
Solaris 11 X86 Security Technical Implementation Guide


Overview

Date: 2015-06-26
Finding Count: 234 (CAT I (High): 19, CAT II (Med): 162, CAT III (Low): 53)
STIG Description
Developed by Oracle in coordination with DISA for the DoD. The Solaris 11 (X86) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-48107 High Login must not be permitted with empty/null passwords for SSH.
V-47879 High The operating system must protect audit information from unauthorized deletion.
V-47875 High The operating system must protect audit information from unauthorized modification.
V-48119 High There must be no user .rhosts files.
V-47963 High The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
V-48121 High The system must not allow autologin capabilities from the GNOME desktop.
V-47955 High The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
V-47959 High The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
V-48027 High The operating system must be a supported release.
V-61025 High X displays must not be exported to the world.
V-47845 High The operating system must alert designated organizational officials in the event of an audit processing failure.
V-47843 High The audit system must alert the System Administrator (SA) if there is any type of audit failure.
V-48143 High The operating system must not allow logins for users with blank passwords.
V-47995 High SNMP communities, users, and passphrases must be changed from the default.
V-47915 High The telnet service daemon must not be installed unless required.
V-47911 High The FTP daemon must not be installed unless required.
V-47913 High The TFTP service daemon must not be installed unless required.
V-49621 High The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
V-47905 High The NIS package must not be installed.
V-48217 Medium The system must disable network routing unless required.
V-48215 Medium The operating system must enforce requirements for remote connections to the information system.
V-59841 Medium All system start-up files must be group-owned by root, sys, or bin.
V-59843 Medium System start-up files must only execute programs owned by a privileged UID or an application.
V-48103 Medium Direct root account login must not be permitted for SSH access.
V-48101 Medium The rhost-based authentication for SSH must be disabled.
V-48187 Medium The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
V-48183 Medium The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
V-48181 Medium The system must not respond to broadcast ICMP echo requests.
V-48029 Medium The operator must document all file system objects that have non-standard access control list settings.
V-47977 Medium The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-47975 Medium The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-47973 Medium The operating system must conduct backups of operating system documentation, including security-related documentation, per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-47971 Medium The system must require passwords to contain at least one uppercase alphabetic character.
V-48073 Medium Duplicate user names must not exist.
V-48179 Medium The operating system must protect the integrity of transmitted information.
V-48077 Medium Reserved UIDs 0-99 must only be used by system accounts.
V-48079 Medium User accounts must be locked after 35 days of inactivity.
V-48171 Medium The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
V-48175 Medium The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
V-47883 Medium The system must verify that package updates are digitally signed.
V-47881 Medium The System packages must be up to date with the most recent vendor updates and security fixes.
V-48207 Medium The system must set the maximum number of half-open TCP connections to 4096.
V-47887 Medium The operating system must protect audit tools from unauthorized modification.
V-47885 Medium The operating system must protect audit tools from unauthorized access.
V-48115 Medium Groups assigned to users must exist in the /etc/group file.
V-47889 Medium The operating system must protect audit tools from unauthorized deletion.
V-48117 Medium The use of FTP must be restricted.
V-48113 Medium Host-based authentication for login-based services must be disabled.
V-48195 Medium The operating system must terminate all sessions and network connections when non-local maintenance is completed.
V-61005 Medium All .Xauthority files must have mode 0600 or less permissive.
V-61003 Medium Any X Windows host must write .Xauthority files.
V-48191 Medium The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
V-48193 Medium The system must set strict multihoming.
V-47965 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-47809 Medium The audit system must be configured to audit account modification.
V-47967 Medium The system must require at least four characters be changed between the old and new passwords during a password change.
V-47961 Medium Users must not reuse the last 5 passwords.
V-47803 Medium Audit records must include the outcome (success or failure) of the events that occurred.
V-47801 Medium Audit records must include the sources of the events that occurred.
V-47807 Medium The audit system must be configured to audit account creation.
V-47969 Medium The operating system must prevent the execution of prohibited mobile code.
V-47805 Medium The audit system must be configured to audit file deletions.
V-48061 Medium The default umask for system and users must be 077.
V-48063 Medium World-writable files must not exist.
V-48065 Medium The system must not allow users to configure .forward files.
V-48067 Medium User .netrc files must not exist.
V-48069 Medium Duplicate group names must not exist.
V-48219 Medium The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers.
V-48129 Medium Permissions on user . (hidden) files must be 750 or less permissive.
V-47891 Medium System packages must be configured with the vendor-provided files, permissions, and ownerships.
V-48233 Medium The boundary protection system (firewall) must be configured to only allow encrypted protocols to ensure that passwords are transmitted via encryption.
V-48235 Medium The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
V-48237 Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-47899 Medium The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
V-48123 Medium Permissions on user .netrc files must be 750 or less permissive.
V-48125 Medium Unauthorized use of the at or cron capabilities must not be permitted.
V-48127 Medium Logins to the root account must be restricted to the system console only.
V-47953 Medium The operating system must enforce minimum password lifetime restrictions.
V-47957 Medium User passwords must be at least 15 characters in length.
V-47811 Medium The operating system must automatically audit account disabling actions.
V-47813 Medium The operating system must automatically audit account termination.
V-47815 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
V-47817 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-48087 Medium Login services for serial ports must be disabled.
V-48055 Medium The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
V-48057 Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-48053 Medium The system must prevent the use of dictionary words for passwords.
V-48039 Medium The operating system must have no unowned files.
V-48229 Medium The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.
V-48227 Medium The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
V-48035 Medium The root account must be the only account with GID of 0.
V-48225 Medium The operating system must configure the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
V-48223 Medium The operating system must use cryptography to protect the integrity of remote access sessions.
V-48031 Medium The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
V-47821 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-61027 Medium .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
V-61029 Medium The .Xauthority utility must only permit access to authorized hosts.
V-47943 Medium User passwords must be changed at least every 56 days.
V-47941 Medium The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-48043 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-48047 Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
V-48045 Medium The system must require users to re-authenticate to unlock a graphical desktop environment.
V-48231 Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-47823 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-47785 Medium The audit system records must be able to be used by a report generation capability.
V-48025 Medium The system must implement non-executable program stacks.
V-48021 Medium Process core dumps must be disabled unless needed.
V-47835 Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
V-61031 Medium X Window System connections that are not required must be disabled.
V-47939 Medium The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
V-48137 Medium The sticky bit must be set on all world writable directories.
V-47783 Medium The audit system must support an audit reduction capability.
V-47935 Medium TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
V-48239 Medium The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-48135 Medium The operating system must provide the capability for users to directly initiate session lock mechanisms.
V-48133 Medium Permissions on user home directories must be 750 or less permissive.
V-48139 Medium The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
V-48019 Medium The centralized process core dump data directory must be owned by root.
V-59833 Medium Run control scripts library search paths must contain only absolute paths.
V-59835 Medium Run control scripts lists of preloaded libraries must contain only absolute paths.
V-47791 Medium The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.
V-59839 Medium All system start-up files must be owned by root.
V-48241 Medium The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-48013 Medium Kernel core dumps must be disabled unless needed.
V-48243 Medium Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
V-48015 Medium The centralized process core dump data directory must have mode 0700 or less permissive.
V-48245 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-48017 Medium The centralized process core dump data directory must be group-owned by root, bin, or sys.
V-47789 Medium The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
V-48091 Medium Duplicate UIDs must not exist for multiple non-organizational users.
V-48093 Medium X11 forwarding for SSH must be disabled.
V-48095 Medium Duplicate User IDs (UIDs) must not exist for users within the organization.
V-48097 Medium All home directories must be owned by the respective user assigned to it in /etc/passwd.
V-47929 Medium The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
V-47841 Medium The system's physical devices must not be assigned to non-global zones.
V-47921 Medium The VNC server package must not be installed unless required.
V-47923 Medium The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
V-47925 Medium The operating system must be configured to provide essential capabilities.
V-47927 Medium The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
V-48141 Medium The operating system must protect the integrity of transmitted information.
V-48147 Medium The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
V-47797 Medium Audit records must include when (date and time) the events occurred.
V-49635 Medium The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
V-47999 Medium The system must not have accounts configured with blank or null passwords.
V-47781 Medium The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
V-59829 Medium All run control scripts must have no extended ACLs.
V-59827 Medium All run control scripts must have mode 0755 or less permissive.
V-47997 Medium The operating system must implement transaction recovery for transaction-based systems.
V-47991 Medium The system must require passwords to contain at least one special character.
V-47795 Medium Audit records must include what type of events occurred.
V-48089 Medium The nobody access for RPC encryption key storage service must be disabled.
V-47793 Medium The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
V-48085 Medium Emergency accounts must be locked after 35 days of inactivity.
V-47787 Medium The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
V-48083 Medium The operating system must manage information system identifiers for users and devices by disabling the user identifier after 35 days of inactivity.
V-47857 Medium The operating system must allocate audit record storage capacity.
V-59837 Medium Run control scripts must not execute world writable programs or scripts.
V-47919 Medium The rpcbind service must be configured for local only services.
V-48011 Medium The kernel core dump data directory must be owned by root.
V-48157 Medium The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-48159 Medium The operating system must use cryptography to protect the confidentiality of remote access sessions.
V-48081 Medium Duplicate Group IDs (GIDs) must not exist for multiple groups.
V-47989 Medium The system must require passwords to contain at least one numeric character.
V-47983 Medium Direct logins must not be permitted to shared, default, application, or utility accounts.
V-47981 Medium The operating system must enforce password complexity requiring that at least one lowercase character is used.
V-47987 Medium A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
V-47985 Medium The operating system must synchronize internal information system clocks at least once every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-59831 Medium Run control scripts executable search paths must contain only absolute paths.
V-47903 Medium The operating system must identify potentially security-relevant error conditions.
V-47901 Medium The legacy remote network access utilities daemons must not be installed.
V-47799 Medium Audit records must include where the events occurred.
V-61023 Medium The .Xauthority files must not have extended ACLs.
V-49625 Medium The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
V-47863 Medium The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
V-47869 Medium The operating system must protect audit information from unauthorized read access.
V-48007 Medium The kernel core dump data directory must have mode 0700 or less permissive.
V-47907 Medium The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
V-48167 Medium The operating system must protect the confidentiality of transmitted information.
V-48161 Medium The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
V-48163 Medium The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
V-48009 Medium The kernel core dump data directory must be group-owned by root.
V-48213 Low The system must prevent local applications from generating source-routed packets.
V-48211 Low The system must set the maximum number of incoming connections to 1024.
V-48105 Low A user's defined home directory must exist.
V-48185 Low The system must not respond to multicast echo requests.
V-48189 Low The system must ignore ICMP redirect messages.
V-48109 Low Users must have a valid home directory assignment.
V-47979 Low The system must not have any unnecessary accounts.
V-48071 Low The default umask for FTP users must be 077.
V-48075 Low The value mesg n must be configured as the default setting for all users.
V-48173 Low The system must not respond to ICMP broadcast timestamp requests.
V-48177 Low The system must not respond to ICMP broadcast netmask requests.
V-48205 Low The operating system must display the DoD approved system use notification message or banner for SSH connections.
V-48203 Low The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
V-48111 Low The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
V-48197 Low The system must disable ICMP redirect messages.
V-48199 Low The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
V-47893 Low The finger daemon package must not be installed.
V-47895 Low The limitpriv zone option must be set to the vendor default or less permissive.
V-47897 Low The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
V-47951 Low Intrusion detection and prevention capabilities must be architected and implemented to prevent non-privileged users from circumventing such protections.
V-47819 Low The audit system must be configured to audit login, logout, and session initiation.
V-48059 Low All valid SUID/SGID files must be documented.
V-48037 Low The operating system must have no files with extended attributes.
V-48033 Low The operating system must reveal error messages only to authorized personnel.
V-48221 Low The system must implement TCP Wrappers.
V-47825 Low The audit system must be configured to audit failed attempts to access files and programs.
V-47827 Low The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
V-47949 Low The operating system must automatically terminate temporary accounts within 72 hours.
V-47947 Low The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
V-47945 Low The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
V-48151 Low The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
V-48023 Low Address Space Layout Randomization (ASLR) must be enabled.
V-47831 Low The auditing system must not define a different auditing level for specific users.
V-47837 Low The audit system must maintain a central audit trail for all zones.
V-47839 Low The audit system must identify in which zone an event occurred.
V-47933 Low Systems services that are not required must be disabled.
V-47931 Low Generic Security Services (GSS) must be disabled.
V-47937 Low All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
V-48131 Low The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
V-48099 Low Consecutive login attempts for SSH must be limited to 3.
V-48145 Low The operating system must use cryptographic mechanisms to protect the integrity of audit information.
V-48149 Low The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
V-47993 Low The system must require passwords to contain no more than three consecutive repeating characters.
V-47917 Low The UUCP service daemon must not be installed unless required.
V-48201 Low The system must disable TCP reverse IP source routing.
V-48153 Low The operating system must protect the confidentiality and integrity of information at rest.
V-48155 Low The operating system must employ cryptographic mechanisms to protect information in storage.
V-47909 Low The pidgin IM client package must not be installed.
V-48001 Low The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel).
V-48209 Low The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
V-48005 Low System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. (Intel)
V-48169 Low The system must not respond to ICMP timestamp requests.
V-48165 Low The system must disable directed broadcast packet forwarding.