Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Any NIS+ server must be operating at security level 2.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-926 | GEN006460 | SV-28453r1_rule | ECSC-1 | Medium |
| Description |
|---|
| If the NIS+ server is not operating in, at least, security level 2, there is no encryption and the system could be penetrated by intruders and/or malicious users. |
| STIG | Date |
|---|---|
| SOLARIS 9 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE | 2015-10-01 |
Details
| Check Text ( C-852r2_chk ) |
|---|
| If the system is not using NIS+, this is not applicable. Check the system to determine if NIS+ security level 2 is implemented. Procedure: # niscat cred.org_dir If the second column does not contain DES, the system is not using NIS+ security level 2, and this is a finding. |
| Fix Text (F-1080r2_fix) |
|---|
| Ensure the NIS+ server is operating at security level 2 by editing /usr/lib/nis/nisserver and ensuring the line containing SEC= is set to the numeral 2, for example: SEC=2 # 2=DES or 3=RSA Security Level 0 is designed for testing and initial setup of the NIS+ namespace. When running at level 0, the daemon does not enforce access control. Any client is allowed to perform any operation, including updates and deletions. Security level 1 accepts AUTH_SYS and AUTH_DES credentials for authenticating clients and authorizing them to perform NIS+ operations. This is not a secure mode of operation since AUTH_SYS credentials are easily forged. It should not be used on networks in which any untrusted user may potentially have access. Security level 2 accepts only AUTH_DES credentials for authentication and authorization. This is the highest level of security currently provided by the NIS+ service and the default security level if the -S option is not used. |