Solaris 11 X86 Security Technical Implementation Guide

Checks: C-17249r372415_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17247r372416_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17252r372424_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17250r372425_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17253r372427_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17251r372428_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17254r372430_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17252r372431_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17256r372436_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17254r372437_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17257r372439_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17255r372440_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17258r372442_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17256r372443_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17259r372445_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17257r372446_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17260r372448_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the status of the audit system. It must be auditing. # pfexec auditconfig -getcond If this command does not report: audit condition = auditing this is a finding.

Fix: F-17258r372449_fix

The Audit Control profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. If auditing has been disabled, it must be enabled with the following command: # pfexec audit -s

Generate Mitigation Statement:

Checks: C-17261r372451_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the OS version you are currently securing. # uname –v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active |cut -f2 -d= If "fd" audit flag is not included in output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "fd" audit flag is not included in output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17259r372452_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17262r916448_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17260r877443_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17263r916450_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17261r877446_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17264r916452_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17262r877449_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17265r916454_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "ps" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17263r877452_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17266r916456_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "as" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17264r877455_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17267r916458_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global", this check applies. Determine the OS version currently being secured. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -getflags | grep active | cut -f2 -d= If "as" audit flag is not included in the output, this is a finding. For Solaris 11.4 or newer: # pfexec auditconfig -t -getflags | cut -f2 -d= If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding. Determine if auditing policy is set to collect command line arguments. # pfexec auditconfig -getpolicy | grep active | grep argv If the active audit policies line does not appear, this is a finding.

Fix: F-17265r877458_fix

The Audit Configuration profile is required. All audit flags must be enabled in a single command. This action applies to the global zone only. Determine the zone currently being secured. # zonename If the command output is "global ", this action applies. For Solaris 11, 11.1, 11.2, and 11.3: # pfexec auditconfig -setflags cusa,-ps,fd,-fa,fm For Solaris 11.4 or newer: # pfexec auditconfig -setflags cusa,-fa,-ex,-ps,fd,fm Enable the audit policy to collect command line arguments. # pfexec auditconfig -setpolicy +argv These changes will not affect users that are currently logged in.

Generate Mitigation Statement:

Checks: C-17279r372505_chk

The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. # pfexec auditconfig -getpolicy | grep ahlt If the output does not include "ahlt" as an active audit policy, this is a finding. # pfexec auditconfig -getpolicy | grep active | grep cnt If the output includes "cnt" as an active audit policy, this is a finding.

Fix: F-17277r372506_fix

The Audit Configuration profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Set audit policy to halt and suspend on failure. # pfexec auditconfig -setpolicy +ahlt # pfexec auditconfig -setpolicy -cnt

Generate Mitigation Statement:

Checks: C-36490r603073_chk

The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check that the directory storing the audit files is owned by root and has permissions 750 or less. Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # ls -ld /var/share/audit Check the audit directory is owned by root, group is root, and permissions are 750 (rwx r-- ---) or less. If the permissions are excessive, this is a finding.

Fix: F-36454r603074_fix

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile| The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # chown root [directory] # chgrp root [directory] # chmod 750 [directory]

Generate Mitigation Statement:

Checks: C-17283r372517_chk

The Software Installation Profile is required. An up-to-date Solaris repository must be accessible to the system. Enter the command: # pkg publisher to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured. Check for Solaris software package updates: # pfexec pkg update -n If the command does not report "No updates available for this image," this is a finding.

Fix: F-17281r372518_fix

The Software Installation Profile is required. An up-to-date Solaris repository must be accessible to the system. Enter the command: # pkg publisher to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured. Update system packages to the current version. # pfexec pkg update A reboot may be required for the updates to take effect.

Generate Mitigation Statement:

Checks: C-17285r372523_chk

The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-17283r372524_fix

The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.

Generate Mitigation Statement:

Checks: C-17286r372526_chk

The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-17284r372527_fix

The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.

Generate Mitigation Statement:

Checks: C-17287r372529_chk

The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-17285r372530_fix

The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.

Generate Mitigation Statement:

Checks: C-17288r372532_chk

The Software Installation Profile is required. Determine what the signature policy is for pkg publishers: # pkg property | grep signature-policy Check that output produces: signature-policy verify If the output does not confirm that signature-policy verify is active, this is a finding. Check that package permissions are configured and signed per vendor requirements. # pkg verify If the command produces any output unrelated to STIG changes, this is a finding. There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of python packages. These can be ignored.

Fix: F-17286r372533_fix

The Software Installation Profile is required. Configure the package system to ensure that digital signatures are verified. # pfexec pkg set-property signature-policy verify Check that package permissions are configured per vendor requirements. # pfexec pkg verify If any errors are reported unrelated to STIG changes, use: # pfexec pkg fix to bring configuration settings and permissions into factory compliance.

Generate Mitigation Statement:

Checks: C-17290r372538_chk

Determine if the legacy remote access package is installed. # pkg list service/network/legacy-remote-utilities If an installed package named service/network/legacy-remote-utilities is listed, this is a finding.

Fix: F-17288r372539_fix

The Software Installation Profile is required. # pfexec pkg uninstall service/network/legacy-remote-utilities

Generate Mitigation Statement:

Checks: C-17297r372559_chk

Check the status of the rpcbind service local_only property. # svcprop -p config/local_only network/rpc/bind If the state is not "true", this is a finding, unless it is required for system operations, then this is not a finding.

Fix: F-17295r372560_fix

The Service Management profile is required. If services such as portmap or rpcbind are required for system operations, the operator must document the services used and obtain approval from their Authorizing Official. They should also document the method(s) of blocking all other remote accesses through tools like a firewall or tcp_wrappers. Otherwise, configure the rpc/bind service for local only access. # svccfg -s network/rpc/bind setprop config/local_only=true

Generate Mitigation Statement:

Checks: C-17298r372562_chk

Determine if the VNC server package is installed. # pkg list x11/server/xvnc If an installed package named "x11/server/xvnc is listed" is listed, this is a finding.

Fix: F-17296r372563_fix

The Software Installation Profile is required. # pfexec pkg uninstall x11/server/xvnc

Generate Mitigation Statement:

Checks: C-17300r372568_chk

Identify the packages installed on the system. # pkg list Any unauthorized software packages listed in the output are a finding.

Fix: F-17298r372569_fix

The Software Installation profile is required. Identify packages installed on the system: # pkg list uninstall unauthorized packages: # pfexec pkg uninstall [ package name]

Generate Mitigation Statement:

Checks: C-17302r372574_chk

Check run control script modes. # ls -lL /etc/rc* /etc/init.d /lib/svc/method If any run control script has a mode more permissive than 0755, this is a finding.

Fix: F-17300r372575_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d and /lib/svc/method directories to ensure they are not world writable. If they are world writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod go-w <startupfile>

Generate Mitigation Statement:

Checks: C-17303r372577_chk

Verify run control scripts have no extended ACLs. # ls -lL /etc/rc* /etc/init.d If the permissions include a "+", the file has an extended ACL and this is a finding.

Fix: F-17301r372578_fix

Remove the extended ACL from the file. # chmod A- [run control script with extended ACL]

Generate Mitigation Statement:

Checks: C-17304r372580_chk

Verify run control scripts' executable search paths. Procedure: # find /etc/rc* /etc/init.d /lib/svc/method -type f -print | xargs grep -i PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.

Fix: F-17302r372581_fix

Edit the run control script and remove the relative path entries from the executable search path variable that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

Generate Mitigation Statement:

Checks: C-17305r372583_chk

Verify run control scripts' library search paths. # find /etc/rc* /etc/init.d -type f -print | xargs grep LD_LIBRARY_PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.

Fix: F-17303r372584_fix

Edit the run control script and remove the relative path entries from the library search path variables that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

Generate Mitigation Statement:

Checks: C-17306r372586_chk

Verify run control scripts' library preload list. Procedure: # find /etc/rc* /etc/init.d -type f -print | xargs grep LD_PRELOAD This variable is formatted as a colon-separated list of paths. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.

Fix: F-17304r372587_fix

Edit the run control script and remove the relative path entries from the library preload variables that have not been documented with the ISSO. Edit the run control script and remove any empty path entries from the file.

Generate Mitigation Statement:

Checks: C-17307r372589_chk

Check the permissions on the files or scripts executed from system startup scripts to see if they are world writable. Create a list of all potential run command level scripts. # ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " " Create a list of world writable files. # find / -perm -002 -type f &gt;&gt; WorldWritableFileList Determine if any of the world writeable files in "WorldWritableFileList" are called from the run command level scripts. Note: Depending upon the number of scripts vs. world writable files, it may be easier to inspect the scripts manually. # more `ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "` If any system startup script executes any file or script that is world writable, this is a finding.

Fix: F-17305r372590_fix

Remove the world writable permission from programs or scripts executed by run control scripts. Procedure: # chmod o-w <program or script executed from run control script>

Generate Mitigation Statement:

Checks: C-17308r372592_chk

Check run control scripts' ownership. # ls -lL /etc/rc* /etc/init.d If any run control script is not owned by root, this is a finding.

Fix: F-17306r372593_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

Generate Mitigation Statement:

Checks: C-17309r372595_chk

Check run control scripts' group ownership. Procedure: # ls -lL /etc/rc* /etc/init.d If any run control script is not group-owned by root, sys, or bin, this is a finding.

Fix: F-17307r372596_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

Generate Mitigation Statement:

Checks: C-17310r372598_chk

Determine the programs executed by system start-up files. Determine the ownership of the executed programs. # cat /etc/rc* /etc/init.d/* | more Check the ownership of every program executed by the system start-up files. # ls -l &lt;executed program&gt; If any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.

Fix: F-17308r372599_fix

Change the ownership of the file executed from system startup scripts to root, bin, or sys. # chown root <executed file>

Generate Mitigation Statement:

Checks: C-17311r372601_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Procedure: # cd ~someuser # ls -la .Xauthority If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

Fix: F-17309r372602_fix

Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.

Generate Mitigation Statement:

Checks: C-17312r372604_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check the file permissions for the .Xauthority files in the home directories of users of X. Procedure: # cd ~&lt;X user&gt; # ls -lL .Xauthority If the file mode is more permissive than 0600, this is finding.

Fix: F-17310r372605_fix

Change the mode of the .Xauthority files. Procedure: # chmod 0600 .Xauthority

Generate Mitigation Statement:

Checks: C-17313r372607_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check the file permissions for the .Xauthority files. # ls -lL .Xauthority If the permissions include a "+", the file has an extended ACL and this is a finding.

Fix: F-17311r372608_fix

Remove the extended ACL from the file. # chmod A- .Xauthority

Generate Mitigation Statement:

Checks: C-17315r622333_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Determine if xauth is being used. Procedure: # xauth xauth&gt; list If the above command sequence does not show any host other than the localhost, then xauth is not being used. Search the system for an X*.hosts files, where * is a display number that may be used to limit X window connections. If no files are found, X*.hosts files are not being used. If the X*.hosts files contain any unauthorized hosts, this is a finding. If both xauth and X*.hosts files are not being used, this is a finding.

Fix: F-17313r372614_fix

Create an X*.hosts file, where * is a display number that may be used to limit X window connections. Add the list of authorized X clients to the file.

Generate Mitigation Statement:

Checks: C-17316r372616_chk

If X Display Manager (XDM) is not used on the system, this is not applicable. Determine if XDM is running. Procedure: # ps -ef | grep xdm Check the X Window system access is limited to authorized clients. Procedure: # xauth xauth&gt; list Ask the SA if the clients listed are authorized. If any are not, this is a finding.

Fix: F-17314r372617_fix

Remove unauthorized clients from the xauth configuration. Procedure: # xauth remove <display name>

Generate Mitigation Statement:

Checks: C-17317r372619_chk

Determine if the X Window system is running. Procedure: # ps -ef |grep X Ask the SA if the X Window system is an operational requirement. If it is not, this is a finding.

Fix: F-17315r372620_fix

Disable the X Windows server on the system.

Generate Mitigation Statement:

Checks: C-17318r372622_chk

Determine if the X11 server system is providing remote services on the network. # svcprop -p options/tcp_listen svc:/application/x11/x11-server If the output of the command is "true" and network access to graphical user login is not required, this is a finding.

Fix: F-17316r372623_fix

The System Administrator profile is required: Configure the X11 server for local system only graphics access. # pfexec svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen=false

Generate Mitigation Statement:

Checks: C-17321r372631_chk

Check that TCP Wrappers are enabled and the host.deny and host.allow files exist. # inetadm -p | grep tcp_wrappers If the output of this command is "tcp_wrappers=FALSE", this is a finding. # ls /etc/hosts.deny /etc/hosts.deny # ls /etc/hosts.allow /etc/hosts.allow If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.

Fix: F-17319r372632_fix

The root role is required. To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo "ALL: ALL" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE The versions of SunSSH (0.5.11) and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4.

Generate Mitigation Statement:

Checks: C-17324r646930_chk

The root role is required. Determine if user passwords are properly configured to be changed every 60 days. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # logins -ox |awk -F: '( $1 != "root" &amp;&amp; $8 != "LK" &amp;&amp; $8 != "NL" &amp;&amp; ( $11 &gt; “56" || $11 &lt; “1" )) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 8 weeks or less. # grep "^MAXWEEKS=" /etc/default/passwd If the command does not report MAXWEEKS=8 or less, this is a finding. For Solaris 11.4 or newer: # logins -ox |awk -F: '( $1 != "root" &amp;&amp; $8 != "LK" &amp;&amp; $8 != "NL" &amp;&amp; ($11 &gt; "60"|| $11 &lt; "1")) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 60 days or less. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. # grep "^MAXDAYS=" /etc/default/passwd If the command does not report MAXDAYS=60 or less, this is a finding. # grep "^MAXWEEKS=" /etc/default/passwd If output is returned, this is a finding.

Fix: F-17322r622336_fix

The User Security role is required. For Solaris 11, 11.1, 11.2, and 11.3: Change each username to enforce 56 day password changes. # pfexec passwd -x 56 [username] # pfedit /etc/default/passwd Search for MAXWEEKS. Change the line to read: MAXWEEKS=8 For Solaris 11.4 or newer: Change each username to enforce 60 day password changes. # pfexec passwd -x 60 [username] # pfedit /etc/default/passwd Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. Search for MAXDAYS. Change the line to read: MAXDAYS=60 Search for MAXWEEKS. Change the line to read: #MAXWEEKS=

Generate Mitigation Statement:

Checks: C-17326r622338_chk

The root role is required. Check whether the minimum time period between password changes for each user account is 1 day or greater. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # logins -ox |awk -F: '( $1 != "root" &amp;&amp; $8 != "LK" &amp;&amp; $8 != "NL" &amp;&amp; $10 &lt; "1" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 week. # grep "^MINWEEKS=" /etc/default/passwd If the command does not report MINWEEKS=1 or more, this is a finding. For Solaris 11.4 or newer: # logins -ox |awk -F: '( $1 != "root" &amp;&amp; $8 != "LK" &amp;&amp; $8 != "NL" &amp;&amp; $10 &lt; "1" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 day. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. # grep "^MINDAYS=" /etc/default/passwd If the command does not report MINDAYS=1 or more, this is a finding. # grep "^MINWEEKS=" /etc/default/passwd If output is returned, this is a finding.

Fix: F-17324r622339_fix

The root role is required. For Solaris 11, 11.1, 11.2, and 11.3: # pfedit /etc/default/passwd file. Locate the line containing: MINWEEKS Change the line to read: MINWEEKS=1 Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname] For Solaris 11.4 or newer: # pfedit /etc/default/passwd file. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. Search for MINDAYS. Change the line to read: MINDAYS=1 Search for MINWEEKS. Change the line to read: #MINWEEKS= Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname]

Generate Mitigation Statement:

Checks: C-17327r372649_chk

Check the system password length setting. # grep ^PASSLENGTH /etc/default/passwd If PASSLENGTH is not set to 15 or more, this is a finding.

Fix: F-17325r372650_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: PASSLENGTH Change the line to read PASSLENGTH=15

Generate Mitigation Statement:

Checks: C-17328r372652_chk

Determine if the password history setting is configured properly. # grep ^HISTORY /etc/default/passwd If HISTORY is commented out or is not set to 5 or more, this is a finding.

Fix: F-17326r372653_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: HISTORY Change the line to read: HISTORY=5

Generate Mitigation Statement:

Checks: C-17329r372655_chk

Check /etc/default/passwd to verify the MINDIFF setting. # grep ^MINDIFF /etc/default/passwd If the setting is not present, or is less than 8, this is a finding.

Fix: F-17327r372656_fix

The root role is required. # pfedit /etc/default/passwd Search for MINDIFF. Change the line to read: MINDIFF=8

Generate Mitigation Statement:

Checks: C-17330r372658_chk

Check the MINUPPER setting. # grep ^MINUPPER /etc/default/passwd If MINUPPER is not set to 1 or more, this is a finding.

Fix: F-17328r372659_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINUPPER Change the line to read: MINUPPER=1

Generate Mitigation Statement:

Checks: C-17331r372661_chk

Check the MINLOWER setting. # grep ^MINLOWER /etc/default/passwd If MINLOWER is not set to 1 or more, this is a finding.

Fix: F-17329r372662_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINLOWER Change the line to read: MINLOWER=1

Generate Mitigation Statement:

Checks: C-17332r372664_chk

Check the MINDIGIT setting. # grep ^MINDIGIT /etc/default/passwd If the MINDIGIT setting is less than 1, this is a finding.

Fix: F-17330r372665_fix

The root role is required. # pfedit /etc/default/passwd Locate the line containing: MINDIGIT Change the line to read: MINDIGIT=1

Generate Mitigation Statement:

Checks: C-17333r372667_chk

Check the MINSPECIAL setting. # grep ^MINSPECIAL /etc/default/passwd If the MINSPECIAL setting is less than 1, this is a finding.

Fix: F-17331r372668_fix

The root role is required. # pfedit /etc/default/passwd a Locate the line containing: MINSPECIAL Change the line to read: MINSPECIAL=1

Generate Mitigation Statement:

Checks: C-17335r372673_chk

The root role is required. Determine if accounts with blank or null passwords exist. # logins -po If any account is listed, this is a finding.

Fix: F-17333r372674_fix

The root role is required. Remove, lock, or configure a password for any account with a blank password. # passwd [username] or Use the passwd -l command to lock accounts that are not permitted to execute commands. or Use the passwd -N command to set accounts to be non-login.

Generate Mitigation Statement:

Checks: C-17336r372676_chk

Determine which cryptographic algorithms are configured. # grep ^CRYPT /etc/security/policy.conf If the command output does not include the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 this is a finding.

Fix: F-17334r372677_fix

The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 exist and are not commented out.

Generate Mitigation Statement:

Checks: C-17337r372679_chk

Verify RETRIES is set in the login file. # grep ^RETRIES /etc/default/login If the output is not RETRIES=3 or fewer, this is a finding. Verify the account locks after invalid login attempts. # grep ^LOCK_AFTER_RETRIES /etc/security/policy.conf If the output is not LOCK_AFTER_RETRIES=YES, this is a finding. For each user in the system, use the command: # userattr lock_after_retries [username] to determine if the user overrides the system value. If the output of this command is "no", this is a finding.

Fix: F-17335r372680_fix

The root role is required. # pfedit /etc/default/login Change the line: #RETRIES=5 to read RETRIES=3 pfedit /etc/security/policy.conf Change the line containing #LOCK_AFTER_RETRIES to read: LOCK_AFTER_RETRIES=YES If a user has lock_after_retries set to "no", update the user's attributes using the command: # usermod -K lock_after_retries=yes [username]

Generate Mitigation Statement:

Checks: C-17338r372682_chk

Check the SLEEPTIME parameter in the /etc/default/login file. # grep ^SLEEPTIME /etc/default/login If the output is not SLEEPTIME=4 or more, this is a finding.

Fix: F-17336r372683_fix

The root role is required. # pfedit the /etc/default/login Locate the line containing: SLEEPTIME Change the line to read: SLEEPTIME=4

Generate Mitigation Statement:

Checks: C-17339r372685_chk

If the system is not running XWindows, this check does not apply. Determine if the screen saver timeout is configured properly. # grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *timeout: 0:15:00 or a shorter time interval, this is a finding. # grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lockTimeout: 0:00:05 or a shorter time interval, this is a finding. # grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lock: True this is a finding. For each existing user, check the configuring of their personal .xscreensaver file. # grep "^timeout:" $HOME/.xscreensaver If the output is not: timeout: 0:15:00 or a shorter time interval, this is a finding. # grep "^lockTimeout:" $HOME/.xscreensaver If the output is not: lockTimeout: 0:00:05 or a shorter time interval, this is a finding. # grep "^lock:" $HOME/.xscreensaver If the output is not: lock: True this is a finding.

Fix: F-17337r372686_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout: 0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout: 0:00:05 lock: True

Generate Mitigation Statement:

Checks: C-17340r372688_chk

If the system is not running XWindows, this check does not apply. Determine if the screen saver timeout is configured properly. # grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *timeout: 0:15:00 this is a finding. # grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lockTimeout: 0:00:05 this is a finding. # grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lock: True this is a finding. For each existing user, check the configuration of their personal .xscreensaver file. # grep "^lock:" $HOME/.xscreensaver If the output is not: *lock: True this is a finding. grep "^lockTimeout:" $HOME/.xscreensaver If the output is not: *lockTimeout: 0:00:05 this is a finding.

Fix: F-17338r372689_fix

The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout:0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:00:05 lock: True

Generate Mitigation Statement:

Checks: C-17341r372691_chk

Check /etc/default/passwd for dictionary check configuration. # grep ^DICTION /etc/default/passwd If the DICTIONLIST or DICTIONDBDIR settings are not present and are not set to: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd this is a finding. Determine if the target files exist. # ls -l /usr/share/lib/dict/words /var/passwd If the files defined by DICTIONLIST or DICTIONBDIR are not present or are empty, this is a finding.

Fix: F-17339r372692_fix

The root role is required. # pfedit /etc/default/passwd Insert the lines: DICTIONLIST=/usr/share/lib/dict/words DICTIONDBDIR=/var/passwd Generate the password dictionary by running the mkpwdict command. # mkpwdict -s /usr/share/lib/dict/words

Generate Mitigation Statement:

Checks: C-17343r372697_chk

Verify the root user is configured as a role, rather than a normal user. # userattr type root If the command does not return the word "role", this is a finding. Verify at least one local user has been assigned the root role. # grep '[:;]roles=root[^;]*' /etc/user_attr If no lines are returned, or no users are permitted to assume the root role, this is a finding.

Fix: F-17341r372698_fix

The root role is required. Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R +root [username] Remove the root role from users who should not be authorized to assume it. # usermod -R -root [username]

Generate Mitigation Statement:

Checks: C-17344r372700_chk

The root role is required. Determine if the default umask is configured properly. # grep -i "^UMASK=" /etc/default/login If "UMASK=077" is not displayed, this is a finding. Check local initialization files: # cut -d: -f1 /etc/passwd | xargs -n1 -iUSER sh -c "grep umask ~USER/.*" If this command does not output a line indicating "umask 077" for each user, this is a finding.

Fix: F-17342r372701_fix

The root role is required. Edit local and global initialization files containing "umask" and change them to use 077. # pfedit /etc/default/login Insert the line UMASK=077 # pfedit [user initialization file] Insert the line umask 077

Generate Mitigation Statement:

Checks: C-36491r603076_chk

Determine whether the 35-day inactivity lock is configured properly. # useradd -D | xargs -n 1 | grep inactive |\ awk -F= '{ print $2 }' If the command returns a result other than 35, this is a finding. The root role is required for the "logins" command. For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name. # logins -axo -l [username] | awk -F: '{ print $13 }' If these commands provide output other than 35, this is a finding.

Fix: F-36455r603077_fix

The root role is required. Perform the following to implement the recommended state: # useradd -D -f 35 To set this policy on a user account, use the command(s): # usermod -f 35 [username] To set this policy on a role account, use the command(s): # rolemod -f 35 [name]

Generate Mitigation Statement:

Checks: C-17350r372718_chk

Determine if terminal login services are disabled. # svcs -Ho state svc:/system/console-login:terma # svcs -Ho state svc:/system/console-login:termb If the system/console-login services are not "disabled", this is a finding.

Fix: F-17348r372719_fix

The Service Operator profile is required. Disable serial terminal services. # pfexec svcadm disable svc:/system/console-login:terma # pfexec svcadm disable svc:/system/console-login:termb

Generate Mitigation Statement:

Checks: C-17351r462442_chk

Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. Determine if "nobody" access for keyserv is enabled. # grep "^ENABLE_NOBODY_KEYS=" /etc/default/keyserv If the output of the command is not: ENABLE_NOBODY_KEYS=NO this is a finding.

Fix: F-17349r462443_fix

Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. The root role is required. Modify the /etc/default/keyserv file. # pfedit /etc/default/keyserv Locate the line: #ENABLE_NOBODY_KEYS=YES Change it to: ENABLE_NOBODY_KEYS=NO

Generate Mitigation Statement:

Checks: C-17352r372724_chk

Determine if X11 Forwarding is enabled. # grep "^X11Forwarding" /etc/ssh/sshd_config If the output of this command is not: X11Forwarding no this is a finding.

Fix: F-17350r372725_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Locate the line containing: X11Forwarding Change it to: X11Forwarding no Restart the SSH service. # svcadm restart svc:/network/ssh

Generate Mitigation Statement:

Checks: C-17354r372730_chk

Determine if rhost-based authentication is enabled. # grep "^IgnoreRhosts" /etc/ssh/sshd_config If the output is produced and it is not: IgnoreRhosts yes this is a finding. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used and there is no finding.

Fix: F-17352r372731_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

Generate Mitigation Statement:

Checks: C-17355r372733_chk

Determine if root login is disabled for the SSH service. # grep "^PermitRootLogin" /etc/ssh/sshd_config If the output of this command is not: PermitRootLogin no this is a finding.

Fix: F-17353r372734_fix

The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: PermitRootLogin Change it to: PermitRootLogin no Restart the SSH service. # svcadm restart svc:/network/ssh

Generate Mitigation Statement:

Checks: C-17358r372742_chk

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. Determine if host-based authentication services are enabled. # grep 'pam_rhosts_auth.so.1' /etc/pam.conf /etc/pam.d/*| grep -vc '^#' If the returned result is not 0 (zero), this is a finding.

Fix: F-17356r372743_fix

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf. The root role is required. # ls -l /etc/pam.d to identify the various configuration files used by PAM. Search each file for the pam_rhosts_auth.so.1 entry. # grep pam_rhosts_auth.so.1 [filename] Identify the file with the line pam_hosts_auth.so.1 in it. # pfedit [filename] Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".

Generate Mitigation Statement:

Checks: C-17359r372745_chk

The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. If the FTP server is installed, determine if FTP access is restricted. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do grep -w "${user}" /etc/ftpd/ftpusers &gt;/dev/null 2&gt;&amp;1 if [ $? != 0 ]; then echo "User '${user}' not in /etc/ftpd/ftpusers." fi done If output is returned, this is a finding.

Fix: F-17357r372746_fix

The root role is required. Determine if the FTP server package is installed: # pkg list service/network/ftp If the output of this command is: pkg list: no packages matching 'service/network/ftp' installed no further action is required. # for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do $(echo $user >> /etc/ftpd/ftpusers) done # sort -u /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.temp # mv /etc/ftpd/ftpusers.temp /etc/ftpd/ftpusers

Generate Mitigation Statement:

Checks: C-17361r462445_chk

Check that "at" and "cron" users are configured correctly. # ls /etc/cron.d/cron.deny If cron.deny exists, this is a finding. # ls /etc/cron.d/at.deny If at.deny exists, this is a finding. # cat /etc/cron.d/cron.allow cron.allow should have a single entry for "root", or the cron.allow file is removed if using RBAC. If any accounts other than root that are listed and they are not properly documented with the IA staff, this is a finding. # wc -l /etc/cron.d/at.allow | awk '{ print $1 }' If the output is non-zero, this is a finding, or the at.allow file is removed if using RBAC.

Fix: F-17359r462446_fix

The root role is required. Modify the cron configuration files. # mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp # mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp Skip the remaining steps only if using the “solaris.jobs.user” RBAC role. # echo root > /etc/cron.d/cron.allow # cp /dev/null /etc/cron.d/at.allow # chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow # chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow

Generate Mitigation Statement:

Checks: C-17362r372754_chk

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine if root login is restricted to the console. # grep "^CONSOLE=/dev/console" /etc/default/login If the output of this command is not: CONSOLE=/dev/console this is a finding.

Fix: F-17360r372755_fix

The root role is required. Modify the /etc/default/login file # pfedit /etc/default/login Locate the line containing: CONSOLE Change it to read: CONSOLE=/dev/console

Generate Mitigation Statement:

Checks: C-17364r372760_chk

Determine whether the lock screen function works correctly. For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop System &gt;&gt; Lock Screen. For Solaris 11.4 or newer: In the GNOME 3 desktop Status Menu (top right corner) &gt;&gt; Lock Icon, check that the screen locks and displays the "password" prompt. Check that "Disable Screensaver" is not selected in the GNOME Screensaver preferences. If the screen does not lock or the "Disable Screensaver" option is selected, this is a finding.

Fix: F-17362r372761_fix

User-initiated session lock is accessible from the GNOME graphical desktop menu GNOME 2: System >> Lock Screen. GNOME 3: Status Menu (top right corner) >> Lock Icon. However, the user has the option to disable screensaver lock. For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select "Screensaver" Icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Ensure that "Mode" is set to "Blank Screen only".

Generate Mitigation Statement:

Checks: C-17365r372763_chk

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop System &gt;&gt; Preferences &gt;&gt; Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities &gt;&gt; Show Applications &gt;&gt; select "Screensaver" icon. If using the GNOME Classic desktop: Applications &gt;&gt; Other &gt;&gt; Screensaver menu item the user can select other screens or disable screensaver. Check that "Disable Screensaver" is not selected in the Gnome Screensaver preferences. If "Disable Screensaver" is selected or "Blank Screen Only" is not selected, this is a finding.

Fix: F-17363r372764_fix

For Solaris 11, 11.1, 11.2, and 11.3: In the GNOME 2 desktop: System >> Preferences >> Screensaver. For Solaris 11.4 or newer: If using the default GNOME desktop: Activities >> Show Applications >> select “Screensaver” icon. If using the GNOME Classic desktop: Applications >> Other >> Screensaver. Click on Mode's pull-down. Select: "Blank Screen Only". Ensure that "Blank Screen Only" is selected.

Generate Mitigation Statement:

Checks: C-17367r372769_chk

Determine if the "RestrictOutbound" profile is configured properly: # profiles -p RestrictOutbound info If the output is not: name=RestrictOutbound desc=Restrict Outbound Connections limitpriv=zone,!net_access this is a finding. For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile. # profiles -l [username] If the output does not include: [username]: RestrictOutbound this is a finding.

Fix: F-17365r372770_fix

The root Role is required. Remove net_access privilege from users who may be accessing the systems externally. 1. Create an RBAC Profile with net_access restriction # profiles -p RestrictOutbound profiles:RestrictOutbound> set desc="Restrict Outbound Connections" profiles:RestrictOutbound> set limitpriv=zone,!net_access profiles:RestrictOutbound> exit 2. Assign the RBAC Profile to a user # usermod -P +RestrictOutbound [username] This prevents the user from initiating any outbound network connections.

Generate Mitigation Statement:

Checks: C-17373r372787_chk

Determine if ICMP echo requests response is disabled. # ipadm show-prop -p _respond_to_echo_broadcast -co current ip If the output of this command is not "0", this is a finding.

Fix: F-17371r372788_fix

The Network Management profile is required. Disable respond to echo broadcast. # pfexec ipadm set-prop -p _respond_to_echo_broadcast=0 ip

Generate Mitigation Statement:

Checks: C-17376r372796_chk

Determine if strict multihoming is configured. # ipadm show-prop -p _strict_dst_multihoming -co current ipv4 # ipadm show-prop -p _strict_dst_multihoming -co current ipv6 If the output of all commands is not "1", this is a finding.

Fix: F-17374r372797_fix

The Network Management profile is required. Disable strict multihoming for IPv4 and IPv6. # pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv4 # pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv6

Generate Mitigation Statement:

Checks: C-17379r372805_chk

Determine if the number of half open TCP connections is set to 4096. # ipadm show-prop -p _conn_req_max_q0 -co current tcp If the value of "4096" is not returned, this is a finding.

Fix: F-17377r372806_fix

The Network Management profile is required Configure maximum TCP connections for IPv4 and IPv6. # pfexec ipadm set-prop -p _conn_req_max_q0=4096 tcp

Generate Mitigation Statement:

Checks: C-17381r372811_chk

Determine if routing is disabled. # routeadm -p | egrep "routing |forwarding" | grep enabled If the command output includes "persistent=enabled" or "current=enabled", this is a finding.

Fix: F-17379r372812_fix

The Network Management profile is required. Disable routing for IPv4 and IPv6. # pfexec routeadm -d ipv4-forwarding -d ipv4-routing # pfexec routeadm -d ipv6-forwarding -d ipv6-routing To apply these changes to the running system, use the command: # pfexec routeadm -u

Generate Mitigation Statement:

Checks: C-17388r744133_chk

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, the IP Filter Management profile is required. Check that the IP Filter firewall is enabled and configured so that only authorized sessions are allowed. # svcs ipfilter If ipfilter is not listed with a state of online, this is a finding. The IP Filter Management profile is required. Check that the filters are configured properly. # ipfstat -io If the output of this command does not include these lines: block out log all keep state keep frags block in log all block in log from any to 255.255.255.255/32 block in log from any to 127.0.0.1/32 This is a finding. Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding. For Solaris 11.3 or newer, that use Packet Filter, the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only authorized sessions are allowed. # svcs firewall:default If firewall is not listed with a state of "online", this is a finding. The Network Firewall Management rights profile is required. Check that the filters are configured properly. # pfctl -s rules If the output of this command does not include this line: block drop log (to pflog0) all This is a finding. Check that the Packet Filter firewall logging daemon is enabled. svcs firewall/pflog:default If pflog is not listed with a state of "online", this is a finding.

Fix: F-17386r744134_fix

The root role is required. For Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, configure and enable the IP Filters policy. # pfedit /etc/ipf/ipf.conf. Add these lines to the file: # Do not allow all outbound traffic, keep state, and log block out log all keep state keep frags # Block and log everything else that comes in block in log all block in log from any to 255.255.255.255 block in log from any to 127.0.0.1/32 Enable ipfilter. # svcadm enable ipfilter Notify ipfilter to use the new configuration file. # ipf -Fa -f /etc/ipf/ipf.conf For Solaris 11.3 or newer, that use Packet Filter, configure and enable the Packet Filter’s policy. # pfedit /etc/firewall/pf.conf. Add these lines to the file: # Block and log all traffic on all interfaces in either direction from # anywhere to anywhere block log all Enable Packet Filter. # svcadm enable firewall:default Enable Packet Filter logging daemon. # svcadm enable firewall/pflog:default Note: Because the default firewall rules block all network access to the system, ensure that there is still a method to access the system such as SSH or console access prior to activating the firewall rules. Operational requirements may dictate the addition of protocols such as SSH, DNS, NTP, HTTP, and HTTPS to be allowed.

Generate Mitigation Statement:

Checks: C-17400r372868_chk

Determine if SSH is configured to disconnect sessions after 10 minutes of inactivity. # grep ClientAlive /etc/ssh/sshd_config If the output of this command is not: ClientAliveInterval 600 ClientAliveCountMax 0 this is a finding.

Fix: F-17398r372869_fix

The root role is required. Configure the system to disconnect SSH sessions after 10 minutes of inactivity. # pfedit /etc/ssh/sshd_config Insert the two lines: ClientAliveInterval 600 ClientAliveCountMax 0 Restart the SSH service with the new configuration. # svcadm restart svc:/network/ssh

Generate Mitigation Statement:

Checks: C-17401r372871_chk

Determine the zone that you are currently securing. # zonename If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require inspection. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require inspection. Identify if this system has physical interfaces. # dladm show-link -Z | grep -v vnic LINK ZONE CLASS MTU STATE OVER net0 global phys 1500 unknown -- e1000g0 global phys 1500 up -- e1000g1 global phys 1500 up -- zoneD/net2 zoneD iptun 65515 up -- If "phys" appears in the third column, then the interface is physical. For each physical interface, determine if the network interface is Ethernet or InfiniBand: # dladm show-phys [interface name] LINK MEDIA STATE SPEED DUPLEX DEVICE [name] Ethernet unknown 0 half dnet0 The second column indicates either "Ethernet" or "Infiniband". For each physical interface, determine if the host is using ip-forwarding: # ipadm show-ifprop [interface name] | grep forwarding [name] forwarding ipv4 rw off -- off on,off [name] forwarding ipv6 rw off -- off on,off If "on" appears in the fifth column, then the interface is using ip-forwarding. For each interface, determine if the host is using SR-IOV’s Virtual Function (VF) driver: # dladm show-phys [interface name] | grep vf If the sixth column includes 'vf' in its name, it is using SR-IOV (ex: ixgbevf0). For each physical and SR-IOV interface, determine if network link protection capabilities are enabled. # dladm show-linkprop -p protection LINK PROPERTY PERM VALUE DEFAULT POSSIBLE net0 protection rw mac-nospoof, -- mac-nospoof, restricted, restricted, ip-nospoof, ip-nospoof, dhcp-nospoof dhcp-nospoof If the interface uses Infiniband and if restricted, ip-nospoof, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding. If the interface uses ip-forwarding and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding. If the interface uses SR-IOV and if mac-nospoof, restricted, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding. If the interface uses Ethernet without IP forwarding and if mac-nospoof, restricted, ip-nospoof, and dhcp-nospoof do not appear in the "VALUE" column, this is a finding.

Fix: F-17399r372872_fix

Determine the name of the zone that you are currently securing. # zonename If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require configuration. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require configuration. The Network Link Security profile is required. Determine which network interfaces are available and what protection modes are enabled and required. Enable link protection based on each configured network interface type. For InfiniBand: # pfexec dladm set-linkprop -p protection=restricted,ip-nospoof,dhcp-nospoof [interface name] For IP forwarding: # pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] For SR-IOV: # pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] For Ethernet without IP forwarding: # pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]

Generate Mitigation Statement:

Checks: C-17402r372874_chk

This is N/A for systems that do not have wireless network adapters. Verify that there are no wireless interfaces configured on the system: # ifconfig -a eth0 Link encap:Ethernet HWaddr b8:ac:6f:65:31:e5 inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0 inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0 TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2159382827 (2.0 GiB) TX bytes:1389552776 (1.2 GiB) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2849 errors:0 dropped:0 overruns:0 frame:0 TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2778290 (2.6 MiB) TX bytes:2778290 (2.6 MiB) If a wireless interface is configured, it must be documented and approved by the local Authorizing Official. If a wireless interface is configured and has not been documented and approved, this is a finding.

Fix: F-17400r372875_fix

Configure the system to disable all wireless network interfaces.

Generate Mitigation Statement:

Checks: C-17403r372877_chk

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Crypto Management profile is required to execute this command. Check to ensure that FIPS-140 encryption mode is enabled. # cryptoadm list fips-140| grep -c "is disabled" If the output of this command is not "0", this is a finding.

Fix: F-17401r372878_fix

The Crypto Management profile is required to execute this command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Enable FIPS-140 mode. # pfexec cryptoadm enable fips-140 Reboot the system as requested.

Generate Mitigation Statement:

Checks: C-17411r622341_chk

Check the SSH daemon configuration for allowed ciphers. # grep -i ciphers /etc/ssh/sshd_config | grep -v '^#’ Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or is commented out, this is a finding.

Fix: F-17409r622342_fix

The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Change or set the ciphers line to the following: ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH service. # svcadm restart svc:/network/ssh

Generate Mitigation Statement:

Checks: C-17412r372904_chk

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the logical node of all attached removable media: # rmformat This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0 Determine which zpool is mapped to the device: # zpool status Determine the file system names of the portable digital media: # zfs list | grep [poolname] Using the file system name, determine if the removal media is encrypted: # zfs get encryption [filesystem] If "encryption off" is listed, this is a finding.

Fix: F-17410r372905_fix

The root role is required. Format a removable device as a ZFS encrypted file system. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. The ZFS File System Management and ZFS Storage management profiles are required. Insert the removable device: # rmformat This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0 Create an encrypted zpool on this device using a poolname of your choice: # pfexec zpool create -O encryption=on [poolname] c8t0d0p0 Enter a passphrase and confirm the passphrase. Keep the passphrase secure. Export the zpool before removing the media: # pfexec export [poolname] It will be necessary to enter the passphrase when inserting and importing the removable media zpool: Insert the removable media # pfexec import [poolname] Only store data in the encrypted file system.

Generate Mitigation Statement:

Checks: C-17418r372922_chk

The root role is required. Identify all world-writable directories without the "sticky bit" set. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -type d \( -perm -0002 \ -a ! -perm -1000 \) -ls Output of this command identifies world-writable directories without the "sticky bit" set. If output is created, this is a finding.

Fix: F-17416r372923_fix

The root role is required. Ensure that the "sticky bit" is set on any directories identified during the check steps. # chmod +t [directory name]

Generate Mitigation Statement:

Checks: C-17419r372925_chk

The root role is required. Check that the permissions on users' home directories are 750 or less permissive. # for dir in `logins -ox |\ awk -F: '($8 == "PS") { print $6 }'`; do find ${dir} -type d -prune \( -perm -g+w -o \ -perm -o+r -o -perm -o+w -o -perm -o+x \) -ls done If output is created, this is finding.

Fix: F-17417r372926_fix

The root role is required. Change the permissions on users' directories to 750 or less permissive. # chmod 750 [directory name]

Generate Mitigation Statement:

Checks: C-17420r793047_chk

The root role is required. Ensure that the permissions on user "." files are 750 or less permissive. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do find ${dir}/.[A-Za-z0-9]* \! -type l \ \( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 \) -ls done If output is produced, this is a finding.

Fix: F-17418r372929_fix

The root role is required. Change the permissions on users' "." files to 750 or less permissive. # chmod 750 [file name]

Generate Mitigation Statement:

Checks: C-17421r372931_chk

The root role is required. Check that permissions on user .netrc files are 750 or less permissive. # for dir in \ `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do find ${dir}/.netrc -type f \( \ -perm -g+r -o -perm -g+w -o -perm -g+x -o \ -perm -o+r -o -perm -o+w -o -perm -o+x \) \ -ls 2&gt;/dev/null done If output is produced, this is a finding.

Fix: F-17419r372932_fix

The root role is required. Change the permissions on users' .netrc files to 750 or less permissive. # chmod 750 [file name]

Generate Mitigation Statement:

Checks: C-17423r372937_chk

The root role is required. Check that groups are configured correctly. # logins -xo | awk -F: '($3 == "") { print $1 }' If output is produced, this is a finding.

Fix: F-17421r372938_fix

The root role is required. Correct or justify any items discovered in the Audit step. Determine if any groups are in passwd but not in group, and work with those users or group owners to determine the best course of action in accordance with site policy.

Generate Mitigation Statement:

Checks: C-17426r372946_chk

The root role is required. Check that home directories are owned by the correct user. # export IFS=":"; logins -uxo | while read user uid group gid gecos home rest; do result=$(find ${home} -type d -prune \! -user $user -print 2&gt;/dev/null); if [ ! -z "${result}" ]; then echo "User: ${user}\tOwner: $(ls -ld $home | awk '{ print $3 }')"; fi; done If any output is produced, this is a finding.

Fix: F-17424r372947_fix

The root role is required. Correct the owner of any directory that does not match the password file entry for that user. # chown [user] [home directory]

Generate Mitigation Statement:

Checks: C-17427r372949_chk

The root role is required. Check that there are no duplicate UIDs. # logins -d If output is produced, this is a finding.

Fix: F-17425r372950_fix

The root role is required. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy. Change user account names and UID or delete accounts, so each account has a unique name and UID.

Generate Mitigation Statement:

Checks: C-17428r372952_chk

The root role is required. Check that there are no duplicate UIDs. # logins -d If output is produced, this is a finding.

Fix: F-17426r372953_fix

The root role is required. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy. Change user account names and UID or delete accounts, so each account has a unique name and UID.

Generate Mitigation Statement:

Checks: C-17429r372955_chk

The root role is required. Check that group IDs are unique. # getent group | cut -f3 -d":" | sort -n | uniq -c |\ while read x ; do [ -z "${x}" ] &amp;&amp; break set - $x if [ $1 -gt 1 ]; then grps=`getent group | nawk -F: '($3 == n) { print $1 }' n=$2 | xargs` echo "Duplicate GID ($2): ${grps}" fi done If output is produced, this is a finding.

Fix: F-17427r372956_fix

The root role is required. Work with each respective group owner to remediate this issue and ensure that the group ownership of their files are set to an appropriate value.

Generate Mitigation Statement:

Checks: C-17430r809490_chk