
Solaris 11 X86 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000396

    Group
  • The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.

    FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules.
    Rule Medium Severity
  • SRG-OS-000423

    Group
  • The operating system must protect the integrity of transmitted information.

    Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across inter...
    Rule Medium Severity
  • SRG-OS-000424

    Group
  • SRG-OS-000425

    Group
  • The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.

    Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across inter...
    Rule Medium Severity
  • SRG-OS-000423

    Group
  • SRG-OS-000424

    Group
  • The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.

    Ensuring that transmitted information does not become disclosed to unauthorized entities requires the operating system take feasible measures to employ transmission layer security. This requirement...
    Rule Medium Severity
  • SRG-OS-000425

    Group
  • The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.

    Ensuring that transmitted information remains confidential during aggregation, packaging, and transformation requires the operating system take feasible measures to employ transmission layer securi...
    Rule Medium Severity
  • SRG-OS-000404

    Group
  • SRG-OS-000404

    Group
  • The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.

    When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and d...
    Rule Low Severity
  • SRG-OS-000423

    Group
  • SRG-OS-000327

    Group
  • The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.

    Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable ...
    Rule Medium Severity
  • SRG-OS-000356

    Group
  • The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

    To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including time-based login and activity restrictions, automa...
    Rule Medium Severity
  • SRG-OS-000445

    Group
  • The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).

    Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as for the underlying security model. The need to...
    Rule Medium Severity
  • SRG-OS-000324

    Group
  • The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.

    In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated prior to entering protected enclaves v...
    Rule Medium Severity
  • SRG-OS-000445

    Group
  • SRG-OS-000480

    Group
  • The sshd server must bind the X11 forwarding server to the loopback address.

    As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as key...
    Rule Medium Severity
  • The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.

    Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. Without accurate time stamps, source, user, and ...
    Rule Medium Severity
  • The audit system must be configured to audit file deletions.

    Without auditing, malicious activity cannot be detected.
    Rule Medium Severity
  • The operating system must protect audit information from unauthorized access.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. T...
    Rule Medium Severity
  • The NIS package must not be installed.

    NIS is an insecure protocol: it serves its maps, including account and password-hash data, to any client that knows the domain name, with no authentication and no encryption.
    Rule High Severity
  • The TFTP service daemon must not be installed unless required.

    TFTP is an insecure protocol: it has no authentication and transfers files in the clear.
    Rule High Severity
  • The operating system must be configured to provide essential capabilities.

    Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications.
    Rule Medium Severity
  • Run control scripts must not execute world writable programs or scripts.

    World writable files could be modified accidentally or maliciously to compromise system integrity.
    Rule Medium Severity
  • The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.

    Externally accessible graphical desktop software may open the system to remote attacks.
    Rule Medium Severity
  • TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.

    TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP...
    Rule Medium Severity
  • The operating system must automatically terminate temporary accounts within 72 hours.

    If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of al...
    Rule Low Severity
  • The system must require passwords to contain at least one uppercase alphabetic character.

    Complex passwords can reduce the likelihood of success of automated password-guessing attacks.
    Rule Medium Severity
  • The system must not have accounts configured with blank or null passwords.

    An account with a blank or null password can be used by anyone who knows the account name, without presenting any credential at all.
    Rule Medium Severity
  • The value mesg n must be configured as the default setting for all users.

    The "mesg n" command blocks attempts to use the "write" or "talk" commands to contact users at their terminals and, as a side effect, slightly strengthens permissions on the user's TTY device by removing group write access to it.
    Rule Low Severity
  • Unauthorized use of the at or cron capabilities must not be permitted.

    On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in the "cron.allow" file, cron jobs can still be run as that user. The "cr...
    Rule Medium Severity
  • The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.

    This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote c...
    Rule Medium Severity
  • The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.

    Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. The organization may define the maximum number of concurrent sessions for an informa...
    Rule Low Severity
  • The system must disable directed broadcast packet forwarding.

    This parameter must be disabled to reduce the risk of denial of service attacks: a host that forwards directed broadcasts lets an attacker use its subnet as an amplifier for smurf-style flooding.
    Rule Low Severity
  • The system must not respond to ICMP timestamp requests.

    By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
    Rule Low Severity
  • The system must not respond to ICMP broadcast timestamp requests.

    By accurately determining the system's clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
    Rule Low Severity
  • The system must not respond to ICMP broadcast netmask requests.

    By determining the netmasks of various computers in your network, an attacker can better map your subnet structure and infer trust relationships.
    Rule Low Severity
  • The system must not respond to broadcast ICMP echo requests.

    ICMP echo requests can be useful for reconnaissance of systems and for denial of service attacks.
    Rule Medium Severity
  • The system must not respond to multicast echo requests.

    Multicast echo requests can be useful for reconnaissance of systems and for denial of service attacks.
    Rule Low Severity
  • The system must set strict multihoming.

    These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. This rule is NA for documented...
    Rule Medium Severity
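The X11 forwarding rule above is usually checked by grepping sshd_config for "X11UseLocalhost yes", which misses a common failure: OpenSSH honours only the first uncommented occurrence of a keyword, so a hardening line appended at the end of the file is silently ignored if the keyword already appears earlier. The following is an added example, not part of the STIG or of Oracle's tooling; it assumes OpenSSH-style parsing (Solaris's SunSSH derives from OpenSSH), no Include directives, the default path /etc/ssh/sshd_config, and a constructed sample config in the usage note.

```shell
#!/bin/sh
# Added example (not from the STIG): resolve the value sshd will actually use
# for a keyword, honouring the first-occurrence-wins rule of OpenSSH.
# Assumptions: OpenSSH-style parsing, no Include directives,
# config at /etc/ssh/sshd_config unless SSHD_CONFIG is set.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# effective_sshd_value KEYWORD DEFAULT   (reads sshd_config on stdin)
# Prints the first value given for KEYWORD (case-insensitive, "Key value" or
# "Key=value", leading whitespace and comment lines tolerated). Scanning stops
# at the first Match block, because global-only keywords are not valid inside
# one. Prints DEFAULT if the keyword never appears.
effective_sshd_value() {
    awk -v kw="$1" -v def="$2" '
        /^[ \t]*#/ { next }                     # comment line
        NF == 0    { next }                     # blank line
        {
            line = $0
            gsub(/=/, " ", line)                # accept Keyword=value
            split(line, f, /[ \t]+/)
            i = (f[1] == "") ? 2 : 1            # leading blanks give an empty f[1]
            key = tolower(f[i])
            if (key == "match") exit            # end of the global section
            if (key == tolower(kw)) { print f[i+1]; found = 1; exit }
        }
        END { if (!found) print def }
    '
}

# check_x11_localhost   (reads sshd_config on stdin)
# Returns 0 when the effective X11UseLocalhost is "yes" (also the OpenSSH
# default when the keyword is absent), 1 otherwise.
check_x11_localhost() {
    case "$(effective_sshd_value X11UseLocalhost yes)" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# Live check on a host:
#   check_x11_localhost < "$SSHD_CONFIG" && echo compliant || echo "X11UseLocalhost is not yes"
```

With a constructed config that contains "x11uselocalhost no" followed later by "X11UseLocalhost yes", the function reports "no", which is what sshd will enforce; a plain grep for the hardening line would have passed it. Remediate by editing the first occurrence (or removing every other one) and restarting the ssh service, then re-run the check.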
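For the file-deletion auditing rule above, the check is whether the "fd" audit class is preselected, and Solaris audit flag syntax makes a naive "grep fd" unreliable: "+fd" audits successes only, "-fd" failures only, "^fd" removes the class again, and "all" covers every class, with later tokens overriding earlier ones. This added example (not from the STIG or from Oracle) evaluates the flag string the way those rules describe and reports on both the active and the configured mask printed by "auditconfig -getflags". The sample output and the class masks in parentheses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the STIG): decide whether the "fd" (file deletion)
# audit class is preselected for both success and failure. Flag syntax:
# "cls" = both, "+cls" = success only, "-cls" = failure only, "^cls" removes
# both, "^+cls"/"^-cls" remove one, "all" stands for every class, and later
# tokens override earlier ones. Sample auditconfig output is constructed.

# class_audited FLAGS CLASS -> prints "<success> <failure>" as 0/1 values
class_audited() {
    flags=${1%%\(*}          # drop the "(0x...,0x...)" mask suffix
    cls=$2
    succ=0; fail=0
    oldifs=$IFS; IFS=,
    for tok in $flags; do
        IFS=$oldifs
        case "$tok" in
            "$cls"|all)        succ=1; fail=1 ;;
            "+$cls"|"+all")    succ=1 ;;
            "-$cls"|"-all")    fail=1 ;;
            "^$cls"|"^all")    succ=0; fail=0 ;;
            "^+$cls"|"^+all")  succ=0 ;;
            "^-$cls"|"^-all")  fail=0 ;;
        esac
    done
    IFS=$oldifs
    printf '%s %s\n' "$succ" "$fail"
}

# getflags_value WHICH   (reads "auditconfig -getflags" output on stdin)
# WHICH is "active" or "configured"; prints that line's flag string.
getflags_value() {
    sed -n "s/^$1 user default audit flags = //p"
}

# check_file_deletion_audited   (reads "auditconfig -getflags" output on stdin)
# Returns 0 only if fd is audited for success and failure in both the active
# and the configured (persistent) mask; prints a finding per bad mask and
# returns 1 otherwise.
check_file_deletion_audited() {
    out=$(cat)
    rc=0
    for which in active configured; do
        flags=$(printf '%s\n' "$out" | getflags_value "$which")
        set -- $(class_audited "$flags" fd)
        if [ "$1" != 1 ] || [ "$2" != 1 ]; then
            printf '%s mask "%s": fd success=%s failure=%s\n' "$which" "$flags" "$1" "$2"
            rc=1
        fi
    done
    return "$rc"
}

# fd_fix_command FLAGS -> the auditconfig command that adds fd while keeping
# the classes already selected (appending fd overrides any earlier ^fd).
fd_fix_command() {
    printf 'auditconfig -setflags %s,fd\n' "${1%%\(*}"
}

# Live check on a host:
#   auditconfig -getflags | check_file_deletion_audited
```

Append fd to the existing selection rather than replacing it, so that login/logout and any other classes the site already audits are not lost; the new default mask applies to sessions started after the change, not to sessions already running.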
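The directed-broadcast, ICMP-response and strict-multihoming rules above are all settings of the Solaris 11 IP stack that are read and written with ipadm, so they are best audited together. The script below is an added example, not part of the STIG or of Oracle's tooling: it compares the current values against the state the rules call for and prints, without running them, the ipadm commands that would correct each deviation. The expected values follow the rules' intent; the property names are the ipadm names that replaced the older ndd tunables and are an assumption about your Solaris 11 release, as is "hostmodel=strong" as the expression of strict multihoming. The sample input in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the STIG): audit the IP-layer properties behind the
# directed-broadcast, ICMP-response and multihoming rules and print the ipadm
# commands that would fix deviations. Property names and the hostmodel=strong
# mapping are assumptions about the Solaris 11 release in use.

# Expected state: one "proto property value" line each.
EXPECTED='
ip _forward_directed_broadcasts 0
ip _respond_to_timestamp 0
ip _respond_to_timestamp_broadcast 0
ip _respond_to_address_mask_broadcast 0
ip _respond_to_echo_broadcast 0
ip _respond_to_echo_multicast 0
ipv4 hostmodel strong
ipv6 hostmodel strong
'

# collect_ip_props: read the live values on a Solaris host, emitting
# "proto property value" lines (ipadm -c separates fields with ":").
collect_ip_props() {
    printf '%s\n' "$EXPECTED" | while read -r proto prop rest; do
        [ -n "$proto" ] || continue
        ipadm show-prop -c -o PROTO,PROPERTY,CURRENT -p "$prop" "$proto" | tr ':' ' '
    done
}

# audit_ip_props: reads "proto property value" lines on stdin; prints one
# FAIL/MISSING finding per deviation and returns 1, or returns 0 when clean.
audit_ip_props() {
    actual=$(cat)
    findings=$(printf '%s\n' "$EXPECTED" | while read -r proto prop want; do
        [ -n "$proto" ] || continue
        got=$(printf '%s\n' "$actual" |
              awk -v p="$proto" -v n="$prop" '$1 == p && $2 == n { print $3; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING %s/%s (want %s)\n' "$proto" "$prop" "$want"
        elif [ "$got" != "$want" ]; then
            printf 'FAIL %s/%s=%s (want %s)\n' "$proto" "$prop" "$got" "$want"
        fi
    done)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# fix_commands: reads audit_ip_props findings on stdin and prints, without
# running, the ipadm set-prop command for each one. Without -t, ipadm set-prop
# changes both the running value and the persistent configuration.
fix_commands() {
    while read -r status spec rest; do
        case "$status" in FAIL|MISSING) ;; *) continue ;; esac
        proto=${spec%%/*}
        prop=${spec#*/}; prop=${prop%%=*}
        want=$(printf '%s\n' "$EXPECTED" |
               awk -v p="$proto" -v n="$prop" '$1 == p && $2 == n { print $3 }')
        printf 'ipadm set-prop -p %s=%s %s\n' "$prop" "$want" "$proto"
    done
}

# On a Solaris host:  collect_ip_props | audit_ip_props | fix_commands
```

Review the printed commands before running them: the strict multihoming rule is marked NA for documented exceptions, and "hostmodel=strong" will drop traffic for addresses not configured on the receiving interface, which breaks hosts that intentionally rely on weak-host behaviour.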
