Solaris 11 SPARC Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule: The system must prevent the use of dictionary words for passwords.
Rationale: The use of common words in passwords simplifies password-cracking attacks.
Severity: Medium

Rule: The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
Rationale: Allowing any user to elevate their privileges can allow them excessive control of the system tools.
Severity: Medium

Rule: The default umask for system and users must be 077.
Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
Severity: Medium

Rule: The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
Rationale: This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs a...
Severity: Low

Rule: The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
Rationale: This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote c...
Severity: Medium

Rule: The system must ignore ICMP redirect messages.
Rationale: Ignoring ICMP redirect messages reduces the likelihood of denial of service attacks.
Severity: Low

Rule: The system must disable ICMP redirect messages.
Rationale: A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in a...
Severity: Low

Rule: The system must disable TCP reverse IP source routing.
Rationale: If enabled, reverse IP source routing would allow an attacker to more easily complete a three-way TCP handshake and spoof new connections.
Severity: Low

Rule: The system must set the maximum number of half-open TCP connections to 4096.
Rationale: This setting controls how many half-open connections can exist for a TCP port. It is necessary to control the number of completed connections to the system to provide some protection against denia...
Severity: Medium

Rule: The system must implement TCP Wrappers.
Rationale: TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP ...
Severity: Low

Rule: The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Rationale: Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, cannot be relied upon to provide confidentiality or integrity, and ...
Severity: Medium

Rule: The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Rationale: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet)....
Severity: Medium

Rule: The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
Rationale: When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, there is risk of data loss. An organizational assessment of risk gu...
Severity: Medium

Rule: The operating system must protect the confidentiality and integrity of information at rest.
Rationale: When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, and flash/thumb drives, there is risk of data loss and d...
Severity: Low

Rule: There must be no user .rhosts files.
Rationale: Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for tho...
Severity: High

Rule: Reserved UIDs 0-99 must only be used by system accounts.
Rationale: If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.
Severity: Medium

Rule: The operating system must have no unowned files.
Rationale: A new user who is assigned a deleted user's user ID or group ID may then end up owning these files, and thus have more access on the system than was intended.
Severity: Medium

Rule: The system must implement non-executable program stacks.
Rationale: A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the spac...
Severity: Medium

Rule: The system must be configured to store any process core dumps in a specific, centralized directory.
Rationale: Specifying a centralized location for core file creation allows for the centralized protection of core files. Process core dumps contain the memory in use by the process when it crashed. Any data t...
Severity: Medium

Rule: The centralized process core dump data directory must have mode 0700 or less permissive.
Rationale: Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the proces...
Severity: Medium

Rule: The operating system must implement transaction recovery for transaction-based systems.
Rationale: Recovery and reconstitution constitute executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and trans...
Severity: Medium

Rule: The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
Rationale: Operating system backup is a critical step in maintaining data assurance and availability. System-level information is data generated for/by the host (such as configuration settings) and/or admin...
Severity: Medium

Rule: The operating system must prevent the execution of prohibited mobile code.
Rationale: Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies incl...
Severity: Medium

Rule: The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
Rationale: Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an orga...
Severity: Medium

Rule: The audit system must identify in which zone an event occurred.
Rationale: Tracking the specific Solaris zones in the audit trail reduces the time required to determine the cause of a security event.
Severity: Low

Rule: The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
Rationale: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., noteb...
Severity: Medium

Rule: The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
Rationale: Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and ...
Severity: Medium

Rule: The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
Rationale: Addition of unauthorized code or packages may result in data corruption or theft.
Severity: Medium

Rule: The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
Rationale: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., noteb...
Severity: Medium

Rule: The operating system must protect the integrity of transmitted information.
Rationale: Ensuring the integrity of transmitted information requires that the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across inter...
Severity: Medium

Rule: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Rationale: Ensuring that transmitted information is not disclosed to unauthorized entities requires that the operating system take feasible measures to employ transmission layer security. This requirement...
Severity: Medium

Rule: The operating system must employ cryptographic mechanisms to protect information in storage.
Rationale: When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, and flash/thumb drives, there is risk of data loss and d...
Severity: Low

Rule: The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
Rationale: Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable ...
Severity: Medium

Rule: The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
Rationale: Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to...
Severity: Medium