UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.


Overview

Finding ID Version Rule ID IA Controls Severity
V-48241 SOL-11.1-050190 SV-61113r1_rule Medium
Description
Non-local maintenance and diagnostic communications often contain sensitive information and must be protected. This data's integrity and confidentiality can be ensured by sending non-local maintenance and diagnostic communications through encrypted channels enforced via firewall configurations.
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2017-03-02

Details

Check Text ( C-50673r1_chk )
The IP Filter Management profile is required.

Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required.

Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

this is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.
Fix Text (F-51849r1_fix)
The root role is required.

Configure and enable the IP Filters policy.

# pfedit /etc/ipf/ipf.conf.

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf


Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.