{
"stig": {
"date": "2015-04-02",
"description": "The Sun Ray 4 Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-16397": {
"checkid": "C-17275r1_chk",
"checktext": "Request a copy of all the Sun Ray infrastructure documentation. Documentation must include all routers, switches, servers (Solaris, Windows), applications (such as Citrix XenApp and Sun Ray Software), Sun Ray Desktop Units, IP addresses, and any third party applications. If the documentation does not include all of these components, this is a finding.",
"description": "Without current and accurate documentation, any changes to the Sun Ray infrastructure may jeopardize the network\u2019s integrity. To assist in the management, auditing, and security of the network, facility drawings and topology maps are a necessity. Topology maps and documentation are important because they show the overall layout of the network infrastructure and where devices are physically located. They also show the relationship and inter-connectivity between devices and where possible intrusive attacks could take place. If an incident were to occur, the lack of documentation would impact the ability to respond. Additionally, documentation along with diagrams of the network topology are required to be submitted to the Connection Approval Process (CAP) for approval to connect to the NIPRNet or SIPRNet.",
"fixid": "F-16427r1_fix",
"fixtext": "Develop up-to-date documentation for the Sun Ray infrastructure.",
"iacontrols": [
"DCSW-1"
],
"id": "V-16397",
"ruleID": "SV-17390r1_rule",
"severity": "medium",
"title": "There is no up-to-date documentation or diagrams of the Sun Ray infrastructure.",
"version": "SUN0010"
},
"V-16400": {
"checkid": "C-17276r1_chk",
"checktext": "Request a copy of the user registration documentation from the IAO/SA. Review the document for step-by-step procedures in registering users in the Sun Ray System.",
"description": "Without proper user registration documentation, users and system administrators may not register users in the Sun Ray system properly and potentially grant users more privileges than necessary.",
"fixid": "F-16430r1_fix",
"fixtext": "Develop Sun Ray system user registration documentation.",
"iacontrols": [
"ECSC-1"
],
"id": "V-16400",
"ruleID": "SV-17393r1_rule",
"severity": "low",
"title": "User Registration process is not clearly documented.",
"version": "SUN0060"
},
"V-16409": {
"checkid": "C-17277r1_chk",
"checktext": "Ask the IAO/SA to provide actual update notification or email to verify that they are on the subscription list. The email subscription for Sun is the SunSolve Patch Club Report and it is sent out weekly by Sun. If no emails or documentation can be provided, this is a finding.",
"description": "Organizations need to stay current with all applicable Sun Ray Server software updates that are released from Sun. In order to be aware of updates as they are released, Sun Ray system administrators will subscribe to Sun Ray Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New Sun Ray Server patches and updates should be reviewed for the Sun Ray Server before moving them into a production environment.",
"fixid": "F-16435r1_fix",
"fixtext": "Access Sun Microsystem's website and update your profile by going to subscriptions and select the SunSolve Patch Club Report. This will ensure you get emails on all new and updated patches through SunSolve.",
"iacontrols": [
"ECSC-1"
],
"id": "V-16409",
"ruleID": "SV-17402r1_rule",
"severity": "medium",
"title": "The IAO/SA is not receiving Sun Ray security and patch notifications.",
"version": "SUN0100"
},
"V-16411": {
"checkid": "C-17281r1_chk",
"checktext": "Request a copy of the documentation that lists all approved applications. If unapproved applications are published to users that are not on the list, this is a finding. If no list exists, this is a finding.",
"description": "Publishing applications to users via the Kiosk mode bypasses a login mode. Therefore, some applications may or may not provide security to identify and authorize users to the application. For instance, adding the xterm application provides users with access to a command-line interface from a Kiosk mode session. This is not ideal since users should not be able to access the server\u2019s command line functionality. Therefore, only approved applications will be published to users. ",
"fixid": "F-16436r1_fix",
"fixtext": "Document and approve all published applications running on the Sun Ray network.",
"iacontrols": [
"ECSC-1"
],
"id": "V-16411",
"ruleID": "SV-17404r1_rule",
"severity": "medium",
"title": "Applications published to users are not approved by the IAO/SA. ",
"version": "SUN0150"
},
"V-16412": {
"checkid": "C-17282r1_chk",
"checktext": "Ask the IAO/SA what applications are running on the SRSS. Besides the documented UNIX services, the SRSS may have the following running as part of the Sun Ray solution and these are not applicable to this check:\n- DHCP Server\n- Sun Ray Connector for Windows OS \n",
"description": "The availability of the Sun Ray Session Server (SRSS) is critical since it manages the sessions associated with the Desktop Units. The Sun Ray software controls user authentication, encryption between Sun Ray servers and Desktop Units, system administration tools, session management, policy enforcement, and device management. If other applications are competing for or using hardware resources, the availability of the SRSS may be at risk. Furthermore, application programs such as web servers, databases, or messaging systems may provide an avenue by which a privileged user may unintentionally introduce malicious code.",
"fixid": "F-16437r1_fix",
"fixtext": "Remove all applications that are not required for the SRSS.",
"iacontrols": [
"DCBP-1"
],
"id": "V-16412",
"ruleID": "SV-17405r1_rule",
"severity": "medium",
"title": "The Sun Ray Session Server (SRSS) is used to host other applications.",
"version": "SUN0220"
},
"V-16413": {
"checkid": "C-17296r1_chk",
"checktext": "Critical Sun Ray log files are the administration, authentication, automatic mounting, mass storage devices, messages, and web administration. These logs are listed below. Ask the IAO/SA if Sun Ray logs are reviewed weekly.\n\n# ls -lL /var/opt/SUNWut/log | less\n\nadmin_log\nauth_log\nutmountd.log\nutstoraged.log\nmessages\nutwebadmin.log\n\nIf these logs are being written to an external syslog server, ask the IAO/SA if these are reviewed weekly.\n",
"description": "If a system administrator does not review Sun Ray logs weekly, there is the potential that an attack or other security issue can go unnoticed for a week or more, which is unacceptable in DoD environments.",
"fixid": "F-16439r1_fix",
"fixtext": "Review Sun Ray logs at a minimum weekly.",
"iacontrols": [
"ECAT-1",
"ECAT-2"
],
"id": "V-16413",
"ruleID": "SV-17406r1_rule",
"severity": "medium",
"title": "The Sun Ray system and user logs are not reviewed weekly.",
"version": "SUN0240"
},
"V-16414": {
"checkid": "C-17297r1_chk",
"checktext": "Ask for a copy of the site\u2019s Continuity of Operations Planning (COOP). Verify the Sun Ray system is specifically mentioned in the plan. Ensure the plan addresses the restoration of the Sun Ray system within 24 hours of activation of the COOP. Additionally, ensure that the Sun Ray system restoration is validated at least annually as part of the normal COOP testing process. If any of these requirements is not met, this is a finding.",
"description": "If the disaster recovery plan does not include the Sun Ray system, recovering from a disaster would not be possible. All peripherals and necessary equipment must be included in the disaster recovery plan to ensure a successful restoration of data, servers, and clients is possible.",
"fixid": "F-16440r1_fix",
"fixtext": "Add the Sun Ray system to the COOP. ",
"iacontrols": [
"CODP-1",
"CODP-2",
"CODP-3"
],
"id": "V-16414",
"ruleID": "SV-17407r1_rule",
"severity": "medium",
"title": "The disaster recovery plan does not include the Sun Ray system (network infrastructure and peripherals).",
"version": "SUN0280"
},
"V-16415": {
"checkid": "C-17300r1_chk",
"checktext": "Request a copy of the procedures to backup the Sun Ray system. If the documentation cannot be produced, this is a finding.",
"description": "Backup and recovery procedures are critical to the availability and protection of the Sun Ray system. Availability of the system will be hindered if the system is compromised, shut down, or not available. Backup and recovery of the Sun Ray system includes the operating system, applications, and databases. Due to the complexity of the Sun Ray system and potential third party applications, procedures will need to be developed to provide guidance to system administrators. Without a process in place describing the steps to back up and recover the Sun Ray system, backups and recoveries may be inconsistent based on the system administrator performing the action. Furthermore, if a system administrator leaves the position, there will be no documentation on the process to back up or recover the system.",
"fixid": "F-16441r1_fix",
"fixtext": "Produce backup documentation for the Sun Ray system.",
"iacontrols": [
"DCSD-1"
],
"id": "V-16415",
"ruleID": "SV-17411r1_rule",
"severity": "low",
"title": "There are no backup and recovery procedures for the Sun Ray system.",
"version": "SUN0290"
},
"V-16416": {
"checkid": "C-17301r1_chk",
"checktext": "Ask the IAO/SA to show you where the spare Desktop Units are located in case of a failure. If no spares exist, this is a finding.",
"description": "Users will not be able to access the required applications for their job function if the Sun Ray Desktop Unit fails or malfunctions. Having a spare Sun Ray Desktop Unit will provide users a quick replacement of the failed unit, while giving them minimal downtime. ",
"fixid": "F-16442r1_fix",
"fixtext": "Purchase a spare Desktop Unit in case of a failure. ",
"iacontrols": [
"DCHW-1"
],
"id": "V-16416",
"ruleID": "SV-17412r1_rule",
"severity": "medium",
"title": "There is no spare Sun Ray Desktop Unit available for use in the event of a Sun Ray Desktop Unit malfunction or failure.",
"version": "SUN0300"
},
"V-16417": {
"checkid": "C-17302r1_chk",
"checktext": "Ask to see the documented configuration management process for the Sun Ray system.\nEnsure that the plan includes a site Configuration Control Board (CCB). If a plan that includes a CCB exists, this is not a finding. If a plan exists but does not include a CCB, or there is no plan, this is a finding.\n",
"description": "Security integrity of the system and the ability to back up and recover from failures cannot be maintained without control of the system configuration. Unless the configuration is controlled by an independent board, it is much less likely to be in its approved accredited state.",
"fixid": "F-16443r1_fix",
"fixtext": "Implement a configuration management process for the Sun Ray system.",
"iacontrols": [
"DCCB-1"
],
"id": "V-16417",
"ruleID": "SV-17413r1_rule",
"severity": "medium",
"title": "The Sun Ray system is not under direct control of a site Configuration Control Board.",
"version": "SUN0350"
},
"V-16418": {
"checkid": "C-17303r1_chk",
"checktext": "If either inbound or outbound traffic to the Sun Ray server is leaving the local enclave, verify that the server has been registered in the Ports and Protocols (PNP) database (https://pnp.cert.smil.mil) for the site. If it is not registered, this is a finding. If the traffic is completely contained within the local enclave, this requirement does not apply.\n",
"description": "DoDI 8550.1 Ports, Protocols, and Services Management (PPSM) is the DoD\u2019s policy on IP Ports, Protocols, and Services (PPS). It controls the PPS that are permitted or approved to cross DoD network boundaries. Standard well-known and registered IP ports and associated protocols and services are assessed for vulnerabilities and threats to the entire Global Information Grid (GIG), which includes the DISN backbone networks. The results are published in a Vulnerability Assessment (VA) report. Each port and protocol is given a rating of green, yellow, orange, or red in association with each of the 16 defined boundary types. Green means the protocol is relatively secure and is approved to cross the associated boundary without restrictions. Yellow means the protocol has security issues that must be mitigated to be used. Red means that the protocol is prohibited due to vulnerabilities that cannot be mitigated or approved, and is banned when crossing that boundary. The orange category requires DSAWG approval if the protocol exists and is necessary on the network. However, the orange category mandates that new systems and applications must not be developed using this protocol whether it crosses a boundary or not.\n\nThe PPS Assurance Categories Assignment List (CAL) contains information regarding the assessed ports and protocols and defined boundaries, which is updated on a monthly basis. The PPSM information is available on the IASE and DKO/DoD IA Portal web sites. A portion of the DoDI 8550.1 PPS policy requires registration of those PPS that cross any of the boundaries defined by the policy that are \u201cvisible to DoD-managed components\u201d. Therefore, to comply with the policy and ensure that protocols and ports are acceptable, Sun Ray servers will be registered as automated information systems (AIS) with their associated TCP or UDP ports in the DoD Ports and Protocol Registration System.",
"fixid": "F-16444r1_fix",
"fixtext": "Register all Sun Ray traffic that is leaving the local enclave in the PNP database for the site.",
"iacontrols": [
"DCPP-1"
],
"id": "V-16418",
"ruleID": "SV-17414r1_rule",
"severity": "medium",
"title": "The site has not configured the Sun Ray server in the PNP database.",
"version": "SUN0360"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-16397": "true",
"V-16400": "true",
"V-16409": "true",
"V-16411": "true",
"V-16412": "true",
"V-16413": "true",
"V-16414": "true",
"V-16415": "true",
"V-16416": "true",
"V-16417": "true",
"V-16418": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "sun_ray_4_policy",
"title": "Sun Ray 4 Policy STIG",
"version": "1"
}
}