checks: C-50557r4_chk

Check that "at" and "cron" users are configured correctly.
# ls /etc/cron.d/cron.deny
If cron.deny exists, this is a finding.
# ls /etc/cron.d/at.deny
If at.deny exists, this is a finding.
# cat /etc/cron.d/cron.allow
cron.allow should contain a single entry for "root", or be removed entirely if access is controlled with RBAC. If any accounts other than root are listed and they are not properly documented with the IA staff, this is a finding.
# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'
at.allow should be empty, or be removed entirely if access is controlled with RBAC. If the output is non-zero, this is a finding.

Fix: F-51733r3_fix

The root role is required. Modify the cron configuration files.
# mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp
# mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp
Skip the remaining steps only if access is controlled with the "solaris.jobs.user" RBAC authorization.
# echo root > /etc/cron.d/cron.allow
# cp /dev/null /etc/cron.d/at.allow
# chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow
# chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow

b
Logins to the root account must be restricted to the system console only.
CM-6 - Medium - CCI-000366 - V-48127 - SV-60999r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040430
Vuln IDs
  • V-48127
Rule IDs
  • SV-60999r1_rule
Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.
Checks: C-50559r1_chk

This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Determine if root login is restricted to the console.
# grep "^CONSOLE=/dev/console" /etc/default/login
If the output of this command is not:
CONSOLE=/dev/console
this is a finding.

Fix: F-51735r1_fix

The root role is required. Modify the /etc/default/login file.
# pfedit /etc/default/login
Locate the line containing:
CONSOLE
Change it to read:
CONSOLE=/dev/console

b
Permissions on user . (hidden) files must be 750 or less permissive.
CM-6 - Medium - CCI-000366 - V-48129 - SV-61001r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070030
Vuln IDs
  • V-48129
Rule IDs
  • SV-61001r1_rule
Group-writable or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Checks: C-50561r1_chk

The root role is required. Ensure that the permissions on user "." files are 750 or less permissive.

# for dir in `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
      find ${dir}/.[A-Za-z0-9]* \! -type l \( -perm -20 -o -perm -02 \) -ls
  done

If output is produced, this is a finding.

Fix: F-51737r1_fix

The root role is required. Change the permissions on users' "." files to 750 or less permissive.

# chmod 750 [file name]

The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
AC-9 - Low - CCI-000052 - V-48131 - SV-61003r1_rule
RMF Control
AC-9
Severity
L
CCI
CCI-000052
Version
SOL-11.1-040450
Vuln IDs
  • V-48131
Rule IDs
  • SV-61003r1_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Checks: C-50563r1_chk

Determine if last login will be printed for SSH users.

# grep PrintLastLog /etc/ssh/sshd_config

If PrintLastLog is found, not preceded with a "#" sign, and is set to "no", this is a finding. PrintLastLog should either not exist (defaulting to yes) or exist and be set to yes.

Fix: F-51739r1_fix

The root role is required for this action.

# pfedit /etc/ssh/sshd_config

Locate the line containing:

PrintLastLog no

and place a comment sign ("# ") at the beginning of the line, or delete the line:

# PrintLastLog no

Restart the ssh service:

# pfexec svcadm restart svc:/network/ssh
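A caveat on the grep-based check above, shown as an added example that is not STIG text: sshd matches keywords case-insensitively, ignores comment lines, and honours the first active occurrence of a keyword, so a line such as "printlastlog no" slips past `grep PrintLastLog` while still disabling the feature, and a "PrintLastLog no" that follows an earlier "PrintLastLog yes" is flagged although sshd ignores it. The functions below resolve the effective value the way sshd does, evaluate the V-48131 rule, and apply the F-51739 fix. The config path is a parameter so a scratch copy can be used; the three-line config fragment in the demonstration is constructed, and the code assumes no Match blocks (PrintLastLog is not valid inside one in any case).

```shell
#!/bin/sh
# Added example for V-48131; not STIG text. Resolves the effective value of an
# sshd_config keyword the way sshd does (case-insensitive keyword, comments
# ignored, FIRST active occurrence wins, "Keyword=value" accepted) and applies
# the fix. Assumption: no Match blocks in the file.

# usage: sshd_effective <sshd_config> <keyword>  -> prints the effective value,
# or nothing when the keyword is absent (sshd then applies its default).
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                              # comment line
        {
            line = $0; sub(/=/, " ", line)              # "Keyword=value" form
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# V-48131 check: compliant when PrintLastLog is absent (default yes) or "yes".
check_printlastlog() {
    v=$(sshd_effective "$1" PrintLastLog)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        ""|yes) return 0 ;;
        *) echo "FINDING: effective PrintLastLog is '$v' in $1"; return 1 ;;
    esac
}

# F-51739 fix: comment out every active PrintLastLog line whose value is not
# "yes". Restart sshd afterwards (svcadm restart svc:/network/ssh on Solaris).
fix_printlastlog() {
    awk '
        /^[ \t]*#/ { print; next }
        {
            line = $0; sub(/=/, " ", line)
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == "printlastlog" && tolower(f[2]) != "yes") {
                print "# " $0; next
            }
            print
        }' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Demonstration on a constructed config fragment (not a real sshd_config).
demo=$(mktemp -d)
printf '%s\n' '# PrintLastLog no' 'printlastlog no' 'PrintLastLog yes' > "$demo/sshd_config"
echo "grep-style check sees: $(grep PrintLastLog "$demo/sshd_config" | grep -v '^#' || :)"
echo "sshd effective value:  $(sshd_effective "$demo/sshd_config" PrintLastLog)"
check_printlastlog "$demo/sshd_config" || fix_printlastlog "$demo/sshd_config"
echo "after fix:             $(sshd_effective "$demo/sshd_config" PrintLastLog)"
rm -rf "$demo"
```

The demonstration prints "PrintLastLog yes" for the grep-style check and "no" for the effective value, which is exactly the gap the STIG's grep cannot see; after the fix the lowercase line is commented out and "yes" becomes effective.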

Permissions on user home directories must be 750 or less permissive.
CM-6 - Medium - CCI-000366 - V-48133 - SV-61005r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070020
Vuln IDs
  • V-48133
Rule IDs
  • SV-61005r1_rule
Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
Checks: C-50565r1_chk

The root role is required. Check that the permissions on users' home directories are 750 or less permissive.

# for dir in `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
      find ${dir} -type d -prune \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -ls
  done

If output is created, this is a finding.

Fix: F-51741r1_fix

The root role is required. Change the permissions on users' directories to 750 or less permissive.

# chmod 750 [directory name]

The operating system must provide the capability for users to directly initiate session lock mechanisms.
AC-11 - Medium - CCI-000058 - V-48135 - SV-61007r2_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000058
Version
SOL-11.1-040460
Vuln IDs
  • V-48135
Rule IDs
  • SV-61007r2_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. Rather than be forced to wait for a period of time to expire before the user session can be locked, the operating system needs to provide users with the ability to manually invoke a session lock so users may secure their account should the need arise for them to temporarily vacate the immediate physical vicinity.
Checks: C-50567r3_chk

Determine whether the lock screen function works correctly.

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop, System >> Lock Screen.

For Solaris 11.4 or newer: In the GNOME 3 desktop, Status Menu (top right corner) >> Lock Icon.

Check that the screen locks and displays the "password" prompt. Check that "Disable Screensaver" is not selected in the GNOME Screensaver preferences.

If the screen does not lock or the "Disable Screensaver" option is selected, this is a finding.

Fix: F-51743r3_fix

User-initiated session lock is accessible from the GNOME graphical desktop menu:

GNOME 2: System >> Lock Screen.
GNOME 3: Status Menu (top right corner) >> Lock Icon.

However, the user has the option to disable the screensaver lock. To prevent this:

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver.

For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select the "Screensaver" icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver.

Ensure that "Mode" is set to "Blank Screen Only".

The sticky bit must be set on all world writable directories.
CM-6 - Medium - CCI-000366 - V-48137 - SV-61009r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-070010
Vuln IDs
  • V-48137
Rule IDs
  • SV-61009r1_rule
Files in directories that have had the "sticky bit" enabled can only be deleted by users that have both write permissions for the directory in which the file resides, as well as ownership of the file or directory, or have sufficient privileges. As this prevents users from overwriting each others' files, whether it be accidental or malicious, it is generally appropriate for most world-writable directories (e.g., /tmp).
Checks: C-50569r1_chk

The root role is required. Identify all world-writable directories without the "sticky bit" set.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
      -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
      -o -fstype proc \) -prune -o -type d \( -perm -0002 \
      -a ! -perm -1000 \) -ls

Output of this command identifies world-writable directories without the "sticky bit" set. If output is created, this is a finding.

Fix: F-51745r1_fix

The root role is required. Ensure that the "sticky bit" is set on any directories identified during the check steps.

# chmod +t [directory name]
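The three permission checks in V-48129 (user "." files), V-48133 (home directories) and V-48137 (sticky bit on world-writable directories) share one shape: a find expression over a set of directories, followed by a chmod. The following is an added example, not STIG text, that packages them as functions which take the directories to inspect as arguments, so they can be exercised on a scratch tree and then pointed at real home directories. Two substitutions are assumptions made here: the home-directory list is supplied by the caller instead of coming from `logins -ox`, and the sticky-bit scan uses -xdev instead of the Solaris -fstype prune list. The scratch tree in the demonstration is constructed.

```shell
#!/bin/sh
# Added example covering V-48129, V-48133 and V-48137; not STIG text.
# Assumptions: the caller passes the home directories (the STIG derives them
# from `logins -ox`), and -xdev stands in for the Solaris -fstype prune list.

# V-48133: a home directory must be 750 or less permissive, i.e. no group
# write and nothing for others. Prints each offending directory.
audit_home_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type d -prune \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \)
    done
}

# V-48129: "." entries in a home directory (files, and everything beneath dot
# directories) must not be group- or world-writable; symlinks are skipped.
audit_dotfiles() {
    for dir in "$@"; do
        for entry in "$dir"/.[A-Za-z0-9]*; do
            [ -e "$entry" ] || continue            # glob matched nothing
            find "$entry" ! -type l \( -perm -20 -o -perm -02 \)
        done
    done
}

# V-48137: world-writable directories below each root that lack the sticky
# bit, so any user could delete or rename other users' files in them.
audit_sticky_dirs() {
    for root in "$@"; do
        find "$root" -xdev -type d -perm -0002 ! -perm -1000
    done
}

# Fixes as the STIG gives them: chmod 750 for directories, chmod +t for the
# sticky bit. For dotfiles g-w,o-rwx is used instead of a literal 750 so that
# plain files such as .profile do not gain execute bits (a choice made here;
# the result is still 750 or less permissive).
fix_home_dirs()   { [ $# -eq 0 ] || chmod 750 "$@"; }
fix_dotfiles()    { [ $# -eq 0 ] || chmod g-w,o-rwx "$@"; }
fix_sticky_dirs() { [ $# -eq 0 ] || chmod +t "$@"; }

# Demonstration on a constructed scratch tree (not a real /export/home).
demo=$(mktemp -d)
mkdir -p "$demo/alice/.ssh" "$demo/bob" "$demo/shared" "$demo/shared_ok"
chmod 770 "$demo/alice"; chmod 700 "$demo/alice/.ssh"; chmod 750 "$demo/bob"
printf 'PATH=/usr/bin\n' > "$demo/alice/.profile"; chmod 664 "$demo/alice/.profile"
chmod 777 "$demo/shared"; chmod 1777 "$demo/shared_ok"
echo "--- findings (alice, alice/.profile and shared are expected)"
audit_home_dirs "$demo/alice" "$demo/bob"
audit_dotfiles "$demo/alice" "$demo/bob"
audit_sticky_dirs "$demo"
fix_home_dirs "$demo/alice"
fix_dotfiles "$demo/alice/.profile"
fix_sticky_dirs "$demo/shared"
echo "--- after fixes (nothing expected)"
audit_home_dirs "$demo/alice" "$demo/bob"
audit_dotfiles "$demo/alice" "$demo/bob"
audit_sticky_dirs "$demo"
rm -rf "$demo"
```

On a Solaris host the argument list for the first two functions would be the output of the STIG's `logins -ox | awk -F: '($8 == "PS") { print $6 }'`, and the sticky-bit scan would be given / with the -fstype prune list restored; the functions only print paths, so they can be piped into the fix functions via xargs once the output has been reviewed.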

The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
AC-11 - Medium - CCI-000060 - V-48139 - SV-61011r2_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000060
Version
SOL-11.1-040470
Vuln IDs
  • V-48139
Rule IDs
  • SV-61011r2_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.
Checks: C-50571r3_chk

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver.

For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select the "Screensaver" icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver.

From this menu item the user can select other screens or disable the screensaver. Check that "Disable Screensaver" is not selected in the GNOME Screensaver preferences.

If "Disable Screensaver" is selected or "Blank Screen Only" is not selected, this is a finding.

Fix: F-51747r3_fix

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver.

For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select the "Screensaver" icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver.

Click on the Mode pull-down and select "Blank Screen Only". Ensure that "Blank Screen Only" is selected.

The operating system must protect the integrity of transmitted information.
SC-8 - Medium - CCI-001127 - V-48141 - SV-61013r1_rule
RMF Control
SC-8
Severity
M
CCI
CCI-001127
Version
SOL-11.1-060190
Vuln IDs
  • V-48141
Rule IDs
  • SV-61013r1_rule
Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50573r1_chk

The operator shall determine if IPsec is being used to encrypt data for activities such as cluster interconnects or other non-SSH, non-SFTP data connections.

On both systems review the file /etc/inet/ipsecinit.conf. Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation.

Check that the IPsec policy service is online:

# svcs svc:/network/ipsec/policy:default

If the IPsec service is not online, this is a finding. If encrypted protocols are not used between systems, this is a finding.

Fix: F-51749r1_fix

The Service Management profile is required. Configure IPsec encrypted tunneling between two systems.

On both systems review the file /etc/inet/ipsecinit.conf. Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation.

Ensure that the IPsec policy service is online by enabling it:

# svcadm enable svc:/network/ipsec/policy:default

The operating system must not allow logins for users with blank passwords.
CM-6 - High - CCI-000366 - V-48143 - SV-61015r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SOL-11.1-040480
Vuln IDs
  • V-48143
Rule IDs
  • SV-61015r1_rule
If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.
Checks: C-50575r1_chk

Determine if the system is enforcing a policy that passwords are required.

# grep ^PASSREQ /etc/default/login

If the command does not return:

PASSREQ=YES

this is a finding.

Fix: F-51751r1_fix

The root role is required. Modify the /etc/default/login file.

# pfedit /etc/default/login

Insert the line:

PASSREQ=YES

The operating system must use cryptographic mechanisms to protect the integrity of audit information.
AU-9 - Low - CCI-001350 - V-48145 - SV-61017r1_rule
RMF Control
AU-9
Severity
L
CCI
CCI-001350
Version
SOL-11.1-060180
Vuln IDs
  • V-48145
Rule IDs
  • SV-61017r1_rule
Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data.
Checks: C-50577r1_chk

The Audit Configuration and the Audit Control profiles are required. This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if audit log encryption is required by your organization. If not required, this check does not apply.

Determine where the audit logs are stored and whether the file system is encrypted.

# pfexec auditconfig -getplugin audit_binfile

The p_dir attribute lists the location of the audit log file system. The default location for Solaris 11.1 is /var/audit. /var/audit is a link to /var/share/audit which, by default, is mounted on rpool/VARSHARE. Determine if this is encrypted:

# zfs get encryption rpool/VARSHARE

If the file system where audit logs are stored reports "encryption off", this is a finding.

Fix: F-51753r1_fix

The ZFS File System Management and ZFS Storage Management profiles are required, as are the Audit Configuration and Audit Control profiles. This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

If necessary, create a new ZFS pool to store the encrypted audit logs.

# pfexec zpool create auditp mirror [device] [device]

Create an encryption key:

# pktool genkey keystore=file outkey=/[filename] keytype=aes keylen=256

Protect the key file (root-owned, mode 400): anyone who can read it can decrypt the audit trail.

Create a new file system to store the audit logs with encryption enabled. Use the file name created in the previous step as the keystore.

# pfexec zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///[filename] -o compression=on -o mountpoint=/audit auditp/auditf

Configure auditing to use this encrypted directory.

# pfexec auditconfig -setplugin audit_binfile p_dir=/audit/

Refresh the audit service for the setting to be applied:

# pfexec audit -s

The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
SC-7 - Medium - CCI-001111 - V-48147 - SV-61019r1_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001111
Version
SOL-11.1-040490
Vuln IDs
  • V-48147
Rule IDs
  • SV-61019r1_rule
This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of the system and to communicate with local resources, such as a printer or file server. The remote device, when connected by a non-remote connection, becomes an extension of the information system allowing dual communications paths, such as split-tunneling, in effect allowing unauthorized external connections into the system. This is a split-tunneling requirement that can be controlled via the operating system by disabling interfaces.
Checks: C-50579r1_chk

Determine if the "RestrictOutbound" profile is configured properly:

# profiles -p RestrictOutbound info

If the output is not:

name=RestrictOutbound
desc=Restrict Outbound Connections
limitpriv=zone,!net_access

this is a finding.

For users who are not allowed external network access, determine if the user is configured with the "RestrictOutbound" profile.

# profiles -l [username]

If the output does not include:

[username]: RestrictOutbound

this is a finding.

Fix: F-51755r2_fix

The root role is required. Remove the net_access privilege from users who may be accessing the systems externally.

1. Create an RBAC profile with the net_access restriction:

# profiles -p RestrictOutbound
profiles:RestrictOutbound> set desc="Restrict Outbound Connections"
profiles:RestrictOutbound> set limitpriv=zone,!net_access
profiles:RestrictOutbound> exit

2. Assign the RBAC profile to a user:

# usermod -P +RestrictOutbound [username]

This prevents the user from initiating any outbound network connections.

The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
SC-28 - Low - CCI-001200 - V-48149 - SV-61021r1_rule
RMF Control
SC-28
Severity
L
CCI
CCI-001200
Version
SOL-11.1-060170
Vuln IDs
  • V-48149
Rule IDs
  • SV-61021r1_rule
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
Checks: C-50581r1_chk

Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem]

If "encryption off" is listed, this is a finding.

Fix: F-51757r1_fix

The ZFS File System Management profile is required. ZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data must be archived and the file system removed and re-created.

First, stop running applications using the file system, archive the data, unmount, and then remove the file system.

# umount [file system name]
# zfs destroy [file system name]

When creating ZFS file systems, ensure that they are created as encrypted file systems.

# pfexec zfs create -o encryption=on [file system name]
Enter passphrase for '[file system name]': xxxxxxx
Enter again: xxxxxxx

Store the passphrase in a safe location. The passphrase will be required to mount the file system upon system reboot. If automated mounting is required, the passphrase must be stored in a file, which must itself be protected so that only root can read it.

The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
AC-10 - Low - CCI-000054 - V-48151 - SV-61023r2_rule
RMF Control
AC-10
Severity
L
CCI
CCI-000054
Version
SOL-11.1-040500
Vuln IDs
  • V-48151
Rule IDs
  • SV-61023r2_rule
Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. The organization may define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or by a combination thereof. This requirement addresses concurrent sessions for a single information system account and does not address concurrent sessions by a single user via multiple accounts.
Checks: C-50583r1_chk

Identify the organizational requirements for the maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.

For each user requiring concurrent session restrictions, determine if that user is in the user.[username] project, where [username] is the user's account username.

# projects [username] | grep user

If the output does not include the project user.[username], this is a finding.

Determine the project membership for the user.

# projects [username]

If the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding.

Determine whether the max-tasks resource control is enabled properly.

# projects -l user.[username] | grep attribs

If the output does not include the text:

attribs: project.max-tasks=(privileged,[MAX],deny)

where [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.

Fix: F-51759r2_fix

Identify the organizational requirements for the maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.

The Project Management profile is required. For each user requiring concurrent session restrictions, add the user to the special user.[username] project, where [username] is the user's account username and [MAX] is equal to the organizational requirement.

# pfexec projadd -K 'project.max-tasks=(privileged,[MAX],deny)' user.[username]

Note that project.max-tasks limits the number of tasks in the project; each login creates a new task in the user's project, which is how this control approximates a limit on concurrent sessions.

Determine the project membership for the user.

# projects [username]

If the user is a member of any projects other than default, group.[groupname], or user.[username], remove that project from the user's account. The root role is required.

# pfedit /etc/user_attr

Locate the line containing the user's username. Remove any project=[projectname] entries from the fifth field.

# pfedit /etc/project

Locate the line containing the user's username in a project other than default, group.[groupname], or user.[username], and remove the user from the project's entry or entries in the fourth field.

The operating system must protect the confidentiality and integrity of information at rest.
SC-28 - Low - CCI-001199 - V-48153 - SV-61025r1_rule
RMF Control
SC-28
Severity
L
CCI
CCI-001199
Version
SOL-11.1-060160
Vuln IDs
  • V-48153
Rule IDs
  • SV-61025r1_rule
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
Checks: C-50585r1_chk

Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem]

If "encryption off" is listed, this is a finding.

Fix: F-51761r1_fix

The ZFS File System Management profile is required. ZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data must be archived and the file system removed and re-created.

First, stop running applications using the file system, archive the data, unmount, and then remove the file system.

# umount [file system name]
# zfs destroy [file system name]

When creating ZFS file systems, ensure that they are created as encrypted file systems.

# pfexec zfs create -o encryption=on [file system name]
Enter passphrase for '[file system name]': xxxxxxx
Enter again: xxxxxxx

Store the passphrase in a safe location. The passphrase will be required to mount the file system upon system reboot. If automated mounting is required, the passphrase must be stored in a file, which must itself be protected so that only root can read it.

The operating system must employ cryptographic mechanisms to protect information in storage.
MP-4 - Low - CCI-001019 - V-48155 - SV-61027r1_rule
RMF Control
MP-4
Severity
L
CCI
CCI-001019
Version
SOL-11.1-060150
Vuln IDs
  • V-48155
Rule IDs
  • SV-61027r1_rule
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
Checks: C-50587r1_chk

Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem]

If "encryption off" is listed, this is a finding.

Fix: F-51763r1_fix

The ZFS File System Management profile is required. ZFS file system encryption may only be enabled on creation of the file system. If a file system must be encrypted and is not, its data must be archived and the file system removed and re-created.

First, stop running applications using the file system, archive the data, unmount, and then remove the file system.

# umount [file system name]
# zfs destroy [file system name]

When creating ZFS file systems, ensure that they are created as encrypted file systems.

# pfexec zfs create -o encryption=on [file system name]
Enter passphrase for '[file system name]': xxxxxxx
Enter again: xxxxxxx

Store the passphrase in a safe location. The passphrase will be required to mount the file system upon system reboot. If automated mounting is required, the passphrase must be stored in a file, which must itself be protected so that only root can read it.

The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
MP-2 - Medium - CCI-001009 - V-48157 - SV-61029r1_rule
RMF Control
MP-2
Severity
M
CCI
CCI-001009
Version
SOL-11.1-060140
Vuln IDs
  • V-48157
Rule IDs
  • SV-61029r1_rule
When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. The employment of cryptography is at the discretion of the information owner/steward. When the organization has determined the risk warrants it, data written to portable digital media must be encrypted.
Checks: C-50589r1_chk

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the logical node of all attached removable media:

# rmformat

This command lists all attached removable devices. Note the device logical node name, for example:

/dev/rdsk/c8t0d0p0

Determine which zpool is mapped to the device:

# zpool status

Determine the file system names of the portable digital media:

# zfs list | grep [poolname]

Using the file system name, determine if the removable media is encrypted:

# zfs get encryption [filesystem]

If "encryption off" is listed, this is a finding.

Fix: F-51765r1_fix

The root role is required, as are the ZFS File System Management and ZFS Storage Management profiles. Format a removable device as a ZFS encrypted file system. This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Insert the removable device and list the attached removable devices:

# rmformat

Note the device logical node name, for example:

/dev/rdsk/c8t0d0p0

Create an encrypted zpool on this device using a pool name of your choice:

# pfexec zpool create -O encryption=on [poolname] c8t0d0p0

Enter a passphrase and confirm the passphrase. Keep the passphrase secure.

Export the zpool before removing the media:

# pfexec zpool export [poolname]

It will be necessary to enter the passphrase when inserting and importing the removable media zpool. Insert the removable media, then:

# pfexec zpool import [poolname]

Only store data in the encrypted file system.

The operating system must use cryptography to protect the confidentiality of remote access sessions.
AC-17 - Medium - CCI-000068 - V-48159 - SV-61031r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
SOL-11.1-060130
Vuln IDs
  • V-48159
Rule IDs
  • SV-61031r1_rule
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections.
Checks: C-50591r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51767r2_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SC-9 - Medium - CCI-001132 - V-48161 - SV-61033r1_rule
RMF Control
SC-9
Severity
M
CCI
CCI-001132
Version
SOL-11.1-060120
Vuln IDs
  • V-48161
Rule IDs
  • SV-61033r1_rule
Ensuring that transmitted information remains confidential during aggregation, packaging, and transformation requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50593r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51769r2_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
SC-9 - Medium - CCI-001131 - V-48163 - SV-61035r1_rule
RMF Control
SC-9
Severity
M
CCI
CCI-001131
Version
SOL-11.1-060110
Vuln IDs
  • V-48163
Rule IDs
  • SV-61035r1_rule
Ensuring that transmitted information does not become disclosed to unauthorized entities requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50597r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51771r2_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The system must disable directed broadcast packet forwarding.
CM-6 - Low - CCI-000366 - V-48165 - SV-61037r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050010
Vuln IDs
  • V-48165
Rule IDs
  • SV-61037r1_rule
This parameter must be disabled to reduce the risk of denial of service attacks.
Checks: C-50595r1_chk

Determine if directed broadcast packet forwarding is disabled.
# ipadm show-prop -p _forward_directed_broadcasts -co current ip
If the output of this command is not "0", this is a finding.

Fix: F-51773r1_fix

The Network Management profile is required. Disable directed broadcast packet forwarding.
# pfexec ipadm set-prop -p _forward_directed_broadcasts=0 ip

The operating system must protect the confidentiality of transmitted information.
SC-9 - Medium - CCI-001130 - V-48167 - SV-61039r1_rule
RMF Control
SC-9
Severity
M
CCI
CCI-001130
Version
SOL-11.1-060100
Vuln IDs
  • V-48167
Rule IDs
  • SV-61039r1_rule
Ensuring the confidentiality of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50599r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51775r2_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The system must not respond to ICMP timestamp requests.
CM-6 - Low - CCI-000366 - V-48169 - SV-61041r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050020
Vuln IDs
  • V-48169
Rule IDs
  • SV-61041r1_rule
By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
Checks: C-50601r1_chk

Determine if ICMP timestamp responses are disabled.
# ipadm show-prop -p _respond_to_timestamp -co current ip
If the output of this command is not "0", this is a finding.

Fix: F-51777r1_fix

The Network Management profile is required. Disable responses to ICMP timestamp requests.
# pfexec ipadm set-prop -p _respond_to_timestamp=0 ip

The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
SC-8 - Medium - CCI-001129 - V-48171 - SV-61043r1_rule
RMF Control
SC-8
Severity
M
CCI
CCI-001129
Version
SOL-11.1-060090
Vuln IDs
  • V-48171
Rule IDs
  • SV-61043r1_rule
Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50603r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51779r3_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The system must not respond to ICMP broadcast timestamp requests.
CM-6 - Low - CCI-000366 - V-48173 - SV-61045r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050030
Vuln IDs
  • V-48173
Rule IDs
  • SV-61045r1_rule
By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
Checks: C-50605r2_chk

Determine if response to ICMP broadcast timestamp requests is disabled.
# ipadm show-prop -p _respond_to_timestamp_broadcast -co current ip
If the output of this command is not "0", this is a finding.

Fix: F-51781r1_fix

The Network Management profile is required. Disable responses to broadcast timestamp requests.
# pfexec ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip

The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
SC-8 - Medium - CCI-001128 - V-48175 - SV-61047r1_rule
RMF Control
SC-8
Severity
M
CCI
CCI-001128
Version
SOL-11.1-060080
Vuln IDs
  • V-48175
Rule IDs
  • SV-61047r1_rule
Ensuring that transmitted information is not altered during transmission requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50607r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51783r3_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The system must not respond to ICMP broadcast netmask requests.
CM-6 - Low - CCI-000366 - V-48177 - SV-61049r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050040
Vuln IDs
  • V-48177
Rule IDs
  • SV-61049r1_rule
By determining the netmasks of various computers in your network, an attacker can better map your subnet structure and infer trust relationships.
Checks: C-50609r1_chk

Determine if the response to address mask broadcast is disabled.
# ipadm show-prop -p _respond_to_address_mask_broadcast -co current ip
If the output of this command is not "0", this is a finding.

Fix: F-51785r1_fix

The Network Management profile is required. Disable responses to address mask broadcast.
# pfexec ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip

The operating system must protect the integrity of transmitted information.
SC-8 - Medium - CCI-001127 - V-48179 - SV-61051r1_rule
RMF Control
SC-8
Severity
M
CCI
CCI-001127
Version
SOL-11.1-060070
Vuln IDs
  • V-48179
Rule IDs
  • SV-61051r1_rule
Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
Checks: C-50611r1_chk

All remote sessions must be conducted via encrypted services and ports. Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

Fix: F-51787r1_fix

All remote sessions must be conducted via SSH and IPsec. Ensure that SSH and IPsec are the only protocols used.

The system must not respond to broadcast ICMP echo requests.
CM-6 - Medium - CCI-000366 - V-48181 - SV-61053r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-050050
Vuln IDs
  • V-48181
Rule IDs
  • SV-61053r1_rule
ICMP echo requests can be useful for reconnaissance of systems and for denial of service attacks.
Checks: C-50613r1_chk

Determine if responses to broadcast ICMP echo requests are disabled.
# ipadm show-prop -p _respond_to_echo_broadcast -co current ip
If the output of this command is not "0", this is a finding.

Fix: F-51789r1_fix

The Network Management profile is required. Disable responses to broadcast echo requests.
# pfexec ipadm set-prop -p _respond_to_echo_broadcast=0 ip

The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
SC-13 - Medium - CCI-001148 - V-48183 - SV-61055r1_rule
RMF Control
SC-13
Severity
M
CCI
CCI-001148
Version
SOL-11.1-060060
Vuln IDs
  • V-48183
Rule IDs
  • SV-61055r1_rule
FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules.
Checks: C-50615r1_chk

This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies. The Crypto Management profile is required to execute this command. Check to ensure that FIPS-140 encryption mode is enabled.
# cryptoadm list fips-140 | grep -c "is disabled"
If the output of this command is not "0", this is a finding.

Fix: F-51791r1_fix

The Crypto Management profile is required to execute this command. This action applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies. Enable FIPS-140 mode.
# pfexec cryptoadm enable fips-140
Reboot the system as requested.

The system must not respond to multicast echo requests.
CM-6 - Low - CCI-000366 - V-48185 - SV-61057r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050060
Vuln IDs
  • V-48185
Rule IDs
  • SV-61057r1_rule
Multicast echo requests can be useful for reconnaissance of systems and for denial of service attacks.
Checks: C-50617r1_chk

Determine if response to multicast echo requests is disabled.
# ipadm show-prop -p _respond_to_echo_multicast -co current ipv4
# ipadm show-prop -p _respond_to_echo_multicast -co current ipv6
If the output of all commands is not "0", this is a finding.

Fix: F-51793r1_fix

The Network Management profile is required. Disable responses to multicast echo requests for IPv4 and IPv6.
# pfexec ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
# pfexec ipadm set-prop -p _respond_to_echo_multicast=0 ipv6

The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-48187 - SV-61059r3_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
SOL-11.1-060010
Vuln IDs
  • V-48187
Rule IDs
  • SV-61059r3_rule
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. Applications utilizing encryption are required to use approved encryption modules meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules. Satisfies: SRG-OS-000120, SRG-OS-000169
Checks: C-50619r1_chk

This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies. The Crypto Management profile is required to execute this command. Check to ensure that FIPS-140 encryption mode is enabled.
# cryptoadm list fips-140 | grep -c "is disabled"
If the output of this command is not "0", this is a finding.

Fix: F-51795r1_fix

The Crypto Management profile is required to execute this command. This action applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies. Enable FIPS-140 mode.
# pfexec cryptoadm enable fips-140
Reboot the system as requested.

The system must ignore ICMP redirect messages.
CM-6 - Low - CCI-000366 - V-48189 - SV-61061r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050070
Vuln IDs
  • V-48189
Rule IDs
  • SV-61061r1_rule
Ignoring ICMP redirect messages reduces the likelihood of denial of service attacks.
Checks: C-50621r1_chk

Determine if ICMP redirect messages are ignored.
# ipadm show-prop -p _ignore_redirect -co current ipv4
# ipadm show-prop -p _ignore_redirect -co current ipv6
If the output of all commands is not "1", this is a finding.

Fix: F-51797r1_fix

The Network Management profile is required. Enable ignoring of ICMP redirects for IPv4 and IPv6.
# pfexec ipadm set-prop -p _ignore_redirect=1 ipv4
# pfexec ipadm set-prop -p _ignore_redirect=1 ipv6

The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
CM-6 - Medium - CCI-000366 - V-48191 - SV-61063r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-050470
Vuln IDs
  • V-48191
Rule IDs
  • SV-61063r2_rule
Manipulation of IP addresses can allow untrusted systems to appear as trusted hosts, bypassing firewalls and other security mechanisms and resulting in system penetration.
Checks: C-50623r4_chk

Determine the zone that you are currently securing.
# zonename
If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require inspection. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require inspection.
Identify if this system has physical interfaces.
# dladm show-link -Z | grep -v vnic
LINK        ZONE    CLASS  MTU    STATE    OVER
net0        global  phys   1500   unknown  --
e1000g0     global  phys   1500   up       --
e1000g1     global  phys   1500   up       --
zoneD/net2  zoneD   iptun  65515  up       --
If "phys" appears in the third column, then the interface is physical.
For each physical interface, determine if the network interface is Ethernet or InfiniBand:
# dladm show-phys [interface name]
LINK    MEDIA     STATE    SPEED  DUPLEX  DEVICE
[name]  Ethernet  unknown  0      half    dnet0
The second column indicates either "Ethernet" or "Infiniband".
For each physical interface, determine if the host is using ip-forwarding:
# ipadm show-ifprop [interface name] | grep forwarding
[name]  forwarding  ipv4  rw  off  --  off  on,off
[name]  forwarding  ipv6  rw  off  --  off  on,off
If "on" appears in the fifth column, then the interface is using ip-forwarding.
For each interface, determine if the host is using SR-IOV's Virtual Function (VF) driver:
# dladm show-phys [interface name] | grep vf
If the sixth column includes 'vf' in its name, it is using SR-IOV (ex: ixgbevf0).
For each physical and SR-IOV interface, determine if network link protection capabilities are enabled.
# dladm show-linkprop -p protection
LINK  PROPERTY    PERM  VALUE         DEFAULT  POSSIBLE
net0  protection  rw    mac-nospoof,  --       mac-nospoof,
                        restricted,            restricted,
                        ip-nospoof,            ip-nospoof,
                        dhcp-nospoof           dhcp-nospoof
If the interface uses Infiniband and if restricted, ip-nospoof, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding.
If the interface uses ip-forwarding and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding.
If the interface uses SR-IOV and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding.
If the interface uses Ethernet without IP forwarding and if mac-nospoof, restricted, ip-nospoof, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding.

Fix: F-51799r2_fix

Determine the name of the zone that you are currently securing.
# zonename
If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require configuration. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require configuration.
The Network Link Security profile is required. Determine which network interfaces are available and what protection modes are enabled and required. Enable link protection based on each configured network interface type.
For InfiniBand:
# pfexec dladm set-linkprop -p protection=restricted,ip-nospoof,dhcp-nospoof [interface name]
For IP forwarding:
# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name]
For SR-IOV:
# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name]
For Ethernet without IP forwarding:
# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]
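The four-way classification in this check (InfiniBand, IP forwarding, SR-IOV VF, plain Ethernet) and the per-type protection sets are easy to get wrong when read by eye across many interfaces. The POSIX sh script below is an added example, not part of the STIG or of Oracle's tooling: it encodes the rule's decision table, reports which required modes are absent from a link's current protection value, and prints the matching set-linkprop command from the fix text. The precedence it applies when several cases match (InfiniBand first, then IP forwarding, then SR-IOV, then Ethernet) is this script's assumption, since the rule does not state one; the dladm and ipadm field-selection flags used in audit_link are also assumed and should be verified against the man pages on the release in use. SAMPLE_LINKS is constructed data.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate SOL-11.1-050470 link protection
# requirements. Classification inputs are the columns the check reads:
# show-phys MEDIA and DEVICE, and the ipadm "forwarding" property.

# classify_interface MEDIA FORWARDING DEVICE -> infiniband|ip-forwarding|sr-iov|ethernet
# Precedence when several cases match is an assumption of this script;
# the rule text does not state one.
classify_interface() {
    case "$1" in
        [Ii]nfini[Bb]and) echo infiniband; return 0 ;;
    esac
    if [ "$2" = on ]; then echo ip-forwarding; return 0; fi
    case "$3" in
        *vf*) echo sr-iov; return 0 ;;    # SR-IOV Virtual Function driver, e.g. ixgbevf0
    esac
    echo ethernet
}

# required_protection TYPE: the modes the rule demands for that interface type.
required_protection() {
    case "$1" in
        infiniband)    echo restricted,ip-nospoof,dhcp-nospoof ;;
        ip-forwarding) echo mac-nospoof,restricted,dhcp-nospoof ;;
        sr-iov)        echo mac-nospoof,restricted,dhcp-nospoof ;;
        ethernet)      echo mac-nospoof,restricted,ip-nospoof,dhcp-nospoof ;;
        *)             echo "unknown interface type: $1" >&2; return 1 ;;
    esac
}

# missing_protection TYPE CURRENT: CURRENT is the VALUE column of
# "dladm show-linkprop -p protection" (comma-separated, "--" when unset).
# Prints the required modes that are absent; empty output means compliant.
missing_protection() {
    req=$(required_protection "$1") || return 1
    missing=""
    for mode in $(printf '%s\n' "$req" | tr ',' ' '); do
        case ",$2," in
            *,"$mode",*) ;;                               # present
            *) missing="${missing:+$missing,}$mode" ;;    # absent
        esac
    done
    printf '%s\n' "$missing"
}

# fix_command TYPE IFACE: the set-linkprop line from the rule's fix text.
fix_command() {
    printf 'pfexec dladm set-linkprop -p protection=%s %s\n' \
        "$(required_protection "$1")" "$2"
}

# audit_link IFACE: live check on a Solaris host. The -o/-c/-m field-selection
# flags are assumed from dladm(1M)/ipadm(1M); verify them on your release.
# Only IPv4 forwarding is queried here; repeat with -m ipv6 where relevant.
audit_link() {
    media=$(dladm show-phys -p -o media "$1")
    dev=$(dladm show-phys -p -o device "$1")
    fwd=$(ipadm show-ifprop -p forwarding -m ipv4 -co current "$1")
    cur=$(dladm show-linkprop -c -o value -p protection "$1")
    type=$(classify_interface "$media" "$fwd" "$dev")
    miss=$(missing_protection "$type" "$cur")
    [ -z "$miss" ] || printf 'FINDING %s (%s): missing %s; fix: %s\n' \
        "$1" "$type" "$miss" "$(fix_command "$type" "$1")"
}

# Constructed sample: name media forwarding device current-protection.
SAMPLE_LINKS='net0 Ethernet off e1000g0 mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
net1 Ethernet on e1000g1 mac-nospoof,restricted
net2 Ethernet off ixgbevf0 --
net3 Infiniband off ibp0 restricted,ip-nospoof,dhcp-nospoof'

# audit_sample: evaluate SAMPLE_LINKS; returns the number of findings.
audit_sample() {
    findings=0
    while read -r name media fwd dev cur; do
        [ -n "$name" ] || continue
        type=$(classify_interface "$media" "$fwd" "$dev")
        miss=$(missing_protection "$type" "$cur")
        if [ -n "$miss" ]; then
            printf 'FINDING %s (%s): missing %s; fix: %s\n' \
                "$name" "$type" "$miss" "$(fix_command "$type" "$name")"
            findings=$((findings + 1))
        fi
    done <<EOF
$SAMPLE_LINKS
EOF
    return "$findings"
}

audit_sample || printf '%s finding(s) in sample\n' "$?"
```

On the sample, net1 forwards IP and lacks dhcp-nospoof, and net2 is an SR-IOV VF with no protection at all, so the script reports two findings and prints the exact dladm command that would clear each one.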

The system must set strict multihoming.
CM-6 - Medium - CCI-000366 - V-48193 - SV-61065r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-050080
Vuln IDs
  • V-48193
Rule IDs
  • SV-61065r1_rule
These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. This rule is NA for documented systems that have interfaces that cross strict networking domains (for example, a firewall, a router, or a VPN node).
Checks: C-50625r1_chk

Determine if strict multihoming is configured.
# ipadm show-prop -p _strict_dst_multihoming -co current ipv4
# ipadm show-prop -p _strict_dst_multihoming -co current ipv6
If the output of all commands is not "1", this is a finding.

Fix: F-51801r1_fix

The Network Management profile is required. Enable strict multihoming for IPv4 and IPv6.
# pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv4
# pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv6

The operating system must terminate all sessions and network connections when non-local maintenance is completed.
MA-4 - Medium - CCI-000879 - V-48195 - SV-61067r1_rule
RMF Control
MA-4
Severity
M
CCI
CCI-000879
Version
SOL-11.1-050460
Vuln IDs
  • V-48195
Rule IDs
  • SV-61067r1_rule
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The operating system needs to ensure all sessions and network connections are terminated when non-local maintenance is completed.
Checks: C-50627r2_chk

Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity.
# grep ClientAlive /etc/ssh/sshd_config
If the output of this command is not:
ClientAliveInterval 600
ClientAliveCountMax 0
this is a finding.

Fix: F-51803r2_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity.
# pfedit /etc/ssh/sshd_config
Insert the two lines:
ClientAliveInterval 600
ClientAliveCountMax 0
Restart the SSH service with the new configuration.
# svcadm restart svc:/network/ssh

The system must disable ICMP redirect messages.
CM-6 - Low - CCI-000366 - V-48197 - SV-75425r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050090
Vuln IDs
  • V-48197
Rule IDs
  • SV-75425r2_rule
A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system.
Checks: C-61949r2_chk

Determine the version of Solaris 11 in use.
# cat /etc/release
If the version of Solaris is earlier than Solaris 11.2, determine if ICMP redirect messages are disabled.
# ipadm show-prop -p _send_redirects -co current ipv4
# ipadm show-prop -p _send_redirects -co current ipv6
If the output of all commands is not "0", this is a finding.
If the version of Solaris is Solaris 11.2 or later, determine if ICMP redirect messages are disabled.
# ipadm show-prop -p send_redirects -co current ipv4
# ipadm show-prop -p send_redirects -co current ipv6
If the output of all commands is not "off", this is a finding.

Fix: F-66765r2_fix

The Network Management profile is required.
If the version of Solaris is earlier than Solaris 11.2, disable send redirects for IPv4 and IPv6.
# pfexec ipadm set-prop -p _send_redirects=0 ipv4
# pfexec ipadm set-prop -p _send_redirects=0 ipv6
If the version of Solaris is Solaris 11.2 or later, disable send redirects for IPv4 and IPv6.
# pfexec ipadm set-prop -p send_redirects=off ipv4
# pfexec ipadm set-prop -p send_redirects=off ipv6

The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
AC-8 - Low - CCI-000048 - V-48199 - SV-61071r1_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
SOL-11.1-050430
Vuln IDs
  • V-48199
Rule IDs
  • SV-61071r1_rule
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
Checks: C-50631r1_chk

Determine if the FTP server package is installed:
# pkg list service/network/ftp
If the package is not installed, this check does not apply.
# grep DisplayConnect /etc/proftpd.conf
If:
DisplayConnect /etc/issue
does not appear, this is a finding. If /etc/issue does not contain the approved DoD text, this is a finding.

Fix: F-51807r2_fix

The root role is required. The package pkg:/service/network/ftp must be installed.
# pfedit /etc/issue
Insert the proper DoD banner message text. The DoD required text is:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
# echo "DisplayConnect /etc/issue" >> /etc/proftpd.conf
# svcadm restart ftp

The system must disable TCP reverse IP source routing.
CM-6 - Low - CCI-000366 - V-48201 - SV-61073r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050100
Vuln IDs
  • V-48201
Rule IDs
  • SV-61073r1_rule
If enabled, reverse IP source routing would allow an attacker to more easily complete a three-way TCP handshake and spoof new connections.
Checks: C-50635r1_chk

Determine if TCP reverse IP source routing is disabled.
# ipadm show-prop -p _rev_src_routes -co current tcp
If the output of this command is not "0", this is a finding.

Fix: F-51811r1_fix

The Network Management profile is required. Disable reverse source routing.
# pfexec ipadm set-prop -p _rev_src_routes=0 tcp

The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
AC-8 - Low - CCI-000048 - V-48203 - SV-61075r1_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
SOL-11.1-050410
Vuln IDs
  • V-48203
Rule IDs
  • SV-61075r1_rule
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
Checks: C-50633r1_chk

This item does not apply if a graphic login is not configured. Log in to the Gnome Graphical interface. If the approved banner message does not appear, this is a finding.
# cat /etc/issue
# grep zenity /etc/gdm/Init/Default
If /etc/issue does not contain the DoD-approved banner message or /etc/gdm/Init/Default does not contain the line:
/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message" --filename=/etc/issue
this is a finding.

Fix: F-51809r1_fix

The root role is required. If the system does not use XWindows, this is not applicable.
# pfedit /etc/issue
Insert the proper DoD banner message text. The DoD required text is:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
# pfedit /etc/gdm/Init/Default
Add the following content before the "exit 0" line of the file.
/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message" --filename=/etc/issue

The operating system must display the DoD approved system use notification message or banner for SSH connections.
AC-8 - Low - CCI-000048 - V-48205 - SV-61077r1_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
SOL-11.1-050390
Vuln IDs
  • V-48205
Rule IDs
  • SV-61077r1_rule
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
Checks: C-50639r1_chk

Check SSH configuration for banner message:
# grep "^Banner" /etc/ssh/sshd_config
If the output is not:
Banner /etc/issue
and /etc/issue does not contain the approved banner text, this is a finding.

Fix: F-51815r1_fix

The root role is required. Edit the SSH configuration file.
# pfedit /etc/ssh/sshd_config
Locate the line containing:
Banner
Change the line to read:
Banner /etc/issue
Edit the /etc/issue file.
# pfedit /etc/issue
The DoD required text is:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Restart the SSH service.
# svcadm restart svc:/network/ssh
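Both SSH rules above (SOL-11.1-050460 and SOL-11.1-050390) are checked with grep, which also matches commented-out lines and later duplicates that sshd itself ignores. The POSIX sh script below is an added example, not part of the STIG: it resolves each keyword the way sshd does (first non-comment occurrence wins, keywords are case-insensitive) and reports the ClientAliveInterval, ClientAliveCountMax and Banner values actually in effect. SAMPLE_SSHD_CONFIG is a constructed file, written so that the plain grep would look compliant while one directive is not; point check_sshd at /etc/ssh/sshd_config to audit a real host.

```shell
#!/bin/sh
# Added example (not STIG text): check SOL-11.1-050460 (ClientAlive*) and
# SOL-11.1-050390 (Banner) against the directives sshd actually applies.

# sshd_effective KEY FILE: print the value sshd uses for KEY. Keywords are
# case-insensitive, comment and blank lines are skipped, and the FIRST
# occurrence wins (later duplicates are ignored by sshd). Prints nothing
# when the keyword is absent, i.e. sshd's built-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key        { print $2; exit }
    ' "$2"
}

# check_sshd FILE: print one FINDING per directive that differs from the
# STIG value; return the number of findings (0 = compliant).
check_sshd() {
    findings=0
    for want in ClientAliveInterval=600 ClientAliveCountMax=0 Banner=/etc/issue; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(sshd_effective "$key" "$1")
        if [ "$actual" != "$expected" ]; then
            printf 'FINDING %s: expected "%s", effective value "%s"\n' \
                "$key" "$expected" "${actual:-(sshd default)}"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample. "grep ClientAlive" on it prints both STIG lines, yet
# ClientAliveCountMax is commented out and therefore not in effect, and the
# second ClientAliveInterval (900) is a duplicate that sshd ignores.
SAMPLE_SSHD_CONFIG='# sshd_config sample (constructed for this example)
Port 22
#ClientAliveInterval 0
ClientAliveInterval 600
#ClientAliveCountMax 0
clientaliveinterval 900
Banner /etc/issue
Banner none'

# check_sample: run check_sshd over the constructed sample; returns findings.
check_sample() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    n=0
    check_sshd "$tmp" || n=$?
    rm -f "$tmp"
    return "$n"
}

# Stand-alone run over the constructed sample.
check_sample || printf '%s finding(s) in sample\n' "$?"
```

The sample yields exactly one finding, ClientAliveCountMax, which the STIG's grep would have shown as present. Keep the same first-occurrence rule in mind when the fix text says "Insert the two lines": inserting them after an existing uncommented ClientAliveInterval leaves the old value in force.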

The system must set maximum number of half-open TCP connections to 4096.
CM-6 - Medium - CCI-000366 - V-48207 - SV-61079r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-050110
Vuln IDs
  • V-48207
Rule IDs
  • SV-61079r1_rule
This setting controls how many half-open connections can exist for a TCP port. It is necessary to control the number of completed connections to the system to provide some protection against denial of service attacks.
Checks: C-50637r1_chk

Determine if the number of half-open TCP connections is set to 4096.
# ipadm show-prop -p _conn_req_max_q0 -co current tcp
If the value of "4096" is not returned, this is a finding.

Fix: F-51813r1_fix

The Network Management profile is required. Configure the maximum number of half-open TCP connections for IPv4 and IPv6.
# pfexec ipadm set-prop -p _conn_req_max_q0=4096 tcp

The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
AC-8 - Low - CCI-000048 - V-48209 - SV-61081r1_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
SOL-11.1-050380
Vuln IDs
  • V-48209
Rule IDs
  • SV-61081r1_rule
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
Checks: C-50641r1_chk

Review the contents of these two files and check that the proper DoD banner message is configured.
# cat /etc/motd
# cat /etc/issue
If the DoD-approved banner text is not in the files, this is a finding.

Fix: F-51817r1_fix

The root role is required. Edit the contents of these two files and ensure that the proper DoD banner message is viewable.
# pfedit /etc/motd
# pfedit /etc/issue
The DoD required text is:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

The system must set maximum number of incoming connections to 1024.
CM-6 - Low - CCI-000366 - V-48211 - SV-61083r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050120
Vuln IDs
  • V-48211
Rule IDs
  • SV-61083r1_rule
This setting controls the maximum number of incoming connections that can be accepted on a TCP port limiting exposure to denial of service attacks.
Checks: C-50643r1_chk

Determine if the maximum number of incoming connections is set to 1024.
# ipadm show-prop -p _conn_req_max_q -co current tcp
If the value returned is smaller than "1024", this is a finding. In environments where connection numbers are high, such as a busy web server, this value may need to be increased.

Fix: F-51819r1_fix

The Network Management profile is required. Configure the maximum number of incoming connections.
# pfexec ipadm set-prop -p _conn_req_max_q=1024 tcp

The system must prevent local applications from generating source-routed packets.
CM-6 - Low - CCI-000366 - V-48213 - SV-61085r4_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050370
Vuln IDs
  • V-48213
Rule IDs
  • SV-61085r4_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Checks: C-50645r4_chk

Determine the OS version you are currently securing.
# uname -v
Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required. Check the system for an IPF rule blocking outgoing source-routed packets.
# ipfstat -o
Examine the list for rules such as:
block out log quick from any to any with opt lsrr
block out log quick from any to any with opt ssrr
If the listed rules do not block both lsrr and ssrr options, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Ensure that IP Options are not in use:
# pfctl -s rules | grep allow-opts
If any output is returned, this is a finding.

Fix: F-51821r4_fix

The root role is required.
# pfedit /etc/ipf/ipf.conf
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, add rules to block outgoing source-routed packets, such as:
block out log quick all with opt lsrr
block out log quick all with opt ssrr
Reload the IPF rules.
# ipf -Fa -A -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, remove or modify any rules that include "allow-opts". Reload the Packet Filter rules:
# svcadm refresh firewall:default

The operating system must enforce requirements for remote connections to the information system.
AC-17 - Medium - CCI-000066 - V-48215 - SV-61087r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000066
Version
SOL-11.1-050360
Vuln IDs
  • V-48215
Rule IDs
  • SV-61087r2_rule
Remote access to the system can be limited through the use of the host-based firewall.
Checks: C-50649r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51823r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The system must disable network routing unless required.
CM-6 - Medium - CCI-000366 - V-48217 - SV-61089r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-050130
Vuln IDs
  • V-48217
Rule IDs
  • SV-61089r1_rule
The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts. Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses, including a lack of authentication, zoning, pruning, etc.
Checks: C-50647r1_chk

Determine if routing is disabled.
# routeadm -p | egrep "routing |forwarding" | grep enabled
If the command output includes "persistent=enabled" or "current=enabled", this is a finding.

Fix: F-51825r1_fix

The Network Management profile is required. Disable routing for IPv4 and IPv6.
# pfexec routeadm -d ipv4-forwarding -d ipv4-routing
# pfexec routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# pfexec routeadm -u

The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers.
SC-15 - Medium - CCI-001154 - V-48219 - SV-61091r2_rule
RMF Control
SC-15
Severity
M
CCI
CCI-001154
Version
SOL-11.1-050350
Vuln IDs
  • V-48219
Rule IDs
  • SV-61091r2_rule
Proper configuration of the firewall will deny instant messaging clients, which reduces a user's ability to relay sensitive information.
Checks: C-50651r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51827r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The system must implement TCP Wrappers.
CM-6 - Low - CCI-000366 - V-48221 - SV-61093r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SOL-11.1-050140
Vuln IDs
  • V-48221
Rule IDs
  • SV-61093r2_rule
TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provides logging information via syslog about both successful and unsuccessful connections. TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts.
Checks: C-50653r2_chk

Determine if TCP Wrappers is configured.
# inetadm -p | grep tcp_wrappers
If the output of this command is "FALSE", this is a finding.
The above command will check whether TCP Wrappers is enabled for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4.
Individual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to "FALSE". To check the status of individual inetd services, use the command:
# for svc in `inetadm | awk '/svc:\// { print $NF }'`; do
    val=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE`
    if [ ${val} -eq 1 ]; then
        echo "TCP Wrappers enabled for ${svc}"
    fi
done
If the required services are not configured to use TCP Wrappers, this is a finding.
# ls /etc/hosts.deny
# ls /etc/hosts.allow
If these files are not found, this is a finding.

Fix: F-51829r2_fix

The root role is required. Configure allowed and denied hosts per organizational policy.
1. Create and customize the policy in /etc/hosts.allow:
# echo "ALL: [net]/[mask] , [net]/[mask], ..." > /etc/hosts.allow
where each [net]/[mask] combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by the organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo "ALL: ALL" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE
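The three checks above (V-48211 connection backlog, V-48217 routing, V-48221 TCP Wrappers) each reduce to a small decision on command output. The script below is an added example, not part of the STIG or of Oracle's tooling: each function takes the relevant command output as a string so the pass/finding logic can be exercised offline. The SAMPLE_* values and the service FMRI are constructed stand-ins for real ipadm, routeadm and inetadm output, and the hosts-file check takes a directory argument so it can be pointed at a test tree instead of /etc.

```shell
#!/bin/sh
# Added audit helpers (not part of the STIG) for V-48211, V-48217 and
# V-48221. Each function takes command output as a string; the SAMPLE_*
# values below are constructed, not captured from a real host.

# V-48211: argument is the output of
#   ipadm show-prop -p _conn_req_max_q -co current tcp
check_conn_req_max_q() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$value" in
        ''|*[!0-9]*) echo "FINDING: unparsable backlog value '$value'"; return 1 ;;
    esac
    if [ "$value" -lt 1024 ]; then
        echo "FINDING: _conn_req_max_q=$value is below 1024"; return 1
    fi
    echo "PASS: _conn_req_max_q=$value"; return 0
}

# V-48217: argument is the output of "routeadm -p". Mirrors the STIG grep:
# any routing/forwarding line with persistent=enabled or current=enabled.
check_routing_disabled() {
    enabled=$(printf '%s\n' "$1" | grep -E 'routing |forwarding' \
              | grep -E 'persistent=enabled|current=enabled' || :)
    if [ -n "$enabled" ]; then
        echo "FINDING: routing or forwarding enabled:"
        echo "$enabled"
        return 1
    fi
    echo "PASS: IPv4/IPv6 routing and forwarding disabled"; return 0
}

# V-48221 (global): argument is the output of "inetadm -p | grep tcp_wrappers".
check_tcp_wrappers_global() {
    case "$1" in
        *tcp_wrappers=TRUE*) echo "PASS: tcp_wrappers=TRUE for all inetd services"; return 0 ;;
        *) echo "FINDING: global tcp_wrappers is not TRUE"; return 1 ;;
    esac
}

# V-48221 (per service): $1 is the service FMRI, $2 the output of
# "inetadm -l $1". Same test as the STIG loop: grep -c tcp_wrappers=TRUE.
service_has_tcp_wrappers() {
    count=$(printf '%s\n' "$2" | grep -c 'tcp_wrappers=TRUE' || :)
    if [ "$count" -eq 1 ]; then
        echo "TCP Wrappers enabled for $1"; return 0
    fi
    echo "TCP Wrappers NOT enabled for $1"; return 1
}

# V-48221 (files): both hosts.allow and hosts.deny must exist. The directory
# defaults to /etc but is a parameter so the check can run against a test tree.
check_hosts_files() {
    dir=${1:-/etc}
    missing=""
    for f in hosts.allow hosts.deny; do
        [ -f "$dir/$f" ] || missing="$missing $dir/$f"
    done
    if [ -n "$missing" ]; then
        echo "FINDING: missing$missing"; return 1
    fi
    echo "PASS: hosts.allow and hosts.deny present in $dir"; return 0
}

# Constructed sample output (not captured from a real system).
SAMPLE_ROUTEADM_BAD='ipv4-routing persistent=enabled default=disabled current=enabled
ipv4-forwarding persistent=disabled default=disabled current=disabled
ipv6-routing persistent=disabled default=disabled current=disabled
ipv6-forwarding persistent=disabled default=disabled current=disabled'
SAMPLE_ROUTEADM_GOOD=$(printf '%s\n' "$SAMPLE_ROUTEADM_BAD" | sed 's/=enabled/=disabled/g')
SAMPLE_INETADM_L='SCOPE    NAME=VALUE
         name="telnet"
         proto="tcp6"
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE'

# Demo run against the non-compliant samples; return codes are ignored
# here so the script completes and prints every result.
check_conn_req_max_q "128" || :
check_routing_disabled "$SAMPLE_ROUTEADM_BAD" || :
check_tcp_wrappers_global "tcp_wrappers=FALSE" || :
service_has_tcp_wrappers svc:/network/telnet:default "$SAMPLE_INETADM_L" || :
```

On a live system the same functions are fed real output, e.g. `check_routing_disabled "$(routeadm -p)"`; a non-zero return from any of them is the STIG finding.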

The operating system must use cryptography to protect the integrity of remote access sessions.
AC-17 - Medium - CCI-001453 - V-48223 - SV-61095r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
SOL-11.1-050330
Vuln IDs
  • V-48223
Rule IDs
  • SV-61095r2_rule
Proper configuration of the firewall will only allow encrypted, authenticated protocols such as SSHv2 to ensure the integrity of remote access sessions.
Checks: C-50655r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51831r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The operating system must configure the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
CM-7 - Medium - CCI-000382 - V-48225 - SV-61097r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
SOL-11.1-050150
Vuln IDs
  • V-48225
Rule IDs
  • SV-61097r2_rule
Proper configuration of the firewall will only allow encrypted, authenticated protocols such as SSHv2. Stateful packet filtering and logging shall be enabled.
Checks: C-50657r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51833r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
AC-17 - Medium - CCI-001436 - V-48227 - SV-61099r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
SOL-11.1-050320
Vuln IDs
  • V-48227
Rule IDs
  • SV-61099r2_rule
Organization-defined networking protocols can be limited through the use of the host-based firewall.
Checks: C-50659r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51835r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.
SC-7 - Medium - CCI-001118 - V-48229 - SV-61101r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001118
Version
SOL-11.1-050290
Vuln IDs
  • V-48229
Rule IDs
  • SV-61101r2_rule
A host-based boundary protection mechanism is a host-based firewall.
Checks: C-50661r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51837r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-000774 - V-48231 - SV-61103r2_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000774
Version
SOL-11.1-050160
Vuln IDs
  • V-48231
Rule IDs
  • SV-61103r2_rule
Non-local maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending non-local maintenance and diagnostic communications through encrypted channels enforced via firewall configurations.
Checks: C-50663r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs ipfilter
If ipfilter is not listed with a state of online, this is a finding.
The IP Filter Management profile is required. Check that the filters are configured properly.
# ipfstat -io
If the output of this command does not include these lines:
block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
this is a finding.
Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default
If firewall is not listed with a state of "online", this is a finding.
The Network Firewall Management rights profile is required. Check that the filters are configured properly.
# pfctl -s rules
If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all
this is a finding.

Fix: F-51839r2_fix

The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.
# pfedit /etc/ipf/ipf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
Enable ipfilter.
# svcadm enable ipfilter
Notify ipfilter to use the new configuration file.
# ipf -Fa -f /etc/ipf/ipf.conf
For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.
# pfedit /etc/firewall/pf.conf
Add these lines to the file:
# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all
Enable Packet Filter.
# svcadm enable firewall:default
Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

The boundary protection system (firewall) must be configured to only allow encrypted protocols to ensure that passwords are transmitted via encryption.
IA-5 - Medium - CCI-000197 - V-48233 - SV-61105r2_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
SOL-11.1-050270
Vuln IDs
  • V-48233
Rule IDs
  • SV-61105r2_rule
Proper configuration of the firewall will only allow encrypted, authenticated protocols such as SSHv2. Stateful packet filtering and logging must also be enabled.
Checks: C-50665r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required. Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

this is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

The Network Firewall Management rights profile is required. Check that the filters are configured properly.

# pfctl -s rules

If the output of this command does not include these lines:

pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all

this is a finding.

Fix: F-51841r2_fix

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.

# pfedit /etc/ipf/ipf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.

# pfedit /etc/firewall/pf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.

# svcadm enable firewall:default

Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

b
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
SC-7 - Medium - CCI-001109 - V-48235 - SV-61107r2_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001109
Version
SOL-11.1-050240
Vuln IDs
  • V-48235
Rule IDs
  • SV-61107r2_rule
A firewall that relies on a deny all, permit by exception strategy requires all traffic to have explicit permission before traversing an interface on the host.
Checks: C-50667r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required. Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

this is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

The Network Firewall Management rights profile is required. Check that the filters are configured properly.

# pfctl -s rules

If the output of this command does not include these lines:

pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all

this is a finding.

Fix: F-51843r2_fix

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.

# pfedit /etc/ipf/ipf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.

# pfedit /etc/firewall/pf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.

# svcadm enable firewall:default

Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

b
The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
IA-2 - Medium - CCI-000776 - V-48237 - SV-61109r2_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000776
Version
SOL-11.1-050170
Vuln IDs
  • V-48237
Rule IDs
  • SV-61109r2_rule
Non-local maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending non-local maintenance and diagnostic communications through encrypted channels enforced via firewall configurations.
Checks: C-50669r2_chk

The IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required. Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

this is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

The Network Firewall Management rights profile is required. Check that the filters are configured properly.

# pfctl -s rules

If the output of this command does not include these lines:

pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all

this is a finding.

Fix: F-51845r2_fix

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.

# pfedit /etc/ipf/ipf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.

# pfedit /etc/firewall/pf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.

# svcadm enable firewall:default

Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

b
The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
MA-4 - Medium - CCI-000877 - V-48239 - SV-61111r2_rule
RMF Control
MA-4
Severity
M
CCI
CCI-000877
Version
SOL-11.1-050180
Vuln IDs
  • V-48239
Rule IDs
  • SV-61111r2_rule
Non-local maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending non-local maintenance and diagnostic communications through encrypted channels enforced via firewall configurations.
Checks: C-50671r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required. Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

this is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

The Network Firewall Management rights profile is required. Check that the filters are configured properly.

# pfctl -s rules

If the output of this command does not include these lines:

pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all

this is a finding.

Fix: F-51847r2_fix

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.

# pfedit /etc/ipf/ipf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.

# pfedit /etc/firewall/pf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.

# svcadm enable firewall:default

Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

b
The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
MA-4 - Medium - CCI-000888 - V-48241 - SV-61113r2_rule
RMF Control
MA-4
Severity
M
CCI
CCI-000888
Version
SOL-11.1-050190
Vuln IDs
  • V-48241
Rule IDs
  • SV-61113r2_rule
Non-local maintenance and diagnostic communications often contain sensitive information and must be protected. This data's integrity and confidentiality can be ensured by sending non-local maintenance and diagnostic communications through encrypted channels enforced via firewall configurations.
Checks: C-50673r2_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing.

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required. Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

this is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

The Network Firewall Management rights profile is required. Check that the filters are configured properly.

# pfctl -s rules

If the output of this command does not include these lines:

pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all

this is a finding.

Fix: F-51849r2_fix

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter, configure and enable the IP Filter policy.

# pfedit /etc/ipf/ipf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter, configure and enable the Packet Filter policy.

# pfedit /etc/firewall/pf.conf

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.

# svcadm enable firewall:default

Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.
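The IP Filter check is repeated for each of the firewall rules above (V-48233, V-48235, V-48237, V-48239, V-48241). As an added example that is not part of the STIG, this POSIX shell script compares a saved ipfstat -io listing against the required rule set and reports every other rule for the manual review the check calls for. The listings are constructed samples, and ipfstat -io is assumed to print one rule per line in the form the check text shows.

```shell
#!/bin/sh
# Added example, not part of the STIG: compare a saved "ipfstat -io" listing
# with the rule set the check requires. Assumes the listing holds one rule per
# line in the form shown in the check text.

# The rules the check text requires.
REQUIRED_IPF_RULES='block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32'

# ipf_findings FILE: print one line per finding. A required rule that is
# absent is reported as MISSING; every other rule in the listing is reported
# as REVIEW, because the check says extra rules may contradict the policy and
# must be reviewed against organizational requirements. Runs of whitespace are
# collapsed so spacing differences alone do not produce findings.
ipf_findings() {
    norm=$(tr -s ' \t' ' ' < "$1" | sed 's/^ //; s/ $//; /^$/d')
    printf '%s\n' "$REQUIRED_IPF_RULES" | while IFS= read -r req; do
        printf '%s\n' "$norm" | grep -Fxq -- "$req" || printf 'MISSING: %s\n' "$req"
    done
    printf '%s\n' "$norm" | while IFS= read -r have; do
        printf '%s\n' "$REQUIRED_IPF_RULES" | grep -Fxq -- "$have" || printf 'REVIEW: %s\n' "$have"
    done
}

# check_ipf_rules FILE: return 0 when every required rule is present (REVIEW
# lines still need a human), 1 when any required rule is missing (a finding).
check_ipf_rules() {
    if ipf_findings "$1" | grep -q '^MISSING'; then
        return 1
    fi
    return 0
}

# Constructed sample listings for the demonstration, not output from a real host.
GOOD_LISTING=$(mktemp)
cat > "$GOOD_LISTING" <<'EOF'
block out   log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32
EOF

# Missing the outbound, broadcast and loopback blocks, and passing HTTP in.
BAD_LISTING=$(mktemp)
cat > "$BAD_LISTING" <<'EOF'
pass in log quick proto tcp from any to any port = ssh keep state
pass in log quick proto tcp from any to any port = 80 keep state
block in log all
EOF

for listing in "$GOOD_LISTING" "$BAD_LISTING"; do
    if check_ipf_rules "$listing"; then
        echo "$listing: all required rules present"
    else
        echo "$listing: FINDING, required rules missing"
    fi
    ipf_findings "$listing"
done
```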

b
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
IA-5 - Medium - CCI-000196 - V-48243 - SV-61115r4_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
SOL-11.1-040130
Vuln IDs
  • V-48243
Rule IDs
  • SV-61115r4_rule
Cryptographic hashes provide quick password authentication while not actually storing the password.
Checks: C-50675r3_chk

Determine which cryptographic algorithms are configured.

# grep ^CRYPT /etc/security/policy.conf

If the command output does not include the lines:

CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_ALLOW=5,6

this is a finding.

Fix: F-51851r3_fix

The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash.

# pfedit /etc/security/policy.conf

Check that the lines:

CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_ALLOW=5,6

exist and are not commented out.

b
The system must disable accounts after three consecutive unsuccessful login attempts.
AC-7 - Medium - CCI-000044 - V-48245 - SV-61117r1_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
SOL-11.1-040140
Vuln IDs
  • V-48245
Rule IDs
  • SV-61117r1_rule
Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.
Checks: C-50677r1_chk

Verify RETRIES is set in the login file.

# grep ^RETRIES /etc/default/login

If the output is not RETRIES=3 or fewer, this is a finding.

Verify the account locks after invalid login attempts.

# grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf

If the output is not LOCK_AFTER_RETRIES=YES, this is a finding.

For each user in the system, use the command:

# userattr lock_after_retries [username]

to determine if the user overrides the system value. If the output of this command is "no", this is a finding.

Fix: F-51853r1_fix

The root role is required.

# pfedit /etc/default/login

Change the line:

#RETRIES=5

to read:

RETRIES=3

# pfedit /etc/security/policy.conf

Change the line containing #LOCK_AFTER_RETRIES to read:

LOCK_AFTER_RETRIES=YES

If a user has lock_after_retries set to "no", update the user's attributes using the command:

# usermod -K lock_after_retries=yes [username]
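As an added example that is not part of the STIG, covering both the hashing check (V-48243) and the lockout check (V-48245) above: a POSIX shell script that reads the effective, uncommented values from copies of /etc/security/policy.conf and /etc/default/login, so that a commented-out default such as #RETRIES=5 is treated as unset, exactly as the grep ^RETRIES check does. The sample files are constructed; the per-user userattr step must still be run on the live system.

```shell
#!/bin/sh
# Added example, not part of the STIG: evaluate the settings behind V-48243
# (password hash algorithms) and V-48245 (lockout after failed logins) from
# copies of /etc/security/policy.conf and /etc/default/login.

# effective_value FILE KEY: print the value of the last uncommented KEY=value
# line in FILE, or nothing if there is none. A commented "#KEY=value" line is
# deliberately ignored: the shipped "#RETRIES=5" is a documented default, not
# a setting, and the fix text requires it to be uncommented and changed.
effective_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_hash_policy POLICY: V-48243. Compliant only when CRYPT_DEFAULT=6 and
# CRYPT_ALGORITHMS_ALLOW=5,6 (the SHA-2 crypt modules from crypt.conf and
# nothing else) are both in effect.
check_hash_policy() {
    [ "$(effective_value "$1" CRYPT_DEFAULT)" = 6 ] &&
        [ "$(effective_value "$1" CRYPT_ALGORITHMS_ALLOW)" = 5,6 ] || return 1
    return 0
}

# check_lockout_policy POLICY LOGIN: V-48245. Compliant only when RETRIES in
# LOGIN is a number no greater than 3 and LOCK_AFTER_RETRIES=YES is in effect
# in POLICY. The per-user "userattr lock_after_retries" step in the check
# must still be run on the live system.
check_lockout_policy() {
    retries=$(effective_value "$2" RETRIES)
    case $retries in
        ''|*[!0-9]*) return 1 ;;    # unset, commented out, or not numeric
    esac
    [ "$retries" -le 3 ] &&
        [ "$(effective_value "$1" LOCK_AFTER_RETRIES)" = YES ] || return 1
    return 0
}

# Constructed sample files, not copied from a real system.
POLICY_OK=$(mktemp); LOGIN_OK=$(mktemp)
cat > "$POLICY_OK" <<'EOF'
# CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_ALLOW=5,6
LOCK_AFTER_RETRIES=YES
EOF
printf 'RETRIES=3\n' > "$LOGIN_OK"

# Default-like files: the wide allow list is still present and the lockout
# settings exist only as commented defaults.
POLICY_BAD=$(mktemp); LOGIN_BAD=$(mktemp)
cat > "$POLICY_BAD" <<'EOF'
CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#LOCK_AFTER_RETRIES=YES
EOF
printf '#RETRIES=5\n' > "$LOGIN_BAD"

report() {
    if check_hash_policy "$1"; then echo "$1: hash policy compliant"
    else echo "$1: hash policy FINDING"; fi
    if check_lockout_policy "$1" "$2"; then echo "$2: lockout policy compliant"
    else echo "$2: lockout policy FINDING"; fi
}
report "$POLICY_OK" "$LOGIN_OK"
report "$POLICY_BAD" "$LOGIN_BAD"
```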

c
The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
AU-4 - High - CCI-000138 - V-49621 - SV-62545r1_rule
RMF Control
AU-4
Severity
H
CCI
CCI-000138
Version
SOL-11.1-010410
Vuln IDs
  • V-49621
Rule IDs
  • SV-62545r1_rule
Overflowing the audit storage area can result in a denial of service or system outage.
Checks: C-51543r1_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.

# pfexec auditconfig -getplugin

If the output of this command does not contain:

p_fsize=4M

this is a finding.

Fix: F-53123r1_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Set the size of a binary audit file to a specific size. The size is specified in megabytes.

# pfexec auditconfig -setplugin audit_binfile p_fsize=4M

Restart the audit system.

# pfexec audit -s

b
The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
CM-6 - Medium - CCI-000366 - V-49625 - SV-62549r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-090115
Vuln IDs
  • V-49625
Rule IDs
  • SV-62549r1_rule
Without the use of PKI systems to manage digital certificates, the operating system or other system components may be unable to securely communicate on a network or reliably verify the identity of a user via digital signatures.
Checks: C-51545r1_chk

The operator will ensure that a DoD approved PKI system is installed, configured, and properly operating. Ask the operator to document the PKI software installation and configuration. If the operator is not able to provide a documented configuration for an installed PKI system or if the PKI system is not properly configured, maintained, or used, this is a finding.

Fix: F-53127r1_fix

The operator will ensure that a DoD approved PKI software is installed and operating continuously.

b
The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
AC-19 - Medium - CCI-000085 - V-49635 - SV-62559r2_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
SOL-11.1-120410
Vuln IDs
  • V-49635
Rule IDs
  • SV-62559r2_rule
Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.
Checks: C-51547r2_chk

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if USB mass storage devices are locked out by the kernel.

# grep -h "exclude: scsa2usb" /etc/system /etc/system.d/*

If the output of this command is not:

exclude: scsa2usb

this is a finding.

Fix: F-53137r2_fix

The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Modify the /etc/system file. Determine the OS version you are currently securing.

# uname -v

For Solaris 11 GA and 11.1:

# pfedit /etc/system

Add a line containing:

exclude: scsa2usb

Note that the global zone will need to be rebooted for this change to take effect.

For Solaris 11.2 or newer, modify an /etc/system.d file.

# pfedit /etc/system.d/USB:MassStorage

Add a line containing:

exclude: scsa2usb

Note that the global zone will need to be rebooted for this change to take effect.

b
All run control scripts must have mode 0755 or less permissive.
CM-6 - Medium - CCI-000366 - V-59827 - SV-74257r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020300
Vuln IDs
  • V-59827
Rule IDs
  • SV-74257r1_rule
If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.
Checks: C-60583r1_chk

Check run control script modes.

# ls -lL /etc/rc* /etc/init.d /lib/svc/method

If any run control script has a mode more permissive than 0755, this is a finding.

Fix: F-65237r1_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, all files in the rc1.d (rc2.d, and so on) directories, and all files in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. If they are world writable, use the chmod command to correct the vulnerability and research why they were world writable.

Procedure:

# chmod go-w <startupfile>

b
All run control scripts must have no extended ACLs.
CM-6 - Medium - CCI-000366 - V-59829 - SV-74259r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020310
Vuln IDs
  • V-59829
Rule IDs
  • SV-74259r1_rule
If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.
Checks: C-60585r1_chk

Verify run control scripts have no extended ACLs.

# ls -lL /etc/rc* /etc/init.d

If the permissions include a "+", the file has an extended ACL and this is a finding.

Fix: F-65239r1_fix

Remove the extended ACL from the file.

# chmod A- [run control script with extended ACL]

b
Run control scripts executable search paths must contain only authorized paths.
CM-6 - Medium - CCI-000366 - V-59831 - SV-74261r3_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020320
Vuln IDs
  • V-59831
Rule IDs
  • SV-74261r3_rule
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
Checks: C-60587r3_chk

Verify run control scripts' executable search paths.

Procedure:

# find /etc/rc* /etc/init.d /lib/svc/method -type f -print | xargs grep -i PATH

This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.

Fix: F-65241r2_fix

Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

b
Run control scripts library search paths must contain only authorized paths.
CM-6 - Medium - CCI-000366 - V-59833 - SV-74263r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020330
Vuln IDs
  • V-59833
Rule IDs
  • SV-74263r2_rule
The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
Checks: C-60589r2_chk

Verify run control scripts' library search paths.

# find /etc/rc* /etc/init.d -type f -print | xargs grep LD_LIBRARY_PATH

This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.

Fix: F-65243r2_fix

Edit the run control script and remove the relative path entries from the library search path variables that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

b
Run control scripts lists of preloaded libraries must contain only authorized paths.
CM-6 - Medium - CCI-000366 - V-59835 - SV-74265r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020340
Vuln IDs
  • V-59835
Rule IDs
  • SV-74265r2_rule
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries to the current working directory that have not been authorized, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with a slash (/) are absolute paths.
Checks: C-60591r2_chk

Verify run control scripts' library preload list.

Procedure:

# find /etc/rc* /etc/init.d -type f -print | xargs grep LD_PRELOAD

This variable is formatted as a colon-separated list of paths. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.

Fix: F-65245r2_fix

Edit the run control script and remove the relative path entries from the library preload variables that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.
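The three search-path rules above (V-59831 PATH, V-59833 LD_LIBRARY_PATH, V-59835 LD_PRELOAD) apply the same test to each entry. As an added example that is not part of the STIG, this POSIX shell script extracts those assignments from run control scripts and flags empty, "." and relative entries together with their position in the list. The sample script is constructed; LD_PRELOAD is split on spaces as well as colons, since the rule description calls it space-separated while the check text calls it colon-separated, and an entry that is a variable expansion such as $PATH is reported as relative so that it gets documented with the ISSO as the check requires.

```shell
#!/bin/sh
# Added example, not part of the STIG: flag unauthorized entries in the search
# path variables set by run control scripts (V-59831 PATH, V-59833
# LD_LIBRARY_PATH, V-59835 LD_PRELOAD).

# path_findings NAME VALUE: print one line per problem entry in VALUE.
# An empty entry (leading or trailing colon, or two consecutive colons) and
# "." both mean the current working directory; any other entry that does not
# start with "/" is relative (a variable expansion such as $PATH is reported
# the same way, so it gets documented with the ISSO as the check requires).
path_findings() {
    name=$1
    value=$2
    if [ "$name" = LD_PRELOAD ]; then
        # The rule text calls LD_PRELOAD space-separated, the check text calls
        # it colon-separated: accept both by turning inner whitespace into colons.
        value=$(printf '%s\n' "$value" |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr -s ' \t' '::')
    fi
    printf '%s\n' "$value" | awk -v name="$name" '{
        n = split($0, parts, ":")
        for (i = 1; i <= n; i++) {
            e = parts[i]
            if (e == "" || e == ".")
                printf "%s: empty entry (current directory) at position %d\n", name, i
            else if (substr(e, 1, 1) != "/")
                printf "%s: relative entry \"%s\" at position %d\n", name, e, i
        }
    }'
}

# rc_path_findings FILE...: the rule's grep step, restricted to real
# assignments at the start of a line (optionally preceded by "export"); a
# trailing "; export NAME" and surrounding double quotes are stripped before
# the value is examined. Output lines are prefixed with the script path.
rc_path_findings() {
    for script in "$@"; do
        for name in PATH LD_LIBRARY_PATH LD_PRELOAD; do
            sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}$name=//p" "$script" |
            while IFS= read -r raw; do
                value=$(printf '%s\n' "$raw" |
                    sed 's/;.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
                path_findings "$name" "$value" | sed "s|^|$script: |"
            done
        done
    done
}

# Constructed run control script for the demonstration, not a real one.
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
#!/sbin/sh
PATH=.:/usr/sbin:/usr/bin
export PATH
LD_LIBRARY_PATH="/usr/lib:/opt/app/lib::/usr/local/lib"; export LD_LIBRARY_PATH
export LD_PRELOAD="/opt/app/lib/libwrap.so lib/hook.so"
/usr/bin/echo "PATH is $PATH"   # mentions PATH but assigns nothing
EOF

rc_path_findings "$SAMPLE_RC"
```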

b
Run control scripts must not execute world writable programs or scripts.
CM-6 - Medium - CCI-000366 - V-59837 - SV-74267r3_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020350
Vuln IDs
  • V-59837
Rule IDs
  • SV-74267r3_rule
World writable files could be modified accidentally or maliciously to compromise system integrity.
Checks: C-60593r3_chk

Check the permissions on the files or scripts executed from system startup scripts to see if they are world writable.

Create a list of all potential run command level scripts.

# ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "

Create a list of world writable files.

# find / -perm -002 -type f >> WorldWritableFileList

Determine if any of the world writable files in "WorldWritableFileList" are called from the run command level scripts.

Note: Depending upon the number of scripts vs. world writable files, it may be easier to inspect the scripts manually.

# more `ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "`

If any system startup script executes any file or script that is world writable, this is a finding.

Fix: F-65247r1_fix

Remove the world writable permission from programs or scripts executed by run control scripts. Procedure:
# chmod o-w <program or script executed from run control script>

All system start-up files must be owned by root.
CM-6 - Medium - CCI-000366 - V-59839 - SV-74269r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020360
Vuln IDs
  • V-59839
Rule IDs
  • SV-74269r1_rule
System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.
Checks: C-60595r1_chk

Check run control scripts' ownership.
# ls -lL /etc/rc* /etc/init.d
If any run control script is not owned by root, this is a finding.

Fix: F-65249r1_fix

Change the ownership of the run control script(s) with incorrect ownership.
# chown root <run control script>

All system start-up files must be group-owned by root, sys, or bin.
CM-6 - Medium - CCI-000366 - V-59841 - SV-74271r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020370
Vuln IDs
  • V-59841
Rule IDs
  • SV-74271r1_rule
If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.
Checks: C-60597r1_chk

Check run control scripts' group ownership. Procedure:
# ls -lL /etc/rc* /etc/init.d
If any run control script is not group-owned by root, sys, or bin, this is a finding.

Fix: F-65251r1_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure:
# chgrp root <run control script>

System start-up files must only execute programs owned by a privileged UID or an application.
CM-6 - Medium - CCI-000366 - V-59843 - SV-74273r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-020380
Vuln IDs
  • V-59843
Rule IDs
  • SV-74273r1_rule
System start-up files executing programs owned by other than root (or another privileged user) or an application indicates the system may have been compromised.
Checks: C-60599r1_chk

Determine the programs executed by system start-up files. Determine the ownership of the executed programs.
# cat /etc/rc* /etc/init.d/* | more
Check the ownership of every program executed by the system start-up files.
# ls -l <executed program>
If any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.

Fix: F-65253r1_fix

Change the ownership of the file executed from system startup scripts to root, bin, or sys.
# chown root <executed file>
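Both V-59837 (no world writable programs executed from run control scripts) and V-59843 (executed programs owned by a privileged UID or an application account) start from the same list: the absolute program paths that the start-up scripts invoke. The shell below is an added example, not part of the STIG or of Oracle's tooling. It extracts those paths from a script directory, then reports any that are world writable or owned by an account outside an allowed list. The sample tree it builds under a temporary directory is constructed; on a real system the directories would be /etc/init.d and /etc/rc*, and the allowed list would be root, sys, bin plus any documented application accounts.

```shell
#!/bin/sh
# Added example, not from the STIG: list the absolute program paths that
# run control scripts invoke, then flag any that are world writable or
# owned by an account outside an allowed list. The sample tree is
# constructed in a temporary directory; on a real system the directories
# would be /etc/init.d and /etc/rc*.

# referenced_programs DIR...
# Prints, once each, every absolute path mentioned in a script under the
# given directories that exists on this system. Comments are ignored.
referenced_programs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r script; do
        awk '{
            sub(/#.*/, "")                      # drop comments
            for (i = 1; i <= NF; i++) {
                gsub(/[;|&()]/, "", $i)         # strip shell punctuation
                if ($i ~ /^\//) print $i
            }
        }' "$script"
    done | sort -u | while IFS= read -r p; do
        if [ -e "$p" ]; then echo "$p"; fi
    done
    return 0
}

# world_writable PATH: returns 0 when "others" have write permission
# (ninth character of the ls -l mode field).
world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# owner_of PATH: prints the owning user name (field 3 of ls -l).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# startup_findings "ALLOWED OWNERS" DIR...
# Reports each referenced program that is world writable or not owned by
# one of the allowed accounts; returns 1 if anything was reported.
startup_findings() {
    allowed=$1
    shift
    rc=0
    for p in $(referenced_programs "$@"); do
        if world_writable "$p"; then
            echo "world writable: $p"
            rc=1
        fi
        o=$(owner_of "$p")
        case " $allowed " in
            *" $o "*) ;;
            *) echo "owner '$o' not in [$allowed]: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# demo_setup: builds a constructed sample tree and prints its root.
# One program is deliberately left world writable.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/bin"
    printf '#!/bin/sh\necho safe\n' > "$d/bin/safe"
    printf '#!/bin/sh\necho loose\n' > "$d/bin/loose"
    chmod 0755 "$d/bin/safe"
    chmod 0777 "$d/bin/loose"
    cat > "$d/init.d/demo" <<EOF
#!/bin/sh
# constructed sample run control script
$d/bin/safe start; $d/bin/loose &
/this/path/does/not/exist
EOF
    echo "$d"
}

# Stand-alone run: files created here belong to whoever runs the script,
# so that account is added to the allowed list for the demo.
demo=$(demo_setup)
startup_findings "root sys bin $(id -un)" "$demo/init.d" || echo "finding(s) under $demo"
rm -rf "$demo"
```

The path extraction is deliberately simple (whitespace-separated tokens beginning with a slash), which is why the check text suggests manual inspection when the script count is small; the two permission tests are the same ones the check procedures perform with find -perm -002 and ls -l.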

Any X Windows host must write .Xauthority files.
CM-2 - Medium - CCI-000297 - V-61003 - SV-75471r2_rule
RMF Control
CM-2
Severity
M
CCI
CCI-000297
Version
SOL-11.1-020500
Vuln IDs
  • V-61003
Rule IDs
  • SV-75471r2_rule
.Xauthority files ensure the user is authorized to access the specific X Windows host. If .Xauthority files are not used, it may be possible to obtain unauthorized access to the X Windows host.
Checks: C-61915r3_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure:
# ps -ef | grep xdm
Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Procedure:
# cd ~someuser
# ls -la .Xauthority
If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

Fix: F-66735r3_fix

Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.

All .Xauthority files must have mode 0600 or less permissive.
AC-6 - Medium - CCI-000225 - V-61005 - SV-75473r2_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
SOL-11.1-020510
Vuln IDs
  • V-61005
Rule IDs
  • SV-75473r2_rule
.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.
Checks: C-61917r2_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure:
# ps -ef | grep xdm
Check the file permissions for the .Xauthority files in the home directories of users of X. Procedure:
# cd ~<X user>
# ls -lL .Xauthority
If the file mode is more permissive than 0600, this is a finding.

Fix: F-66737r1_fix

Change the mode of the .Xauthority files. Procedure:
# chmod 0600 .Xauthority

The .Xauthority files must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-61023 - SV-75491r2_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
SOL-11.1-020520
Vuln IDs
  • V-61023
Rule IDs
  • SV-75491r2_rule
.Xauthority files ensure the user is authorized to access the specific X Windows host. Extended ACLs may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.
Checks: C-61935r2_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure:
# ps -ef | grep xdm
Check the file permissions for the .Xauthority files.
# ls -lL .Xauthority
If the permissions include a "+", the file has an extended ACL and this is a finding.

Fix: F-66755r2_fix

Remove the extended ACL from the file.
# chmod A- .Xauthority
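V-61005 (mode 0600 or less permissive) and V-61023 (no extended ACL) are both decided from the first field of the ls -lL output. The shell below is an added example, not part of the STIG: it parses that field, reports both conditions, and can be pointed at a real file. The ls lines it evaluates on its own are constructed; the user and group names in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the STIG: classify the permission field of an
# "ls -lL .Xauthority" line against two rules at once, mode 0600 or less
# permissive and no extended ACL, and apply the same check to a real file.

# xauthority_mode_finding PERMFIELD
# PERMFIELD is the first field of ls -l, e.g. "-rw-------" or "-rw-r--r--+".
# Prints each reason and returns 1 on a finding; returns 0 when compliant.
xauthority_mode_finding() {
    perm=$1
    rc=0
    bits=$(printf '%s' "$perm" | cut -c2-10)      # nine permission chars
    marker=$(printf '%s' "$perm" | cut -c11-)     # "+" (ACL) or other marker, if present
    # Owner is chars 1-3 of bits; group and other (chars 4-9) must all be "-".
    grp_oth=$(printf '%s' "$bits" | cut -c4-9)
    if [ "$grp_oth" != "------" ]; then
        echo "mode more permissive than 0600 (group/other bits: $grp_oth)"
        rc=1
    fi
    # 0700 is also more permissive than 0600: owner execute is not allowed.
    case "$bits" in
        ??[xs]*) echo "owner execute bit set"; rc=1 ;;
    esac
    # Solaris ls marks an extended ACL with "+" after the mode field.
    case "$marker" in
        *+*) echo "extended ACL present"; rc=1 ;;
    esac
    return $rc
}

# xauthority_line_finding "LS_LINE": checks a whole ls -l line.
xauthority_line_finding() {
    xauthority_mode_finding "${1%% *}"
}

# check_xauthority_file PATH: runs the check against an actual file.
check_xauthority_file() {
    xauthority_line_finding "$(ls -lL "$1")"
}

# Stand-alone run against constructed lines (no X session required).
for line in \
    "-rw-------   1 alice staff 120 Jul 24 10:00 .Xauthority" \
    "-rw-r--r--   1 alice staff 120 Jul 24 10:00 .Xauthority" \
    "-rw-------+  1 alice staff 120 Jul 24 10:00 .Xauthority"
do
    if xauthority_line_finding "$line"; then
        echo "compliant: ${line%% *}"
    else
        echo "finding:   ${line%% *}"
    fi
done
```

Only the "+" marker is treated as a finding; other characters that some ls implementations append after the mode (for extended attributes or security labels) are not what this rule is about.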

X displays must not be exported to the world.
AC-6 - High - CCI-000225 - V-61025 - SV-75493r1_rule
RMF Control
AC-6
Severity
H
CCI
CCI-000225
Version
SOL-11.1-020530
Vuln IDs
  • V-61025
Rule IDs
  • SV-75493r1_rule
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.
Checks: C-61937r1_chk

If X Windows is not used on the system, this is not applicable. Check the output of the xhost command from an X terminal. Procedure:
$ xhost
If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.
NOTE: It may be necessary to define the display if the command reports it cannot open the display. Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.

Fix: F-66757r1_fix

If using xhost-type authentication, the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as that provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.

.Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
CM-2 - Medium - CCI-000297 - V-61027 - SV-75495r2_rule
RMF Control
CM-2
Severity
M
CCI
CCI-000297
Version
SOL-11.1-020540
Vuln IDs
  • V-61027
Rule IDs
  • SV-75495r2_rule
If access to the X server is not restricted, a user's X session may be compromised.
Checks: C-61939r2_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if the X server is running. Procedure:
# ps -ef | grep X
Determine if XDM is running. Procedure:
# ps -ef | grep xdm
Determine if xauth is being used. Procedure:
# xauth
xauth> list
If the above command sequence does not show any host other than the localhost, then xauth is not being used. Search the system for X*.hosts files, where * is a display number that may be used to limit X window connections. If no files are found, X*.hosts files are not being used. If the X*.hosts files contain any unauthorized hosts, this is a finding. If both xauth and X*.hosts files are not being used, this is a finding.

Fix: F-66759r2_fix

Create an X*.hosts file, where * is a display number that may be used to limit X window connections. Add the list of authorized X clients to the file.

The .Xauthority utility must only permit access to authorized hosts.
AC-6 - Medium - CCI-000225 - V-61029 - SV-75497r2_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
SOL-11.1-020550
Vuln IDs
  • V-61029
Rule IDs
  • SV-75497r2_rule
If unauthorized clients are permitted access to the X server, a user's X session may be compromised.
Checks: C-61943r2_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure:
# ps -ef | grep xdm
Check that X Window system access is limited to authorized clients. Procedure:
# xauth
xauth> list
Ask the SA if the clients listed are authorized. If any are not, this is a finding.

Fix: F-66761r2_fix

Remove unauthorized clients from the xauth configuration. Procedure:
# xauth remove <display name>

X Window System connections that are not required must be disabled.
AC-17 - Medium - CCI-001436 - V-61031 - SV-75499r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
SOL-11.1-020560
Vuln IDs
  • V-61031
Rule IDs
  • SV-75499r1_rule
If unauthorized clients are permitted access to the X server, a user's X session may be compromised.
Checks: C-61947r1_chk

Determine if the X Window system is running. Procedure:
# ps -ef | grep X
Ask the SA if the X Window system is an operational requirement. If it is not, this is a finding.

Fix: F-66763r1_fix

Disable the X Windows server on the system.

Access to a domain console via telnet must be restricted to the local host.
CM-6 - Medium - CCI-000366 - V-71495 - SV-86119r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040315
Vuln IDs
  • V-71495
Rule IDs
  • SV-86119r1_rule
Telnet is an insecure protocol.
Checks: C-71885r1_chk

This action applies only to the control domain. Determine the domain that you are currently securing.
# virtinfo
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this check does not apply.
Determine if vntsd is in use.
# svcs vntsd
STATE          STIME    FMRI
online         Oct_08   svc:/ldoms/vntsd:default
If the state is not "online", this is not applicable.
Determine if a role has been created for domain console access.
# cat /etc/user_attr | grep solaris.vntsd.consoles
rolename::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role
If a role for "vntsd.consoles" is not established, this is a finding.

Fix: F-77815r1_fix

The root role is required. This action applies only to the control domain. Determine the domain that you are currently securing.
# virtinfo
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this action does not apply.
Create a password-controlled role that has the solaris.vntsd.consoles authorization, which permits access to all domain consoles.
# roleadd -A solaris.vntsd.consoles [role-name]
# passwd [role-name]
Assign the new role to a user.
# usermod -R [role-name] [username]

Access to a logical domain console must be restricted to authorized users.
CM-6 - Medium - CCI-000366 - V-71497 - SV-86121r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-040316
Vuln IDs
  • V-71497
Rule IDs
  • SV-86121r1_rule
A logical domain is a discrete, logical grouping with its own operating system, resources, and identity within a single computer system. Access to the logical domain console provides system-level access to the OBP of the domain.
Checks: C-71955r1_chk

The root role is required. This action applies only to the control domain. Determine the domain that you are currently securing.
# virtinfo
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this check does not apply.
Determine if the vntsd service is online.
# pfexec svcs vntsd
If the service is not "online", this is not applicable.
Check the status of the vntsd authorization property.
# svcprop -p vntsd/authorization vntsd
If the state is not true, this is a finding.

Fix: F-77901r1_fix

The root role is required. This action applies only to the control domain. Determine the domain that you are currently securing.
# virtinfo
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this action does not apply.
Configure the vntsd service to require authorization.
# svccfg -s vntsd setprop vntsd/authorization = true
The vntsd service must be restarted for the changes to take effect.
# svcadm restart vntsd

Wireless network adapters must be disabled.
AC-18 - Medium - CCI-001443 - V-72827 - SV-87479r2_rule
RMF Control
AC-18
Severity
M
CCI
CCI-001443
Version
SOL-11.1-050480
Vuln IDs
  • V-72827
Rule IDs
  • SV-87479r2_rule
The use of wireless networking can introduce many different attack vectors into the organization’s network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial-of-service to valid network resources.
Checks: C-72959r1_chk

This is N/A for systems that do not have wireless network adapters. Verify that there are no wireless interfaces configured on the system:
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr b8:ac:6f:65:31:e5
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2159382827 (2.0 GiB)  TX bytes:1389552776 (1.2 GiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2849 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2778290 (2.6 MiB)  TX bytes:2778290 (2.6 MiB)
If a wireless interface is configured, it must be documented and approved by the local Authorizing Official. If a wireless interface is configured and has not been documented and approved, this is a finding.

Fix: F-79265r1_fix

Configure the system to disable all wireless network interfaces.

Systems using OpenSSH must be configured per site policy to only allow access by approved networks or hosts.
CM-6 - Medium - CCI-000366 - V-91209 - SV-101309r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-030055
Vuln IDs
  • V-91209
Rule IDs
  • SV-101309r1_rule
If ssh’s configuration file does not contain the appropriate rules for allowing and denying access to the system’s network resources, the system may be accessible to unauthorized hosts.
Checks: C-90363r1_chk

Determine if OpenSSH is installed:
For Solaris 11.3 use:
# pkg list network/openssh
For Solaris 11.4 and higher use:
# pkg list network/ssh
If the command output shows version 7 or higher, this check applies.
Determine if /etc/ssh/sshd_config is configured to control ssh access.
# grep "^Match Address" /etc/ssh/sshd_config
If no output is produced, this is a finding. If there is output, review the address list. Ensure it conforms to organizational and mission requirements. If the address list is not configured to organizational standards, this is a finding.
For example: Match Address *,!192.0.2.0/16. This blocks everything but the 192.0 network.
# tail /etc/ssh/sshd_config
At the end of the file, determine if the line following "Match Address" is "MaxAuthTries 0". If the line following "Match Address" is not "MaxAuthTries" or does not have the value of 0 (zero), this is a finding.

Fix: F-97407r1_fix

The root role is required. Modify the sshd_config file:
# pfedit /etc/ssh/sshd_config
Locate the bottom of the file. Insert or modify the lines:
Match Address [blocked and permitted network address list here]
MaxAuthTries 0
Restart the SSH service:
# svcadm restart svc:/network/ssh
Note: OpenSSH MaxAuthTries of 0 maps to immediate failure and this must follow the "Match Address" line with no lines below it.
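The check and fix above amount to a structural test on the end of sshd_config: the last two effective directives must be a "Match Address" line and "MaxAuthTries 0", because a Match block extends to the end of the file and any directive placed below it would become part of the block. The shell below is an added example, not part of the STIG or of OpenSSH, that applies that test while ignoring comments, blank lines and indentation. The sample configuration it writes is constructed, and 192.0.2.0/24 is documentation address space standing in for a site's own list; whether the address list itself matches site policy still has to be reviewed by a person.

```shell
#!/bin/sh
# Added example, not from the STIG: verify that an sshd_config ends with a
# "Match Address" line immediately followed by "MaxAuthTries 0" and nothing
# else, which is what the check and fix above describe. Comments and blank
# lines are ignored; sample files are constructed.

# sshd_match_address_finding FILE
# Prints the reason and returns 1 on a finding; prints the address list
# and returns 0 when compliant.
sshd_match_address_finding() {
    file=$1
    # Effective directives only: collapse whitespace, drop comments and blanks.
    eff=$(awk '{ $1 = $1 }; /^#/ || NF == 0 { next }; { print }' "$file")
    if ! printf '%s\n' "$eff" | grep -q '^Match Address'; then
        echo "no Match Address line in $file"
        return 1
    fi
    # The Match block runs to end of file, so it must be the final two lines.
    m=$(printf '%s\n' "$eff" | tail -n 2 | sed -n '1p')
    t=$(printf '%s\n' "$eff" | tail -n 1)
    case "$m" in
        "Match Address "*) ;;
        *) echo "Match Address is not immediately before the last directive (found: '$m')"
           return 1 ;;
    esac
    if [ "$t" != "MaxAuthTries 0" ]; then
        echo "directive after Match Address is '$t', expected 'MaxAuthTries 0'"
        return 1
    fi
    echo "ok: Match Address ${m#Match Address } -> MaxAuthTries 0 (review the address list against site policy)"
    return 0
}

# demo_config: writes a constructed compliant sshd_config and prints its path.
# 192.0.2.0/24 is documentation address space, used here as a placeholder.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real system file
Port 22
PermitRootLogin no

Match Address *,!192.0.2.0/24
    MaxAuthTries 0
EOF
    echo "$f"
}

# Stand-alone run.
cfg=$(demo_config)
sshd_match_address_finding "$cfg"
rm -f "$cfg"
```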

The system must be configured to store any process core dumps in a specific, centralized directory.
CM-6 - Medium - CCI-000366 - V-95717 - SV-104855r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SOL-11.1-080045
Vuln IDs
  • V-95717
Rule IDs
  • SV-104855r1_rule
Specifying a centralized location for core file creation allows for the centralized protection of core files. Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If process core dump creation is not configured to use a centralized directory, core dumps may be created in a directory that does not have appropriate ownership or permissions configured, which could result in unauthorized access to the core dumps.
Checks: C-94545r1_chk

Check the defined directory for process core dumps:
# coreadm | grep "global core file pattern"
If the parameter is not set, or is not an absolute path (does not start with a slash [/]), this is a finding.

Fix: F-101383r1_fix

The root role is required. Set the core file directory and file pattern.
# coreadm -g /var/share/cores/core.%f.%p