UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SOLARIS 9 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE


Overview

Date Finding Count (142)
2015-09-15 CAT I (High): 3 CAT II (Med): 123 CAT III (Low): 16
STIG Description
The Solaris 9 (SPARC) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-12033 High The root account must be the only account with GID of 0.
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-4273 Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
V-4276 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-4274 Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
V-4275 Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
V-4370 Medium The traceroute command must be group-owned by sys, bin, or root.
V-22561 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
V-22560 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
V-11999 Medium The system must implement non-executable program stacks.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-819 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-818 Medium The audit system must be configured to audit login, logout, and session initiation.
V-815 Medium The audit system must be configured to audit file deletions.
V-814 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-813 Medium System audit logs must have mode 0640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-12031 Medium The nosuid option must be configured in the /etc/rmmount.conf file.
V-4090 Medium All system start-up files must be group-owned by root, sys, or bin.
V-22332 Medium The /etc/passwd file must be owned by root.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-773 Medium The root account must be the only account having an UID of 0.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-4089 Medium All system start-up files must be owned by root.
V-867 Medium The Network Information System (NIS) protocol must not be used.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-790 Medium NIS/NIS+/yp files must be group-owned by root, sys, or bin.
V-981 Medium Cron and crontab directories must be group-owned by root, sys, or bin.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-983 Medium The cronlog file must have mode 0600 or less permissive.
V-985 Medium The at.deny file must not be empty if it exists.
V-984 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-4394 Medium The /etc/syslog.conf file must be group-owned by root, bin, or sys.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-11947 Medium The system must require passwords contain a minimum of 15 characters.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-957 Medium The /usr/aset/userlist file must have mode 0600 or less permissive.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-978 Medium Crontab files must have mode 0600 or less permissive.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-22459 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
V-842 Medium The ftpusers file must be owned by root.
V-22329 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-22328 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
V-22327 Medium The /etc/nsswitch.conf file must be owned by root.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-22456 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-1023 Medium The system must not run an Internet Network News (INN) server.
V-776 Medium The root account's executable search path must be the vendor default and must contain only absolute paths.
V-22600 Medium The /usr/aset/userlist file must be group-owned by root.
V-4245 Medium The /etc/security/audit_user file must have mode 0640 or less permissive.
V-4321 Medium The system must not run Samba unless needed.
V-22320 Medium The /etc/resolv.conf file must be group-owned by root, bin, or sys.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
V-12001 Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
V-907 Medium Run control scripts' executable search paths must contain only absolute paths.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
V-22335 Medium The /etc/group file must be owned by root.
V-22336 Medium The /etc/group file must be group-owned by root, bin, or sys.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22444 Medium The ftpusers file must be group-owned by root, bin, or sys.
V-22333 Medium The /etc/passwd file must be group-owned by root, bin, or sys.
V-916 Medium The /etc/shells (or equivalent) file must exist.
V-12014 Medium All .Xauthority files must have mode 0600 or less permissive.
V-4430 Medium The cron.deny file must be owned by root, bin, or sys.
V-824 Medium The services file must have mode 0444 or less permissive.
V-22383 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-1049 Medium Audio devices must be owned by root.
V-1047 Medium The system must not permit root logins using remote access programs such as SSH.
V-4369 Medium The traceroute command owner must be root.
V-22434 Medium The rexecd service must not be installed.
V-22433 Medium The rlogind service must not be installed.
V-22431 Medium The rshd service must not be installed.
V-840 Medium The ftpusers file must exist.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-11985 Medium All global initialization files' executable search paths must contain only absolute paths.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by bin.
V-4351 Medium The /etc/security/audit_user file must be group-owned by root, sys, or bin.
V-4352 Medium The /etc/security/audit_user file must be owned by root.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-22548 Medium The DHCP client must be disabled if not needed.
V-22702 Medium System audit logs must be group-owned by root, bin, or sys.
V-22398 Medium The at.deny file must be group-owned by root, bin, or sys.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-22397 Medium The at.allow file must be group-owned by root, bin, or sys.
V-22394 Medium The cron.deny file must be group-owned by root, bin, or sys.
V-1056 Medium The smb.conf file must be group-owned by root, bin, or sys.
V-22392 Medium The at.deny file must have mode 0600 or less permissive.
V-22391 Medium The cron.allow file must be group-owned by root, bin, or sys.
V-22427 Medium The services file must be group-owned by root, bin, or sys.
V-823 Medium The services file must be owned by root or bin.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-22295 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
V-836 Medium The system syslog service must log informational and more severe SMTP service messages.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-928 Medium The NFS export configuration file must be owned by root.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-956 Medium The /usr/aset/userlist file must be owned by root.
V-22559 Medium If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
V-955 Medium The /usr/aset/userlist file must exist.
V-4361 Medium The cron.allow file must be owned by root, bin, or sys.
V-1061 Medium Audio devices must be group-owned by root, sys, or bin.
V-22492 Medium The NFS export configuration file must be group-owned by root, bin, or sys.
V-22324 Medium The /etc/hosts file must be group-owned by root, bin, or sys.
V-822 Medium The inetd.conf file must have mode 0440 or less permissive.
V-791 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-793 Medium Library files must have mode 0755 or less permissive.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-22370 Low System audit tool executables must be owned by root.
V-22371 Low System audit tool executables must be group-owned by root, bin, or sys.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-774 Low The root user's home directory must not be the root directory (/).
V-22588 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-23739 Low The system must use a separate filesystem for /tmp (or equivalent).
V-900 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-825 Low Global initialization files must contain the mesg -n or mesg n commands.
V-929 Low The NFS export configuration file must have mode 0644 or less permissive.
V-22578 Low The system must have USB disabled unless needed.
V-11997 Low The kernel core dump data directory must be owned by root.
V-781 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-12003 Low A separate file system must be used for user home directories (such as /home or equivalent).
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.