Solaris 11 SPARC Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The system must prevent the use of dictionary words for passwords.

    The use of common words in passwords simplifies password-cracking attacks.
    Rule Medium Severity
  • The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

    Allowing any user to elevate their privileges can allow them excessive control of the system tools.
    Rule Medium Severity
  • The default umask for system and users must be 077.

    Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
    Rule Medium Severity
  • The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.

    This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs a...
    Rule Low Severity
  • The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.

    This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote c...
    Rule Medium Severity
  • The system must ignore ICMP redirect messages.

    Ignoring ICMP redirect messages reduces the likelihood of denial of service attacks.
    Rule Low Severity
  • The system must disable ICMP redirect messages.

    A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in a...
    Rule Low Severity
  • The system must disable TCP reverse IP source routing.

    If enabled, reverse IP source routing would allow an attacker to more easily complete a three-way TCP handshake and spoof new connections.
    Rule Low Severity
  • The system must set the maximum number of half-open TCP connections to 4096.

    This setting controls how many half-open connections can exist for a TCP port. It is necessary to control the number of completed connections to the system to provide some protection against denia...
    Rule Medium Severity
  • The system must implement TCP Wrappers.

    TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP ...
    Rule Low Severity
  • The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.

    Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and ...
    Rule Medium Severity
  • The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

    Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet)....
    Rule Medium Severity
  • The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.

    When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. An organizational assessment of risk gu...
    Rule Medium Severity
  • The operating system must protect the confidentiality and integrity of information at rest.

    When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and d...
    Rule Low Severity
  • There must be no user .rhosts files.

    Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for tho...
    Rule High Severity
  • Reserved UIDs 0-99 must only be used by system accounts.

    If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.
    Rule Medium Severity
  • The operating system must have no unowned files.

    A new user who is assigned a deleted user's user ID or group ID may then end up owning these files, and thus have more access on the system than was intended.
    Rule Medium Severity
  • The system must implement non-executable program stacks.

    A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the spac...
    Rule Medium Severity
  • The system must be configured to store any process core dumps in a specific, centralized directory.

    Specifying a centralized location for core file creation allows for the centralized protection of core files. Process core dumps contain the memory in use by the process when it crashed. Any data t...
    Rule Medium Severity
  • The centralized process core dump data directory must have mode 0700 or less permissive.

    Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the proces...
    Rule Medium Severity