Solaris 11 X86 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The system must require passwords to contain at least one numeric character.
<VulnDiscussion>Complex passwords can reduce the likelihood of success of automated password-guessing attacks.</VulnDiscussion><Fals...Rule Medium Severity -
SRG-OS-000266
<GroupDescription></GroupDescription>Group -
The system must require passwords to contain at least one special character.
<VulnDiscussion>Complex passwords can reduce the likelihood of success of automated password-guessing attacks.</VulnDiscussion><Fals...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The system must require passwords to contain no more than three consecutive repeating characters.
<VulnDiscussion>Complex passwords can reduce the likelihood of success of automated password-guessing attacks.</VulnDiscussion><Fals...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The system must not have accounts configured with blank or null passwords.
<VulnDiscussion>Complex passwords can reduce the likelihood of success of automated password-guessing attacks.</VulnDiscussion><Fals...Rule Medium Severity -
SRG-OS-000073
<GroupDescription></GroupDescription>Group -
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
<VulnDiscussion>Cryptographic hashes provide quick password authentication while not actually storing the password.</VulnDiscussion><...Rule Medium Severity -
The delay between login prompts following a failed login attempt must be at least 4 seconds.
<VulnDiscussion>As an immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire...Rule Medium Severity -
SRG-OS-000028
<GroupDescription></GroupDescription>Group -
The system must require users to re-authenticate to unlock a graphical desktop environment.
<VulnDiscussion>Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to t...Rule Medium Severity -
SRG-OS-000029
<GroupDescription></GroupDescription>Group -
Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
<VulnDiscussion>Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to t...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The system must prevent the use of dictionary words for passwords.
<VulnDiscussion>The use of common words in passwords simplifies password-cracking attacks.</VulnDiscussion><FalsePositives></F...Rule Medium Severity -
SRG-OS-000109
<GroupDescription></GroupDescription>Group -
The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
<VulnDiscussion>Allowing any user to elevate their privileges can allow them excessive control of the system tools.</VulnDiscussion><...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The default umask for system and users must be 077.
<VulnDiscussion>Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.</Vu...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The default umask for FTP users must be 077.
<VulnDiscussion>Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.</Vu...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The value mesg n must be configured as the default setting for all users.
<VulnDiscussion>The "mesg n" command blocks attempts to use the "write" or "talk" commands to contact users at their terminals, but has the s...Rule Low Severity -
The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
<VulnDiscussion>This requirement applies to both internal and external networks. Terminating network connections associated with communicat...Rule Low Severity -
User accounts must be locked after 35 days of inactivity.
<VulnDiscussion>Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an applicatio...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Login services for serial ports must be disabled.
<VulnDiscussion>Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system....Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The nobody access for RPC encryption key storage service must be disabled.
<VulnDiscussion>If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a ...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
X11 forwarding for SSH must be disabled.
<VulnDiscussion>As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote ...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Consecutive login attempts for SSH must be limited to 3.
<VulnDiscussion>Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limi...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The rhost-based authentication for SSH must be disabled.
<VulnDiscussion>Setting this parameter forces users to enter a password when authenticating with SSH.</VulnDiscussion><FalsePositive...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Direct root account login must not be permitted for SSH access.
<VulnDiscussion>The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a spec...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Host-based authentication for login-based services must be disabled.
<VulnDiscussion>The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure She...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The use of FTP must be restricted.
<VulnDiscussion>FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, i...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The system must not allow autologin capabilities from the GNOME desktop.
<VulnDiscussion>As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabl...Rule High Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Unauthorized use of the at or cron capabilities must not be permitted.
<VulnDiscussion>On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Logins to the root account must be restricted to the system console only.
<VulnDiscussion>Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. Thes...Rule Medium Severity -
SRG-OS-000025
<GroupDescription></GroupDescription>Group -
The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date a...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.