Solaris 11 SPARC Security Technical Implementation Guide
An XCCDF Benchmark
217 rules organized in 217 groups
SRG-OS-000255
1 Rule
The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
Medium Severity
Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked.
SRG-OS-000054
1 Rule
The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
Medium Severity
Without an audit reporting capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000064
1 Rule
The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000037
1 Rule
Audit records must include what type of events occurred.
Medium Severity
Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000038
1 Rule
Audit records must include when (date and time) the events occurred.
Medium Severity
Without accurate time stamps malicious activity cannot be accurately tracked.
SRG-OS-000039
1 Rule
Audit records must include where the events occurred.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000040
1 Rule
Audit records must include the sources of the events that occurred.
Medium Severity
Without accurate source information malicious activity cannot be accurately tracked.
SRG-OS-000041
1 Rule
Audit records must include the outcome (success or failure) of the events that occurred.
Medium Severity
Tracking both the successful and unsuccessful attempts aids in identifying threats to the system.
SRG-OS-000480
1 Rule
The audit system must be configured to audit file deletions.
Medium Severity
Without auditing, malicious activity cannot be detected.
SRG-OS-000004
1 Rule
The audit system must be configured to audit account creation.
Medium Severity
Without auditing, malicious activity cannot be detected.
SRG-OS-000239
1 Rule
The audit system must be configured to audit account modification.
Medium Severity
Without auditing, malicious activity cannot be detected.
SRG-OS-000240
1 Rule
The operating system must automatically audit account disabling actions.
Medium Severity
Without auditing, malicious activity cannot be detected.
SRG-OS-000241
1 Rule
The operating system must automatically audit account termination.
Medium Severity
Without auditing, malicious activity cannot be detected.
SRG-OS-000480
1 Rule
The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
Medium Severity
Without auditing, malicious activity cannot be detected.
SRG-OS-000480
1 Rule
The audit system must be configured to audit all administrative, privileged, and security actions.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000032
1 Rule
The audit system must be configured to audit login, logout, and session initiation.
Low Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000480
1 Rule
The audit system must be configured to audit failed attempts to access files and programs.
Low Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000061
1 Rule
The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
Low Severity
Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood of an individual being able to deny performing an action.
Solaris has supported rsyslog since version 11.1, and the differences between syslog and rsyslog are numerous. Solaris 11.4 installs rsyslog by default, but previous versions require a manual installation. When establishing an rsyslog server to forward to, it is important to consider the network requirements for this action.
Note the following configuration options. There are three ways to forward messages: the traditional UDP transport, which is extremely lossy but standard; the plain TCP-based transport, which loses messages only in certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only in rsyslogd 3.15.0 and above.
Examples of each configuration:
UDP: *.* @remotesystemname
TCP: *.* @@remotesystemname
RELP: *.* :omrelp:remotesystemname:2514
Please note that a port number was given for RELP, as there is no standard port for RELP.
SRG-OS-000480
1 Rule
The auditing system must not define a different auditing level for specific users.
Low Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000046
1 Rule
The operating system must alert designated organizational officials in the event of an audit processing failure.
High Severity
Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues.
SRG-OS-000047
1 Rule
The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
Medium Severity
Continuing to operate a system without auditing working properly can result in undocumented access or system changes.
SRG-OS-000057
1 Rule
The operating system must protect audit information from unauthorized access.
Medium Severity
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access. Satisfies: SRG-OS-000057, SRG-OS-000058, SRG-OS-000059
SRG-OS-000480
1 Rule
The System packages must be up to date with the most recent vendor updates and security fixes.
Medium Severity
Failure to install security updates can provide openings for attack.
SRG-OS-000256
1 Rule
The operating system must protect audit tools from unauthorized access.
Medium Severity
Failure to maintain system configurations may result in privilege escalation.
SRG-OS-000257
1 Rule
The operating system must protect audit tools from unauthorized modification.
Medium Severity
Failure to maintain system configurations may result in privilege escalation.
SRG-OS-000258
1 Rule
The operating system must protect audit tools from unauthorized deletion.
Medium Severity
Failure to maintain system configurations may result in privilege escalation.
SRG-OS-000278
1 Rule
System packages must be configured with the vendor-provided files, permissions, and ownerships.
Medium Severity
Failure to maintain system configurations may result in privilege escalation.
SRG-OS-000480
1 Rule
The finger daemon package must not be installed.
Low Severity
Finger is an insecure protocol.
SRG-OS-000480
1 Rule
The legacy remote network access utilities daemons must not be installed.
Medium Severity
Legacy remote access utilities allow remote control of a system without proper authentication.
SRG-OS-000480
1 Rule
The NIS package must not be installed.
High Severity
NIS is an insecure protocol.
SRG-OS-000480
1 Rule
The pidgin IM client package must not be installed.
Low Severity
Instant messaging is an insecure protocol.
SRG-OS-000480
1 Rule
The FTP daemon must not be installed unless required.
High Severity
FTP is an insecure protocol.
SRG-OS-000480
1 Rule
The TFTP service daemon must not be installed unless required.
High Severity
TFTP is an insecure protocol.
SRG-OS-000480
1 Rule
The telnet service daemon must not be installed unless required.
High Severity
Telnet is an insecure protocol.
SRG-OS-000480
1 Rule
The UUCP service daemon must not be installed unless required.
Low Severity
UUCP is an insecure protocol.
SRG-OS-000480
1 Rule
The rpcbind service must be configured for local only services unless organizationally defined.
Medium Severity
The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using remote procedure calls (RPCs). The organization may define and document the limited use of services (for example NFS) that may use these services with approval from their Authorizing Official.
SRG-OS-000480
1 Rule
The VNC server package must not be installed unless required.
Medium Severity
The VNC service uses weak authentication capabilities and provides the user complete graphical system access.
SRG-OS-000095
1 Rule
The operating system must be configured to provide essential capabilities.
Medium Severity
Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.
SRG-OS-000480
1 Rule
All run control scripts must have mode 0755 or less permissive.
Medium Severity
If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.
SRG-OS-000480
1 Rule
All run control scripts must have no extended ACLs.
Medium Severity
If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files.
SRG-OS-000480
1 Rule
Run control scripts executable search paths must contain only authorized paths.
Medium Severity
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
SRG-OS-000480
1 Rule
Run control scripts library search paths must contain only authorized paths.
Medium Severity
The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
SRG-OS-000480
1 Rule
Run control scripts lists of preloaded libraries must contain only authorized paths.
Medium Severity
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries in the current working directory that have not been authorized, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with a slash (/) are absolute paths.
SRG-OS-000480
1 Rule
Run control scripts must not execute world writable programs or scripts.
Medium Severity
World writable files could be modified accidentally or maliciously to compromise system integrity.
SRG-OS-000480
1 Rule
All system start-up files must be owned by root.
Medium Severity
System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.
SRG-OS-000480
1 Rule
All system start-up files must be group-owned by root, sys, or bin.
Medium Severity
If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.
SRG-OS-000480
1 Rule
System start-up files must only execute programs owned by a privileged UID or an application.
Medium Severity
System start-up files executing programs owned by other than root (or another privileged user) or an application indicates the system may have been compromised.
SRG-OS-000480
1 Rule
Any X Windows host must write .Xauthority files.
Medium Severity
.Xauthority files ensure the user is authorized to access the specific X Windows host. If .Xauthority files are not used, it may be possible to obtain unauthorized access to the X Windows host.
SRG-OS-000480
1 Rule
All .Xauthority files must have mode 0600 or less permissive.
Medium Severity
.Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.
SRG-OS-000480
1 Rule
The .Xauthority files must not have extended ACLs.
Medium Severity
.Xauthority files ensure the user is authorized to access the specific X Windows host. Extended ACLs may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.
SRG-OS-000480
1 Rule
X displays must not be exported to the world.
High Severity
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.
SRG-OS-000480
1 Rule
.Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
Medium Severity
If access to the X server is not restricted, a user's X session may be compromised.
SRG-OS-000480
1 Rule
The .Xauthority utility must only permit access to authorized hosts.
Medium Severity
If unauthorized clients are permitted access to the X server, a user's X session may be compromised.
SRG-OS-000480
1 Rule
X Window System connections that are not required must be disabled.
Medium Severity
If unauthorized clients are permitted access to the X server, a user's X session may be compromised.
SRG-OS-000480
1 Rule
The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
Medium Severity
Externally accessible graphical desktop software may open the system to remote attacks.
SRG-OS-000480
1 Rule
Generic Security Services (GSS) must be disabled.
Low Severity
This service should be disabled if it is not required.
SRG-OS-000480
1 Rule
Systems services that are not required must be disabled.
Low Severity
Services that are enabled but not required by the mission may provide excessive access or additional attack vectors to penetrate the system.
SRG-OS-000480
1 Rule
TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
Medium Severity
TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
SRG-OS-000076
1 Rule
User passwords must be changed at least every 60 days.
Medium Severity
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allows the /etc/default/passwd configuration file to enforce a password change every 60 days.
SRG-OS-000002
1 Rule
The operating system must automatically terminate temporary accounts within 72 hours.
Low Severity
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after 72 hours. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.
SRG-OS-000075
1 Rule
The operating system must enforce minimum password lifetime restrictions.
Medium Severity
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allows the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day.
SRG-OS-000078
1 Rule
User passwords must be at least 15 characters in length.
Medium Severity
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
SRG-OS-000072
1 Rule
The system must require at least eight characters be changed between the old and new passwords during a password change.
Medium Severity
To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.
SRG-OS-000069
1 Rule
The system must require passwords to contain at least one uppercase alphabetic character.
Medium Severity
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
SRG-OS-000070
1 Rule
The operating system must enforce password complexity requiring that at least one lowercase character is used.
Medium Severity
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
SRG-OS-000071
1 Rule
The system must require passwords to contain at least one numeric character.
Medium Severity
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
SRG-OS-000266
1 Rule
The system must require passwords to contain at least one special character.
Medium Severity
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
SRG-OS-000480
1 Rule
The system must require passwords to contain no more than three consecutive repeating characters.
Low Severity
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
SRG-OS-000480
1 Rule
The system must not have accounts configured with blank or null passwords.
Medium Severity
Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
SRG-OS-000073
1 Rule
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
Medium Severity
Cryptographic hashes provide quick password authentication while not actually storing the password.
SRG-OS-000021
1 Rule
The system must disable accounts after three consecutive unsuccessful login attempts.
Medium Severity
Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks.
SRG-OS-000480
1 Rule
The delay between login prompts following a failed login attempt must be at least 4 seconds.
Medium Severity
An immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user.
SRG-OS-000028
1 Rule
The system must require users to re-authenticate to unlock a graphical desktop environment.
Medium Severity
Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.
SRG-OS-000029
1 Rule
Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
Medium Severity
Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.
SRG-OS-000480
1 Rule
The system must prevent the use of dictionary words for passwords.
Medium Severity
The use of common words in passwords simplifies password-cracking attacks.
SRG-OS-000109
1 Rule
The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
Medium Severity
Allowing any user to elevate their privileges can allow them excessive control of the system tools.
SRG-OS-000480
1 Rule
The default umask for system and users must be 077.
Medium Severity
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
SRG-OS-000480
1 Rule
The default umask for FTP users must be 077.
Low Severity
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
SRG-OS-000480
1 Rule
The value mesg n must be configured as the default setting for all users.
Low Severity
The "mesg n" command blocks attempts to use the "write" or "talk" commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's TTY device.
SRG-OS-000003
1 Rule
User accounts must be locked after 35 days of inactivity.
Medium Severity
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise. This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local logon accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. Satisfies: SRG-OS-000003, SRG-OS-000118
SRG-OS-000480
1 Rule
Login services for serial ports must be disabled.
Medium Severity
Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port.
SRG-OS-000480
1 Rule
Access to a domain console via telnet must be restricted to the local host.
Medium Severity
Telnet is an insecure protocol.
SRG-OS-000480
1 Rule
Access to a logical domain console must be restricted to authorized users.
Medium Severity
A logical domain is a discrete, logical grouping with its own operating system, resources, and identity within a single computer system. Access to the logical domain console provides system-level access to the OBP of the domain.
SRG-OS-000480
1 Rule
The nobody access for RPC encryption key storage service must be disabled.
Medium Severity
If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.
SRG-OS-000480
1 Rule
X11 forwarding for SSH must be disabled.
Medium Severity
Enabling X11 forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring. If the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs.
SRG-OS-000480
1 Rule
Consecutive login attempts for SSH must be limited to 3.
Low Severity
Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks.
SRG-OS-000480
1 Rule
The rhost-based authentication for SSH must be disabled.
Medium Severity
Setting this parameter forces users to enter a password when authenticating with SSH.
SRG-OS-000480
1 Rule
Direct root account login must not be permitted for SSH access.
Medium Severity
The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user.
SRG-OS-000480
1 Rule
Login must not be permitted with empty/null passwords for SSH.
High Severity
Permitting login without a password is inherently risky.
SRG-OS-000163
1 Rule
The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
Low Severity
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.
SRG-OS-000480
1 Rule
Host-based authentication for login-based services must be disabled.
Medium Severity
The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.
SRG-OS-000480
1 Rule
The use of FTP must be restricted.
Medium Severity
FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to ensure that the default "system" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on the system such as user "oracle" and the account which the web server process runs under.
SRG-OS-000480
1 Rule
The system must not allow autologin capabilities from the GNOME desktop.
High Severity
As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf.
SRG-OS-000480
1 Rule
Unauthorized use of the at or cron capabilities must not be permitted.
Medium Severity
On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in the "cron.allow" file, cron jobs can still be run as that user. The "cron.allow" file only controls administrative access to the "crontab" command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).
SRG-OS-000480
1 Rule
Logins to the root account must be restricted to the system console only.
Medium Severity
Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.
SRG-OS-000025
1 Rule
The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
Low Severity
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
SRG-OS-000030
1 Rule
The operating system must provide the capability for users to directly initiate session lock mechanisms.
Medium Severity
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. Rather than be forced to wait for a period of time to expire before the user session can be locked, the operating system needs to provide users with the ability to manually invoke a session lock so users may secure their account should the need arise for them to temporarily vacate the immediate physical vicinity.
SRG-OS-000031
1 Rule
The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
Medium Severity
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.
SRG-OS-000480
1 Rule
The operating system must not allow logins for users with blank passwords.
High Severity
If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.
SRG-OS-000480
1 Rule
The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
Medium Severity
This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of the system and to communicate with local resources, such as a printer or file server. The remote device, when connected by a non-remote connection, becomes an extension of the information system allowing dual communications paths, such as split-tunneling, in effect allowing unauthorized external connections into the system. This is a split-tunneling requirement that can be controlled via the operating system by disabling interfaces.
SRG-OS-000027
1 Rule
The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
Low Severity
Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. The organization may define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or by a combination thereof. This requirement addresses concurrent sessions for a single information system account and does not address concurrent sessions by a single user via multiple accounts.
SRG-OS-000480
1 Rule
The system must disable directed broadcast packet forwarding.
Low Severity
Forwarding directed broadcasts lets a packet addressed to a subnet's broadcast address be delivered to every host on that subnet, so a single spoofed packet produces many replies. Disabling this parameter keeps the system from acting as an amplifier in that kind of denial of service attack.
SRG-OS-000480
1 Rule
The system must not respond to ICMP timestamp requests.
Low Severity
By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
SRG-OS-000480
1 Rule
The system must not respond to ICMP broadcast timestamp requests.
Low Severity
By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
SRG-OS-000480
1 Rule
The system must not respond to ICMP broadcast netmask requests.
Low Severity
By determining the netmasks of various computers in the network, an attacker can better map the subnet structure and infer trust relationships.
SRG-OS-000480
1 Rule
The system must not respond to broadcast ICMP echo requests.
Medium Severity
ICMP echo requests can be useful for reconnaissance of systems and for denial of service attacks.
SRG-OS-000480
1 Rule
The system must not respond to multicast echo requests.
Low Severity
Multicast echo requests can be useful for reconnaissance of systems and for denial of service attacks.
SRG-OS-000480
1 Rule
The system must ignore ICMP redirect messages.
Low Severity
ICMP redirect messages ask a host to change its route to a destination. A spoofed redirect can steer the system's traffic through an attacker's machine or into a black hole, so ignoring redirects removes both the interception and the denial of service possibility.
SRG-OS-000480
1 Rule
The system must set strict multihoming.
Medium Severity
These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. With strict multihoming enabled, a packet for one interface's address that arrives on another interface is dropped, which defeats a common way of reaching a supposedly internal address through an external interface. This rule is not applicable for documented systems that have interfaces that cross strict networking domains (for example, a firewall, a router, or a VPN node).
SRG-OS-000480
1 Rule
The system must disable ICMP redirect messages.
Low Severity
A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system.
SRG-OS-000480
1 Rule
The system must disable TCP reverse IP source routing.
Low Severity
If enabled, reverse IP source routing would allow an attacker to more easily complete a three-way TCP handshake and spoof new connections.
SRG-OS-000480
1 Rule
The system must set maximum number of half-open TCP connections to 4096.
Medium Severity
This setting controls how many half-open connections (SYN received, handshake not yet completed) may exist for a TCP port. Bounding that number provides some protection against SYN flood denial of service attacks, which work by filling the half-open queue so that legitimate handshakes cannot be queued.
SRG-OS-000480
1 Rule
The system must set maximum number of incoming connections to 1024.
Low Severity
This setting controls the maximum number of fully established incoming connections that can be queued on a TCP port while waiting for the application to accept them, limiting exposure to denial of service attacks.
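The rules from directed-broadcast forwarding through the two TCP queue limits are all kernel network parameters, and on Solaris 11 they are read and set with ipadm. The script below is an added example, not part of this guide or of the STIG: it compares ipadm show-prop style output against the values the rules require and prints each property that is missing or out of policy. The property names in the policy table are the Solaris 11 ipadm private-property names as the editor recalls them and are an assumption to verify against ipadm show-prop on your release; the sample output is constructed, not captured from a system.

```shell
#!/bin/sh
# Added example: check Solaris ipadm property values against the hardening rules above.
# Property names are assumed Solaris 11 ipadm private-property names; verify on your release.
# Output format assumed: PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE (ipadm show-prop).

# Policy: property -> value required by the rules. Keyed on the property name only, because
# several of these are set per ip, ipv4 or ipv6 protocol on real systems.
POLICY='_forward_directed_broadcasts 0
_respond_to_timestamp 0
_respond_to_timestamp_broadcast 0
_respond_to_address_mask_broadcast 0
_respond_to_echo_broadcast 0
_respond_to_echo_multicast 0
_ignore_redirect 1
_strict_dst_multihoming 1
_send_redirects 0
_rev_src_routes 0
_conn_req_max_q0 4096
_conn_req_max_q 1024'

# Constructed sample of show-prop output with two deliberate deviations:
# timestamp replies still enabled, and the half-open queue left at a small value.
SAMPLE='PROTO PROPERTY                           PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _forward_directed_broadcasts       rw   0       --         0       0,1
ip    _respond_to_timestamp              rw   1       --         1       0,1
ip    _respond_to_timestamp_broadcast    rw   0       --         1       0,1
ip    _respond_to_address_mask_broadcast rw   0       --         1       0,1
ip    _respond_to_echo_broadcast         rw   0       --         1       0,1
ipv4  _respond_to_echo_multicast         rw   0       --         1       0,1
ipv4  _ignore_redirect                   rw   1       --         0       0,1
ipv4  _strict_dst_multihoming            rw   1       --         0       0,1
ipv4  _send_redirects                    rw   0       --         1       0,1
tcp   _rev_src_routes                    rw   0       --         0       0,1
tcp   _conn_req_max_q0                   rw   128     --         128     1-4294967296
tcp   _conn_req_max_q                    rw   1024    --         128     1-4294967296'

# check_net_props <file-with-show-prop-output>
# Prints one line per policy property that is missing or out of policy; prints nothing when compliant.
check_net_props() {
    pol=$(mktemp) || return 2
    printf '%s\n' "$POLICY" > "$pol"
    awk '
        NR == FNR { want[$1] = $2; next }          # first file: the policy table
        $1 == "PROTO" { next }                     # skip the ipadm header line
        ($2 in want) {
            seen[$2] = 1
            if ($4 != want[$2])
                printf "%s current=%s expected=%s\n", $2, $4, want[$2]
        }
        END { for (p in want) if (!(p in seen)) printf "%s not reported\n", p }
    ' "$pol" "$1"
    rm -f "$pol"
}

# On a live Solaris host, capture the properties first, one ipadm show-prop call per name
# (with -p <name> and the ip, ipv4, ipv6 or tcp protocol as appropriate), concatenate the
# output into a file, and pass that file to check_net_props. Remediate each finding with
# ipadm set-prop -p <name>=<value> <protocol>.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE" > "$SAMPLE_FILE"
check_net_props "$SAMPLE_FILE"
# -> _respond_to_timestamp current=1 expected=0
#    _conn_req_max_q0 current=128 expected=4096
```

The check is keyed on the property name rather than the protocol column so that it reports the same way whether a property is shown under ip, ipv4 or ipv6; a property that never appears in the input is reported as "not reported" rather than silently passed, which is what you want from a compliance check.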
SRG-OS-000480
1 Rule
The system must disable network routing unless required.
Medium Severity
The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts. Routing Information Protocol (RIP), which in.routed speaks, is a legacy protocol with a number of security weaknesses, including a lack of authentication, zoning, pruning, etc., so any host on the segment can inject routes into a system that listens to it.
SRG-OS-000480
1 Rule
The system must implement TCP Wrappers.
Low Severity
TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provides logging information via syslog about both successful and unsuccessful connections. TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts.
SRG-OS-000480
1 Rule
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
Medium Severity
A firewall that relies on a deny all, permit by exception strategy requires all traffic to have explicit permission before traversing an interface on the host. The firewall must incorporate stateful packet filtering and logging. Nonlocal maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending nonlocal maintenance and diagnostic communications through encrypted channels enforced via firewall configurations. Satisfies: SRG-OS-000074, SRG-OS-000096, SRG-OS-000112, SRG-OS-000113, SRG-OS-000125, SRG-OS-000250, SRG-OS-000393
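The following ruleset is an added illustration of the deny all, permit by exception policy described above, written for the IP Filter packet filter that Solaris 11.0 through 11.3 provide (Solaris 11.4 ships Packet Filter instead, whose syntax differs). It is not taken from this guide. The management network (10.0.0.0/8), the resolver address (10.1.1.53) and the interface name (net0) are placeholders chosen for the example.

```text
# /etc/ipf/ipf.conf (added example, not from this guide): deny all, permit by exception.
# Assumes the management network is 10.0.0.0/8, the resolver is 10.1.1.53, and the interface is net0.

# Default policy: drop and log everything, in both directions. These rules carry no "quick",
# so they apply only when no later rule matches.
block in log all
block out log all

# Loopback is always allowed.
pass in quick on lo0 all
pass out quick on lo0 all

# Exceptions, each stateful ("keep state") and, for TCP, matched only on the initial SYN ("flags S").
pass in  quick on net0 proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state   # SSH from the management net
pass out quick on net0 proto udp from any to 10.1.1.53 port = 53 keep state             # DNS to the approved resolver
pass out quick on net0 proto tcp from any to any port = 443 flags S keep state          # outbound HTTPS
```

IP Filter evaluates rules top to bottom and the last match wins unless a rule says quick, so the two non-quick block rules are the fallback and every pass rule terminates evaluation as soon as it matches. "keep state" lets the reply packets of a permitted connection through without a separate inbound rule, and the log keyword sends every dropped packet to ipmon, which is what gives the rule its logging requirement.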
SRG-OS-000480
1 Rule
The system must prevent local applications from generating source-routed packets.
Low Severity
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
SRG-OS-000023
1 Rule
The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
Low Severity
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
SRG-OS-000023
1 Rule
The operating system must display the DoD approved system use notification message or banner for SSH connections.
Low Severity
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
SRG-OS-000023
1 Rule
The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
Low Severity
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
SRG-OS-000023
1 Rule
The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
Low Severity
Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse, this warning content should be set as appropriate.
SRG-OS-000126
1 Rule
The operating system must terminate all sessions and network connections when nonlocal maintenance is completed.
Medium Severity
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. The operating system needs to ensure all sessions and network connections are terminated when nonlocal maintenance is completed.
SRG-OS-000480
1 Rule
The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
Medium Severity
Manipulation of IP addresses can allow untrusted systems to appear as trusted hosts, bypassing firewalls and other security mechanisms and resulting in system penetration.
SRG-OS-000481
1 Rule
Wireless network adapters must be disabled.
Medium Severity
The use of wireless networking can introduce many different attack vectors into the organization’s network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial-of-service to valid network resources.
SRG-OS-000481
1 Rule
The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
Medium Severity
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. Applications utilizing encryption are required to use approved encryption modules meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware based encryption modules. Satisfies: SRG-OS-000120, SRG-OS-000169
SRG-OS-000033
1 Rule
The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Medium Severity
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections. The negotiated SSH cipher is the first entry in the client's list that also appears in the server's list, so the server's Ciphers line is what limits the choice: list only approved ciphers, ordered strongest to weakest, and a weak cipher cannot be negotiated even by a client that prefers one. Note: SSH in Solaris 11 GA through 11.3 used Sun Microsystems' proprietary SUNWssh. In Solaris 11.3 OpenSSH was offered as optional software, and in Solaris 11.4 OpenSSH is the only SSH offered. Both use the same /etc/ssh/sshd_config file, and neither includes a Ciphers line by default.
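Because the default sshd_config has no Ciphers line, the first thing a check has to detect is its absence, and the second is a line that exists but still names a weak cipher. The script below is an added example, not part of this guide: it audits an sshd_config for both conditions over constructed sample files. The list treated as approved (AES in CTR mode) and the set of names treated as weak are the editor's assumptions; substitute the ciphers your organization has approved.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the Ciphers directive described above.
# The approved list (AES-CTR) and the weak-cipher patterns are assumptions; use your organization's list.

# sshd_cipher_findings <sshd_config>
# Prints one line per finding; prints nothing when a Ciphers line exists and names no weak cipher.
# sshd_config keywords are case-insensitive, so the keyword is lowercased before comparison.
# Limitation: a Ciphers line inside a Match block is treated like the global one.
sshd_cipher_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }               # comments and blank lines
        tolower($1) == "ciphers" {
            found = 1
            n = split($2, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /cbc|arcfour|3des|blowfish|cast128|none/)
                    printf "weak cipher listed: %s\n", c[i]
        }
        END { if (!found) print "no Ciphers directive: the server default applies" }
    ' "$1"
}

# Constructed sample configurations (not captured from any host).
WORK=$(mktemp -d)
C_DEFAULT="$WORK/sshd_config.default"   # the Solaris default: no Ciphers line at all
C_WEAK="$WORK/sshd_config.weak"         # a line exists but admits CBC and RC4
C_GOOD="$WORK/sshd_config.good"         # approved ciphers only, strongest first
printf 'Protocol 2\n#Ciphers aes128-cbc\nPermitRootLogin no\n' > "$C_DEFAULT"
printf 'ciphers aes128-cbc,aes256-ctr,arcfour\n' > "$C_WEAK"
printf 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n' > "$C_GOOD"

for f in "$C_DEFAULT" "$C_WEAK" "$C_GOOD"; do
    echo "== $f"
    sshd_cipher_findings "$f"
done
```

On a live host run it against /etc/ssh/sshd_config and restart the ssh service after editing; the commented-out Ciphers line in the first sample is there to show that the check must ignore comments, which is the usual way a stale directive survives in a config file.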
SRG-OS-000480
1 Rule
The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
Medium Severity
When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. The employment of cryptography is at the discretion of the information owner/steward. When the organization has determined the risk warrants it, data written to portable digital media must be encrypted.
SRG-OS-000185
1 Rule
The operating system must protect the confidentiality and integrity of information at rest.
Low Severity
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
SRG-OS-000216
1 Rule
The operating system must use cryptographic mechanisms to protect the integrity of audit information.
Low Severity
Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data.
SRG-OS-000480
1 Rule
The sticky bit must be set on all world writable directories.
Medium Severity
Files in directories that have had the "sticky bit" enabled can only be deleted by users that have both write permissions for the directory in which the file resides, as well as ownership of the file or directory, or have sufficient privileges. As this prevents users from overwriting each others' files, whether it be accidental or malicious, it is generally appropriate for most world-writable directories (e.g., /tmp).
SRG-OS-000480
1 Rule
Permissions on user home directories must be 750 or less permissive.
Medium Severity
Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
SRG-OS-000480
1 Rule
Permissions on user . (hidden) files must be 750 or less permissive.
Medium Severity
Group-writable or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges.
SRG-OS-000480
1 Rule
Permissions on user .netrc files must be 750 or less permissive.
Medium Severity
.netrc files may contain unencrypted passwords that can be used to attack other systems.
SRG-OS-000480
1 Rule
There must be no user .rhosts files.
High Severity
Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.
SRG-OS-000480
1 Rule
Groups assigned to users must exist in the /etc/group file.
Medium Severity
A group referenced in passwd but not defined in the group file cannot have its permissions managed: files the user creates carry a GID that no administrator can inspect or assign by name, so group permissions on them are effectively uncontrolled.
SRG-OS-000480
1 Rule
Users must have a valid home directory assignment.
Low Severity
All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory.
SRG-OS-000480
1 Rule
All user accounts must be configured to use a home directory that exists.
Low Severity
If the user's home directory does not exist, the user will be placed in "/" and will not be able to write any files or have local environment variables set.
SRG-OS-000480
1 Rule
All home directories must be owned by the respective user assigned to it in /etc/passwd.
Medium Severity
Since the user is accountable for files stored in the user's home directory, the user must be the owner of the directory.
SRG-OS-000104
1 Rule
Duplicate User IDs (UIDs) must not exist for users within the organization.
Medium Severity
Users within the organization must be assigned unique UIDs for accountability and to ensure appropriate access protections.
SRG-OS-000121
1 Rule
Duplicate UIDs must not exist for multiple non-organizational users.
Medium Severity
Non-organizational users must be assigned unique UIDs for accountability and to ensure appropriate access protections.
SRG-OS-000480
1 Rule
Duplicate Group IDs (GIDs) must not exist for multiple groups.
Medium Severity
User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections.
SRG-OS-000480
1 Rule
Reserved UIDs 0-99 must only be used by system accounts.
Medium Severity
If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID.
SRG-OS-000480
1 Rule
Duplicate user names must not exist.
Medium Severity
If a user name appears twice in passwd, name lookups resolve to the first entry, so files created under that name are owned by the first UID and both accounts effectively share it; the second entry's UID is never applied as intended.
SRG-OS-000480
1 Rule
Duplicate group names must not exist.
Medium Severity
If a group name appears twice in the group file, name lookups resolve to the first entry, so files assigned to that group carry the first GID and both groups effectively share it. Because the GID is shared, membership and permissions intended for one group apply to the other, which is a security risk.
SRG-OS-000480
1 Rule
User .netrc files must not exist.
Medium Severity
The .netrc file presents a significant security risk since it stores passwords in unencrypted form.
SRG-OS-000480
1 Rule
The system must not allow users to configure .forward files.
Medium Severity
Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions.
SRG-OS-000480
1 Rule
World-writable files must not exist.
Medium Severity
Data in world-writable files can be read, modified, and potentially compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.
SRG-OS-000480
1 Rule
All valid SUID/SGID files must be documented.
Low Severity
There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate.
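The sticky-bit, home-directory, world-writable-file and SUID/SGID rules above are all answered by find(1). The script below is an added example, not part of this guide: it defines the four checks using only POSIX find predicates (so the same commands work on Solaris and Linux) and runs them over a constructed directory tree that contains one violation of each kind.

```shell
#!/bin/sh
# Added example: the find(1) checks behind the sticky-bit, home-directory, world-writable
# and SUID/SGID rules, run over a constructed tree. POSIX predicates only.

ww_dirs_no_sticky() {   # world-writable directories without the sticky bit (should be none)
    find "$1" -type d -perm -0002 ! -perm -1000
}
ww_files() {            # world-writable regular files (should be none)
    find "$1" -type f -perm -0002
}
setid_files() {         # SUID or SGID regular files (compare against the documented list)
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}
home_too_open() {       # home directories more permissive than 0750: group write or any "other" bit
    find "$1/." ! -name . -prune -type d \( -perm -0020 -o -perm -0004 -o -perm -0002 -o -perm -0001 \)
}

# Constructed tree with one violation of each kind.
T=$(mktemp -d)
mkdir -p "$T/tmp" "$T/shared" "$T/bin" "$T/home/alice" "$T/home/bob"
chmod 1777 "$T/tmp"                       # world-writable with sticky bit: correct for /tmp
chmod 0777 "$T/shared"                    # world-writable without sticky bit: violation
printf 'notes\n' > "$T/shared/notes.txt"; chmod 0666 "$T/shared/notes.txt"   # world-writable file
printf '#!/bin/sh\n' > "$T/bin/passwd";   chmod 4755 "$T/bin/passwd"         # SUID program to document
printf 'umask 027\n' > "$T/home/alice/.profile"; chmod 0640 "$T/home/alice/.profile"
chmod 0750 "$T/home/alice"                # compliant
chmod 0755 "$T/home/bob"                  # world-readable and searchable: violation

echo "world-writable dirs without sticky bit:"; ww_dirs_no_sticky "$T"
echo "world-writable files:";                   ww_files "$T"
echo "setuid/setgid files:";                    setid_files "$T"
echo "home directories more open than 0750:";   home_too_open "$T/home"
```

On a live system run the first three against / with -xdev so the scan stays on the local file systems, and fix findings with chmod +t (sticky bit), chmod o-w (world-writable files) and chmod 750 (home directories); SUID/SGID findings are not removed automatically but compared against the documented list the rule requires.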
SRG-OS-000480
1 Rule
The operating system must have no unowned files.
Medium Severity
A new user who is assigned a deleted user's user ID or group ID may then end up owning these files, and thus have more access on the system than was intended.
SRG-OS-000480
1 Rule
The operating system must have no files with extended attributes.
Low Severity
Attackers or malicious users could hide information, exploits, etc. in extended attribute areas. Since extended attributes are rarely used, it is important to find files with extended attributes set and correct these attributes.
SRG-OS-000480
1 Rule
The root account must be the only account with GID of 0.
Medium Severity
All accounts with a GID of 0 have root group privileges, so membership in that group must be limited to the root account only.
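The account rules above (groups that exist, valid and existing home directories, unique UIDs, GIDs, user names and group names, no blank passwords, reserved UIDs and the root-only GID 0) are all checks on the passwd, shadow and group files. The script below is an added example, not part of this guide: it implements each check as a small function and runs them over constructed copies of the three files. The sample accounts and the placeholder hash are invented for the example.

```shell
#!/bin/sh
# Added example: consistency checks for passwd, shadow and group over constructed files.
# Field layouts are the standard ones: passwd name:pw:uid:gid:gecos:home:shell,
# shadow name:pw:lastchg:..., group name:pw:gid:members.

dup_field() {           # dup_field <file> <field-number>: values that occur more than once
    cut -d: -f"$2" "$1" | sort | uniq -d
}
gid0_accounts() {       # accounts other than root whose primary group is GID 0
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
}
missing_groups() {      # missing_groups <passwd> <group>: users whose primary GID has no group entry
    awk -F: 'NR == FNR { known[$3] = 1; next } !($4 in known) { print $1 }' "$2" "$1"
}
blank_passwords() {     # shadow entries with an empty password field
    awk -F: '$2 == "" { print $1 }' "$1"
}
missing_homes() {       # users whose home directory does not exist
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -d "$home" ] || echo "$name"
    done < "$1"
}
reserved_uids() {       # accounts in the reserved 0-99 range, for review against the system-account list
    awk -F: '$3 < 100 { print $1 ":" $3 }' "$1"
}

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"; SHADOW="$WORK/shadow"; GROUP="$WORK/group"
mkdir -p "$WORK/home/root" "$WORK/home/alice" "$WORK/home/carol" "$WORK/home/backup"
# Constructed passwd: carol shares alice's UID, bob's GID has no group entry, backup has GID 0,
# a second "alice" entry exists, and bob and the second alice lack home directories.
cat > "$PASSWD" <<EOF
root:x:0:0:Super-User:$WORK/home/root:/usr/bin/bash
alice:x:1001:10:Alice:$WORK/home/alice:/usr/bin/bash
bob:x:1002:9999:Bob:$WORK/home/bob:/usr/bin/bash
carol:x:1001:10:Carol:$WORK/home/carol:/usr/bin/bash
backup:x:1003:0:Backup job:$WORK/home/backup:/usr/bin/bash
alice:x:1004:10:Second alice:$WORK/home/alice2:/usr/bin/bash
EOF
# Constructed shadow: alice has an empty password field; the root hash is a placeholder.
cat > "$SHADOW" <<'EOF'
root:$5$saltsalt$placeholderhash:19000::::::
alice::19000::::::
bob:*LK*:19000::::::
carol:NP:19000::::::
EOF
cat > "$GROUP" <<'EOF'
root::0:
other::1:
staff::10:alice,carol
EOF

echo "duplicate UIDs:";                       dup_field "$PASSWD" 3
echo "duplicate user names:";                 dup_field "$PASSWD" 1
echo "duplicate GIDs:";                       dup_field "$GROUP" 3
echo "duplicate group names:";                dup_field "$GROUP" 1
echo "non-root accounts in GID 0:";           gid0_accounts "$PASSWD"
echo "users whose GID has no group entry:";   missing_groups "$PASSWD" "$GROUP"
echo "blank passwords:";                      blank_passwords "$SHADOW"
echo "missing home directories:";             missing_homes "$PASSWD"
echo "reserved-range UIDs to review:";        reserved_uids "$PASSWD"
```

On a host that uses a name service (LDAP, NIS) the local files are only part of the picture; feed the functions the output of getent passwd and getent group instead, and keep the shadow check on the local file, which is the only place those password fields live.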
SRG-OS-000206
1 Rule
The operating system must reveal error messages only to authorized personnel.
Low Severity
Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages.
SRG-OS-000480
1 Rule
The operator must document all file system objects that have non-standard access control list settings.
Medium Severity
Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files.
SRG-OS-000480
1 Rule
The operating system must be a supported release.
High Severity
An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
SRG-OS-000480
1 Rule
The system must implement non-executable program stacks.
Medium Severity
A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.
SRG-OS-000480
1 Rule
Address Space Layout Randomization (ASLR) must be enabled.
Low Severity
Memory-corruption bugs let an attacker redirect execution to code or data at addresses they can predict. ASLR randomizes the placement of key areas of a process, such as the stack, the brk-based heap and memory mappings, so that those addresses are no longer predictable and such exploits are far less likely to succeed.
SRG-OS-000480
1 Rule
Process core dumps must be disabled unless needed.
Medium Severity
Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which may result in denial of service. Process core dumps can be useful for software debugging.
SRG-OS-000480
1 Rule
The system must be configured to store any process core dumps in a specific, centralized directory.
Medium Severity
Specifying a centralized location for core file creation allows for the centralized protection of core files. Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If process core dump creation is not configured to use a centralized directory, core dumps may be created in a directory that does not have appropriate ownership or permissions configured, which could result in unauthorized access to the core dumps.
SRG-OS-000480
1 Rule
The centralized process core dump data directory must be owned by root.
Medium Severity
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centralized process core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.
SRG-OS-000480
1 Rule
The centralized process core dump data directory must be group-owned by root, bin, or sys.
Medium Severity
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centralized process core dump data directory is not group-owned by a system group, the core dumps contained in the directory may be subject to unauthorized access.
SRG-OS-000480
1 Rule
The centralized process core dump data directory must have mode 0700 or less permissive.
Medium Severity
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the process core dump data directory has a mode more permissive than 0700, unauthorized users may be able to view or to modify sensitive information contained in any process core dumps in the directory.
SRG-OS-000480
1 Rule
Kernel core dumps must be disabled unless needed.
Medium Severity
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.
SRG-OS-000480
1 Rule
The kernel core dump data directory must be owned by root.
Medium Severity
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.
SRG-OS-000480
1 Rule
The kernel core dump data directory must be group-owned by root.
Medium Severity
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not group-owned by a system group, the core dumps contained in the directory may be subject to unauthorized access.
SRG-OS-000480
1 Rule
The kernel core dump data directory must have mode 0700 or less permissive.
Medium Severity
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the mode of the kernel core dump data directory is more permissive than 0700, unauthorized users may be able to view or to modify kernel core dump data files.
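The six directory rules above (process core dump directory and kernel core dump directory, each owned by root, group-owned by a system group, and mode 0700 or stricter) are the same three checks applied to two directories. The script below is an added example, not part of this guide: it implements the checks once, parsing ls -ld rather than a stat(1) binary so it runs unchanged on Solaris and Linux, and demonstrates them on constructed directories. Locating the directories themselves is left to the Solaris coreadm and dumpadm commands, referred to only in comments.

```shell
#!/bin/sh
# Added example: verify a core or crash dump directory against the rules above
# (owner root; group root, bin or sys; mode 0700 or stricter). Demonstrated on constructed directories.
# On Solaris the process core directory is the directory part of the "global core file pattern"
# printed by coreadm, and the kernel crash dump directory is the "Savecore directory" printed by dumpadm.

# check_dump_dir <directory>: prints one line per finding; returns 0 only when all three checks pass.
check_dump_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    set -- $(LC_ALL=C ls -ld "$dir")          # $1 mode string, $3 owner, $4 group
    rc=0
    case $3 in
        root) ;;
        *) echo "owner=$3 (want root)"; rc=1 ;;
    esac
    case $4 in
        root|bin|sys) ;;
        *) echo "group=$4 (want root, bin or sys)"; rc=1 ;;
    esac
    # characters 5-10 of the mode string are the group and other permission bits; all must be "-"
    case $(printf '%s' "$1" | cut -c5-10) in
        ------) ;;
        *) echo "mode=$1 (want 0700 or stricter: no group or other bits)"; rc=1 ;;
    esac
    return $rc
}

# Constructed directories: one too permissive, one with the required mode.
D_BAD=$(mktemp -d); chmod 0755 "$D_BAD"
D_OK=$(mktemp -d);  chmod 0700 "$D_OK"
echo "== $D_BAD"; check_dump_dir "$D_BAD" || echo "FAIL"
echo "== $D_OK";  check_dump_dir "$D_OK"  || echo "FAIL (expected when not run as root: the ownership findings remain)"
```

When the script is run by an unprivileged user both constructed directories fail the ownership checks, which is correct behaviour: the point of the rule is that only root owns the directory, and the mode finding is the one that distinguishes the two samples.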
SRG-OS-000480
1 Rule
The system must require passwords to change the boot device settings. (SPARC)
Low Severity
Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy).
SRG-OS-000480
1 Rule
The operating system must implement transaction recovery for transaction-based systems.
Medium Severity
Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. While this is typically a database function, operating systems could be transactional in nature with respect to file processing.
SRG-OS-000480
1 Rule
SNMP communities, users, and passphrases must be changed from the default.
High Severity
Whether active or not, default SNMP passwords, users, and passphrases must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s).
SRG-OS-000480
1 Rule
A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
Medium Severity
A file integrity baseline is a collection of file metadata used to evaluate the integrity of the system. A minimal baseline must contain metadata for all device files, setuid files, setgid files, system libraries, system binaries, and system configuration files. The minimal metadata must consist of the mode, owner, group owner, and modification times. For regular files, metadata must also include file size and a cryptographic hash of the file's contents.
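A baseline of the kind the rule describes is a list of (path, mode, owner, group, size, modification time, hash) records, and the weekly review is a comparison of two such lists. The script below is an added example, not part of this guide: it builds that record for every file and directory under a root, compares two baselines, and demonstrates the comparison on a constructed tree in which one file is altered between the two runs. Solaris ships its own tool for exactly this job (bart create and bart compare); the script is a portable illustration of what that tool records, not a replacement for it.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline (mode, owner, group, size, mtime, SHA-256)
# and a comparison of two baselines. Demonstrated on a constructed tree; Solaris BART does the
# real job (bart create / bart compare).

hash_file() {           # SHA-256 of one file: sha256sum (GNU) or digest(1) (Solaris)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        digest -a sha256 "$1"
    fi
}

# make_baseline <root>: one tab-separated line per file or directory:
#   path  mode  uid  gid  size  mtime  sha256 (or "-" for directories)
make_baseline() {
    find "$1" \( -type f -o -type d \) -print | LC_ALL=C sort | while read -r p; do
        meta=$(LC_ALL=C ls -ldn "$p" | awk '{ print $1 "\t" $3 "\t" $4 "\t" $5 "\t" $6 " " $7 " " $8 }')
        if [ -f "$p" ]; then h=$(hash_file "$p"); else h=-; fi
        printf '%s\t%s\t%s\n' "$p" "$meta" "$h"
    done
}

# compare_baseline <old> <new>: reports paths that were added, removed, or whose record changed
compare_baseline() {
    awk -F '\t' '
        NR == FNR { old[$1] = $0; next }          # first file: the earlier baseline
        { new[$1] = $0 }
        !($1 in old) { print "added   " $1; next }
        old[$1] != $0 { print "changed " $1 }
        END { for (p in old) if (!(p in new)) print "removed " p }
    ' "$1" "$2"
}

# Constructed tree: take a baseline, alter one file, take another, compare.
W=$(mktemp -d)
mkdir "$W/etc"
printf 'root:x:0:0::/root:/usr/bin/bash\n' > "$W/etc/passwd"
printf '127.0.0.1 localhost\n' > "$W/etc/hosts"
BASE1="$W.baseline.1"; BASE2="$W.baseline.2"
make_baseline "$W" > "$BASE1"
printf '203.0.113.9 trusted-server\n' >> "$W/etc/hosts"     # the unauthorized change
make_baseline "$W" > "$BASE2"
compare_baseline "$BASE1" "$BASE2"
# -> prints a single line: changed <W>/etc/hosts
```

Store the baseline on a different system or on read-only media; a baseline kept on the host it describes can be regenerated by whoever altered the files. The tab separator keeps paths containing spaces intact, and the hash is computed only for regular files, which is why a directory record changes only when its mode, ownership or entry list changes.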
SRG-OS-000480
1 Rule
Direct logins must not be permitted to shared, default, application, or utility accounts.
Medium Severity
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
SRG-OS-000480
1 Rule
The system must not have any unnecessary accounts.
Low Severity
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
SRG-OS-000480
1 Rule
The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
Medium Severity
Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.
SRG-OS-000480
1 Rule
The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
Medium Severity
Operating system backup is a critical step in maintaining data assurance and availability. System-level information is data generated for/by the host (such as configuration settings) and/or administrative users. Backups shall be consistent with organizational recovery time and recovery point objectives.
SRG-OS-000480
1 Rule
The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
Medium Severity
Operating system backup is a critical step in maintaining data assurance and availability. System documentation is data generated for/by the host (such as logs) and/or administrative users. Backups shall be consistent with organizational recovery time and recovery point objectives.
SRG-OS-000181
1 Rule
The operating system must prevent the execution of prohibited mobile code.
Medium Severity
Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.
SRG-OS-000480
1 Rule
The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
Medium Severity
Without the use of PKI systems to manage digital certificates, the operating system or other system components may be unable to securely communicate on a network or reliably verify the identity of a user via digital signatures.
SRG-OS-000480
1 Rule
The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
Medium Severity
In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. The requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.
SRG-OS-000215
1 Rule
The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
Medium Severity
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited, on an organizationally defined frequency, helps to assure that, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement can be met by the operating system continuously sending records to a centralized logging server.
SRG-OS-000480
1 Rule
All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
Low Severity
Editing a system file with common tools such as vi, emacs, or gedit does not allow the auditing of changes made by an operator. This reduces the capability of determining which operator made security-relevant changes to the system.
SRG-OS-000142
1 Rule
The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
Medium Severity
In the case of denial of service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources.
SRG-OS-000480
1 Rule
The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
Low Severity
Incorrect ownership can result in unauthorized changes or theft of data.
SRG-OS-000480
1 Rule
The limitpriv zone option must be set to the vendor default or less permissive.
Low Severity
Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.
SRG-OS-000480
1 Rule
The system's physical devices must not be assigned to non-global zones.
Medium Severity
Solaris non-global zones can be assigned physical hardware devices. This increases the risk of such a non-global zone having the capability to compromise the global zone.
SRG-OS-000480
1 Rule
The audit system must identify in which zone an event occurred.
Low Severity
Tracking the specific Solaris zones in the audit trail reduces the time required to determine the cause of a security event.
SRG-OS-000480
1 Rule
The audit system must maintain a central audit trail for all zones.
Low Severity
Centralized auditing simplifies the investigative process to determine the cause of a security event.
SRG-OS-000480
1 Rule
The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
Medium Severity
Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.
SRG-OS-000349
1 Rule
The audit system must support an audit reduction capability.
Medium Severity
Enabling the audit system provides the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000352
1 Rule
The audit system records must be able to be used by a report generation capability.
Medium Severity
Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000062
1 Rule
The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000062
1 Rule
The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and activity information, malicious activity cannot be accurately tracked. Without an audit reduction and reporting capability, users find it difficult to identify specific patterns of attack.
SRG-OS-000062
1 Rule
The audit system must be configured to audit all discretionary access control permission modifications.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000062
1 Rule
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
Medium Severity
Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
SRG-OS-000343
1 Rule
The audit system must alert the SA when the audit storage volume approaches its capacity.
Medium Severity
Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected.
SRG-OS-000344
1 Rule
The audit system must alert the System Administrator (SA) if there is any type of audit failure.
High Severity
Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues.
SRG-OS-000341
1 Rule
The operating system must allocate audit record storage capacity.
Medium Severity
Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.
SRG-OS-000341
1 Rule
The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
High Severity
Overflowing the audit storage area can result in a denial of service or system outage.
SRG-OS-000366
1 Rule
The system must verify that package updates are digitally signed.
Medium Severity
Digitally signed packages ensure that the source of the package can be identified.
SRG-OS-000363
1 Rule
The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
Medium Severity
Addition of unauthorized code or packages may result in data corruption or theft.
SRG-OS-000368
1 Rule
The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
Medium Severity
Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.
SRG-OS-000183
1 Rule
The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
Medium Severity
Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Auto execution vulnerabilities can result in malicious programs being automatically executed. Examples of information system functionality providing the capability for automatic execution of code are Auto Run and Auto Play. Auto Run and Auto Play are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. This requirement is designed to address vulnerabilities that arise when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.
SRG-OS-000324
1 Rule
The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
Medium Severity
Allowing any user to elevate their privileges can allow them excessive control of the system tools.
SRG-OS-000396
1 Rule
The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
Medium Severity
FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules.
SRG-OS-000423
1 Rule
The operating system must protect the integrity of transmitted information.
Medium Severity
Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000424
1 Rule
The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
Medium Severity
Ensuring that transmitted information is not altered during transmission requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000425
1 Rule
The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
Medium Severity
Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000423
1 Rule
The operating system must protect the confidentiality of transmitted information.
Medium Severity
Ensuring the confidentiality of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000424
1 Rule
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Medium Severity
Ensuring that transmitted information does not become disclosed to unauthorized entities requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000425
1 Rule
The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
Medium Severity
Ensuring that transmitted information remains confidential during aggregation, packaging, and transformation requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000404
1 Rule
The operating system must employ cryptographic mechanisms to protect information in storage.
Low Severity
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
SRG-OS-000404
1 Rule
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
Low Severity
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
SRG-OS-000423
1 Rule
The operating system must protect the integrity of transmitted information.
Medium Severity
Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across internal and external networks.
SRG-OS-000327
1 Rule
The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
Medium Severity
Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an operating system which the user being audited has privileged access to. The privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.
SRG-OS-000356
1 Rule
The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Medium Severity
To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.
SRG-OS-000445
1 Rule
The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
Medium Severity
Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property. For example, successful login triggers an audit entry.
SRG-OS-000324
1 Rule
The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
Medium Severity
In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves via operating system entry and exit points. The requirement states that AV and malware protection applications must be used at entry and exit points. For the operating system, this means an anti-virus application must be installed on machines that are the entry and exit points.
SRG-OS-000445
1 Rule
The operating system must identify potentially security-relevant error conditions.
Medium Severity
Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the operating system to exhibit the desired security behavior or satisfy a security property. For example, successful login triggers an audit entry.
SRG-OS-000480
1 Rule
The sshd server must bind the X11 forwarding server to the loopback address.
Medium Severity
Enabling X11 forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost". This prevents remote hosts from connecting to the proxy display.