
Solaris 10 X86 Security Technical Implementation Guide


Overview

Date: 2014-06-27
Finding Count: 182 (CAT I (High): 8, CAT II (Med): 155, CAT III (Low): 19)
STIG Description
The Solaris 10 (X86) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-12033 High The root account must be the only account with GID of 0.
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-11988 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-847 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-24386 High The telnet daemon must not be running.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-4688 High The rexec daemon must not be running.
V-4687 High The rsh daemon must not be running.
V-4273 Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
V-4276 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-4277 Medium Files in /etc/news must be owned by root.
V-4274 Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
V-4275 Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
V-12022 Medium The SSH daemon must be configured for IP filtering.
V-4278 Medium The files in /etc/news must be group-owned by root.
V-4370 Medium The traceroute command must be group-owned by sys, bin, or root.
V-22561 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
V-22560 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
V-831 Medium The alias file must be owned by root.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-22489 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-768 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-819 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-818 Medium The audit system must be configured to audit login, logout, and session initiation.
V-816 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-815 Medium The audit system must be configured to audit file deletions.
V-766 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-813 Medium System audit logs must have mode 0640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-12031 Medium The nosuid option must be configured in the /etc/rmmount.conf file.
V-4090 Medium All system start-up files must be group-owned by root, sys, or bin.
V-22332 Medium The /etc/passwd file must be owned by root.
V-4304 Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
V-4300 Medium The NFS server must have logging implemented.
V-778 Medium The system must prevent the root account from directly logging in except from the system console.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-773 Medium The root account must be the only account having an UID of 0.
V-907 Medium Run control scripts' executable search paths must contain only absolute paths.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-4089 Medium All system start-up files must be owned by root.
V-867 Medium The Network Information System (NIS) protocol must not be used.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-822 Medium The inetd.conf file must have mode 0440 or less permissive.
V-981 Medium Cron and crontab directories must be group-owned by root, sys, or bin.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-983 Medium The cronlog file must have mode 0600 or less permissive.
V-22290 Medium The system clock must be synchronized continuously, or at least daily.
V-985 Medium The at.deny file must not be empty if it exists.
V-984 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-4394 Medium The /etc/syslog.conf file must be group-owned by root, bin, or sys.
V-22582 Medium The system must employ a local firewall.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-957 Medium The /usr/aset/userlist file must have mode 0600 or less permissive.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-978 Medium Crontab files must have mode 0600 or less permissive.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-1027 Medium The smb.conf file must be owned by root.
V-1028 Medium The smb.conf file must have mode 0644 or less permissive.
V-1029 Medium The smbpasswd file must be owned by root.
V-22329 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-22328 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
V-22327 Medium The /etc/nsswitch.conf file must be owned by root.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-22456 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-1023 Medium The system must not run an Internet Network News (INN) server.
V-22604 Medium The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
V-776 Medium The root account's executable search path must be the vendor default and must contain only absolute paths.
V-22600 Medium The /usr/aset/userlist file must be group-owned by root.
V-4245 Medium The /etc/security/audit_user file must have mode 0640 or less permissive.
V-22603 Medium The /etc/zones directory, and its contents, must be owned by root.
V-4321 Medium The system must not run Samba unless needed.
V-22320 Medium The /etc/resolv.conf file must be group-owned by root, bin, or sys.
V-22605 Medium The /etc/zones directory, and its contents, must not be group- or world-writable.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
V-12001 Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
V-22335 Medium The /etc/group file must be owned by root.
V-22336 Medium The /etc/group file must be group-owned by root, bin, or sys.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22444 Medium The ftpusers file must be group-owned by root, bin, or sys.
V-22333 Medium The /etc/passwd file must be group-owned by root, bin, or sys.
V-824 Medium The services file must have mode 0444 or less permissive.
V-11999 Medium The system must implement non-executable program stacks.
V-916 Medium The /etc/shells (or equivalent) file must exist.
V-12014 Medium All .Xauthority files must have mode 0600 or less permissive.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-4430 Medium The cron.deny file must be owned by root, bin, or sys.
V-955 Medium The /usr/aset/userlist file must exist.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-22304 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-22306 Medium The system must require at least four characters be changed between the old and new passwords during a password change.
V-22383 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-1049 Medium Audio devices must be owned by root.
V-1047 Medium The system must not permit root logins using remote access programs such as SSH.
V-22434 Medium The rexecd service must not be installed.
V-22433 Medium The rlogind service must not be installed.
V-22432 Medium The rlogind service must not be running.
V-22431 Medium The rshd service must not be installed.
V-814 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-22459 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
V-11989 Medium The .rhosts file must not be supported in PAM.
V-840 Medium The ftpusers file must exist.
V-811 Medium Auditing must be implemented.
V-842 Medium The ftpusers file must be owned by root.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-11985 Medium All global initialization files' executable search paths must contain only absolute paths.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by bin.
V-1058 Medium The smbpasswd file must be group-owned by root.
V-4351 Medium The /etc/security/audit_user file must be group-owned by root, sys, or bin.
V-4352 Medium The /etc/security/audit_user file must be owned by root.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-22548 Medium The DHCP client must be disabled if not needed.
V-22702 Medium System audit logs must be group-owned by root, bin, or sys.
V-1059 Medium The smbpasswd file must have mode 0600 or less permissive.
V-22429 Medium The portmap or rpcbind service must not be running unless needed.
V-22398 Medium The at.deny file must be group-owned by root, bin, or sys.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-22397 Medium The at.allow file must be group-owned by root, bin, or sys.
V-22394 Medium The cron.deny file must be group-owned by root, bin, or sys.
V-1056 Medium The smb.conf file must be group-owned by root, bin, or sys.
V-22392 Medium The at.deny file must have mode 0600 or less permissive.
V-22391 Medium The cron.allow file must be group-owned by root, bin, or sys.
V-22427 Medium The services file must be group-owned by root, bin, or sys.
V-823 Medium The services file must be owned by root or bin.
V-22295 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-787 Medium System log files must have mode 0640 or less permissive.
V-793 Medium Library files must have mode 0755 or less permissive.
V-22501 Medium Samba must be configured to not allow guest access to shares.
V-836 Medium The system syslog service must log informational and more severe SMTP service messages.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-928 Medium The NFS export configuration file must be owned by root.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-4369 Medium The traceroute command owner must be root.
V-956 Medium The /usr/aset/userlist file must be owned by root.
V-22559 Medium If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-4361 Medium The cron.allow file must be owned by root, bin, or sys.
V-1061 Medium Audio devices must be group-owned by root, sys, or bin.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22492 Medium The NFS export configuration file must be group-owned by root, bin, or sys.
V-22324 Medium The /etc/hosts file must be group-owned by root, bin, or sys.
V-22499 Medium Samba must be configured to use an authentication mechanism other than "share."
V-790 Medium NIS/NIS+/yp files must be group-owned by root, sys, or bin.
V-791 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-4701 Low The system must not have the finger service active.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-22577 Low Automated file system mounting tools must not be enabled unless needed.
V-22370 Low System audit tool executables must be owned by root.
V-22371 Low System audit tool executables must be group-owned by root, bin, or sys.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-774 Low The root user's home directory must not be the root directory (/).
V-22588 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-23739 Low The system must use a separate filesystem for /tmp (or equivalent).
V-900 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-12003 Low A separate file system must be used for user home directories (such as /home or equivalent).
V-825 Low Global initialization files must contain the mesg -n or mesg n commands.
V-22578 Low The system must have USB disabled unless needed.
V-11997 Low The kernel core dump data directory must be owned by root.
V-929 Low The NFS export configuration file must have mode 0644 or less permissive.
V-835 Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-781 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.
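The list above states what must be true but not how to verify it. The following is an added example, not part of the STIG or of the UCF viewer page, showing POSIX-shell audit helpers for a few of the findings: the CAT I account and trust-file checks (V-12033, V-773, V-11988, V-4295) and the large family of "mode NNNN or less permissive / owned by / group-owned by" findings that covers most of the CAT II list. Assumptions of my own: a POSIX shell (ksh or /usr/xpg4/bin/sh on Solaris 10; /bin/sh there is the old Bourne shell) and a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris 10); the function names are mine; and treating a missing Protocol line in sshd_config as a failure is my conservative reading of V-4295, not wording from the STIG. Paths are parameters so the checks can be run against copies of the real files.

```shell
#!/bin/sh
# Added example (not STIG or UCF code): audit helpers for a few findings.
# Every function returns 0 when compliant and prints a FAIL line otherwise.
# Needs a POSIX shell and awk: on Solaris 10 use ksh or /usr/xpg4/bin/sh
# and nawk or /usr/xpg4/bin/awk, not /bin/sh and /usr/bin/awk.

# V-12033 / V-773: root must be the only account with UID 0 or primary GID 0.
check_uid_gid_zero() {
    passwd_file=${1:-/etc/passwd}
    offenders=$(awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$passwd_file")
    [ -z "$offenders" ] && return 0
    printf 'FAIL V-12033/V-773: non-root account(s) with UID or GID 0:%s\n' "$(printf ' %s' $offenders)"
    return 1
}

# V-11988: no hosts.equiv / shosts.equiv in the etc directory and no
# .rhosts / .shosts in any home directory listed in the passwd file.
check_trust_files() {
    passwd_file=${1:-/etc/passwd}
    etc_dir=${2:-/etc}
    found=""
    for f in "$etc_dir/hosts.equiv" "$etc_dir/shosts.equiv"; do
        [ -f "$f" ] && found="$found $f"
    done
    for home in $(awk -F: '$6 != "" { print $6 }' "$passwd_file"); do
        for f in "$home/.rhosts" "$home/.shosts"; do
            [ -f "$f" ] && found="$found $f"
        done
    done
    [ -z "$found" ] && return 0
    printf 'FAIL V-11988: trust file(s) present:%s\n' "$found"
    return 1
}

# V-4295: the first uncommented Protocol directive (the one sshd honours)
# must be exactly "2". A missing directive is treated as a failure here
# (my conservative reading, not STIG wording).
check_ssh_protocol() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || { printf 'FAIL V-4295: %s not readable\n' "$cfg"; return 1; }
    proto=$(awk '$1 !~ /^#/ && tolower($1) == "protocol" { print $2; exit }' "$cfg")
    [ "$proto" = "2" ] && return 0
    printf 'FAIL V-4295: sshd Protocol is "%s" (must be 2)\n' "${proto:-unset}"
    return 1
}

# Convert the nine permission characters from "ls -l" to an octal mode,
# keeping setuid/setgid/sticky: "rw-r-----" -> 640, "rwsr-xr-x" -> 4755.
perm_to_octal() {
    awk -v p="$1" 'BEGIN {
        n = 0; sp = 0
        for (i = 1; i <= 9; i++) {
            c = substr(p, i, 1)
            n = n * 2 + (c == "-" || c == "S" || c == "T" ? 0 : 1)
            if (i == 3 && (c == "s" || c == "S")) sp += 4
            if (i == 6 && (c == "s" || c == "S")) sp += 2
            if (i == 9 && (c == "t" || c == "T")) sp += 1
        }
        printf "%o\n", sp * 512 + n
    }'
}

# 0 if octal mode $1 has no bit set that is clear in octal mode $2, i.e. $1 is
# "$2 or less permissive": 0600 passes a 0640 limit, 0644 and 4640 do not.
mode_within() {
    awk -v a="$1" -v m="$2" 'BEGIN {
        while (length(a) < 4) a = "0" a
        while (length(m) < 4) m = "0" m
        for (i = 1; i <= 4; i++)
            for (b = 4; b >= 1; b /= 2)
                if (int(substr(a, i, 1) / b) % 2 == 1 && int(substr(m, i, 1) / b) % 2 == 0) exit 1
        exit 0
    }'
}

in_list() { for x in $2; do [ "$x" = "$1" ] && return 0; done; return 1; }

# One file against a maximum mode, an allowed-owner list and an allowed-group
# list. check_file /etc/syslog.conf 0640 root "root bin sys" covers V-22453,
# V-4393 and V-4394 in one call; a missing file is reported as a failure.
check_file() {
    file=$1; maxmode=$2; owners=$3; groups=$4
    line=$(ls -ld "$file" 2>/dev/null) || { printf 'FAIL %s: does not exist\n' "$file"; return 1; }
    set -- $line
    actual=$(perm_to_octal "$(printf '%s' "$1" | cut -c2-10)")
    rc=0
    mode_within "$actual" "$maxmode" || { printf 'FAIL %s: mode %s is more permissive than %s\n' "$file" "$actual" "$maxmode"; rc=1; }
    in_list "$3" "$owners" || { printf 'FAIL %s: owner %s not in [%s]\n' "$file" "$3" "$owners"; rc=1; }
    in_list "$4" "$groups" || { printf 'FAIL %s: group %s not in [%s]\n' "$file" "$4" "$groups"; rc=1; }
    return $rc
}
```

On a live host, source the file and call the checks with no arguments (or with real paths), for example `check_file /etc/shadow 0400 root "root bin sys"` for V-800, V-797 and V-22339 together. The mode comparison is deliberately bitwise rather than numeric: "0640 or less permissive" forbids 0644 and 4640 even though 4640 is numerically larger and 0644 only differs in a group-irrelevant bit, and a `[ mode -le 640 ]` style comparison would accept 0640 but also wrongly accept modes such as 0444 being compared against 0600.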