Contains 191 rules.
Group: Verify the OS configuration
The Oracle Solaris OS is installed with packages from a repository. The packages must
arrive on the target system unmodified, and a set of protections for default services and
executables must be put in place. For more information, see:
Installation Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=IOSUI)
Security Guidelines (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SYSADV7)
In this section, you verify package integrity, ensure that the booted system is protected,
and verify that default OS protections are in place.

This group contains 9 rules.

Rule: The OS version is current
Systems should be kept up to date to ensure that the latest security and operational
updates are installed. You can run 'pkg update -n' to check the current state of the
system against the configured repositories.
Remediation script:
# pkg update

Rule: Package integrity is verified
Run 'pkg verify' to check that all installed Oracle Solaris software matches
the packaging database and that ownership, permissions and content are correct.
Remediation script:
# pkg verify
followed by
# pkg fix <package-fmri>

Rule: Package signature checking is globally activated
Package signature checking should be globally activated.
Remediation script:
# pkg set-property signature-policy verify

Rule: Booting the system should require a password
The GRUB menu, the BIOS, and the eeprom should be password-protected
to prevent configuration by unauthorized users.
The BIOS protections prevent booting from an external device, such as a USB flash drive.
Remediation script:
1. x86 BIOS Fix:
Consult the hardware vendor's documentation to determine how to start
the system and access the BIOS controls.
Access the system's BIOS or system controller. Set an administrator
password if one has not been set. Disable a user-level password
if one has been set.
2. x86 GRUB Fix:
2a. Generate a PBKDF2 hash of the GRUB password:
# /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
Enter password: xxxxxxxx
Reenter password: xxxxxxxx
PBKDF2 hash of your password is <grub.xxxxxxxx.sha512.hash>
2b. Create the GRUB password file:
/usr/lib/grub2/bios/etc/grub.d/01_password
The contents of that file are:
#!/bin/sh
/usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF
#
# GRUB password
#
set superusers="root"
password_pbkdf2 root <grub.xxxxxxxx.sha512.hash>
EOF
/usr/bin/chmod 600 /rpool/boot/grub/password.cfg
/usr/bin/echo 'source /@/boot/grub/password.cfg'
When GRUB2 runs its "rc" files, it executes grub.d/01_password,
which creates /rpool/boot/grub/password.cfg with mode 600.
2c. Protect the file:
# /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password
2d. Write the 01_password file (which in turn generates password.cfg) with a here document:
# /usr/bin/cat > /usr/lib/grub2/bios/etc/grub.d/01_password <<BAT
#!/bin/sh
/usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF
#
# GRUB password
#
set superusers="root"
password_pbkdf2 root <grub.xxxxxxxx.sha512.hash>
EOF
/usr/bin/chmod 600 /rpool/boot/grub/password.cfg
/usr/bin/echo 'source /@/boot/grub/password.cfg'
BAT
2e. Set a timeout for the menu:
# /usr/sbin/bootadm set-menu timeout=30
If the site has changed the timeout, use the value
returned by /usr/sbin/bootadm list-menu.
2f. Verify the result:
# /usr/bin/grep "password.cfg" /rpool/boot/grub/grub.cfg
source /@/boot/grub/password.cfg
3. SPARC eeprom fix: The security mode should be command or full:
# eeprom security-mode=command
Changing PROM password:
New password: xxxxxxxx
Retype new password: xxxxxxxx

Rule: Address Space Layout Randomization (ASLR) is enabled
Oracle Solaris tags many of its userland binaries to enable Address Space Layout
Randomization (ASLR). ASLR randomizes the starting address of key parts of an address
space. This security defense mechanism can cause Return Oriented Programming (ROP)
attacks to fail when they try to exploit software vulnerabilities.
See the sxadm(1M) man page.
Zones inherit this randomized layout for their processes. Because the use of ASLR might
not be optimal for all binaries, the use of ASLR is configurable at the zone level and
at the binary level.
Remediation script:
# sxadm delcust aslr

Rule: Stacks are non-executable
Programs read and write data on the stack. Typically, they execute from read-only portions
of memory that are specifically designated for code. Some attacks that cause buffers on the
stack to overflow try to insert new code on the stack and cause the program to execute it.
Removing execute permission from the stack memory prevents these attacks from succeeding.
Properly written programs function correctly without using executable stacks.
Remediation script:
# pfedit /etc/system
set noexec_user_stack=1
set noexec_user_stack_log=1
# reboot

Rule: The umask(1) for SMF services is 022
Files that the Service Management Facility (SMF) creates should be created with 644 file permissions.
Remediation script:
# svccfg -s svc:/system/environment:init setprop umask/umask = astring: "022"

Rule: Service svc:/network/ipfilter is enabled
IP Filter is a host-based firewall that provides stateful packet filtering and network address
translation (NAT). Packet filtering provides basic protection against network-based attacks.
IP Filter also includes stateless packet filtering and can create and manage address pools.
See the ipf(1M) and ipfilter(5) man pages.
Remediation script:
# svcadm enable svc:/network/ipfilter:default

Rule: The tcp_wrappers feature is enabled
TCP wrappers provides a way of implementing access controls by checking the address of a host that
is requesting a particular network service against an ACL. Requests are granted or denied accordingly.
TCP wrappers also logs host requests for network services, which is a useful monitoring function.
The ssh(1) and sendmail(1M) services are configured to use TCP wrappers. Network services that might be placed
under access control include proftpd(8) and rpcbind(1M). See the tcpd(1M) man page.
Remediation script:
1) Create an /etc/hosts.deny file containing the one line:
ALL:ALL
2) Create an /etc/hosts.allow file containing those connections which you
want to allow. For detailed instructions, see the hosts_access(4),
and tcpd(1M) man pages.

Group: Verify file system information
Oracle Solaris uses the ZFS file system by default. ZFS is robust, scalable, and easy to administer. ZFS
can lay out filesystems over multiple devices, keeps the file system state consistent on disk, and verifies the
data and metadata by using a user-selectable checksum algorithm. ZFS filesystems can hold zettabytes of data,
and this data can be encrypted, compressed, mirrored, and backed up easily.
For more information, see the ZFS Administration Guide
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=ZFSADMIN).
In this section, you ensure that no UFS filesystems are on the system, and that permissions on
sensitive files are set correctly. You also protect the system from rogue files.

This group contains 10 rules.

Rule: All local filesystems are ZFS
ZFS is the default filesystem for Oracle Solaris. On most systems
other filesystem types should not be mounted. See the zfs(7FS) man page.
Remediation script:
# umount <UFS-filesystem>
# umount <HSFS-filesystem>

Rule: Non-root ZFS filesystems are encrypted
All ZFS file systems that are not the root file system should be encrypted.
Encryption must be applied at filesystem creation. You must remember the encryption passphrase.
Store it in a safe place. See the zfs(1M) and zfs_encrypt(1M) man pages.
Remediation script:
# zfs unmount <ZFS-non-root-filesystem>
# zfs create -o encryption=on <ZFS-non-root-filesystem>
Enter passphrase for <ZFS-non-root-filesystem>: xxxxxxxx
Enter again: xxxxxxxx

Rule: swap(1M) is encrypted
Swap space, either a ZFS volume or raw device, should be encrypted. Encryption
ensures that any sensitive data, such as user passwords, are protected if the system
needs to swap those pages out to disk. See the swap(1M) man page.
Remediation script:
# pfedit /etc/vfstab
...
/dev/zvol/dsk/rpool/swap - - swap - no encrypted

Rule: A size limit is set on tmpfs(7FS)
The size of the tmpfs file system is not limited by default. To avoid a
performance impact, you can limit the size of each tmpfs mount.
See the mount_tmpfs(1M) and vfstab(4) man pages.
Remediation script:
Determine the limit of the tmpfs file system according to the size
of your disks.
# pfedit /etc/vfstab
...
swap - /tmp tmpfs - yes size=sz
# reboot

Rule: World-writable directories have sticky bit set
The sticky bit on a directory prevents files in a world-writable directory from
being deleted or moved by anyone except the owner of the file, or root. This is useful
in directories that are common to many users, such as the /tmp directory.
Remediation script:
# chmod 1777 <world-writable-directory>

Rule: coreadm(1M) configuration is correct
Core dumps can contain sensitive data. Protections can include file permissions and
logging core dump events. See the coreadm(1M) and chmod(1M) man pages.
Remediation script:
Use the coreadm command to view and set the current configuration.
Configure the core files and protect the core dump directory.
$ coreadm
global core file pattern: /var/share/cores/core.%f.%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: enabled
To set the correct coreadm(1M) configuration:
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \
-e log -e global -e global-setid \
-d process -d proc-setid
To check the permissions:
# ls -ld /var/share/cores
drwx------ 2 root root 2 Nov 2 2014 cores/
#
To set the permissions correctly on the directory:
# chmod 700 /var/share/cores

Rule: Find and list world writable files
World-writable files are unprotected files. Modification and removal of a
file should be limited to the owner of the file.
Remediation script:
# chmod 644 <world-writable-file>

Rule: Find and list suid and sgid files other than those in standard Oracle Solaris packages
Programs that set the UID and GID offer entry points for malicious code.
Remediation script:
# rm <setid-file>
or
# chmod -s <setid-file>

Rule: Find and list files with no known owner
Files with no owner should be removed. Accounts that are closed should
be archived and removed from the system.
Remediation script:
# rm <unowned-files>

Rule: Find and list files with extended attributes
Oracle Solaris implements extended attributes as files in an
"extended attribute" name space visible only by using extended attribute aware commands.
It is possible for attackers or malicious users to hide information in the extended
attribute name space. Oracle Solaris currently does not ship any files with extended
attributes.
See the runat(1) and fsattr(5) man pages.
Remediation script:
# rm </path/to/filename>
or
# runat </path/to/filename> rm *
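The "Find and list" rules in this group give the remediation but not the listing step. The following shell functions, added here as an example and not part of the Oracle benchmark, locate world-writable files, world-writable directories without the sticky bit, set-UID/set-GID files and unowned files using only POSIX find(1) primaries; the fixture directory they build is constructed so the checks can be exercised offline (on a real system you would scan / instead).

```shell
#!/bin/sh
# Added example (not part of the Oracle benchmark): list the files that the
# "Find and list" rules flag, so each can be reviewed before chmod/rm.
# Each function takes the directory to scan as $1 and prints one path per line;
# -xdev keeps the scan on one filesystem.

# Regular files writable by "other" (remediation: chmod 644 <file>).
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print
}

# World-writable directories lacking the sticky bit (remediation: chmod 1777 <dir>).
find_ww_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# Set-UID or set-GID files, to be compared against what the Oracle Solaris
# packages ship (remediation: rm <file> or chmod -s <file>).
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Files whose owner or group is not in the passwd/group databases (remediation: rm).
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Constructed fixture so the checks can be exercised offline; prints its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/private";  chmod 600  "$d/private"   # compliant
    : > "$d/leaky";    chmod 666  "$d/leaky"     # world-writable file
    : > "$d/setuid";   chmod 4755 "$d/setuid"    # set-UID
    : > "$d/setgid";   chmod 2755 "$d/setgid"    # set-GID
    mkdir "$d/shared"; chmod 777  "$d/shared"    # world-writable, no sticky bit
    mkdir "$d/tmpdir"; chmod 1777 "$d/tmpdir"    # world-writable with sticky bit: fine
    printf '%s\n' "$d"
}

# Run the checks against the fixture when executed directly.
ROOT=$(make_fixture) || exit 1
echo "world-writable files:";               find_world_writable "$ROOT"
echo "world-writable dirs without sticky:"; find_ww_dirs_no_sticky "$ROOT"
echo "set-UID/set-GID files:";              find_setid "$ROOT"
echo "unowned files:";                      find_unowned "$ROOT"
rm -rf "$ROOT"
```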

Group: Tune kernel and network parameters
Oracle Solaris is a multithreaded, scalable UNIX operating system that runs on SPARC and x86
processors. It is self-adjusting to system load and requires minimal tuning. Kernel and network
variables are tuned to secure values by default. In some cases, however, tuning is necessary.
For more information, see:
Tunables Parameters (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SOLTUNEPARAMREF)
Network Security Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=NWSEC)
In this section, you verify that a TCP/IP kernel variable is still set to its default value,
and you modify network tunables for security reasons.

This group contains 14 rules.

Rule: Directed broadcasts are not forwarded
By default, Oracle Solaris forwards broadcast packets. To reduce the possibility
of broadcast flooding, change the default. Note that you are also disabling broadcast pings.
Remediation script:
To fix
# ipadm set-prop -p _forward_directed_broadcasts=0 ip
or
# ipadm reset-prop -p _forward_directed_broadcasts ip

Rule: Source-routed packets are not forwarded
To prevent DoS attacks from spoofed packets, ensure that source-routed packets
are not forwarded. The default is not to forward them.
Remediation script:
To fix, use
# ipadm set-prop -p _forward_src_routed=0 ipv4
and
# ipadm set-prop -p _forward_src_routed=0 ipv6

Rule: TCP reverse source routing is disabled
The default value prevents packets from bypassing network security measures. Source-routed
packets allow the source of the packet to suggest a path different from the path configured on the router.
Note - This parameter might be set to 1 for diagnostic purposes. After diagnosis is complete,
return the value to 0.
Remediation script:
To fix
# ipadm set-prop -p _rev_src_routes=0 tcp
or
# ipadm reset-prop -p _rev_src_routes tcp

Rule: ICMP redirects are disabled
Routers use ICMP redirect messages to inform hosts of more direct routes to a destination.
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Remediation script:
To fix
# ipadm set-prop -p _ignore_redirect=1 ipv4
and
# ipadm set-prop -p _ignore_redirect=1 ipv6

Rule: Responses to echo requests on multicast addresses are disabled
To prevent the dissemination of information about the network topology, disable these responses.
Remediation script:
To fix
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
and
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv6

Rule: Responses to ICMP broadcast timestamp requests are disabled
To prevent the dissemination of information about the network topology, disable
these responses if they are currently enabled.
Remediation script:
To fix, use
# ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
or
# ipadm reset-prop -p _respond_to_timestamp_broadcast ip

Rule: Responses to ICMP echo requests on broadcast addresses are disabled
To prevent the dissemination of information about the network topology,
disable these responses if they are currently enabled.
Remediation script:
To fix
# ipadm set-prop -p _respond_to_echo_broadcast=0 ip

Rule: Responses to ICMP netmask requests are disabled
To prevent the dissemination of information about the network topology,
disable these responses if they are currently enabled.
Remediation script:
To fix, use
# ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
or
# ipadm reset-prop -p _respond_to_address_mask_broadcast ip

Rule: Responses to ICMP timestamp requests are disabled
The default value removes additional CPU demands on systems and prevents the
dissemination of information about the network.
Remediation script:
To fix
# ipadm set-prop -p _respond_to_timestamp=0 ip
or
# ipadm reset-prop -p _respond_to_timestamp ip

Rule: Routing is disabled
Systems in a secure datacenter should not need automatic routing reconfiguration.
After configuring routing manually using route(1M), disable the network routing daemon.
Remediation script:
# svcadm disable svc:/network/routing/route:default

Rule: Strict multihoming is enabled
For systems that are gateways to other domains, such as a firewall or a VPN node,
strict multihoming must be enabled. The hostmodel property controls the send and
receive behavior for IP packets on a multihomed system.
Remediation script:
To fix
# ipadm set-prop -p _strict_dst_multihoming=1 ipv4
and
# ipadm set-prop -p _strict_dst_multihoming=1 ipv6

Rule: Strong TCP packet sequence numbering
Ensure that the TCP initial sequence number generation parameter complies
with RFC 6528 (http://www.ietf.org/rfc/rfc6528.txt).
Remediation script:
# pfedit /etc/default/inetinit
...
TCP_STRONG_ISS=2
...

Rule: The maximum number of half-open TCP connections is at least 4096
Setting the maximum half-open TCP connections to 4096 per IP address per port helps to defend
against SYN flood denial of service attacks.
Remediation script:
To fix
# ipadm set-prop -p _conn_req_max_q0=4096 tcp

Rule: The maximum number of waiting TCP connections is set to at least 1024
Setting the maximum number of queued incoming TCP connections to at least 1024
can help prevent certain Distributed Denial of Service (DDoS) attacks.
Remediation script:
To fix
# ipadm set-prop -p _conn_req_max_q=1024 tcp
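The ipadm(1M) rules above each fix one tunable; a practitioner usually wants to audit all of them at once before remediating. The following shell script is an added example, not part of the Oracle benchmark: it checks the required values from this group against "proto:property:current" lines, the field layout assumed for `ipadm show-prop -c -o proto,property,current ip ipv4 ipv6 tcp`, and the sample it runs against is constructed so it works offline.

```shell
#!/bin/sh
# Added example (not part of the Oracle benchmark): audit the ipadm(1M) tunables
# from the rules in this group. Input is one "proto:property:current" line per
# property, the layout assumed for:
#   ipadm show-prop -c -o proto,property,current ip ipv4 ipv6 tcp
# A constructed sample is embedded below so the audit can be exercised offline.

# Required values, one "proto property op value" entry per line:
# "eq" means the current value must equal value, "ge" means it must be at least value.
REQUIRED='ip _forward_directed_broadcasts eq 0
ipv4 _forward_src_routed eq 0
ipv6 _forward_src_routed eq 0
tcp _rev_src_routes eq 0
ipv4 _ignore_redirect eq 1
ipv6 _ignore_redirect eq 1
ipv4 _respond_to_echo_multicast eq 0
ipv6 _respond_to_echo_multicast eq 0
ip _respond_to_timestamp_broadcast eq 0
ip _respond_to_echo_broadcast eq 0
ip _respond_to_address_mask_broadcast eq 0
ip _respond_to_timestamp eq 0
ipv4 _strict_dst_multihoming eq 1
ipv6 _strict_dst_multihoming eq 1
tcp _conn_req_max_q0 ge 4096
tcp _conn_req_max_q ge 1024'

# audit_ipprops: reads the property lines on stdin and prints one finding per
# line ("FAIL proto property current expected" or "MISSING proto property").
# Returns 0 when every required property is present and compliant, 1 otherwise.
audit_ipprops() {
    input=$(cat)
    rc=0
    while read -r proto prop op want; do
        cur=$(printf '%s\n' "$input" |
              awk -F: -v p="$proto" -v n="$prop" '$1 == p && $2 == n { print $3; exit }')
        if [ -z "$cur" ]; then
            echo "MISSING $proto $prop"; rc=1; continue
        fi
        case "$op" in
            eq) [ "$cur" = "$want" ] || { echo "FAIL $proto $prop $cur $want"; rc=1; } ;;
            ge) [ "$cur" -ge "$want" ] 2>/dev/null || { echo "FAIL $proto $prop $cur >=$want"; rc=1; } ;;
        esac
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Constructed sample: two values are deliberately non-compliant (IPv4 still
# honours ICMP redirects; the half-open connection queue is below 4096).
SAMPLE='ip:_forward_directed_broadcasts:0
ipv4:_forward_src_routed:0
ipv6:_forward_src_routed:0
tcp:_rev_src_routes:0
ipv4:_ignore_redirect:0
ipv6:_ignore_redirect:1
ipv4:_respond_to_echo_multicast:0
ipv6:_respond_to_echo_multicast:0
ip:_respond_to_timestamp_broadcast:0
ip:_respond_to_echo_broadcast:0
ip:_respond_to_address_mask_broadcast:0
ip:_respond_to_timestamp:0
ipv4:_strict_dst_multihoming:1
ipv6:_strict_dst_multihoming:1
tcp:_conn_req_max_q0:128
tcp:_conn_req_max_q:1024'

if printf '%s\n' "$SAMPLE" | audit_ipprops; then
    echo "all network tunables compliant"
else
    echo "non-compliant tunables found (see FAIL/MISSING lines above)"
fi
```

On a live system, pipe the real `ipadm show-prop -c -o proto,property,current ...` output into `audit_ipprops` instead of the sample.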

Group: Enable required services
The Service Management Facility (SMF) provides an infrastructure to ease application and
system service management. SMF augments the traditional UNIX startup scripts, init run levels,
and configuration files. Management information for each service is stored in a configuration
repository, which provides a simplified way to manage each service.
For more information, see the Service Management Facility Guide
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SVSVF).
Services that a system requires to function as a standalone system are enabled by default.
In this section, you ensure that these services are still enabled.

This group contains 28 rules.

Rule: Service svc:/system/coreadm is enabled
The coreadm service manages the core files that are produced by
processes that terminate abnormally. See the core(4) and coreadm(1M) man pages.
Remediation script:
# svcadm enable coreadm

Rule: Service svc:/system/cron is enabled
The cron service manages the cron(1M) command, which runs processes that
execute commands at specified dates and times. See the at(1), crontab(1), and
cron(1M) man pages.
Remediation script:
# svcadm enable cron

Rule: Service svc:/system/cryptosvc is enabled
The cryptosvc service manages the use of cryptographic mechanisms from
the Cryptographic Framework feature of Oracle Solaris.
See the cryptoadm(1M) man page.
Remediation script:
# svcadm enable cryptosvc

Rule: Service svc:/system/dbus is enabled
The dbus service manages the D-Bus message bus daemon. Programs use the
message bus daemon to exchange messages with one another. For example, the
Hardware Abstraction Layer (HAL) uses dbus. See the dbus-daemon(1) and
hal(5) man pages.
Remediation script:
# svcadm enable dbus

Rule: Service svc:/system/filesystem/autofs is enabled
The autofs service manages the mount points for the automount(1M) daemon.
Remediation script:
# svcadm enable autofs

Rule: Service svc:/system/hal is enabled
The Hardware Abstraction Layer (HAL) service manages dynamic hardware
configuration changes. See the hal(5) man page.
Remediation script:
# svcadm enable hal

Rule: Service svc:/system/identity:domain is enabled
The identity:domain service instance manages system identity.
See the domainname(1M) man page.
Remediation script:
# svcadm enable identity:domain

Rule: Service svc:/system/intrd is enabled
The interrupt balancer (intrd) service monitors the assignments between interrupts
and CPUs to ensure optimal performance. See the intrd(1M) man page.
Remediation script:
# svcadm enable intrd

Rule: Service svc:/system/keymap is enabled
The keymap service manages the default configuration of the keyboard.
See the kbd(1) man page.
Remediation script:
# svcadm enable keymap

Rule: Service svc:/system/name-service/cache is enabled
The name-service/cache service manages the caching of name service information.
See the nscd(1M) man page.
Remediation script:
# svcadm enable name-service/cache

Rule: Service svc:/system/name-service/switch is enabled
The name-service/switch service manages the databases that contain information about
hosts, users, and groups. See the nsswitch.conf(4) man page.
Remediation script:
# svcadm enable name-service/switch

Rule: Service svc:/system/ocm is enabled
The Oracle Configuration Manager (ocm) service collects configuration information and
uploads it to the Oracle repository. See the configCCR(1M) man page.
Remediation script:
# svcadm enable ocm

Rule: Service svc:/system/picl is enabled
The platform information and control (picl) service manages the publishing of platform
configuration information that can respond to client requests for information about the
configuration. See the picld(1M) and prtpicl(1M) man pages.
Remediation script:
# svcadm enable picl

Rule: Service svc:/system/power management is enabled
The system/power service manages the power management configuration of an Oracle Solaris system.
See the poweradm(1M) man page.
Remediation script:
# svcadm enable system/power

Rule: Service svc:/system/scheduler is enabled
The system/scheduler service manages the process scheduler.
See the dispadmin(1M) man page.
Remediation script:
# svcadm enable system/scheduler

Rule: Service svc:/system/system-log is enabled
The system-log service reads and forwards system messages to the appropriate
log files or users. See the syslogd(1M) and rsyslogd(1M) man pages.
Remediation script:
# svcadm enable system/system-log:default
or
# svcadm enable system/system-log:rsyslog

Rule: Service svc:/system/utmp is enabled
The utmp service manages a table of processes, detects when a process has
terminated, and updates the table. See the utmpd(1M) man page.
Remediation script:
# svcadm enable system/utmp

Rule: Service svc:/system/zones is enabled
The zones service manages the autoboot and graceful shutdown of zones.
See the zones(5) and zonecfg(1M) man pages.
Remediation script:
# svcadm enable system/zones

Rule: Service svc:/system/zones-install is enabled
The zones-install service manages the auto-installation of zones.
Remediation script:
# svcadm enable system/zones-install

Rule: Service svc:/network/inetd is enabled
The inetd service manages the restarting of inet services. See the inetd(1M) man page.
Remediation script:
# svcadm enable inetd

Rule: Service svc:/network/ntp is enabled and properly configured as a client
The Network Time Protocol daemon should be enabled and properly configured as a client.
The /etc/inet/ntp.conf file must include at least one server definition. The file should also
contain the line "restrict default ignore" to prevent the client from also acting as a server.
Remediation script:
If needed
# pkg install service/network/ntp
then
# vi /etc/inet/ntp.conf
...
server <server IP address> iburst
restrict default ignore
...
# svcadm enable ntp

Rule: Service svc:/network/rpc/bind is enabled
The rpc/bind service manages the conversion of RPC program numbers to
universal addresses. See the rpcbind(1M) man page.
Remediation script:
# svcadm enable rpc/bind

Rule: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured
The generic security service (gss) service manages the generation and validation
of Generic Security Service Application Program Interface (GSS-API) security tokens.
The gssd(1M) daemon operates between the kernel rpc and the GSS-API. Kerberos uses this service.
Remediation script:
# svcadm enable rpc/gss

Rule: Service svc:/network/sendmail-client is enabled
The sendmail-client service manages email on a client. The sendmail-client
service needs to be running to ensure delivery of mail to local accounts such
as root. See the sendmail(1M) man page.
Remediation script:
# svcadm enable sendmail-client

Rule: Service svc:/network/smtp:sendmail is enabled
The sendmail service should be running. Otherwise, important system
mail to root will not be delivered. See the sendmail(1M) man page.
Remediation script:
# svcadm enable smtp:sendmail

Rule: Service svc:/network/smtp:sendmail only listens on loopback
Check that sendmail listens in local_only mode. This is also called
listening on loopback. See the sendmail(1M) and svccfg(1M) man pages.
Remediation script:
# svccfg -s svc:/network/smtp:sendmail setprop \
config/local_only = astring: "true"

Rule: Service svc:/network/ssh is enabled
The ssh service manages the Secure Shell (ssh) daemon, which provides secure
encrypted communications between two untrusted hosts over an insecure network.
By default, ssh is the only network service that can send and receive network
packets on a newly-installed Oracle Solaris system.
See the sshd(1M) man page.
Remediation script:
# svcadm enable ssh

Rule: Service svc:/application/stosreg is enabled
The service tag OS registry inserter (stosreg) service manages the service tag
registry. See the stclient(1M) man page.
Remediation script:
# svcadm enable stosreg

Group: Disable services that are not required
The Service Management Facility (SMF) provides an infrastructure to ease application
and system service management. SMF augments the traditional UNIX startup scripts, init run
levels, and configuration files. Management information for each service is stored in a
configuration repository, which provides a simplified way to manage each service.
For more information, see the Service Management Facility Guide
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SVSVF).
Services that are particular to the purpose of a system must be enabled for that system only.
Therefore, a number of services can and should be disabled. Also, legacy services, such as
talk(1), are not installed by default. In this section, you ensure that services that the
system does not require are disabled.

This group contains 64 rules.

Rule: The NIS client service is disabled or not installed
By default, NIS client software is not installed. NIS is an RPC-based naming
service that does not conform to current security requirements, so can be less
secure than the LDAP naming service.
See the nis(5) and ypbind(1M) man pages.
Remediation script:
# svcadm disable svc:/network/nis/client

Rule: The NIS server service is disabled or not installed
By default, NIS server software is not installed. NIS is an RPC-based
naming service that does not conform to current security requirements,
so can be less secure than the LDAP naming service.
See the nis(5) and ypserv(1M) man pages.
Remediation script:
# svcadm disable svc:/network/nis/server

Rule: The r-protocols services are disabled in PAM
By default, legacy services such as the r-protocols, rlogin(1) and rsh(1),
are not installed. Their services, however, are defined in /etc/pam.d.
See the pam.d(4) man page.
Remediation script:
# cd /etc/pam.d
# cp rlogin rlogin.orig
# pfedit rlogin
auth definitive pam_deny.so.1
auth sufficient pam_deny.so.1
auth required pam_deny.so.1
# cp rsh rsh.orig
# pfedit rsh
auth definitive pam_deny.so.1
auth sufficient pam_deny.so.1
auth required pam_deny.so.1

Rule: mesg(1) prevents talk(1) and write(1) access to remote terminals
This program controls whether users can send messages by using write(1), talk(1)
or other utilities to a terminal device. See the mesg(1) man page.
Remediation script:
# mesg -n

Rule: ssh(1) is the only service binding a listener to non-loopback addresses
By default, ssh(1) is the only network service that can send and receive network
packets on a newly-installed Oracle Solaris system. See the sshd(1M) man page.
Remediation script:
# svcadm disable <FMRI for unneeded service>

Rule: Service svc:/network/dhcp-server is disabled or not installed
By default, the dhcp-server service is not installed. If you are not using this system
as a DHCP server, you should not install or enable the service.
Remediation script:
# svcadm disable svc:/network/dhcp-server

Rule: Service svc:/network/dns/multicast is disabled or not installed
Multicast DNS (mDNS) implements DNS in a small network where no conventional DNS
server has been installed. DNS Service Discovery (DNS-SD) extends multicast DNS to
also provide simple service discovery (network browsing). This service is disabled by
default, because while it can ease finding hosts and servers, it can also provide information
about the network to malicious users.
See the named(1M) and mdnsd(1M) man pages.
Remediation script:
# svcadm disable svc:/network/dns/multicast

Rule: Service svc:/network/finger is disabled or not installed
This legacy service enables users to display information about local and remote users.
By default, this service is not installed as part of solaris-small-server.
It is, however, installed as part of solaris-large-server. This service is almost never
needed and should either be removed or, at the least, disabled.
See the fingerd(1M) and finger(1) man pages.
Remediation script:
# svcadm disable finger
or
# pkg uninstall pkg:/service/network/finger
# pkg uninstall pkg:/network/finger

Rule: Service svc:/network/ftp is disabled or not installed
The FTP service provides unencrypted file transfer service and uses plain
text authentication. The secure copy program (scp(1)) should be used instead
of FTP, as it provides encrypted authentication and file transfer.
Remediation script:
# svcadm disable svc:/network/ftp:default

Rule: Service svc:/network/http:apache22 is disabled or not installed
This program provides Apache web server services by using the Hypertext
Transfer Protocol (HTTP). See the httpd(8) man page.
Remediation script:
# svcadm disable network/http:apache22

Rule: Service svc:/network/login:rlogin is disabled or not installed
This legacy service enables users to log in remotely. By default, this service
is not installed as part of solaris-small-server. See the rlogind(1M) and rlogin(1) man pages.
Remediation script:
# svcadm disable network/login:rlogin
or
# pkg uninstall pkg:/service/network/legacy-remote-utilities

Rule: Service svc:/network/login:klogin is disabled or not installed
This service enables users to log in remotely with Kerberos authentication. By
default, this service is not installed. See the rlogind(1M) and rlogin(1) man pages.
Remediation script:
# svcadm disable network/login:klogin

Rule: Service svc:/network/login:eklogin is disabled or not installed
This service enables users to log in remotely with Kerberos authentication over
an encrypted line. By default, this service is not installed. See the rlogind(1M) and rlogin(1) man pages.
Remediation script:
# svcadm disable network/login:eklogin

Rule: Service svc:/network/nfs/cbd is disabled or not installed
This service manages communication endpoints for the NFS Version 4 protocol.
The nfs4cbd(1M) daemon runs on the NFS Version 4 client and creates a listener
port for callbacks.
Remediation script:
# svcadm disable svc:/network/nfs/cbd

Rule: Service svc:/network/nfs/client is disabled or not installed
The NFS client service is needed only if the system is mounting files from an
NFS server. If the system is not mounting files, the service can be disabled or
its package uninstalled. See the mount_nfs(1M) man page.
Remediation script:
# svcadm disable svc:/network/nfs/client

Rule: Service svc:/network/nfs/fedfs-client is disabled or not installed
The Federated Filesystem (FedFS) client service manages defaults and
connection information for LDAP servers that store FedFS information.
See the nsdbparams(1M) and fedfs(5) man pages.
Remediation script:
# svcadm disable svc:/network/nfs/fedfs-client

Rule: Service svc:/network/nfs/mapid is disabled or not installed
The NFS user and group ID mapping daemon service maps to and from NFS version 4
owner and owner_group identification attributes and local UID and GID numbers used
by both the NFS version 4 client and server. See the nfsmapid(1M) man page.
Remediation script:
# svcadm disable svc:/network/nfs/mapid

Rule: Service svc:/network/nfs/nlockmgr is disabled or not installed
The NFS lock manager supports record locking operations on NFS files in
NFSv2 and NFSv3. See the lockd(1M) and sharectl(1M) man pages.
Remediation script:
# svcadm disable svc:/network/nfs/nlockmgr

Rule: Service svc:/network/nfs/rquota is disabled or not installed
The remote quota server returns quotas for a user of a local file system
which is mounted over NFS. The results are used by quota(1M) to display user
quotas for remote file systems. The rquotad(1M) daemon is normally invoked by inetd(1M).
Remediation script:
# svcadm disable svc:/network/nfs/rquota

Rule: Service svc:/network/nfs/server is disabled or not installed
The NFS server service handles client file system requests over NFS
versions 2, 3, and 4. If this system is not an NFS server, this service should be
disabled. See the nfsd(1M) man page.
Remediation script:
# svcadm disable svc:/network/nfs/server

Rule: Service svc:/network/nfs/status is disabled or not installed
The NFS status monitor service interacts with lockd(1M) to provide the crash
and recovery functions for the locking services on NFS.
Remediation script:
# svcadm disable svc:/network/nfs/status

Rule: Service svc:/network/comsat is disabled or not installed
This legacy service process listens for reports of incoming mail and notifies
interested users. By default, this service is not installed as part of
solaris-small-server. See the comsat(1M) man page.
Remediation script:
# pkg uninstall network/comsat
or
# svcadm disable comsat
|
Rule: Service svc:/network/rarp is disabled or not installed
This legacy service responds to DARPA reverse address resolution protocol (RARP)
requests. Historically, RARP was used by machines at boot time to discover their
Internet Protocol (IP) address. By default, this service is not installed.
See the rarpd(1M) and rarp(7P) man pages.
Remediation script:
# pkg uninstall system/boot/network
or
# svcadm disable network/rarp
|
Rule: Service svc:/network/rexec is disabled or not installed
This legacy service provides remote execution facilities with authentication based
on user names and passwords. See the in.rexecd(1M) and rexec(3C)
man pages.
Remediation script:
# pkg uninstall service/network/legacy-remote-utilities
or
# svcadm disable network/rexec:default
|
Rule: Service svc:/network/slp is disabled or not installed
This legacy service provides common server functionality for the Service Location
Protocol (SLP) versions 1 and 2, as defined by IETF in RFC 2165 and RFC 2608. SLP
discovers and selects network services. By default, this service is not enabled.
See the slpd(1M), slp.conf(4), and slp(7P) man pages.
Remediation script:
# pkg uninstall pkg:/service/network/slp
or
# svcadm disable network/slp
|
Rule: Service svc:/network/stdiscover is disabled or not installed
This legacy program is used to locate the service tag listener. For more
information, see the in.stdiscover(1M) man page.
Remediation script:
# svcadm disable stdiscover:default
|
Rule: Service svc:/network/stlisten is disabled or not installed
This legacy program is used to listen for discovery probes. See the in.stlisten(1M) man page.
Remediation script:
# svcadm disable stlisten:default
|
Rule: Service svc:/network/talk is disabled or not installed
This legacy program enables two-way, screen-oriented communication. For more
information, see the talk(1) and mesg(1) man pages.
Remediation script:
# mesg -n
|
Rule: Service svc:/network/telnet is disabled or not installed
This legacy service supports the DARPA standard TELNET virtual terminal protocol to
connect to a remote system over the TELNET port. By default, this service is not
installed. See the telnetd(1M) and telnet(1) man pages.
Remediation script:
# pkg uninstall pkg:/network/telnet
# pkg uninstall pkg:/service/network/telnet
or
# svcadm disable telnet
|
Rule: Service svc:/network/uucp is disabled or not installed
This legacy service, UNIX to UNIX copy, provides a user interface for requesting file copy
operations, typically used when constant connectivity is not possible. By default, this service
is not installed. See the uucpd(1M) and uucp(1C) man pages.
Remediation script:
# pkg uninstall pkg:/service/network/uucp
or
# svcadm disable network/uucp
|
Rule: Service svc:/network/security/kadmin is disabled or not installed
The Kerberos administration daemon service runs on the master key
distribution center (KDC), which stores the principal and policy
databases. This service should not be run on a system that is not a KDC.
See the kadmind(1M) man page.
Remediation script:
# pkg uninstall pkg:/system/security/kerberos-5
# pkg uninstall pkg:/service/security/kerberos-5
or
# svcadm disable svc:/network/security/kadmin
|
Rule: Service svc:/network/security/krb5_prop is disabled or not installed
The Kerberos propagation daemon runs on slave KDC servers to update the
database from the master KDC. See the kpropd(1M) man page.
Remediation script:
# pkg uninstall pkg:/system/security/kerberos-5
# pkg uninstall pkg:/service/security/kerberos-5
or
# svcadm disable svc:/network/security/krb5_prop
|
Rule: Service svc:/network/security/krb5kdc is disabled or not installed
The Kerberos key distribution center service manages Kerberos tickets
on the master and slave KDCs. See the krb5kdc(1M) man page.
Remediation script:
# pkg uninstall pkg:/system/security/kerberos-5
# pkg uninstall pkg:/service/security/kerberos-5
or
# svcadm disable svc:/network/security/krb5kdc
|
Rule: Service svc:/network/security/ktkt_warn is disabled or not installed
The Kerberos V5 warning messages daemon on Kerberos clients can warn users
when their Kerberos tickets are about to expire and can renew the tickets before
they expire. By default, this service is disabled. If the system is a Kerberos client,
this service should be enabled. See the ktkt_warnd(1M) man page.
Remediation script:
# pkg uninstall pkg:/system/security/kerberos-5
# pkg uninstall pkg:/service/security/kerberos-5
or
# svcadm disable svc:/network/security/ktkt_warn
|
Rule: Service svc:/network/shell:default is disabled or not installed
The remote shell daemon provides remote execution facilities with
authentication based on Kerberos V5 or privileged port numbers.
The Secure Shell service, svc:/network/ssh, is the best choice for
remote execution. See the rshd(1M) and sshd(1M) man pages.
Remediation script:
# pkg uninstall legacy-remote-utilities
or
# svcadm disable svc:/network/shell:default
|
Rule: Service svc:/network/shell:kshell is disabled or not installed
The remote shell daemon provides remote execution facilities with
authentication based on Kerberos V5 or privileged port numbers.
The Secure Shell service, svc:/network/ssh, is the best choice for
remote execution. See the rshd(1M) and sshd(1M) man pages.
Remediation script:
# pkg uninstall legacy-remote-utilities
or
# svcadm disable svc:/network/shell:kshell
|
Rule: Service svc:/network/chargen:stream is disabled or not installed
This legacy service provides the server side of the Character Generator Protocol
(RFC 864) for TCP. See the in.chargend(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/chargen:dgram is disabled or not installed
This legacy service provides the server side of the Character Generator Protocol
(RFC 864) for UDP. See the in.chargend(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/daytime:stream is disabled or not installed
This legacy service provides the server side of the Daytime Protocol (RFC 867)
for TCP. See the in.daytimed(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/daytime:dgram is disabled or not installed
This legacy service provides the server side of the Daytime Protocol (RFC 867)
for UDP. See the in.daytimed(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/discard:stream is disabled or not installed
This legacy service provides the server side of the Discard Protocol (RFC 863)
for TCP. See the in.discardd(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/discard:dgram is disabled or not installed
This legacy service provides the server side of the Discard Protocol (RFC 863)
for UDP. See the in.discardd(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/echo:stream is disabled or not installed
This legacy service provides the server side of the Echo Protocol (RFC 862)
for TCP. See the in.echod(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/echo:dgram is disabled or not installed
This legacy service provides the server side of the Echo Protocol (RFC 862)
for UDP. See the in.echod(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/time:stream is disabled or not installed
This legacy service provides the server side of the Time Protocol (RFC 868)
for TCP. See the in.timed(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/time:dgram is disabled or not installed
This legacy service provides the server side of the Time Protocol (RFC 868)
for UDP. See the in.timed(1M) man page.
Remediation script:
# pkg uninstall legacy-network-services
|
Rule: Service svc:/network/rpc/keyserv is disabled or not installed
keyserv is a daemon that is used for storing the private encryption keys
of each user logged into the system. These encryption keys are used for accessing
secure network services such as secure NFS. For more information, see the keyserv(1M) man page.
Remediation script:
# svcadm disable network/rpc/keyserv:default
|
Rule: Service svc:/network/rpc/keyserv cannot use the nobody user key
The value of ENABLE_NOBODY_KEYS is YES by default. See the
keyserv(1M) man page.
Remediation script:
# pfedit /etc/default/keyserv
...
ENABLE_NOBODY_KEYS=NO
|
Rule: Service svc:/network/rpc/meta is disabled or not installed
This legacy service uses an rpc(4) daemon to manage local copies of metadevice
diskset information. By default, this service is not installed.
See the rpc.metad(1M) man page.
Remediation script:
# pkg uninstall storage/svm
or
# svcadm disable rpc/meta
|
Rule: Service svc:/network/rpc/metamed is disabled or not installed
This legacy service manages mediator information for 2-string high availability
configurations. See the rpc.metamedd(1M) man page.
Remediation script:
# pkg uninstall storage/svm
or
# svcadm disable rpc/metamed
|
Rule: Service svc:/network/rpc/metamh is disabled or not installed
This legacy service uses an rpc(4) daemon to manage multi-hosted disks. By default,
this service is not installed. See the rpc.metamhd(1M) man page.
Remediation script:
# pkg uninstall storage/svm
or
# svcadm disable rpc/metamh
|
Rule: Service svc:/network/rpc/rex is disabled or not installed
This program is the Oracle Solaris RPC server for remote program execution.
If this service is enabled, the daemon is started by inetd(1M) whenever a
remote execution request is made.
See the rpc.rexd(1M) man page.
Remediation script:
# svcadm disable rpc/rex:default
|
Rule: Service svc:/network/rpc/rstat is disabled or not installed
This legacy service displays performance data from a remote system. By default,
this service is not installed. See the rstatd(1M) and rstat(3RPC) man pages.
Remediation script:
# pkg uninstall legacy-remote-utilities
or
# svcadm disable rpc/rstat
|
Rule: Service svc:/network/rpc/rusers is disabled or not installed
This legacy service displays information about users on a remote system. By default,
this service is not installed. See the rusersd(1M) and rusers(1) man pages.
Remediation script:
# pkg uninstall legacy-remote-utilities
or
# svcadm disable rpc/rusers
|
Rule: Service svc:/network/rpc/smserver is disabled or not installed
This program is used to access removable media devices. See the rpc.smserverd(1M) man page.
Remediation script:
# svcadm disable rpc/smserver:default
|
Rule: Service svc:/network/rpc/spray is disabled or not installed
This program is a server that records the packets sent by spray(1M).
See the rpc.sprayd(1M) man page.
Remediation script:
# pkg uninstall service/diagnostic/spray
or
# svcadm disable rpc/spray:default
|
Rule: Service svc:/network/rpc/wall is disabled or not installed
This program broadcasts messages to all logged-in users. See the rpc.rwalld(1M) and wall(1M) man pages.
Remediation script:
# pkg uninstall legacy-remote-utilities
or
# svcadm disable rpc/wall:default
|
Rule: Service svc:/network/smb/client is disabled or not installed
The SMB/CIFS client allows an Oracle Solaris system to natively mount file
systems by means of SMB shares from SMB enabled servers such as a Windows system.
See the mount_smbfs(1M) man page.
Remediation script:
# pkg uninstall file-system/smb
or
# svcadm disable smb/client
|
Rule: Service svc:/system/avahi-bridge-dsd is disabled or not installed
This program provides an object-oriented interface to DBUS-enabled applications.
See the avahi-daemon-bridge-dsd(1) man page.
Remediation script:
# svcadm disable system/avahi-bridge-dsd:default
|
Rule: Service svc:/system/filesystem/rmvolmgr is disabled or not installed
The removable volume manager is a HAL-aware volume manager that can
automatically mount and unmount removable media and hot-pluggable storage.
Users might import malicious programs, or transfer sensitive data off the
system. See the rmvolmgr(1M) man page.
Remediation script:
# svcadm disable svc:/system/filesystem/rmvolmgr
|
Rule: Service svc:/application/cups/in-lpd is disabled or not installed
This service supports the CUPS Line Printer Daemon (LPD) for legacy client
systems that use the LPD protocol. By default, this service is not installed.
See the cups-lpd(8) man page.
Remediation script:
# svcadm disable cups/in-lpd
|
Rule: Service svc:/application/graphical-login/gdm is disabled or not installed
The GNOME Display Manager manages the displays on a system, including the
console display, attached displays, XDMCP displays, and virtual terminals.
If a windowing display is not needed, this service should be disabled.
See the gdm(1M) man page.
Remediation script:
# svcadm disable svc:/application/graphical-login/gdm
|
Rule: Service svc:/application/management/net-snmp is disabled or not installed
The Simple Network Management Protocol (SNMP) is a widely used protocol for
monitoring the health and welfare of network equipment. The net-snmp SNMP daemon
processes requests from SNMP management software.
See the snmpd(8) and snmp_config(5) man pages.
Remediation script:
# svcadm disable svc:/application/management/net-snmp
|
Rule: Service svc:/application/x11/xfs is disabled or not installed
This program provides fonts to X Window System display servers.
The server is usually run by inetd(1M). See the xfs(1) and fsadmin(1) man pages.
Remediation script:
# svcadm disable svc:/application/x11/xfs:default
|
Group: Configure access and warning banners
System access should be protected and users should be notified that access is being monitored.
Warning messages inform users of monitoring, thereby deterring attacks. Two files,
/etc/issue and /etc/motd, can be modified with security information. /etc/issue displays before
login, and /etc/motd displays after login. Also, by changing the default text of warning messages,
you can hide system information from attackers who could use that information to exploit known
vulnerabilities.
Your organization's legal counsel should review the content of all messages before the system is
put in production.
For more information, see the Security Guidelines (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SYSADV7).
In this section, you protect the system from unwanted access and warn users that the system is being monitored.
|
contains 19 rules |
Rule: /etc/motd and /etc/issue contain appropriate policy text
The /etc/issue and /etc/motd (message of the day) files are designed to hold system
and security information. The contents of the /etc/issue file are displayed prior to the
login prompt on the console, or in a window if the file is called from the GNOME Display
Manager (gdm). Several applications call this file, such as Secure Shell and FTP. The
/etc/motd contents are displayed after login. By default, the /etc/motd file exists while
the /etc/issue file does not. See the issue(4), gdm(1M), and sshd_config(4) man pages.
Remediation script:
# pfedit /etc/issue
<legally-approved-text>
# chown root:root /etc/issue
# chmod 644 /etc/issue
# pfedit /etc/motd
<legally-approved-text>
|
Rule: The ftp(1) banner shows a suitable security message
The banner informs users who are attempting to access the system that
the system is monitored. Note that the pkg:/service/network/ftp package
must be installed for ftp to work.
Remediation script:
# echo "DisplayConnect /etc/issue" >> /etc/proftpd.conf
# svcadm restart ftp
|
Rule: The gdm(1M) banner shows a suitable security message
The banner informs users who are attempting to access the system that the system
is monitored. The banner uses the /etc/issue file. See the issue(4) and gdm(1M) man pages.
Remediation script:
# pfedit /etc/gdm/Init/Default
/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message" --filename=/etc/issue
|
Rule: The ssh(1) banner shows a suitable security message
By default, the ssh(1) banner displays the contents of the /etc/issue file.
See the issue(4) and sshd_config(4) man pages.
Remediation script:
$ grep Banner /etc/ssh/sshd_config
# Banner to be printed before authentication starts.
Banner /etc/issue
|
Rule: The telnet(1) banner shows a suitable security message
The telnetd(1M) DARPA TELNET protocol server is a legacy service that does not
conform to current security requirements. By default, this service is not installed,
and systems use the ssh(1M) protocol to communicate.
Remediation script:
# grep BANNER /etc/default/telnetd
BANNER=""
or
# pkg uninstall pkg://solaris/service/network/telnet
|
Rule: Use of the cron(1M) and at(1) daemons is restricted
The cron(1M) and at(1) daemons execute commands at specified dates and times.
Only qualified accounts should be allowed to run commands at arbitrary times on the system.
Remediation script:
# pfedit /etc/cron.d/cron.allow
root
|
Rule: Name services are set to all local (files) only
The operating system uses a number of databases of information about hosts,
ipnodes, users (passwd(4), shadow(4), and user_attr(4)), and groups. Data for
these can come from a variety of sources: hostnames and host addresses, for example,
can be found in /etc/hosts, NIS, LDAP, DNS, or Multicast DNS. Systems in restricted
environments may be more secure if only local file entries are used for these databases.
See the nsswitch.conf(4) man page for more information.
Remediation script:
For example:
# svccfg -s name-service/switch setprop config/default = astring: "files"
# svccfg -s name-service/switch setprop config/host = astring: "files"
# svccfg -s name-service/switch setprop config/password = astring: "files"
# svccfg -s name-service/switch setprop config/group = astring: "files"
# svccfg -s name-service/switch:default refresh
|
Rule: Find and list remote consoles
Remote consoles can be a source of unauthorized access. A system console should be
kept physically secure and no unauthorized consoles should be defined. The "consadm -p"
command displays alternate consoles across reboots. If none are defined, the command
displays no output. See the consadm(1M) man page.
Remediation script:
# svcs console-login
STATE STIME FMRI
disabled 12:52:29 svc:/system/console-login:terma
online 12:53:50 svc:/system/console-login:termb
online 12:53:10 svc:/system/console-login:default
online 12:53:11 svc:/system/console-login:vt2
# svcadm disable svc:/system/console-login:termb
|
Rule: Remote serial logins are disabled
Serial logins can be a source of unauthorized access. Login services should not be
enabled for serial ports that are not required to support the purpose of the system.
Remediation script:
# svcs console-login
STATE STIME FMRI
disabled 12:52:29 svc:/system/console-login:terma
online 12:53:50 svc:/system/console-login:termb
online 12:53:10 svc:/system/console-login:default
online 12:53:11 svc:/system/console-login:vt2
# svcadm disable svc:/system/console-login:termb
|
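The network service rules above and the two console-login rules all reduce to the same check: read a `svcs` listing and find instances that are online but expected to be disabled. The script below is an added example written for this page, not code from Oracle or from the benchmark. It embeds a constructed `svcs -a` listing and a short list of FMRIs taken from the rules above. It assumes that a bare service FMRI covers every instance of that service, and that `vt<N>` console-login instances are local virtual terminals rather than serial lines (the remediation above leaves vt2 online and disables only termb); the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page, not part of the Oracle benchmark.
# Checks a captured `svcs -a` listing against services that the rules
# above expect to be disabled. The listing below is constructed sample
# data, not output from a real host.

SVCS_SAMPLE=$(mktemp)
trap 'rm -f "$SVCS_SAMPLE"' EXIT
cat >"$SVCS_SAMPLE" <<'EOF'
STATE          STIME    FMRI
disabled       12:52:29 svc:/network/nfs/server:default
online         12:53:50 svc:/network/telnet:default
online         12:53:10 svc:/network/rpc/keyserv:default
disabled       12:53:11 svc:/network/rexec:default
online         12:53:12 svc:/network/ssh:default
disabled       12:52:29 svc:/system/console-login:terma
online         12:53:50 svc:/system/console-login:termb
online         12:53:10 svc:/system/console-login:default
online         12:53:11 svc:/system/console-login:vt2
EOF

# A few of the FMRIs the rules above say should be disabled or not
# installed. A bare service FMRI (no ":instance") covers every instance
# of that service; an FMRI with an instance matches only that instance.
MUST_BE_DISABLED='
svc:/network/nfs/server
svc:/network/telnet
svc:/network/rexec
svc:/network/rpc/keyserv:default
svc:/network/shell:default
'

# online_violations <svcs-listing>
# Prints, one per line and sorted, each FMRI in the listing that is
# online although it (or its parent service) is in MUST_BE_DISABLED.
online_violations() {
    printf '%s\n' "$MUST_BE_DISABLED" | awk -v listing="$1" '
        NF { wanted[$1] = 1 }                # stdin: the must-be-disabled list
        END {
            while ((getline line < listing) > 0) {
                n = split(line, f, /[ \t]+/)   # f[1]=STATE f[2]=STIME f[3]=FMRI
                if (n < 3 || f[1] != "online") continue
                fmri = f[3]
                svc = fmri
                sub(":[^:/]*$", "", svc)       # drop the ":instance" suffix
                if ((fmri in wanted) || (svc in wanted)) print fmri
            }
        }' | sort
}

# extra_console_logins <svcs-listing>
# Prints online console-login instances other than :default and the vt<N>
# virtual terminals (assumed local), i.e. candidates for `svcadm disable`
# under the remote-console and serial-login rules above.
extra_console_logins() {
    awk '$1 == "online" && $3 ~ "^svc:/system/console-login:" {
            inst = $3
            sub(".*:", "", inst)               # instance name after the last ":"
            if (inst != "default" && inst !~ "^vt[0-9]+$") print $3
         }' "$1" | sort
}

echo "Online services that the benchmark expects to be disabled:"
online_violations "$SVCS_SAMPLE"
echo "Online alternate console logins:"
extra_console_logins "$SVCS_SAMPLE"
```

On a real host the listing would be saved with `svcs -a` and the list extended with the remaining FMRIs from the rules above; reading a saved listing keeps the check runnable anywhere and lets the expected-disabled list live under version control next to the benchmark.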
Rule: root access is console-only
The root account should not be able to log in remotely, and its actions
should be monitored. See the login(1) man page.
Remediation script:
# If CONSOLE is set, root can only log in on that device.
# grep CONSOLE /etc/default/login
CONSOLE=/dev/console
|
Rule: ftp(1) is restricted to a specific set of users
FTP file transfers should not be available to all users, and must
require qualified users to supply their user names and passwords. In general,
system users should not be allowed to use FTP. This check verifies that
system accounts are included in the /etc/ftpd/ftpusers file so that they
are not allowed to use FTP. See the ftp(1) man page.
Remediation script:
# pfedit /etc/ftpd/ftpusers
....
root
daemon
bin
...
|
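The check described above (every system account listed in /etc/ftpd/ftpusers) is easy to script. The script below is an added example for this page, not Oracle's code: it compares a constructed passwd-format file against a constructed ftpusers file and prints the system accounts that are missing from the deny list. The UID threshold that defines a system account (`SYSTEM_UID_MAX`, 100 here) and the function name are this example's assumptions.

```shell
#!/bin/sh
# Added example for this page, not part of the Oracle benchmark.
# Reports system accounts from a passwd(4)-format file that are missing
# from an ftpusers-format deny list. Both files below are constructed
# samples; the UID threshold for "system account" is this example's assumption.

PASSWD_SAMPLE=$(mktemp); FTPUSERS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$FTPUSERS_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
alice:x:1001:10:Alice Example:/export/home/alice:/usr/bin/bash
EOF
cat >"$FTPUSERS_SAMPLE" <<'EOF'
# ftpusers: accounts that are denied FTP access, one per line
root
daemon
bin
sys
EOF

# Accounts with a UID below this value are treated as system accounts.
# Assumption for this example; adjust to the site's UID allocation policy.
SYSTEM_UID_MAX=100

# ftp_unrestricted_system_accounts <passwd-file> <ftpusers-file>
# Prints, in passwd order, each system account that does not appear in
# ftpusers. Comment lines and surrounding whitespace in ftpusers are ignored.
ftp_unrestricted_system_accounts() {
    awk -F: -v max="$SYSTEM_UID_MAX" -v deny="$2" '
        BEGIN {
            while ((getline line < deny) > 0) {
                gsub(/[ \t]/, "", line)                     # trim whitespace
                if (line != "" && line !~ /^#/) denied[line] = 1
            }
        }
        NF >= 3 && $3 + 0 < max && !($1 in denied) { print $1 }
    ' "$1"
}

ftp_unrestricted_system_accounts "$PASSWD_SAMPLE" "$FTPUSERS_SAMPLE"
```

For the sample data the output names adm and lp: both are below the threshold and absent from the deny list, while nobody (UID 60001) is outside the range this example treats as "system" and would need a site-specific rule.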
Rule: Files written in ftp(1) sessions have a suitable umask
The FTP server does not necessarily use the user's system file creation mask.
Setting the FTP umask ensures that files transmitted over FTP use a strong file
creation umask. See the umask(1) and proftpd(8) man pages.
Remediation script:
# pfedit /etc/proftpd.conf
Umask 027
|
Rule: The GNOME desktop has suitable screensaver settings
The timeout parameter for the xscreensaver application specifies the amount
of time that the keyboard and mouse can be inactive before a password-protected
screensaver appears. See the xscreensaver(1) man page.
Remediation script:
# cd /usr/share/X11/app-defaults
# cp XScreenSaver XScreenSaver.orig
# pfedit XScreenSaver
*timeout: 0:10:00
*lockTimeout: 0:00:00
*lock: True
|
Rule: gdm(1M) does not accept logins without passwords
Automatic logins are a known security risk for anything other than public kiosks.
By default, GNOME automatic login is disallowed, so users must supply a password.
In the default PAM configuration, gdm uses the authentication stack in the
/etc/pam.d/other file. See the gdm(1M) and pam.conf(4) man pages.
Remediation script:
# cd /etc/pam.d
# grep gdm-autologin *
|
Rule: ssh(1) requires passwords
Logins without a password put the system at risk. In the default remote login
service, Secure Shell, the PermitEmptyPasswords parameter in the /etc/ssh/sshd_config
file should remain set to no. See the sshd_config(4) man page.
Remediation script:
# cd /etc/ssh
# grep PermitEmpty sshd_config
...
PermitEmptyPasswords no
# svcadm restart svc:/network/ssh
|
Rule: ssh(1) does not forward X11
The X11Forwarding parameter in the /etc/ssh/sshd_config file specifies
whether users can forward an X Window session through an encrypted tunnel.
This parameter allows the remote user to display windows remotely over
Secure Shell. See the sshd_config(1M) and X(5) man pages.
Remediation script:
# pfedit /etc/ssh/sshd_config
...
X11Forwarding no
# svcadm restart svc:/network/ssh
|
Rule: Consecutive login attempts for ssh(1) are limited
By default, the MaxAuthTries parameter in the /etc/ssh/sshd_config file
is set to 6. This parameter specifies the maximum number of authentication
attempts that the server permits before ending the connection. By restricting
the number of failed authentication attempts, Secure Shell lessens the
effectiveness of brute-force login attempts. It is important to note that
setting MaxAuthTries to 6 actually provides only 3 failed login attempts
because of the way SSH counts failures. See the sshd_config(4) man page.
Remediation script:
# pfedit /etc/ssh/sshd_config
MaxAuthTries 6
# svcadm restart svc:/network/ssh
|
Rule: rhost-based authentication in ssh(1) is disabled
rhost-based authentication in Secure Shell allows users to remotely log in
without supplying a password. The IgnoreRhosts parameter specifies whether
.rhosts and .shosts files can be used rather than a password. See the
sshd_config(4) and hosts.equiv(4) man pages.
Remediation script:
# pfedit /etc/ssh/sshd_config
IgnoreRhosts yes
# svcadm restart svc:/network/ssh
|
Rule: root login by using ssh(1) is disabled
By default, remote root logins are not permitted because root is a role
and roles cannot log in. If root has been changed to a user, the default value
of the PermitRootLogin parameter in the /etc/ssh/sshd_config file prevents
root from remotely logging in. See the sshd_config(4) man page.
Remediation script:
# pfedit /etc/ssh/sshd_config
PermitRootLogin no
# svcadm restart svc:/network/ssh
|
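The six Secure Shell rules above (Banner, PermitEmptyPasswords, X11Forwarding, MaxAuthTries, IgnoreRhosts, PermitRootLogin) can be checked together. The script below is an added example for this page, not Oracle's code; it audits a constructed sshd_config sample. Two details the `grep` one-liners in the remediation scripts can miss are built in: a commented-out `#X11Forwarding no` sets nothing, so the compiled-in default applies, and settings inside a `Match` block are conditional rather than global. The `sshd_findings` and `sshd_setting` names are this example's own.

```shell
#!/bin/sh
# Added example for this page, not part of the Oracle benchmark.
# Audits an sshd_config file for the settings required by the Secure Shell
# rules above. The configuration below is a constructed sample.

SSHD_SAMPLE=$(mktemp)
trap 'rm -f "$SSHD_SAMPLE"' EXIT
cat >"$SSHD_SAMPLE" <<'EOF'
# Banner to be printed before authentication starts.
Banner /etc/issue
PermitEmptyPasswords no
#X11Forwarding no
MaxAuthTries 10
IgnoreRhosts yes
permitrootlogin yes

Match User backup
    X11Forwarding no
EOF

# Keyword and required value, one pair per line. sshd keywords are
# case-insensitive, so they are listed in lower case here.
SSHD_REQUIRED='
banner /etc/issue
permitemptypasswords no
x11forwarding no
maxauthtries 6
ignorerhosts yes
permitrootlogin no
'

# sshd_setting <config> <keyword>
# Prints the effective global value of a keyword: the first uncommented
# occurrence wins (as in sshd), and parsing stops at the first Match block,
# whose settings are conditional and do not apply globally.
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; exit }
    ' "$1"
}

# sshd_findings <config>
# One line per required keyword whose effective value differs from the
# required one: "<keyword> expected=<X> found=<Y>". An absent keyword is
# reported as <unset>, since the compiled-in default then applies.
# MaxAuthTries passes when it is at or below the required limit.
sshd_findings() {
    printf '%s\n' "$SSHD_REQUIRED" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sshd_setting "$1" "$key")
        if [ "$key" = maxauthtries ] && [ "${have:-999}" -le "$want" ] 2>/dev/null; then
            continue
        fi
        [ "$have" = "$want" ] ||
            printf '%s expected=%s found=%s\n' "$key" "$want" "${have:-<unset>}"
    done
}

sshd_findings "$SSHD_SAMPLE"
```

For the sample the script reports x11forwarding as unset, maxauthtries as 10 and permitrootlogin as yes; the `X11Forwarding no` under `Match User backup` is correctly ignored because it applies to one user only.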
Group: Verify audit configuration
Auditing is the collection of data about the use of system resources. The audit
data provides a record of security-related system events. This data can then be used
to assign responsibility for actions that take place on a host.
Auditing helps to detect potential security breaches by revealing suspicious or
abnormal patterns of system usage. Auditing also provides a means to trace suspect
actions back to a particular user, thus serving as a deterrent. Users who know that
their activities are being audited are less likely to attempt malicious activities.
For more information, see the Auditing Guide
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=OSMAA).
In this section, you ensure that the system is collecting the information that is
required by your site security policy.
|
contains 3 rules |
Rule: The auditd(1M) daemon is enabled
Auditing is a service, svc:/system/auditd, that is enabled by default
and should not be disabled. See the audit(1M) man page.
Remediation script:
# audit -s
|
Rule: Audit parameters are set to recommended values
At minimum, events in the lo class are audited and audit policy is set
to argv,cnt. Add audit classes and policy per your site's security
requirements. See the auditconfig(1M) man page.
Remediation script:
# auditconfig -setpolicy argv,cnt
# auditconfig -getpolicy
configured audit policies = argv,cnt
active audit policies = argv,cnt
# auditconfig -setflags lo
user default audit flags = lo(0x1000,0x1000)
|
Rule: All roles are audited with the "cusa" audit class
The cusa audit class contains events that cover administrative actions
that could affect the system's security posture.
See the audit_class(4), audit_event(4), rolemod(1M), and userattr(1) man pages.
Remediation script:
# logins -r
...list of roles ...
For each role, check the assigned audit flags:
# userattr audit_flags <rolename>
If no output, set the cusa audit flag and verify:
# rolemod -K audit_flags=cusa:no <rolename>
# userattr audit_flags <rolename>
cusa:no
|
Group: Verify user configuration
Each user at a site must have a unique login and ID, and be assigned a home directory.
User passwords must be as secure as possible, and their files at creation must be
protected from modification by other users. User configuration should protect regular
users and prevent or discourage malicious users.
For more information, see the User Rights guide
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=OSSUP).
In this section, you verify password constraints and other user configuration features.
You also correct role configuration, verify that system accounts are still correctly
configured, and check for duplicate and unknown users.
|
contains 44 rules |
Rule: Passwords are hashed with the SHA-256 algorithm
The second field in the /etc/shadow file indicates the algorithm that was used
to create the password hash. If the entry begins with "$5$", then the password is
hashed with the SHA-256 algorithm. See the crypt.conf(4) and policy.conf(4) man pages.
Remediation script:
# cd /etc/security
# cp policy.conf policy.conf.save
# pfedit policy.conf
CRYPT_ALGORITHMS_ALLOW=5
CRYPT_DEFAULT=5
# passwd <username>
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
# grep <username> /etc/shadow
<username>:$5$xxxxx::::::10 xxxxx
# cp policy.conf.save policy.conf
|
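To find every account that still carries a hash from an older algorithm after CRYPT_DEFAULT is changed, scan the second field of each shadow entry rather than checking one user at a time. The script below is an added example for this page, not Oracle's code; it runs over a constructed shadow-format sample with fake hash strings. It treats `NP`, `*` and `*LK*` entries as accounts that cannot log in with a password and reports everything else that is not a `$5$` hash, naming the scheme from its crypt(3C) prefix; the function name `non_sha256_hashes` is this example's own.

```shell
#!/bin/sh
# Added example for this page, not part of the Oracle benchmark.
# Lists accounts in a shadow(4)-format file whose password field is not a
# SHA-256 crypt ("$5$") hash, the algorithm the rule above calls for. The
# entries below are constructed sample data with fake hash strings.

SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$SHADOW_SAMPLE"' EXIT
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$5$saltsalt$fakehashfakehashfakehashfakehashfakehashfak:16000::::::
daemon:NP:6445::::::
bin:NP:6445::::::
alice:$5$abcdefgh$fakehashfakehashfakehashfakehashfakehashfak:17000::::::
bob:$1$abcdefgh$fakehashfakehashfakeha:16500::::::
carol:*LK*:16700::::::
dave:AbCdEfGhIjKlM:16200::::::
eve::16300::::::
EOF

# non_sha256_hashes <shadow-file>
# Prints "<user>:<reason>" for every entry whose password field is neither a
# $5$ hash nor a no-password/locked marker (NP, *, *LK*...). The reason names
# the scheme that the crypt(3C) prefix identifies, so an operator can see what
# will be re-hashed the next time passwd(1) runs under CRYPT_DEFAULT=5.
non_sha256_hashes() {
    awk -F: '
        NF < 2 { next }                                   # skip malformed lines
        $2 ~ /^\$5\$/ { next }                            # SHA-256 crypt: fine
        $2 == "NP" || $2 == "*" || $2 ~ /^\*LK\*/ { next }   # no password login
        $2 == ""       { print $1 ":empty-password"; next }
        $2 ~ /^\$1\$/  { print $1 ":md5-crypt"; next }
        $2 ~ /^\$6\$/  { print $1 ":sha512-crypt"; next }
        $2 ~ /^\$2a\$/ { print $1 ":blowfish-crypt"; next }
        length($2) == 13 && $2 !~ /\$/ { print $1 ":traditional-des"; next }
        { print $1 ":unrecognized" }
    ' "$1"
}

non_sha256_hashes "$SHADOW_SAMPLE"
```

An account that is listed keeps its old hash until its password is changed again, which is why the remediation above runs passwd after setting CRYPT_DEFAULT; an empty field, as for eve in the sample, is a login without any password and is the most urgent finding.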
Rule: Password history logs the last ten passwords
HISTORY in the /etc/default/passwd file prevents users from using similar passwords within the
HISTORY value. If MINWEEKS is set to 3 and HISTORY is set to 10, passwords are checked for
reuse for ten months. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 10
#HISTORY=0
HISTORY=10
...
|
Rule: Passwords allow repeat characters
MAXREPEATS in the /etc/default/passwd file allows users to repeat characters in passwords.
The default is 0, which permits repeated characters. Any other value indicates how many
characters can be repeated. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 0 which is the default
#MAXREPEATS=1 /** not default value **/
MAXREPEATS=0
...
|
Rule: Passwords allow whitespace
WHITESPACE in the /etc/default/login file indicates whether passwords can include
the space character. The space character provides some protection against
dictionary-based password attacks. The default is YES. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/login
...
# Compliance to the PCI-DSS benchmark is YES which is the default
#WHITESPACE=NO /** not default value **/
WHITESPACE=YES
...
|
Rule: Passwords require at least two alphabetic characters
MINALPHA in the /etc/default/passwd file indicates the minimum number of alphabetic characters
that passwords must contain. Alphabetic characters provide more values than numeric or
special characters, so allow for more variation. The default value is 2. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 2 which is the default
#MINALPHA=1 /** not default value **/
MINALPHA=2
...
|
Rule: Passwords require at least three characters difference from the previous password
MINDIFF in the /etc/default/passwd file indicates the minimum difference a password must have from
the previous password. The default is 3. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 3 which is the default
#MINDIFF=3
...
|
Rule: Passwords require at least one digit
MINDIGIT in the /etc/default/passwd file indicates the minimum number of digits that a password
must contain. Digits provide some protection against dictionary-based password attacks.
The default is 0. A value of at least 1 is recommended. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 1
#MINDIGIT=0
MINDIGIT=1
...
|
Rule: Passwords require at least one lowercase character
MINLOWER in the /etc/default/passwd file indicates the minimum number of lowercase
letters that a password must contain. This provides some protection against
dictionary-based password attacks. The default is 0. A value of at least 1
is recommended. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 1
#MINLOWER=0
MINLOWER=1
...
|
Rule: Passwords require a minimum of one non-alphabetic character
MINNONALPHA in the /etc/default/passwd file indicates the minimum number of non-alphabetic
characters that a password must contain. Non-alphabetic characters provide some
protection against dictionary-based password attacks. The default is 0. A value of
at least 1 is recommended. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 1 which is the default
#MINNONALPHA=0
MINNONALPHA=1
...
|
Rule: Passwords require at least one special character
MINSPECIAL in the /etc/default/passwd file indicates the minimum number of special
characters that a password must contain. Special characters provide some protection
against dictionary-based password attacks. The default is 0. A value of at least 1
is recommended. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 1
#MINSPECIAL=0
MINSPECIAL=1
...
|
Rule: Passwords require at least one uppercase character
MINUPPER in the /etc/default/passwd file indicates the minimum number of uppercase letters
that a password must contain. Uppercase letters provide some protection against
dictionary-based password attacks. The default is 0.
A value of at least 1 is recommended. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 1
#MINUPPER=0
MINUPPER=1
...
|
Rule: Passwords require at least eight characters
PASSLENGTH in the /etc/default/login file indicates the minimum number of
characters that a password must contain. A longer password length plus a strong
password hashing algorithm provide some protection against password attacks.
The default for Oracle Solaris 12 is 8.
See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 8
#PASSLENGTH=6
PASSLENGTH=8
...
|
Rule: Passwords cannot be changed for at least three weeks
MINWEEKS in the /etc/default/passwd file indicates the minimum number of weeks before a
password can be changed. This value prevents users from reusing a password quickly.
The default is unspecified. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 3
#MINWEEKS=
MINWEEKS=3
...
|
Passwords must be changed at least every 13 weeksruleMAXWEEKS in the /etc/default/passwd file indicates the maximum number of weeks that a
password can be used. This value is a balance between users remembering a new password
and malicious users attacking long-term passwords. The default is unspecified.
See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is 13
#MAXWEEKS=
MAXWEEKS=13
...
|
DICTIONBDIR is set to /var/passwdruleDICTIONBDIR in the /etc/default/passwd file points to the /var/passwd dictionary
by default. A password dictionary can strengthen users' password selection
by preventing the use of common words or letter combinations. The passwd
command performs dictionary lookups in the dictionary that DICTIONBDIR indicates.
The directory must hold a dictionary database built with mkpwdict(1M) from the
word lists named by DICTIONLIST; an empty directory provides no check.
See the passwd(1) and mkpwdict(1M) man pages.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is /var/passwd
#DICTIONBDIR=
DICTIONBDIR=/var/passwd
...
|
DISABLETIME is set for loginsruleDISABLETIME in the /etc/default/login file is set to 20 by default. Any value
greater than zero indicates the seconds before a login prompt appears after
RETRIES failed login attempts. This delay can mitigate rapid-fire, brute
force attacks on passwords. See the login(1) man page.
Remediation script:
# pfedit /etc/default/login
...
# Compliance to the PCI-DSS benchmark is 20 which is the default
#DISABLETIME=6 /** not default value **/
DISABLETIME=20
...
|
SLEEPTIME following an invalid login attempt is set to 4ruleSLEEPTIME in the /etc/default/login file is set to 4 by default. This number
indicates the number of seconds that elapse before the "login incorrect"
message appears after an incorrect password is typed. The maximum number
is 5. This delay can mitigate rapid-fire, brute force attacks on passwords.
See the login(1) man page.
Remediation script:
# pfedit /etc/default/login
...
# Compliance to the PCI-DSS benchmark is 4 which is the default
#SLEEPTIME=1 /**not default value**/
SLEEPTIME=4
...
|
NAMECHECK for passwords is set to YESruleNAMECHECK in the /etc/default/passwd file indicates whether a new password is
checked against the login name. The default, YES, rejects a password that is the
same as the login name or a reversed or rotated form of it, which are among the
first guesses an attacker makes. See the passwd(1) man page.
Remediation script:
# pfedit /etc/default/passwd
...
# Compliance to the PCI-DSS benchmark is YES which is the default
#NAMECHECK=NO /** not default value **/
NAMECHECK=YES
...
|
Logins require passwordsrulePASSREQ in the /etc/default/login file indicates whether logins require passwords.
Passwords are required for defense against computer attacks. The default is YES.
See the login(1) man page.
Remediation script:
# pfedit /etc/default/login
...
# Compliance to the PCI-DSS benchmark is YES which is the default
#PASSREQ=NO /** not default value **/
PASSREQ=YES
...
|
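A way to check the active values of the /etc/default/passwd and /etc/default/login settings covered by the rules above (MINNONALPHA through PASSREQ), as an added shell example that is not part of the benchmark or of Oracle Solaris. The policy tables encode the values the rules call for and the defaults the rule text states; where the text gives no dependable default (PASSLENGTH, MINWEEKS, MAXWEEKS) an unset key is reported for review. The sample file is constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit /etc/default/passwd and /etc/default/login against the
# values the rules call for. Not part of the benchmark; the policy tables and
# the sample file below are constructed for this example.
#
# Policy entries are KEY=WANT:DEFAULT. DEFAULT is the value that applies when
# the key is absent or commented out (taken from the rule text); an empty
# DEFAULT means "unset is not acceptable, report it".
PASSWD_POLICY="MINNONALPHA=1:1 MINSPECIAL=1:0 MINUPPER=1:0 PASSLENGTH=8: \
MINWEEKS=3: MAXWEEKS=13: DICTIONBDIR=/var/passwd:/var/passwd NAMECHECK=YES:YES"
LOGIN_POLICY="DISABLETIME=20:20 SLEEPTIME=4:4 PASSREQ=YES:YES"

# active_value FILE KEY: the value of the last uncommented KEY= assignment in
# FILE, or nothing if there is none. A leading '#' makes the line a comment,
# so '#MINUPPER=0' documents the default but sets nothing.
active_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -1
}

# audit_defaults FILE POLICY: print one line per deviation; return their count.
audit_defaults() {
    file=$1; n=0
    for entry in $2; do
        key=${entry%%=*}
        spec=${entry#*=}
        want=${spec%%:*}
        def=${spec#*:}
        have=$(active_value "$file" "$key")
        eff=${have:-$def}                 # effective value: explicit or default
        if [ "$eff" != "$want" ]; then
            echo "$file: $key=${have:-<unset, default '$def'>} (want $want)"
            n=$((n+1))
        fi
    done
    return $n
}

# write_sample_passwd_defaults FILE: a constructed /etc/default/passwd that
# shows a commented-out key, a too-short PASSLENGTH and an empty MINWEEKS.
write_sample_passwd_defaults() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=6
#MINUPPER=0
MINSPECIAL=1
EOF
}

# Live use:  audit_defaults /etc/default/passwd "$PASSWD_POLICY"
#            audit_defaults /etc/default/login  "$LOGIN_POLICY"
```

On the constructed sample the function reports MINUPPER (commented out, so the default 0 applies), PASSLENGTH=6 and the empty MINWEEKS, and accepts the keys whose stated default already matches the rule.
|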
Default system accounts are lockedruleOracle Solaris is installed with correctly configured system accounts.
These accounts should not be modified.
Remediation script:
# passwd -l <username>
|
Default system accounts are no-loginruleOracle Solaris is installed with correctly configured system accounts.
These accounts should not be modified.
Remediation script:
# passwd -N <username>
|
Reserved system accounts remain unusedruleAccounts whose ID is 100 or less are system accounts.
These accounts should not be replaced or reconfigured.
Remediation script:
# usermod <options> <username>
|
root is a roleruleBy default, root is a role. Roles cannot log in directly. Rather, a user logs
in and then assumes the root role, thus providing an audit trail of who is operating
as root. See the roles(1), user_attr(4), and usermod(1M) man pages.
Remediation script:
# usermod -K type=role root
# userattr type root
role
Then, assign the role to a trusted user.
# usermod -R root <trusted-user>
|
root is the only user with UID=0ruleThe UID of 0 has superuser privileges. Only root should have those privileges.
Remediation script:
# userdel <duplicate UID username>
or
# usermod -u <new UID> <login>
|
The root password is hashed with the SHA-256 algorithmruleThe second field in the /etc/shadow file indicates the algorithm that was used to
create the password hash. If the entry begins with "$5$", then the password is hashed
with the SHA-256 algorithm ("$6$" indicates SHA-512). A hash is recomputed only when
the password is next set, so changing the policy does not rehash existing passwords.
See the crypt.conf(4) and policy.conf(4) man pages.
Remediation script:
# cd /etc/security
# cp policy.conf policy.conf.save
# pfedit policy.conf
CRYPT_ALGORITHMS_ALLOW=5
CRYPT_DEFAULT=5
# passwd root
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
# grep root /etc/shadow
root:$5$xxxxx:xxxxx::::::
# cp policy.conf.save policy.conf
The second field begins with $5$; the third field is the date of the change in days
since 1970-01-01. Restoring the saved file returns CRYPT_ALGORITHMS_ALLOW and CRYPT_DEFAULT
to their previous values; keep CRYPT_DEFAULT=5 if every new password should use SHA-256.
The root PATH variable is correctruleThe root PATH variable should not include the current directory (.), or any
paths not related to administration. A PATH entry that a non-root user can write to
lets that user plant a program that root later runs by name.
Remediation script:
# PATH=/usr/bin:/usr/sbin
This assignment affects only the current shell. To make it persist, set PATH in root's
shell startup file and check SUPATH in /etc/default/login, which sets the initial PATH
for root logins. See the login(1) man page.
|
Role details are unchangedruleOracle Solaris ships with Role Based Access Control (RBAC). This feature enables
administrators to delegate specific, limited, additional privileges and authorizations
to individual users to administer parts of the system without giving them access to
the root account. The provided rights databases should not be changed directly. To add
rights to roles, use the roleadd and rolemod commands. These commands add entries to
the /etc/user_attr file.
See the profiles(1), auths(1), roles(1), rbac(5), roleadd(1M), rolemod(1M), and
user_attr(4) man pages.
Remediation script:
# pkg revert /etc/user_attr.d/<changed file>
Then
# roleadd <role>
# rolemod <role>
|
shadow(4) password fields are not emptyruleThe second field in the /etc/shadow file contains passwords. When creating
roles, you can easily forget to assign a password. An empty field allows login with
no password at all. Accounts that must never authenticate should be set to no-login
(passwd -N) or locked (passwd -l) rather than left empty. See the shadow(4) and passwd(1)
man pages.
Remediation script:
# userdel <account-with-no-password>
or
# passwd <account-with-no-password>
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
|
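The two shadow(4) checks above, the root hash algorithm and empty password fields, as one added shell example that is not part of the benchmark or of Oracle Solaris. It reads shadow-format lines on standard input, accepts the NP and *LK* markers that passwd -N and passwd -l write, treats $5$ (SHA-256) and $6$ (SHA-512) hashes as compliant, and reports everything else. The sample lines are constructed; the hash bodies are placeholders.

```shell
#!/bin/sh
# Added example: scan shadow(4)-format lines for empty password fields and for
# hashes not produced by the SHA-256 or SHA-512 crypt modules. Not part of the
# benchmark; the sample lines below are constructed.
#
# Field 2 conventions handled here:
#   ""        empty: the account logs in with no password at all
#   NP        no-login (passwd -N)
#   *LK*...   locked (passwd -l); may still carry the old hash after the marker
#   $5$...    SHA-256 crypt (crypt_sha256), what the rule requires
#   $6$...    SHA-512 crypt (crypt_sha512), also acceptable
# Anything else (13-character traditional crypt, $1$ MD5, $2a$ Blowfish) is
# reported so the password can be re-set under the corrected policy.conf.

# audit_shadow < FILE: print one line per finding; exit status is the count.
audit_shadow() {
    awk -F: '
        NF < 2              { next }                       # blank or junk line
        $2 == ""            { print $1 ": EMPTY password field"; n++; next }
        $2 == "NP"          { next }
        $2 ~ /^\*LK\*/      { next }
        $2 ~ /^\$[56]\$/    { next }
        {
            print $1 ": hash is not SHA-256/512 (starts with \"" substr($2, 1, 3) "\")"
            n++
        }
        END { exit n }
    '
}

# Constructed sample: a compliant root entry, a locked and a no-login system
# account, an account with no password, and a legacy MD5 hash.
SAMPLE_SHADOW='root:$5$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:17000::::::
lp:*LK*:17000::::::
oper:NP:17000::::::
bob::17000::::::
alice:$1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxx:17000::::::'

# Live use (as root):  audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow || echo "$? account(s) need attention"
```

On the sample, bob (empty field) and alice (MD5) are reported; lp and oper are skipped because locked and no-login accounts cannot authenticate with a password and need no hash.
|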
All groups specified in /etc/passwd are defined in /etc/groupruleUsers are assigned to at least one group and can be assigned to secondary groups.
All groups must be defined in the /etc/group file.
Remediation script:
# groupadd <missing-group>
|
Find and list duplicate GIDsruleGroups, like users, are unique. Duplicate group IDs must be removed.
Remediation script:
# groupmod -<options> <group>
|
Find and list duplicate group namesruleGroups, like users, are unique. Duplicate group names must be removed.
Remediation script:
# groupmod -<options> <group>
|
Find and list duplicate UIDsruleUsers are identified by IDs, which must be unique. Duplicate user IDs must be removed.
Remediation script:
# usermod -<options> <username>
|
Find and list duplicate usernamesruleUsers log in by name, which must be unique. Duplicate user names must be removed.
Remediation script:
# usermod -<options> <username>
|
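The consistency checks behind the rules "root is the only user with UID=0", "All groups specified in /etc/passwd are defined in /etc/group" and the four duplicate-ID rules above, as one added shell example that is not part of the benchmark or of Oracle Solaris. It runs over passwd(4) and group(4) files given as arguments, so it can be pointed at a system's live files or at copies taken for review. The sample files are constructed and seeded with one instance of each defect.

```shell
#!/bin/sh
# Added example: passwd(4)/group(4) consistency checks. Not part of the
# benchmark; the sample files below are constructed.

# audit_ids PASSWD_FILE GROUP_FILE: print one line per finding; return the count.
audit_ids() {
    pw=$1; gr=$2
    findings=$(
        cut -d: -f1 "$pw" | sort | uniq -d | sed 's/^/duplicate user name: /'
        cut -d: -f3 "$pw" | sort | uniq -d | sed 's/^/duplicate UID: /'
        cut -d: -f1 "$gr" | sort | uniq -d | sed 's/^/duplicate group name: /'
        cut -d: -f3 "$gr" | sort | uniq -d | sed 's/^/duplicate GID: /'
        awk -F: '$3 == 0 && $1 != "root" { print "UID 0 account other than root: " $1 }' "$pw"
        # first pass collects GIDs from the group file, second pass checks passwd
        awk -F: 'NR == FNR { gid[$3] = 1; next }
                 !($4 in gid) { print "primary GID " $4 " of " $1 " not in group file" }' "$gr" "$pw"
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    return "$(printf '%s' "$findings" | grep -c '^')"
}

# write_sample_ids DIR: constructed passwd and group files containing a second
# UID 0, a duplicate user name, a duplicate UID, a primary GID that no group
# defines, a duplicate group name and a duplicate GID.
write_sample_ids() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
toor:x:0:0:second UID 0:/:/usr/bin/bash
alice:x:100:10:Alice:/export/home/alice:/usr/bin/bash
alice:x:101:10:duplicate name:/export/home/alice2:/usr/bin/bash
bob:x:102:999:primary GID undefined:/export/home/bob:/usr/bin/bash
carol:x:102:10:duplicate UID:/export/home/carol:/usr/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root::0:
other::1:root
sys::3:root
sys::4:
adm::4:
staff::10:
EOF
}

# Live use:  audit_ids /etc/passwd /etc/group
```

The duplicate checks compare the raw field text, which is what the system does too: "0" and "00" would not collide here and would not collide for login either. Remediation follows the rules above (userdel, usermod -u, groupmod, groupadd).
|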
Inactive user accounts will be locked after 35 daysruleInactive user accounts can provide a back door into the system.
User accounts should be locked after a period of inactivity. The inactivity limit is a
per-account attribute set in days; it is separate from the MAXWEEKS password-aging value
in the /etc/default/passwd file.
Remediation script:
To manually lock an account
# passwd -l <username>
To set the inactivity limit for an existing account
# usermod -f 35 <username>
To set the default for accounts created later
# useradd -D -f 35
|
The default user UMASK is 022ruleUMASK in the /etc/default/login file indicates the permissions on user files
at creation. This value should not allow group or world write. The
default value is 022, which allows group and world to read files owned by a user.
See the login(1) man page.
Remediation script:
# pfedit /etc/default/login
...
# Compliance to the PCI-DSS benchmark is 022 which is the default
#UMASK=077 /** not default value **/
UMASK=022
...
|
Local users are assigned home directoriesruleUsers need a place to store and create files. A home directory enables a user
to place configuration files, such as the .profile file, and ongoing work in a directory
that is owned by the user.
Remediation script:
# useradd -m <login>
|
Home directories for all users existruleUsers need a place to store and create files. A home directory enables
a user to place configuration files, such as the .profile file, and ongoing work
in a directory that is owned by the user.
Remediation script:
# useradd -m <login>
|
User home directories have appropriate permissionsruleHome directories must be writable and searchable by their owners. Typically,
other users do not have rights to modify those files or add files to the user's
home directory.
Remediation script:
# chmod 750 <user-home-dir>
|
User home directory ownership is correctruleThe user must own the user's home directory.
Remediation script:
# chown <username> </path/to/home-dir/username>
|
Find and list .rhosts filesrule.rhosts files can provide easy access to remote hosts by bypassing the
password requirement. These files should be removed.
Remediation script:
# rm </path/to/.rhosts>
|
Find and list .forward filesrule.forward files can provide easy transport of information outside the firewall
or outside the user's home directory.
Remediation script:
# rm </path/to/.forward>
|
Find and list .netrc filesruleThe .netrc file contains data for logging in to a remote
host over the network for file transfers by FTP.
Remediation script:
# rm </path/to/.netrc>
|
Permissions on User .netrc Files are correctruleThe .netrc file contains login credentials to remote systems for file
transfers by FTP. The permissions should be set to disallow read access
by group and others. See the chmod(1) man page.
Remediation script:
# chmod 600 </path/to/.netrc>
|
Permissions on User "." (Hidden) Files are correctruleHidden files in a user's home directory should be owned by the user. Directories
should allow read-write-execute (rwx) permissions to the user only.
Files should allow read-write (rw) permissions to the user only.
Remediation script:
# chmod 600 </path/to/hidden-file>
and
# chmod 700 </path/to/hidden-directory/>
|
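The per-home-directory checks from the rules above (ownership, no group or world write on the home directory, presence of .rhosts, .forward and .netrc, and owner-only modes on hidden files and directories) as one added shell function that is not part of the benchmark or of Oracle Solaris. It reads modes from ls -ld rather than stat(1), which older Solaris releases do not ship. The directory the test builds is constructed.

```shell
#!/bin/sh
# Added example: audit one user's home directory for the conditions the
# home-directory and dot-file rules describe. Not part of the benchmark.

# mode_bits PATH: the six group/other permission characters from ls -ld,
# e.g. "r-xr-x" for mode 755 and "------" for 700 or 600.
mode_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_home DIR OWNER: print one line per finding; return the count.
audit_home() {
    dir=$1; owner=$2; n=0
    actual=$(ls -ld "$dir" | awk '{ print $3 }')
    if [ "$actual" != "$owner" ]; then
        echo "$dir: owned by $actual, expected $owner"; n=$((n+1))
    fi
    # group write is the 2nd character, world write the 5th
    case $(mode_bits "$dir") in
        ?w*|????w?) echo "$dir: group or world writable"; n=$((n+1)) ;;
    esac
    for f in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || continue          # glob matched nothing
        [ -L "$f" ] && continue          # symlinks: judge the target, not the link
        name=${f##*/}
        case $name in
            .rhosts|.netrc|.forward)
                echo "$f: $name present, review or remove"; n=$((n+1)) ;;
        esac
        # hidden directories must be 700 and hidden files 600: nothing for group/other
        case $(mode_bits "$f") in
            ------) ;;
            *) echo "$f: mode allows group/other access"; n=$((n+1)) ;;
        esac
    done
    return $n
}

# Live use, one call per local account (UIDs above the reserved range):
#   awk -F: '$3 > 100 { print $6, $1 }' /etc/passwd |
#       while read d u; do audit_home "$d" "$u"; done
```

A .netrc with mode 644 produces two findings, presence and mode, because the rules treat them separately: the file should normally be removed, and if it is kept it must be 600.
|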