STIGQter: STIG Summary: Solaris 10 X86 Security Technical Implementation Guide

Version: 1

Release: 26

Benchmark Date: 24 Jan 2020

Name | Title
SV-36752r1_rule | The system must require authentication upon booting into single-user and maintenance modes.
SV-41504r1_rule | Direct logins must not be permitted to shared, default, application, or utility accounts.
SV-27061r2_rule | All accounts on the system must have unique user or account names.
SV-27065r1_rule | All accounts must be assigned unique User Identification Numbers (UIDs).
SV-28596r1_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-27080r1_rule | Successful and unsuccessful logins and logouts must be logged.
SV-39815r1_rule | The system must disable accounts after three consecutive unsuccessful login attempts.
SV-27094r1_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-769r2_rule | The root user must not own the logon session for an application requiring a continuous display.
SV-27105r1_rule | The system must not have accounts configured with blank or null passwords.
SV-39820r1_rule | The root account must be the only account having a UID of 0.
SV-774r2_rule | The root user's home directory must not be the root directory (/).
SV-775r2_rule | The root account's home directory (other than /) must have mode 0700.
SV-776r4_rule | The root account's executable search path must contain only authorized paths.
SV-37075r1_rule | The root account must not have world-writable directories in its executable search path.
SV-27143r1_rule | The system must prevent the root account from directly logging in except from the system console.
SV-28658r1_rule | GIDs reserved for system accounts must not be assigned to non-system groups.
SV-27069r1_rule | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
SV-41526r2_rule | The system must have a host-based intrusion detection tool installed.
SV-40813r2_rule | System security patches and updates must be installed and up-to-date.
SV-39833r1_rule | System files and directories must not have uneven access permissions.
SV-785r2_rule | All files and directories must have a valid owner.
SV-27161r1_rule | All network services daemon files must have mode 0755 or less permissive.
SV-39832r2_rule | System log files must have mode 0640 or less permissive.
SV-788r2_rule | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
SV-27166r1_rule | NIS/NIS+/yp files must be owned by root, sys, or bin.
SV-27171r1_rule | NIS/NIS+/yp files must be group-owned by root, sys, or bin.
SV-27175r1_rule | The NIS/NIS+/yp command files must have mode 0755 or less permissive.
SV-39835r2_rule | Manual page files must have mode 0655 or less permissive.
SV-39821r1_rule | Library files must have mode 0755 or less permissive.
SV-794r4_rule | All system command files must have mode 755 or less permissive.
SV-795r2_rule | All system files, programs, and directories must be owned by a system account.
SV-796r2_rule | System files, programs, and directories must be group-owned by a system group.
SV-39826r1_rule | The /etc/shadow (or equivalent) file must be owned by root.
SV-798r2_rule | The /etc/passwd file must have mode 0644 or less permissive.
SV-800r2_rule | The /etc/shadow (or equivalent) file must have mode 0400.
SV-801r2_rule | The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
SV-802r2_rule | The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
SV-803r2_rule | The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
SV-804r2_rule | The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
SV-39813r2_rule | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
SV-806r2_rule | The sticky bit must be set on all public directories.
SV-807r2_rule | All public directories must be owned by root or an application account.
SV-28641r3_rule | The system and user default umask must be 077.
SV-39834r2_rule | Default system accounts must be disabled or removed.
SV-27266r2_rule | Auditing must be implemented.
SV-27271r1_rule | System audit logs must be owned by root.
SV-27282r1_rule | System audit logs must have mode 0640 or less permissive.
SV-27287r1_rule | The audit system must be configured to audit failed attempts to access files and programs.
SV-27292r1_rule | The audit system must be configured to audit file deletions.
SV-27298r1_rule | The audit system must be configured to audit all administrative, privileged, and security actions.
SV-27303r1_rule | The audit system must be configured to audit login, logout, and session initiation.
SV-27309r1_rule | The audit system must be configured to audit all discretionary access control permission modifications.
SV-39883r1_rule | The inetd.conf file must be owned by root or bin.
SV-39885r1_rule | The inetd.conf file must have mode 0440 or less permissive.
SV-823r2_rule | The services file must be owned by root or bin.
SV-824r2_rule | The services file must have mode 0444 or less permissive.
SV-39828r1_rule | Global initialization files must contain the mesg -n or mesg n commands.
SV-40457r1_rule | The hosts.lpd file (or equivalent) must not contain a "+" character.
SV-37455r3_rule | The hosts.lpd (or equivalent) file must be owned by root.
SV-37457r2_rule | The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
SV-40493r1_rule | The alias file must be owned by root.
SV-40651r1_rule | The alias file must have mode 0644 or less permissive.
SV-833r2_rule | Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
SV-835r2_rule | Sendmail logging must not be set to less than nine in the sendmail.cf file.
SV-41546r1_rule | The system syslog service must log informational and more severe SMTP service messages.
SV-837r2_rule | The SMTP service log file must be owned by root.
SV-838r2_rule | The SMTP service log file must have mode 0644 or less permissive.
SV-28404r1_rule | The ftpusers file must exist.
SV-28407r1_rule | The ftpusers file must contain account names not allowed to use FTP.
SV-28410r1_rule | The ftpusers file must be owned by root.
SV-28413r1_rule | The ftpusers file must have mode 0640 or less permissive.
SV-40816r1_rule | The FTP daemon must be configured for logging or verbose mode.
SV-846r2_rule | Anonymous FTP must not be active on the system unless authorized.
SV-28419r3_rule | The TFTP daemon must operate in secure mode, which provides access only to a single directory on the host file system.
SV-40392r1_rule | The TFTP daemon must have mode 0755 or less permissive.
SV-39825r1_rule | The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
SV-850r2_rule | Any X Windows host must write .Xauthority files.
SV-867r2_rule | The Network Information System (NIS) protocol must not be used.
SV-27184r1_rule | All interactive users must be assigned a home directory in the /etc/passwd file.
SV-27192r1_rule | All interactive user home directories defined in the /etc/passwd file must exist.
SV-901r2_rule | All users' home directories must have mode 0750 or less permissive.
SV-39822r1_rule | All interactive users' home directories must be owned by their respective users.
SV-39823r1_rule | All interactive users' home directories must be group-owned by the home directory owner's primary group.
SV-904r3_rule | All local initialization files must be owned by the user or root.
SV-905r2_rule | All local initialization files must have mode 0740 or less permissive.
SV-27199r2_rule | All run control scripts must have mode 0755 or less permissive.
SV-39837r4_rule | Run control scripts' executable search paths must contain only authorized paths.
SV-39810r1_rule | Run control scripts must not execute world-writable programs or scripts.
SV-913r2_rule | There must be no .netrc files on the system.
SV-39836r1_rule | All files and directories contained in interactive users' home directories must be owned by the home directory's owner.
SV-39840r1_rule | All files and directories contained in users' home directories must have mode 0750 or less permissive.
SV-40806r1_rule | The /etc/shells (or equivalent) file must exist.
SV-917r2_rule | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-39824r1_rule | Accounts must be locked upon 35 days of inactivity.
SV-921r2_rule | All shell files must be owned by root or bin.
SV-922r2_rule | All shell files must have mode 0755 or less permissive.
SV-923r2_rule | The system must be checked for extraneous device files at least weekly.
SV-924r3_rule | Device files and directories must only be writable by users with a system account or as configured by the vendor.
SV-925r2_rule | Device files used for backup must only be readable and/or writable by root or the backup user.
SV-28453r1_rule | Any NIS+ server must be operating at security level 2.
SV-28444r1_rule | The NFS export configuration file must be owned by root.
SV-28446r1_rule | The NFS export configuration file must have mode 0644 or less permissive.
SV-40303r1_rule | All NFS-exported system files and system directories must be owned by root.
SV-40304r1_rule | The NFS anonymous UID and GID must be configured to values that have no permissions.
SV-40305r1_rule | The NFS server must be configured to restrict file system access to local hosts.
SV-40306r1_rule | The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not be set to none.
SV-40307r2_rule | The NFS server must not allow remote root access.
SV-28452r1_rule | The nosuid option must be enabled on all NFS client mounts.
SV-28459r2_rule | The system must use an access control program.
SV-941r2_rule | The system's access control program must log each system access attempt.
SV-953r2_rule | The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct.
SV-36750r1_rule | The asetenv file YPCHECK variable must be set to true when NIS+ is configured.
SV-955r2_rule | The /usr/aset/userlist file must exist.
SV-956r2_rule | The /usr/aset/userlist file must be owned by root.
SV-957r2_rule | The /usr/aset/userlist file must have mode 0600 or less permissive.
SV-27317r1_rule | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
SV-27323r1_rule | The cron.allow file must have mode 0600 or less permissive.
SV-27329r1_rule | Cron must not execute group-writable or world-writable programs.
SV-27331r1_rule | Cron must not execute programs in, or subordinate to, world-writable directories.
SV-27340r1_rule | Crontab files must have mode 0600 or less permissive.
SV-27342r1_rule | Cron and crontab directories must have mode 0755 or less permissive.
SV-27345r1_rule | Cron and crontab directories must be owned by root or bin.
SV-27347r1_rule | Cron and crontab directories must be group-owned by root, sys, or bin.
SV-27349r1_rule | Cron logging must be implemented.
SV-27354r1_rule | The cronlog file must have mode 0600 or less permissive.
SV-27376r1_rule | Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
SV-27380r1_rule | The at.deny file must not be empty if it exists.
SV-27384r1_rule | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
SV-27388r1_rule | The at.allow file must have mode 0600 or less permissive.
SV-40411r1_rule | The "at" daemon must not execute group-writable or world-writable programs.
SV-40412r1_rule | The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
SV-40281r2_rule | SNMP communities, users, and passphrases must be changed from the default.
SV-40262r1_rule | The snmpd.conf file must have mode 0600 or less permissive.
SV-40817r1_rule | Management Information Base (MIB) files must have mode 0640 or less permissive.
SV-1010r3_rule | Public directories must be the only world-writable directories, and world-writable files must be located only in public directories.
SV-27430r1_rule | Inetd or xinetd logging/tracing must be enabled.
SV-1013r2_rule | The system must be configured to only boot from the system boot device.
SV-1023r2_rule | The system must not run an Internet Network News (INN) server.
SV-42313r1_rule | The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
SV-40291r2_rule | The smb.conf file must be owned by root.
SV-40294r2_rule | The smb.conf file must have mode 0644 or less permissive.
SV-40284r1_rule | The smbpasswd file must be owned by root.
SV-40298r2_rule | The smb.conf file must use the hosts option to restrict access to Samba.
SV-39809r1_rule | Users must not be able to change passwords more than once every 24 hours.
SV-1046r2_rule | Root passwords must never be passed over a network in clear text form.
SV-39811r1_rule | The system must not permit root logins using remote access programs such as SSH.
SV-27241r1_rule | Audio devices must have mode 0660 or less permissive.
SV-27246r1_rule | Audio devices must be owned by root.
SV-39890r3_rule | The smb.conf file must be group-owned by root, bin, or sys.
SV-40287r1_rule | The smbpasswd file must be group-owned by root.
SV-40289r1_rule | The smbpasswd file must have mode 0600 or less permissive.
SV-27251r1_rule | Audio devices must be group-owned by root, sys, or bin.
SV-27157r1_rule | The root shell must be located in the / file system.
SV-39814r1_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity, and the system must require users to re-authenticate to unlock the environment.
SV-27132r1_rule | The system must prohibit the reuse of passwords within five iterations.
SV-39812r1_rule | User start-up files must not execute world-writable programs.
SV-27207r1_rule | All system start-up files must be owned by root.
SV-27213r1_rule | All system start-up files must be group-owned by root, sys, or bin.
SV-27219r1_rule | System start-up files must only execute programs owned by a privileged UID or an application.
SV-4245r2_rule | The /etc/security/audit_user file must have mode 0640 or less permissive.
SV-4246r2_rule | System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
SV-41534r1_rule | The system must not use removable media as the boot loader.
SV-4248r3_rule | For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
SV-4249r3_rule | The system boot loader must require authentication.
SV-4250r3_rule | The system's boot loader configuration file(s) must have mode 0600 or less permissive.
SV-4255r2_rule | If the system boots from removable media, it must be stored in a safe or similarly secured container.
SV-4269r3_rule | The system must not have unnecessary accounts.
SV-4273r2_rule | The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
SV-4274r2_rule | The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
SV-4275r2_rule | The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
SV-4276r2_rule | The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
SV-40487r1_rule | Files in /etc/news must be owned by root.
SV-40489r1_rule | The files in /etc/news must be group-owned by root.
SV-39817r1_rule | The SSH daemon must be configured to only use the SSHv2 protocol.
SV-27147r1_rule | Remote consoles must be disabled or protected from unauthorized access.
SV-40041r1_rule | The NFS server must have logging implemented.
SV-40040r3_rule | The system clock must be synchronized to an authoritative DoD time source.
SV-40021r1_rule | The root file system must employ journaling or another mechanism ensuring file system consistency.
SV-4309r2_rule | If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.
SV-4312r2_rule | The /usr/aset/masters/uid_aliases must be empty.
SV-36751r1_rule | The ASET master files must be located in the /usr/aset/masters directory.
SV-4321r2_rule | The system must not run Samba unless needed.
SV-4351r2_rule | The /etc/security/audit_user file must be group-owned by root, sys, or bin.
SV-4352r2_rule | The /etc/security/audit_user file must be owned by root.
SV-4353r2_rule | The /etc/security/audit_user file must not define a different auditing level for specific users.
SV-4357r2_rule | Audit logs must be rotated daily.
SV-27359r1_rule | The cron.deny file must have mode 0600 or less permissive.
SV-27364r1_rule | Cron programs must not set the umask to a value less restrictive than 077.
SV-27366r1_rule | The cron.allow file must be owned by root, bin, or sys.
SV-40391r1_rule | The "at" directory must have mode 0755 or less permissive.
SV-39886r1_rule | The "at" directory must be owned by root, bin, or sys.
SV-40416r1_rule | "At" jobs must not set the umask to a value less restrictive than 077.
SV-27392r1_rule | The at.allow file must be owned by root, bin, or sys.
SV-27396r1_rule | The at.deny file must be owned by root, bin, or sys.
SV-28392r1_rule | The traceroute command owner must be root.
SV-28395r1_rule | The traceroute command must be group-owned by sys, bin, or root.
SV-28399r1_rule | The traceroute file must have mode 0700 or less permissive.
SV-4382r2_rule | Administrative accounts must not run a web browser, except as needed for local service administration.
SV-42310r1_rule | The SMTP service's SMTP greeting must not provide version information.
SV-39827r1_rule | The system must not use .forward files.
SV-4387r2_rule | Anonymous FTP accounts must not have a functional shell.
SV-39838r1_rule | The anonymous FTP account must be configured to use chroot or a similarly isolated environment.
SV-4392r2_rule | If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
SV-4393r2_rule | The /etc/syslog.conf file must be owned by root.
SV-39892r1_rule | The /etc/syslog.conf file must be group-owned by root, bin, or sys.
SV-4395r2_rule | The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
SV-30079r1_rule | The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-4398r2_rule | A system used for routing must not run other network services or applications.
SV-4399r2_rule | The system must not use UDP for NIS/NIS+.
SV-40331r1_rule | All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
SV-40341r1_rule | All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
SV-27371r1_rule | The cron.deny file must be owned by root, bin, or sys.
SV-27435r1_rule | The rsh daemon must not be running.
SV-27438r1_rule | The rexec daemon must not be running.
SV-39819r1_rule | The SMTP service must be an up-to-date version.
SV-42311r1_rule | The Sendmail server must have the debug feature disabled.
SV-42312r1_rule | The SMTP service must not have a uudecode alias active.
SV-4692r2_rule | The SMTP service must not have the EXPN feature active.
SV-4693r2_rule | The SMTP service must not have the VRFY feature active.
SV-4694r2_rule | The Sendmail service must not have the wizard backdoor active.
SV-28423r1_rule | Any active TFTP daemon must be authorized and approved in the system accreditation package.
SV-28428r2_rule | The system must not have the UUCP service active.
SV-4697r2_rule | X displays must not be exported to the world.
SV-27441r2_rule | The system must not have the finger service active.
SV-4702r2_rule | If the system is an anonymous FTP server, it must be isolated to the DMZ network.
SV-27051r1_rule | The operating system must be a supported release.
SV-12442r2_rule | A file integrity baseline must be created and maintained.
SV-28610r2_rule | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-12447r2_rule | UIDs reserved for system accounts must not be assigned to non-system accounts.
SV-27110r2_rule | The system must require passwords to contain a minimum of 15 characters.
SV-27115r1_rule | The system must require passwords to contain at least one uppercase alphabetic character.
SV-27119r1_rule | The system must require passwords to contain at least one numeric character.
SV-27123r1_rule | The system must require passwords to contain at least one special character.
SV-27126r1_rule | The system must require passwords to contain no more than three consecutive repeating characters.
SV-39845r3_rule | User passwords must be changed at least every 60 days.
SV-12478r2_rule | All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
SV-39848r1_rule | The root account must not be used for direct logins.
SV-39850r1_rule | The system must log successful and unsuccessful access to the root account.
SV-39829r1_rule | All global initialization files must have mode 0644 or less permissive.
SV-39830r1_rule | All global initialization files must be owned by root.
SV-39831r1_rule | All global initialization files must be group-owned by root, sys, or bin.
SV-12485r3_rule | All skeleton files and directories (typically in /etc/skel) must be owned by root.
SV-12486r4_rule | All global initialization files' executable search paths must contain only authorized paths.
SV-12487r5_rule | All local initialization files' executable search paths must contain only authorized paths.
SV-12488r2_rule | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
SV-40332r1_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
SV-40334r1_rule | The .rhosts file must not be supported in PAM.
SV-12491r2_rule | All public directories must be group-owned by root or an application group.
SV-27333r1_rule | Crontabs must be owned by root or the crontab creator.
SV-27335r1_rule | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
SV-27400r1_rule | Process core dumps must be disabled unless needed.
SV-27407r1_rule | The kernel core dump data directory must be owned by root.
SV-27412r2_rule | The system must implement non-executable program stacks.
SV-27416r1_rule | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
SV-27420r2_rule | The system must not forward IPv4 source-routed packets.
SV-28618r3_rule | A separate file system must be used for user home directories (such as /home or equivalent).
SV-12505r2_rule | The system must log authentication informational data.
SV-27426r1_rule | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SV-42309r1_rule | The SMTP service HELP command must not be enabled.
SV-28635r1_rule | Unencrypted FTP must not be used on the system.
SV-12512r2_rule | All FTP users must have a default umask of 077.
SV-12515r2_rule | All .Xauthority files must have mode 0600 or less permissive.
SV-12517r2_rule | .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-12518r2_rule | The .Xauthority utility must only permit access to authorized hosts.
SV-12519r2_rule | X Window System connections that are not required must be disabled.
SV-40274r2_rule | The snmpd.conf files must be owned by root.
SV-41515r1_rule | The system must not be used as a syslog server (log host) for systems external to the enclave.
SV-28431r1_rule | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SV-40279r1_rule | The SSH daemon must be configured for IP filtering.
SV-28581r1_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-41525r1_rule | The system must not have a public Instant Messaging (IM) client installed.
SV-12526r2_rule | The system must not have any peer-to-peer file-sharing application installed.
SV-12527r2_rule | NIS maps must be protected through hard-to-guess domain names.
SV-41530r1_rule | The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
SV-41532r1_rule | The system's access control program must be configured to grant or deny system access to specific hosts.
SV-12532r3_rule | The nosuid option must be configured in the /etc/rmmount.conf file.
SV-12533r2_rule | Hidden extended file attributes must not exist on the system.
SV-12534r2_rule | The root account must be the only account with GID of 0.
SV-40811r1_rule | Network analysis tools must not be installed.
SV-28461r6_rule | The system must use a virus scan program.
SV-26291r2_rule | The system clock must be synchronized continuously.
SV-26303r2_rule | The system must use at least two time sources for clock synchronization.
SV-26305r2_rule | The system must use time sources local to the enclave.
SV-26293r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
SV-26296r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
SV-26298r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
SV-26301r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
SV-26310r1_rule | The system must display the date and time of the last successful account login upon login.
SV-39865r1_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-26318r1_rule | The system must enforce compliance of the entire password during authentication.
SV-40776r2_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
SV-40790r2_rule | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-26324r2_rule | The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-26345r1_rule | The system must prevent the use of dictionary words for passwords.
SV-39876r1_rule | The system must restrict the ability to switch to the root user to members of a defined group.
SV-26353r1_rule | The root account's home directory must not have an extended ACL.
SV-26355r1_rule | The root account's library search path must be the system default and must contain only absolute paths.
SV-26357r1_rule | The root account's list of preloaded libraries must be empty.
SV-26358r1_rule | All files and directories must have a valid group-owner.
SV-26361r1_rule | All network services daemon files must not have extended ACLs.
SV-26365r1_rule | All system command files must not have extended ACLs.
SV-26369r1_rule | System log files must not have extended ACLs, except as needed to support authorized software.
SV-26373r1_rule | All manual page files must not have extended ACLs.
SV-26377r1_rule | All library files must not have extended ACLs.
SV-26388r1_rule | NIS/NIS+/yp command files must not have extended ACLs.
SV-26395r1_rule | The /etc/resolv.conf file must be owned by root.
SV-39894r1_rule | The /etc/resolv.conf file must be group-owned by root, bin, or sys.
SV-26397r1_rule | The /etc/resolv.conf file must have mode 0644 or less permissive.
SV-26402r1_rule | The /etc/resolv.conf file must not have an extended ACL.
SV-26410r2_rule | The /etc/hosts file must be owned by root.
SV-39896r1_rule | The /etc/hosts file must be group-owned by root, bin, or sys.
SV-26412r1_rule | The /etc/hosts file must have mode 0644 or less permissive.
SV-26415r1_rule | The /etc/hosts file must not have an extended ACL.
SV-26417r1_rule | The /etc/nsswitch.conf file must be owned by root.
SV-39897r1_rule | The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
SV-26419r1_rule | The /etc/nsswitch.conf file must have mode 0644 or less permissive.
SV-26422r1_rule | The /etc/nsswitch.conf file must not have an extended ACL.
SV-26425r1_rule | The /etc/passwd file must be owned by root.
SV-39898r1_rule | The /etc/passwd file must be group-owned by root, bin, or sys.
SV-26429r1_rule | The /etc/passwd file must not have an extended ACL.
SV-26431r1_rule | The /etc/group file must be owned by root.
SV-39899r1_rule | The /etc/group file must be group-owned by root, bin, or sys.
SV-26433r1_rule | The /etc/group file must have mode 0644 or less permissive.
SV-26436r1_rule | The /etc/group file must not have an extended ACL.
SV-39900r1_rule | The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
SV-26440r1_rule | The /etc/shadow file must not have an extended ACL.
SV-26467r1_rule | The /etc/passwd file must not contain password hashes.
SV-26447r1_rule | The /etc/group file must not contain any group password hashes.
SV-26451r1_rule | Users' home directories must not have extended ACLs.
SV-39877r1_rule | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
SV-26456r1_rule | All files and directories contained in user home directories must not have extended ACLs.
SV-26460r1_rule | All run control scripts must have no extended ACLs.
SV-26462r3_rule | Run control scripts' lists of preloaded libraries must contain only authorized paths.
SV-26464r3_rule | Run control scripts' lists of preloaded libraries must contain only authorized paths.
SV-26471r1_rule | All global initialization files must not have extended ACLs.
SV-26475r1_rule | Skeleton files must not have extended ACLs.
SV-39901r2_rule | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
SV-26478r3_rule | Global initialization files' library search paths must contain only authorized paths.
SV-39839r3_rule | Global initialization files' lists of preloaded libraries must contain only authorized paths.
SV-37101r1_rule | Local initialization files must be group-owned by the user's primary group or root.
SV-26484r1_rule | Local initialization files must not have extended ACLs.
SV-26486r4_rule | Local initialization files' library search paths must contain only authorized paths.
SV-26488r4_rule | Local initialization files' lists of preloaded libraries must contain only authorized paths.
SV-39902r1_rule | All shell files must be group-owned by root, bin, or sys.
SV-26492r1_rule | All shell files must not have extended ACLs.
SV-26496r1_rule | Audio devices must not have extended ACLs.
SV-26502r1_rule | All system audit files must not have extended ACLs.
SV-26505r1_rule | System audit tool executables must be owned by root.
SV-26508r1_rule | System audit tool executables must be group-owned by root, bin, or sys.
SV-26511r1_rule | System audit tool executables must have mode 0750 or less permissive.
SV-26515r1_rule | System audit tool executables must not have extended ACLs.
SV-40562r1_rule | The audit system must alert the SA in the event of an audit processing failure.
SV-40564r1_rule | The audit system must alert the SA when the audit storage volume approaches its capacity.
SV-40605r1_rule | The audit system must be configured to audit account creation.
SV-40607r1_rule | The audit system must be configured to audit account modification.
SV-40610r1_rule | The audit system must be configured to audit account disabling.
SV-40611r1_rule | The audit system must be configured to audit account termination.
SV-26524r1_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-26528r1_rule | The cron.allow file must not have an extended ACL.
SV-41044r1_rule | Crontab files must be group-owned by root, sys, or the crontab creator's primary group.
SV-26534r1_rule | Crontab files must not have extended ACLs.
SV-26538r1_rule | Cron and crontab directories must not have extended ACLs.
SV-26542r1_rule | The cron log files must not have extended ACLs.
SV-26546r1_rule | The cron.deny file must not have an extended ACL.
SV-26550r1_rule | The at.allow file must not have an extended ACL.
SV-26553r1_rule | The cron.allow file must be group-owned by root, bin, or sys.
SV-26556r1_rule | The at.deny file must have mode 0600 or less permissive.
SV-26560r1_rule | The at.deny file must not have an extended ACL.
SV-26563r1_rule | The cron.deny file must be group-owned by root, bin, or sys.
SV-26566r1_rule | The "at" directory must not have an extended ACL.
SV-40414r1_rule | The "at" directory must be group-owned by root, bin, or sys.
SV-26570r1_rule | The at.allow file must be group-owned by root, bin, or sys.
SV-26573r1_rule | The at.deny file must be group-owned by root, bin, or sys.
SV-26576r2_rule | The system must be configured to store any process core dumps in a specific, centralized directory.
SV-26579r1_rule | The centralized process core dump data directory must be owned by root.
SV-26582r2_rule | The centralized process core dump data directory must be group-owned by root, bin, or sys.
SV-26596r1_rule | The centralized process core dump data directory must have mode 0700 or less permissive.
SV-26602r1_rule | The centralized process core dump data directory must not have an extended ACL.
SV-26605r1_rule | Kernel core dumps must be disabled unless needed.
SV-26610r1_rule | The kernel core dump data directory must be group-owned by root.
SV-26614r1_rule | The kernel core dump data directory must have mode 0700 or less permissive.
SV-26618r1_rule | The kernel core dump data directory must not have an extended ACL.
SV-26621r2_rule | The system must not process ICMP timestamp requests.
SV-26622r2_rule | The system must not respond to ICMPv4 echoes sent to a broadcast address.
SV-26624r2_rule | The system must not respond to ICMP timestamp requests sent to a broadcast address.
SV-26626r2_ruleThe system must not apply reversed source routing to TCP responses.
SV-29709r1_ruleThe system must prevent local applications from generating source-routed packets.
SV-29711r2_ruleThe system must not accept source-routed IPv4 packets.
SV-29603r2_ruleProxy ARP must not be enabled on the system.
SV-26630r2_ruleThe system must ignore IPv4 ICMP redirect messages.
SV-26632r2_ruleThe system must not send IPv4 ICMP redirects.
SV-29773r2_ruleThe system must log martian packets.
SV-42308r1_ruleThe system must not be configured for network bridging.
SV-26638r3_ruleAll local file systems must employ journaling or another mechanism ensuring file system consistency.
SV-39884r1_ruleThe inetd.conf file must be group-owned by root, bin, or sys.
SV-26653r1_ruleThe inetd.conf file must not have extended ACLs.
SV-39903r1_ruleThe services file must be group-owned by root, bin, or sys.
SV-26660r1_ruleThe services file must not have an extended ACL.
SV-26664r2_ruleThe portmap or rpcbind service must not be running unless needed.
SV-40810r1_ruleThe portmap or rpcbind service must not be installed unless needed.
SV-26668r1_ruleThe rshd service must not be installed.
SV-39863r1_ruleThe rlogind service must not be running.
SV-26670r1_ruleThe rlogind service must not be installed.
SV-26674r1_ruleThe rexecd service must not be installed.
SV-37456r2_ruleThe hosts.lpd (or equivalent) file must be group-owned by root, bin, or sys.
SV-26678r2_ruleThe hosts.lpd (or equivalent) file must not have an extended ACL.
SV-26682r1_ruleThe traceroute file must not have an extended ACL.
SV-37458r1_ruleThe aliases file must be group-owned by root, sys, smmsp, or bin.
SV-26687r1_ruleThe alias file must not have an extended ACL.
SV-39904r1_ruleFiles executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys.
SV-26696r1_ruleFiles executed through a mail aliases file must not have extended ACLs.
SV-26700r1_ruleThe SMTP service log file must not have an extended ACL.
SV-39905r1_ruleThe ftpusers file must be group-owned by root, bin, or sys.
SV-26707r1_ruleThe ftpusers file must not have an extended ACL.
SV-26711r1_ruleThe .Xauthority files must not have extended ACLs.
SV-26715r1_ruleThe SNMP service must use only SNMPv3 or its successors.
SV-26727r1_ruleManagement Information Base (MIB) files must not have extended ACLs.
SV-26733r1_ruleThe snmpd.conf file must be group-owned by root, sys, or bin.
SV-26737r1_ruleThe snmpd.conf file must not have an extended ACL.
SV-26740r1_ruleThe /etc/syslog.conf file must have mode 0640 or less permissive.
SV-26743r1_ruleThe /etc/syslog.conf file must not have an extended ACL.
SV-26745r1_ruleThe system must use a remote syslog server (log host).
SV-26749r1_ruleThe SSH client must be configured to only use the SSHv2 protocol.
SV-26750r1_ruleThe SSH daemon must only listen on management network addresses unless authorized for uses other than management.
SV-41035r1_ruleThe SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
SV-26752r2_ruleThe SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SV-26753r2_ruleThe SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-26754r1_ruleThe SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-26755r1_ruleThe SSH client must be configured to not use CBC-based ciphers.
SV-26756r2_ruleThe SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-26763r1_ruleThe SSH daemon must restrict login ability to specific users and/or groups.
SV-26764r1_ruleThe SSH public host key files must have mode 0644 or less permissive.
SV-26765r1_ruleThe SSH private host key files must have mode 0600 or less permissive.
SV-26766r1_ruleThe SSH daemon must not permit GSSAPI authentication unless needed.
SV-26767r1_ruleThe SSH client must not permit GSSAPI authentication unless needed.
SV-40400r1_ruleThe SSH daemon must perform strict mode checking of home directory configuration files.
SV-40396r1_ruleThe SSH daemon must not allow rhosts RSA authentication.
SV-26787r1_ruleThe SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-40280r1_ruleThe SSH daemon must be configured with the Department of Defense (DoD) login banner.
SV-26804r1_ruleThe system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-26810r1_ruleThe system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SV-26813r1_ruleThe NFS export configuration file must be group-owned by root, bin, or sys.
SV-26816r1_ruleThe NFS exports configuration file must not have an extended ACL.
SV-26821r2_ruleAll NFS exported system files and system directories must be group-owned by root, bin, or sys.
SV-26824r2_ruleThe smb.conf file must not have an extended ACL.
SV-26828r1_ruleThe smbpasswd file must not have an extended ACL.
SV-40295r2_ruleSamba must be configured to use an authentication mechanism other than "share."
SV-40296r2_ruleSamba must be configured to use encrypted passwords.
SV-40297r2_ruleSamba must be configured to not allow guest access to shares.
SV-26835r1_ruleThe /etc/news/hosts.nntp file must not have an extended ACL.
SV-26842r1_ruleThe /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
SV-26846r1_ruleThe /etc/news/nnrp.access file must not have an extended ACL.
SV-26850r1_ruleThe /etc/news/passwd.nntp file must not have an extended ACL.
SV-26857r1_ruleThe system package management tool must be used to verify system software periodically.
SV-26858r1_ruleThe file integrity tool must be configured to verify ACLs.
SV-26860r1_ruleThe file integrity tool must be configured to verify extended attributes.
SV-26861r1_ruleThe file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
SV-26894r1_ruleThe Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-26902r1_ruleThe Transparent Inter-Process Communication (TIPC) protocol must be disabled or not installed.
SV-26921r1_ruleThe system must not have 6to4 enabled.
SV-26927r1_ruleThe system must not have IP tunnels configured.
SV-26931r1_ruleThe DHCP client must be disabled if not needed.
SV-26937r2_ruleThe system must ignore IPv6 ICMP redirect messages.
SV-26938r2_ruleThe system must not send IPv6 ICMP redirects.
SV-26227r1_ruleThe system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
SV-26940r2_ruleThe system must not forward IPv6 source-routed packets.
SV-41038r1_ruleIf the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SV-40726r1_rule - If the system is using LDAP for authentication or account information, the LDAP client configuration file must have mode 0600 or less permissive.
SV-40727r1_rule - If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
SV-39906r1_rule - If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
SV-40728r1_rule - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
SV-40755r1_rule - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SV-39907r1_rule - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, or sys.
SV-40760r1_rule - If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
SV-37427r1_rule - If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SV-26965r1_rule - Automated file system mounting tools must not be enabled unless needed.
SV-26968r1_rule - The system must have USB disabled unless needed.
SV-26970r4_rule - The system must have USB Mass Storage disabled unless needed.
SV-26972r1_rule - The system must have IEEE 1394 (Firewire) disabled unless needed.
SV-26974r3_rule - The system must employ a local firewall.
SV-26976r2_rule - The system's local firewall must implement a deny-all, allow-by-exception policy.
SV-26985r2_rule - The system's boot loader configuration file(s) must not have extended ACLs.
SV-26987r2_rule - The system's boot loader configuration files must be owned by root.
SV-26989r2_rule - The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
SV-26991r1_rule - The system package management tool must cryptographically verify the authenticity of software packages during installation.
SV-40814r1_rule - The system package management tool must not automatically obtain updates.
SV-27004r1_rule - The /etc/security/audit_user file must not have an extended ACL.
SV-27013r1_rule - The /usr/aset/userlist file must be group-owned by root.
SV-27015r1_rule - The /usr/aset/userlist file must not have an extended ACL.
SV-27016r2_rule - The /etc/zones directory, and its contents, must be owned by root.
SV-27018r2_rule - The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
SV-27019r2_rule - The /etc/zones directory, and its contents, must not be group- or world-writable.
SV-27020r2_rule - The /etc/zones directory, and its contents, must not have an extended ACL.
SV-27022r1_rule - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.
SV-27023r1_rule - The limitpriv zone option must be set to the vendor default or less permissive.
SV-27024r2_rule - The physical devices must not be assigned to non-global zones.
SV-39878r1_rule - The system must not be running any routing protocol daemons, unless the system is a router.
SV-27277r1_rule - System audit logs must be group-owned by root, bin, or sys.
SV-39879r1_rule - The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-28628r2_rule - The system must use a separate file system for the system audit data path.
SV-28632r1_rule - The system must use a separate filesystem for /tmp (or equivalent).
SV-28639r2_rule - TCP backlog queue sizes must be set appropriately.
SV-28908r1_rule - Mail relaying must be restricted.
SV-29785r2_rule - The system must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-39880r1_rule - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-30004r2_rule - The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-39881r2_rule - The system must be configured to send audit records to a remote audit server.
SV-39864r1_rule - The telnet daemon must not be running.
SV-42317r2_rule - The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
SV-87413r1_rule - Wireless network adapters must be disabled.