Solaris 11 SPARC Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.

    FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules.
    Rule Medium Severity
  • SRG-OS-000423

    Group
  • SRG-OS-000424

    Group
  • The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

    Ensuring that transmitted information is not altered during transmission requires the operating system take feasible measures to employ transmission layer security. This requirement applies to comm...
    Rule Medium Severity
  • SRG-OS-000425

    Group
  • The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.

    Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across inter...
    Rule Medium Severity
  • SRG-OS-000423

    Group
  • The operating system must protect the confidentiality of transmitted information.

    Ensuring the confidentiality of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across...
    Rule Medium Severity
  • SRG-OS-000424

    Group
  • SRG-OS-000425

    Group
  • The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.

    Ensuring that transmitted information remains confidential during aggregation, packaging, and transformation requires the operating system take feasible measures to employ transmission layer securi...
    Rule Medium Severity
  • SRG-OS-000404

    Group
  • SRG-OS-000404

    Group
  • The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.

    When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and d...
    Rule Low Severity
  • SRG-OS-000423

    Group
  • The operating system must protect the integrity of transmitted information.

    Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across inter...
    Rule Medium Severity
  • SRG-OS-000327

    Group
  • SRG-OS-000356

    Group
  • The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

    To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including time-based login and activity restrictions, automa...
    Rule Medium Severity
  • SRG-OS-000445

    Group
  • SRG-OS-000324

    Group
  • The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.

    In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves v...
    Rule Medium Severity
  • SRG-OS-000445

    Group
  • The operating system must identify potentially security-relevant error conditions.

    Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to...
    Rule Medium Severity
  • SRG-OS-000480

    Group
  • The sshd server must bind the X11 forwarding server to the loopback address.

    As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as key...
    Rule Medium Severity
  • Audit records must include when (date and time) the events occurred.

    Without accurate time stamps malicious activity cannot be accurately tracked.
    Rule Medium Severity
  • Audit records must include the sources of the events that occurred.

    Without accurate source information malicious activity cannot be accurately tracked.
    Rule Medium Severity
  • The audit system must be configured to audit account modification.

    Without auditing, malicious activity cannot be detected.
    Rule Medium Severity
  • The audit system must be configured to audit all administrative, privileged, and security actions.

    Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
    Rule Medium Severity
  • The audit system must be configured to audit login, logout, and session initiation.

    Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
    Rule Low Severity
  • The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.

    Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood o...
    Rule Low Severity
  • The operating system must shut down by default upon audit failure (unless availability is an overriding concern).

    Continuing to operate a system without auditing working properly can result in undocumented access or system changes.
    Rule Medium Severity
  • The operating system must protect audit tools from unauthorized access.

    Failure to maintain system configurations may result in privilege escalation.
    Rule Medium Severity
  • The operating system must protect audit tools from unauthorized modification.

    Failure to maintain system configurations may result in privilege escalation.
    Rule Medium Severity
  • The FTP daemon must not be installed unless required.

    FTP is an insecure protocol.
    Rule High Severity
  • The operating system must be configured to provide essential capabilities.

    Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.
    Rule Medium Severity
  • All run control scripts must have no extended ACLs.

    If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.
    Rule Medium Severity
  • Run control scripts executable search paths must contain only authorized paths.

    The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory ...
    Rule Medium Severity
  • Run control scripts must not execute world writable programs or scripts.

    World writable files could be modified accidentally or maliciously to compromise system integrity.
    Rule Medium Severity
  • All system start-up files must be owned by root.

    System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network ...
    Rule Medium Severity
  • All system start-up files must be group-owned by root, sys, or bin.

    If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.
    Rule Medium Severity
  • System start-up files must only execute programs owned by a privileged UID or an application.

    System start-up files executing programs owned by other than root (or another privileged user) or an application indicates the system may have been compromised.
    Rule Medium Severity
  • All .Xauthority files must have mode 0600 or less permissive.

    .Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Servi...
    Rule Medium Severity
  • X Window System connections that are not required must be disabled.

    If unauthorized clients are permitted access to the X server, a user's X session may be compromised.
    Rule Medium Severity
  • The operating system must enforce minimum password lifetime restrictions.

    Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the pas...
    Rule Medium Severity
  • User passwords must be at least 15 characters in length.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine s...
    Rule Medium Severity
  • The operating system must enforce password complexity requiring that at least one lowercase character is used.

    Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
    Rule Medium Severity
  • The system must disable accounts after three consecutive unsuccessful login attempts.

    Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.
    Rule Medium Severity
  • Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.

    Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.
    Rule Medium Severity
