Solaris 11 X86 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480
Group -
The system must not allow autologin capabilities from the GNOME desktop.
As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf.Rule High Severity -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
User .netrc files must not exist.
The .netrc file presents a significant security risk since it stores passwords in unencrypted form.Rule Medium Severity -
SRG-OS-000480
Group -
The system must not allow users to configure .forward files.
Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to e...Rule Medium Severity -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
The operating system must have no files with extended attributes.
Attackers or malicious users could hide information, exploits, etc. in extended attribute areas. Since extended attributes are rarely used, it is important to find files with extended attributes se...Rule Low Severity -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
Logins to the root account must be restricted to the system console only.
Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems.Rule Medium Severity -
SRG-OS-000025
Group -
The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if a...Rule Low Severity -
SRG-OS-000030
Group -
The operating system must provide the capability for users to directly initiate session lock mechanisms.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of t...Rule Medium Severity -
SRG-OS-000031
Group -
The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of ...Rule Medium Severity -
SRG-OS-000480
Group -
The operating system must not allow logins for users with blank passwords.
If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user.Rule High Severity -
SRG-OS-000480
Group -
The root account must be the only account with GID of 0.
All accounts with a GID of 0 have root group privileges and must be limited to the group account only.Rule Medium Severity -
SRG-OS-000206
Group -
The operating system must reveal error messages only to authorized personnel.
Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages.Rule Low Severity -
SRG-OS-000480
Group -
The operator must document all file system objects that have non-standard access control list settings.
Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings ca...Rule Medium Severity -
SRG-OS-000480
Group -
The operating system must be a supported release.
An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security iss...Rule High Severity -
SRG-OS-000480
Group -
The system must implement non-executable program stacks.
A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the spac...Rule Medium Severity -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
Process core dumps must be disabled unless needed.
Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which m...Rule Medium Severity -
SRG-OS-000480
Group -
SRG-OS-000480
Group -
The centralized process core dump data directory must be owned by root.
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centra...Rule Medium Severity -
SRG-OS-000480
Group -
The centralized process core dump data directory must be group-owned by root, bin, or sys.
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the centra...Rule Medium Severity -
SRG-OS-000480
Group -
The centralized process core dump data directory must have mode 0700 or less permissive.
Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the proces...Rule Medium Severity -
SRG-OS-000480
Group -
Kernel core dumps must be disabled unless needed.
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by e...Rule Medium Severity -
SRG-OS-000480
Group -
The kernel core dump data directory must be owned by root.
Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel co...Rule Medium Severity -
SRG-OS-000480
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.