STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide

Version: 1

Release: 20

Benchmark Date: 24 Jan 2020

Name  Title

SV-60657r1_rule  The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
SV-60659r1_rule  The audit system must support an audit reduction capability.
SV-60661r1_rule  The audit system records must be able to be used by a report generation capability.
SV-60663r1_rule  The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
SV-60665r1_rule  The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
SV-60667r1_rule  The operating system must generate audit records for the selected list of auditable events as defined in the DoD list of events.
SV-60669r1_rule  The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
SV-60671r1_rule  Audit records must include what type of events occurred.
SV-60673r1_rule  Audit records must include when (date and time) the events occurred.
SV-60675r1_rule  Audit records must include where the events occurred.
SV-60677r1_rule  Audit records must include the sources of the events that occurred.
SV-60679r1_rule  Audit records must include the outcome (success or failure) of the events that occurred.
SV-60681r2_rule  The audit system must be configured to audit file deletions.
SV-60683r2_rule  The audit system must be configured to audit account creation.
SV-60685r2_rule  The audit system must be configured to audit account modification.
SV-60687r2_rule  The operating system must automatically audit account disabling actions.
SV-60689r2_rule  The operating system must automatically audit account termination.
SV-60691r2_rule  The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
SV-60693r2_rule  The audit system must be configured to audit all administrative, privileged, and security actions.
SV-60695r2_rule  The audit system must be configured to audit login, logout, and session initiation.
SV-60697r2_rule  The audit system must be configured to audit all discretionary access control permission modifications.
SV-60699r2_rule  The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-60701r2_rule  The audit system must be configured to audit failed attempts to access files and programs.
SV-60703r2_rule  The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
SV-60705r1_rule  The auditing system must not define a different auditing level for specific users.
SV-60709r1_rule  The audit system must alert the SA when the audit storage volume approaches its capacity.
SV-60711r1_rule  The audit system must maintain a central audit trail for all zones.
SV-60713r1_rule  The audit system must identify in which zone an event occurred.
SV-60715r1_rule  The system's physical devices must not be assigned to non-global zones.
SV-60717r1_rule  The audit system must alert the System Administrator (SA) if there is any type of audit failure.
SV-60719r1_rule  The operating system must alert designated organizational officials in the event of an audit processing failure.
SV-60731r2_rule  The operating system must allocate audit record storage capacity.
SV-60737r2_rule  The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
SV-60741r1_rule  The operating system must protect audit information from unauthorized read access.
SV-60747r1_rule  The operating system must protect audit information from unauthorized modification.
SV-60751r1_rule  The operating system must protect audit information from unauthorized deletion.
SV-60753r2_rule  The system packages must be up to date with the most recent vendor updates and security fixes.
SV-60755r1_rule  The system must verify that package updates are digitally signed.
SV-60757r1_rule  The operating system must protect audit tools from unauthorized access.
SV-60759r1_rule  The operating system must protect audit tools from unauthorized modification.
SV-60761r1_rule  The operating system must protect audit tools from unauthorized deletion.
SV-60763r1_rule  System packages must be configured with the vendor-provided files, permissions, and ownerships.
SV-60765r1_rule  The finger daemon package must not be installed.
SV-60767r3_rule  The limitpriv zone option must be set to the vendor default or less permissive.
SV-60769r1_rule  The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
SV-60771r1_rule  The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
SV-60773r1_rule  The legacy remote network access utilities daemons must not be installed.
SV-60775r1_rule  The operating system must identify potentially security-relevant error conditions.
SV-60777r1_rule  The NIS package must not be installed.
SV-60779r1_rule  The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
SV-60781r1_rule  The pidgin IM client package must not be installed.
SV-60783r1_rule  The FTP daemon must not be installed unless required.
SV-60785r2_rule  The TFTP service daemon must not be installed unless required.
SV-60787r2_rule  The telnet service daemon must not be installed unless required.
SV-60789r2_rule  The UUCP service daemon must not be installed unless required.
SV-60791r2_rule  The rpcbind service must be configured for local only services unless organizationally defined.
SV-60793r1_rule  The VNC server package must not be installed unless required.
SV-60795r1_rule  The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
SV-60797r1_rule  The operating system must be configured to provide essential capabilities.
SV-60799r1_rule  The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
SV-60801r1_rule  The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
SV-60803r1_rule  Generic Security Services (GSS) must be disabled.
SV-60805r1_rule  System services that are not required must be disabled.
SV-60807r2_rule  TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
SV-60809r1_rule  All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
SV-60811r1_rule  The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
SV-60813r1_rule  The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-60815r2_rule  User passwords must be changed at least every 56 days.
SV-60817r1_rule  The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
SV-60821r1_rule  The operating system must automatically terminate temporary accounts within 72 hours.
SV-60823r1_rule  Intrusion detection and prevention capabilities must be architected and implemented to prevent non-privileged users from circumventing such protections.
SV-60825r2_rule  The operating system must enforce minimum password lifetime restrictions.
SV-60827r3_rule  The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SV-60829r1_rule  User passwords must be at least 15 characters in length.
SV-60831r3_rule  The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SV-60833r1_rule  Users must not reuse the last 5 passwords.
SV-60835r3_rule  The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
SV-60839r2_rule  The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-60841r2_rule  The operating system must prevent the execution of prohibited mobile code.
SV-60843r1_rule  The system must require passwords to contain at least one uppercase alphabetic character.
SV-60845r1_rule  The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
SV-60847r1_rule  The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
SV-60849r1_rule  The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
SV-60851r1_rule  The system must not have any unnecessary accounts.
SV-60853r1_rule  The operating system must enforce password complexity requiring that at least one lowercase character is used.
SV-60855r2_rule  Direct logins must not be permitted to shared, default, application, or utility accounts.
SV-60857r2_rule  The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
SV-60859r1_rule  A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
SV-60861r1_rule  The system must require passwords to contain at least one numeric character.
SV-60863r1_rule  The system must require passwords to contain at least one special character.
SV-60865r1_rule  The system must require passwords to contain no more than three consecutive repeating characters.
SV-60867r2_rule  SNMP communities, users, and passphrases must be changed from the default.
SV-60869r1_rule  The operating system must implement transaction recovery for transaction-based systems.
SV-60871r1_rule  The system must not have accounts configured with blank or null passwords.
SV-60873r4_rule  The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel).
SV-60877r2_rule  System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. (Intel)
SV-60879r1_rule  The kernel core dump data directory must have mode 0700 or less permissive.
SV-60881r1_rule  The kernel core dump data directory must be group-owned by root.
SV-60883r1_rule  The kernel core dump data directory must be owned by root.
SV-60885r1_rule  Kernel core dumps must be disabled unless needed.
SV-60887r1_rule  The centralized process core dump data directory must have mode 0700 or less permissive.
SV-60889r2_rule  The centralized process core dump data directory must be group-owned by root.
SV-60891r1_rule  The centralized process core dump data directory must be owned by root.
SV-60893r2_rule  Process core dumps must be disabled unless needed.
SV-60895r3_rule  Address Space Layout Randomization (ASLR) must be enabled.
SV-60897r2_rule  The system must implement non-executable program stacks.
SV-60899r1_rule  The operating system must be a supported release.
SV-60901r1_rule  The operator must document all file system objects that have non-standard access control list settings.
SV-60903r2_rule  The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
SV-60905r2_rule  The operating system must reveal error messages only to authorized personnel.
SV-60907r1_rule  The root account must be the only account with GID of 0.
SV-60909r2_rule  The operating system must have no files with extended attributes.
SV-60911r1_rule  The operating system must have no unowned files.
SV-60915r1_rule  The delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-60917r4_rule  The system must require users to re-authenticate to unlock a graphical desktop environment.
SV-60919r3_rule  Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
SV-60925r1_rule  The system must prevent the use of dictionary words for passwords.
SV-60927r2_rule  The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
SV-60929r2_rule  The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
SV-60931r2_rule  All valid SUID/SGID files must be documented.
SV-60933r2_rule  The default umask for system and users must be 077.
SV-60935r1_rule  World-writable files must not exist.
SV-60937r1_rule  The system must not allow users to configure .forward files.
SV-60939r2_rule  User .netrc files must not exist.
SV-60941r2_rule  Duplicate group names must not exist.
SV-60943r1_rule  The default umask for FTP users must be 077.
SV-60945r1_rule  Duplicate user names must not exist.
SV-60947r2_rule  The value mesg n must be configured as the default setting for all users.
SV-60949r6_rule  Reserved UIDs 0-99 must only be used by system accounts.
SV-60951r1_rule  User accounts must be locked after 35 days of inactivity.
SV-60953r1_rule  Duplicate Group IDs (GIDs) must not exist for multiple groups.
SV-60955r1_rule  The operating system must manage information system identifiers for users and devices by disabling the user identifier after 35 days of inactivity.
SV-60957r1_rule  Emergency accounts must be locked after 35 days of inactivity.
SV-60959r1_rule  Login services for serial ports must be disabled.
SV-60961r1_rule  The nobody access for the RPC encryption key storage service must be disabled.
SV-60963r1_rule  Duplicate UIDs must not exist for multiple non-organizational users.
SV-60965r1_rule  X11 forwarding for SSH must be disabled.
SV-60967r1_rule  Duplicate User IDs (UIDs) must not exist for users within the organization.
SV-60969r2_rule  All home directories must be owned by the respective user assigned to it in /etc/passwd.
SV-60971r3_rule  Consecutive login attempts for SSH must be limited to 3.
SV-60973r1_rule  The rhost-based authentication for SSH must be disabled.
SV-60975r1_rule  Direct root account login must not be permitted for SSH access.
SV-60977r3_rule  All user accounts must be configured to use a home directory that exists.
SV-60979r2_rule  Login must not be permitted with empty/null passwords for SSH.
SV-60981r1_rule  Users must have a valid home directory assignment.
SV-60983r2_rule  The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
SV-60985r4_rule  Host-based authentication for login-based services must be disabled.
SV-60987r1_rule  Groups assigned to users must exist in the /etc/group file.
SV-60989r1_rule  The use of FTP must be restricted.
SV-60991r1_rule  There must be no user .rhosts files.
SV-60993r1_rule  The system must not allow autologin capabilities from the GNOME desktop.
SV-60995r1_rule  Permissions on user .netrc files must be 750 or less permissive.
SV-60997r3_rule  Unauthorized use of the at or cron capabilities must not be permitted.
SV-60999r1_rule  Logins to the root account must be restricted to the system console only.
SV-61001r1_rule  Permissions on user . (hidden) files must be 750 or less permissive.
SV-61003r1_rule  The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
SV-61005r1_rule  Permissions on user home directories must be 750 or less permissive.
SV-61007r2_rule  The operating system must provide the capability for users to directly initiate session lock mechanisms.
SV-61009r1_rule  The sticky bit must be set on all world writable directories.
SV-61011r2_rule  The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
SV-61013r1_rule  The operating system must protect the integrity of transmitted information.
SV-61015r1_rule  The operating system must not allow logins for users with blank passwords.
SV-61017r1_rule  The operating system must use cryptographic mechanisms to protect the integrity of audit information.
SV-61019r1_rule  The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
SV-61021r1_rule  The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
SV-61023r2_rule  The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
SV-61025r1_rule  The operating system must protect the confidentiality and integrity of information at rest.
SV-61027r1_rule  The operating system must employ cryptographic mechanisms to protect information in storage.
SV-61029r1_rule  The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
SV-61031r1_rule  The operating system must use cryptography to protect the confidentiality of remote access sessions.
SV-61033r1_rule  The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SV-61035r1_rule  The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
SV-61037r1_rule  The system must disable directed broadcast packet forwarding.
SV-61039r1_rule  The operating system must protect the confidentiality of transmitted information.
SV-61041r1_rule  The system must not respond to ICMP timestamp requests.
SV-61043r1_rule  The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
SV-61045r1_rule  The system must not respond to ICMP broadcast timestamp requests.
SV-61047r1_rule  The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
SV-61049r1_rule  The system must not respond to ICMP broadcast netmask requests.
SV-61051r1_rule  The operating system must protect the integrity of transmitted information.
SV-61053r1_rule  The system must not respond to broadcast ICMP echo requests.
SV-61055r1_rule  The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
SV-61057r1_rule  The system must not respond to multicast echo requests.
SV-61059r3_rule  The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
SV-61061r1_rule  The system must ignore ICMP redirect messages.
SV-61063r2_rule  The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
SV-61065r1_rule  The system must set strict multihoming.
SV-61067r1_rule  The operating system must terminate all sessions and network connections when non-local maintenance is completed.
SV-61069r3_rule  The system must disable ICMP redirect messages.
SV-61071r1_rule  The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
SV-61073r1_rule  The system must disable TCP reverse IP source routing.
SV-61075r1_rule  The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
SV-61077r1_rule  The operating system must display the DoD approved system use notification message or banner for SSH connections.
SV-61079r1_rule  The system must set the maximum number of half-open TCP connections to 4096.
SV-61081r1_rule  The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
SV-61083r1_rule  The system must set the maximum number of incoming connections to 1024.
SV-61085r4_rule  The system must prevent local applications from generating source-routed packets.
SV-61087r2_rule  The operating system must enforce requirements for remote connections to the information system.
SV-61089r1_rule  The system must disable network routing unless required.
SV-61091r2_rule  The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers.
SV-61093r2_rule  The system must implement TCP Wrappers.
SV-61095r2_rule  The operating system must use cryptography to protect the integrity of remote access sessions.
SV-61097r2_rule  The operating system must configure the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
SV-61099r2_rule  The operating system must disable the use of organization-defined networking protocols within the operating system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
SV-61101r2_rule  The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.
SV-61103r2_rule  The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
SV-61105r2_rule  The boundary protection system (firewall) must be configured to only allow encrypted protocols to ensure that passwords are transmitted via encryption.
SV-61107r2_rule  The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
SV-61109r2_rule  The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-61111r2_rule  The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
SV-61113r2_rule  The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
SV-61115r4_rule  Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
SV-61117r1_rule  The system must disable accounts after three consecutive unsuccessful login attempts.
SV-62545r1_rule  The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
SV-62549r1_rule  The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
SV-62559r2_rule  The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
SV-74257r1_rule  All run control scripts must have mode 0755 or less permissive.
SV-74259r1_rule  All run control scripts must have no extended ACLs.
SV-74261r3_rule  Run control scripts' executable search paths must contain only authorized paths.
SV-74263r2_rule  Run control scripts' library search paths must contain only authorized paths.
SV-74265r2_rule  Run control scripts' lists of preloaded libraries must contain only authorized paths.
SV-74267r3_rule  Run control scripts must not execute world writable programs or scripts.
SV-74269r1_rule  All system start-up files must be owned by root.
SV-74271r1_rule  All system start-up files must be group-owned by root, sys, or bin.
SV-74273r1_rule  System start-up files must only execute programs owned by a privileged UID or an application.
SV-75471r2_rule  Any X Windows host must write .Xauthority files.
SV-75473r2_rule  All .Xauthority files must have mode 0600 or less permissive.
SV-75491r2_rule  The .Xauthority files must not have extended ACLs.
SV-75493r1_rule  X displays must not be exported to the world.
SV-75495r2_rule  .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-75497r2_rule  The .Xauthority utility must only permit access to authorized hosts.
SV-75499r1_rule  X Window System connections that are not required must be disabled.
SV-87479r2_rule  Wireless network adapters must be disabled.
SV-101309r1_rule  Systems using OpenSSH must be configured per site policy to only allow access by approved networks or hosts.
SV-104855r1_rule  The system must be configured to store any process core dumps in a specific, centralized directory.
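A number of the rules above pin a concrete value rather than a policy: the network rules (directed broadcast forwarding, the ICMP timestamp/netmask/echo replies, redirects, strict multihoming, TCP reverse source routing, the 4096 half-open and 1024 incoming connection limits, routing), the password rules (56-day maximum age, minimum lifetime, 15 characters, 5-deep history, 8 changed characters, one upper/lower/digit/special, no more than three repeats) and the SSH rules (no X11 forwarding, no rhosts, no direct root login, no empty passwords, 3 attempts, 10-minute idle cut-off). The script below is an added example written for this page, not STIGQter's code and not the benchmark's own check text. The expected values are taken from the rule titles; the ipadm property names, the /etc/default/passwd keys and the sshd_config keywords it looks for are assumptions drawn from Solaris 11 and OpenSSH documentation (the STIG's own check procedures may name different settings), and MINWEEKS=1 and ClientAliveCountMax 0 are assumed values the titles do not state. The file name stig_check.sh is hypothetical. `sh stig_check.sh demo` runs the checks against constructed sample files embedded in the script; `sh stig_check.sh live` runs them against the host, which only makes sense as root on Solaris 11.

```shell
#!/bin/sh
# Added example, not code from the STIGQter page or the DISA benchmark: a
# read-only checker for the rules whose titles pin a concrete value.
# Expected values come from the titles; ipadm property names, the
# /etc/default/passwd keys and the sshd_config keywords are assumptions from
# Solaris 11 / OpenSSH documentation. On Solaris: AWK=nawk sh stig_check.sh live
AWK=${AWK:-awk}
# "proto property value" for the network rules (private "_" properties are
# only shown when named with ipadm -p; the live collector below does that).
IPADM_EXPECTED='
ip _forward_directed_broadcasts 0
ip _respond_to_timestamp 0
ip _respond_to_timestamp_broadcast 0
ip _respond_to_address_mask_broadcast 0
ip _respond_to_echo_broadcast 0
ip _respond_to_echo_multicast 0
ip _ignore_redirect 1
ip _send_redirects 0
ip _strict_dst_multihoming 1
tcp _rev_src_routes 0
tcp _conn_req_max_q0 4096
tcp _conn_req_max_q 1024
ipv4 forwarding off
'
# /etc/default/passwd: 56 days = MAXWEEKS 8; MINWEEKS 1 is an assumed value.
PASSWD_EXPECTED='
MAXWEEKS 8
MINWEEKS 1
PASSLENGTH 15
HISTORY 5
MINDIFF 8
MINUPPER 1
MINLOWER 1
MINDIGIT 1
MINSPECIAL 1
MAXREPEATS 3
'
# sshd_config: 10-minute idle cut-off as ClientAliveInterval 600 plus
# ClientAliveCountMax 0 (assumed pairing); MaxAuthTries 3 as the title says.
SSHD_EXPECTED='
X11Forwarding no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 600
ClientAliveCountMax 0
'
# check_ipadm FILE: FILE holds "PROTO PROPERTY CURRENT" lines (output of
# ipadm show-prop -c -o PROTO,PROPERTY,CURRENT with ':' turned into ' ').
# Prints one FAIL line per mismatch or missing property, nothing on success.
check_ipadm() {
    file=$1
    echo "$IPADM_EXPECTED" | while read proto prop want; do
        [ -z "$proto" ] && continue
        got=$($AWK -v p="$proto" -v n="$prop" '$1 == p && $2 == n { print $3 }' "$file")
        [ "$got" = "$want" ] || echo "FAIL $proto $prop: want $want, got ${got:-<unset>}"
    done
}
# check_kv FILE SEP EXPECTED: FILE is KEY<SEP>VALUE ('=' for
# /etc/default/passwd, ' ' for sshd_config); comments are skipped, the last
# assignment wins, keys compare case-insensitively as sshd does. Caveat: sshd
# "Match" blocks are not parsed, so a Match re-enabling X11Forwarding passes.
check_kv() {
    file=$1; sep=$2
    echo "$3" | while read key want; do
        [ -z "$key" ] && continue
        got=$($AWK -F"$sep" -v k="$key" '
            function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
            /^[ \t]*#/ { next }
            tolower(trim($1)) == tolower(k) { v = trim($2) }
            END { print v }' "$file")
        [ "$got" = "$want" ] || echo "FAIL $key: want $want, got ${got:-<unset>}"
    done
}
# Constructed samples (not captured from a real host) with deliberate
# deviations so the demo reports something: 2 ipadm, 3 passwd, 2 sshd.
sample_ipadm() { f=$(mktemp); echo "$IPADM_EXPECTED" | grep . |
    sed -e 's/^\(ip _respond_to_timestamp\) 0$/\1 1/' \
        -e 's/^\(tcp _conn_req_max_q0\) 4096$/\1 128/' > "$f"; echo "$f"; }
sample_passwd() { f=$(mktemp); printf '%s\n' '# sample' MAXWEEKS=8 MINWEEKS=1 \
    PASSLENGTH=8 '#HISTORY=0' MINDIFF=3 MINUPPER=1 MINLOWER=1 MINDIGIT=1 \
    MINSPECIAL=1 MAXREPEATS=3 > "$f"; echo "$f"; }
sample_sshd() { f=$(mktemp); printf '%s\n' '# sample' 'X11Forwarding yes' \
    'IgnoreRhosts yes' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
    'MaxAuthTries 6' 'ClientAliveInterval 600' 'ClientAliveCountMax 0' > "$f"; echo "$f"; }
demo() {
    a=$(sample_ipadm); b=$(sample_passwd); c=$(sample_sshd)
    check_ipadm "$a"; check_kv "$b" = "$PASSWD_EXPECTED"; check_kv "$c" ' ' "$SSHD_EXPECTED"
    rm -f "$a" "$b" "$c"
}
# run_live: collect from the running Solaris 11 host (as root) and check.
run_live() {
    f=$(mktemp) || return 1
    for proto in ip tcp ipv4; do
        props=$(echo "$IPADM_EXPECTED" | $AWK -v p="$proto" '$1 == p { print $2 }' |
                tr '\n' ',' | sed 's/,$//')
        ipadm show-prop -c -o PROTO,PROPERTY,CURRENT -p "$props" "$proto" | tr ':' ' '
    done > "$f"
    check_ipadm "$f"; rm -f "$f"
    check_kv /etc/default/passwd = "$PASSWD_EXPECTED"
    check_kv /etc/ssh/sshd_config ' ' "$SSHD_EXPECTED"
}
case "${1:-}" in demo) demo ;; live) run_live ;; esac
```

A clean run prints nothing; every FAIL line names the setting it could not confirm and what it found, with `<unset>` for a key that is absent or only present in a comment (the sample /etc/default/passwd has HISTORY commented out for exactly that reason). Two points worth keeping in mind when adapting it: the underscore-prefixed ipadm properties are private and are not listed by a bare `ipadm show-prop`, which is why the live collector builds the `-p` list from the expected set per protocol, and the sshd_config parser is deliberately simple, so a `Match` stanza that loosens a setting for one group or address is invisible to it and still needs a manual read.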