UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SOLARIS 10 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE


Overview

Date Finding Count (184)
2017-07-28 CAT I (High): 12 CAT II (Med): 155 CAT III (Low): 17
STIG Description
The Solaris 10 (X86) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-12033 High The root account must be the only account with GID of 0.
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-770 High The system must not have accounts configured with blank or null passwords.
V-4249 High The system boot loader must require authentication.
V-4248 High For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
V-848 High The TFTP daemon must have mode 0755 or less permissive.
V-11988 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-847 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-24386 High The telnet daemon must not be running.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-4688 High The rexec daemon must not be running.
V-4687 High The rsh daemon must not be running.
V-4273 Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
V-4276 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-4277 Medium Files in /etc/news must be owned by root.
V-4274 Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
V-4275 Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
V-12022 Medium The SSH daemon must be configured for IP filtering.
V-4278 Medium The files in /etc/news must be group-owned by root.
V-4370 Medium The traceroute command must be group-owned by sys, bin, or root.
V-22561 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
V-22560 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
V-831 Medium The alias file must be owned by root.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-22489 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-768 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-1027 Medium The smb.conf file must be owned by root.
V-818 Medium The audit system must be configured to audit login, logout, and session initiation.
V-816 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-815 Medium The audit system must be configured to audit file deletions.
V-766 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-813 Medium System audit logs must have mode 0640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-12031 Medium The nosuid option must be configured in the /etc/rmmount.conf file.
V-4090 Medium All system start-up files must be group-owned by root, sys, or bin.
V-22332 Medium The /etc/passwd file must be owned by root.
V-4304 Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
V-4300 Medium The NFS server must have logging implemented.
V-778 Medium The system must prevent the root account from directly logging in except from the system console.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-773 Medium The root account must be the only account having an UID of 0.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-4089 Medium All system start-up files must be owned by root.
V-867 Medium The Network Information System (NIS) protocol must not be used.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-822 Medium The inetd.conf file must have mode 0440 or less permissive.
V-981 Medium Cron and crontab directories must be group-owned by root, sys, or bin.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-983 Medium The cronlog file must have mode 0600 or less permissive.
V-22290 Medium The system clock must be synchronized continuously.
V-985 Medium The at.deny file must not be empty if it exists.
V-984 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-4394 Medium The /etc/syslog.conf file must be group-owned by root, bin, or sys.
V-22582 Medium The system must employ a local firewall.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-11947 Medium The system must require passwords contain a minimum of 15 characters.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-957 Medium The /usr/aset/userlist file must have mode 0600 or less permissive.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-978 Medium Crontab files must have mode 0600 or less permissive.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-1028 Medium The smb.conf file must have mode 0644 or less permissive.
V-1029 Medium The smbpasswd file must be owned by root.
V-22329 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-22328 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
V-22327 Medium The /etc/nsswitch.conf file must be owned by root.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-22456 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-22323 Medium The /etc/hosts file must be owned by root.
V-4245 Medium The /etc/security/audit_user file must have mode 0640 or less permissive.
V-1023 Medium The system must not run an Internet Network News (INN) server.
V-22604 Medium The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
V-776 Medium The root accounts executable search path must contain only authorized paths.
V-22600 Medium The /usr/aset/userlist file must be group-owned by root.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-22603 Medium The /etc/zones directory, and its contents, must be owned by root.
V-4321 Medium The system must not run Samba unless needed.
V-22320 Medium The /etc/resolv.conf file must be group-owned by root, bin, or sys.
V-22605 Medium The /etc/zones directory, and its contents, must not be group- or world-writable.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
V-12001 Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
V-907 Medium Run control scripts executable search paths must contain only authorized paths.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
V-22335 Medium The /etc/group file must be owned by root.
V-22336 Medium The /etc/group file must be group-owned by root, bin, or sys.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22444 Medium The ftpusers file must be group-owned by root, bin, or sys.
V-22333 Medium The /etc/passwd file must be group-owned by root, bin, or sys.
V-824 Medium The services file must have mode 0444 or less permissive.
V-11999 Medium The system must implement non-executable program stacks.
V-916 Medium The /etc/shells (or equivalent) file must exist.
V-12014 Medium All .Xauthority files must have mode 0600 or less permissive.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-4430 Medium The cron.deny file must be owned by root, bin, or sys.
V-955 Medium The /usr/aset/userlist file must exist.
V-819 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-22304 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-22306 Medium The system must require at least eight characters be changed between the old and new passwords during a password change.
V-22383 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-1049 Medium Audio devices must be owned by root.
V-1047 Medium The system must not permit root logins using remote access programs such as SSH.
V-22434 Medium The rexecd service must not be installed.
V-22433 Medium The rlogind service must not be installed.
V-22432 Medium The rlogind service must not be running.
V-22431 Medium The rshd service must not be installed.
V-814 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-22459 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
V-11989 Medium The .rhosts file must not be supported in PAM.
V-840 Medium The ftpusers file must exist.
V-842 Medium The ftpusers file must be owned by root.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-11985 Medium All global initialization files executable search paths must contain only authorized paths.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by bin.
V-1058 Medium The smbpasswd file must be group-owned by root.
V-4351 Medium The /etc/security/audit_user file must be group-owned by root, sys, or bin.
V-4352 Medium The /etc/security/audit_user file must be owned by root.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-22548 Medium The DHCP client must be disabled if not needed.
V-22702 Medium System audit logs must be group-owned by root, bin, or sys.
V-1059 Medium The smbpasswd file must have mode 0600 or less permissive.
V-22429 Medium The portmap or rpcbind service must not be running unless needed.
V-22398 Medium The at.deny file must be group-owned by root, bin, or sys.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-22397 Medium The at.allow file must be group-owned by root, bin, or sys.
V-22394 Medium The cron.deny file must be group-owned by root, bin, or sys.
V-1056 Medium The smb.conf file must be group-owned by root, bin, or sys.
V-22392 Medium The at.deny file must have mode 0600 or less permissive.
V-22391 Medium The cron.allow file must be group-owned by root, bin, or sys.
V-22427 Medium The services file must be group-owned by root, bin, or sys.
V-823 Medium The services file must be owned by root or bin.
V-22295 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-787 Medium System log files must have mode 0640 or less permissive.
V-793 Medium Library files must have mode 0755 or less permissive.
V-22501 Medium Samba must be configured to not allow guest access to shares.
V-836 Medium The system syslog service must log informational and more severe SMTP service messages.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-928 Medium The NFS export configuration file must be owned by root.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-4369 Medium The traceroute command owner must be root.
V-956 Medium The /usr/aset/userlist file must be owned by root.
V-22559 Medium If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-4361 Medium The cron.allow file must be owned by root, bin, or sys.
V-1061 Medium Audio devices must be group-owned by root, sys, or bin.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22492 Medium The NFS export configuration file must be group-owned by root, bin, or sys.
V-22324 Medium The /etc/hosts file must be group-owned by root, bin, or sys.
V-22499 Medium Samba must be configured to use an authentication mechanism other than "share."
V-790 Medium NIS/NIS+/yp files must be group-owned by root, sys, or bin.
V-791 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-4701 Low The system must not have the finger service active.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-22577 Low Automated file system mounting tools must not be enabled unless needed.
V-22370 Low System audit tool executables must be owned by root.
V-22371 Low System audit tool executables must be group-owned by root, bin, or sys.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-774 Low The root user's home directory must not be the root directory (/).
V-22588 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-23739 Low The system must use a separate filesystem for /tmp (or equivalent).
V-825 Low Global initialization files must contain the mesg -n or mesg n commands.
V-22578 Low The system must have USB disabled unless needed.
V-11997 Low The kernel core dump data directory must be owned by root.
V-929 Low The NFS export configuration file must have mode 0644 or less permissive.
V-835 Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-781 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.