#
# (C) 2015 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
# http://static.tenable.com/prod_docs/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.0 $
# $Date: Sun Jan 11 13:41:08 2015 -0500 $
#
# Description : This .audit is designed against the CIS Oracle Solaris 11 Benchmark v1.1.0 - 09-30-2013.
# https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf
#
#
#Safeguards Solaris 11 Audit File v1.0
#
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "Solaris 11 is installed"
file : "/etc/release"
regex : "^[\\s]+Oracle[\\s]+Solaris[\\s]"
expect : "^[\\s]+Oracle[\\s]+Solaris[\\s]+11"
description : "CIS Oracle Solaris 11 Benchmark v1.1.0 Level 1"
info : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf
This audit checks the testable Level 1 guidance in the CIS Oracle Solaris 11 Benchmark v1.1.0 document.
NOTE : Please read the .audit header before running a compliance scan. Please review the header notes as some queries may not behave as anticipated due to unique environmental variables that may be present on your system(s).
Thank you.
Tenable Network Security, Inc."
system : "SunOS"
type : CMD_EXEC
description : "Check for graphical-login installed"
cmd : "/usr/bin/svcs -a | /usr/bin/grep graphical-login | /usr/bin/wc -l"
expect : "^[\\s]*[1-9]"
system : "SunOS"
type : CMD_EXEC
description : "2.1 Disable Local-only Graphical Login Environment"
info : "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode.
This service should be disabled if it is not required."
solution : "To disable this service, run the following command:
# svcadm disable svc:/application/graphical-login/gdm:default"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,SANS-CSC|3-2,Level|1S,800-53|CM-7,PCI|2.2.5"
cmd : "/usr/bin/svcs -Ho state /application/graphical-login/gdm:default"
expect : "disabled"
dont_echo_cmd : YES
description : "2.1 Disable Local-only Graphical Login Environment"
info : "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode.
This service should be disabled if it is not required."
info : "NOTE: The graphical login environment was not identified as being installed."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,SANS-CSC|3-2,Level|1S,800-53|CM-7,PCI|2.2.5"
system : "SunOS"
type : SVC_PROP
description : "2.2 Configure sendmail Service for Local-Only Mode"
info : "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled.
However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered.
An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it.
The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
info : "NOTE: Although the benchmark states to set the property to false, the actual value must be true to enforce local-only delivery, which is what this check will evaluate. CIS has a ticket open to resolve this issue."
solution : "Run the following to set sendmail to listen only local interfaces:
# svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=true
# svcadm refresh sendmail
# svcadm restart sendmail"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "/network/smtp:sendmail"
property : "config/local_only"
regex : "true"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.3 Disable RPC Encryption Key"
info : "The keyserv service is only required for sites that are using the Secure RPC mechanism.
The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)
This service should be disabled if it is not required."
solution : "To disable this service, run the following command:
# svcadm disable svc:/network/rpc/keyserv"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/rpc/keyserv:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.4 Disable NIS Server Services - server"
info : "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server.
As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
solution : "To disable this service, run the following commands:
# svcadm disable svc:/network/nis/server
# svcadm disable svc:/network/nis/domain"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/nis/server:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.4 Disable NIS Server Services - domain"
info : "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server.
As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
solution : "To disable this service, run the following commands:
# svcadm disable svc:/network/nis/server
# svcadm disable svc:/network/nis/domain"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/nis/domain:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.5 Disable NIS Client Services - client"
info : "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system.
As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
solution : "To disable this service, run the following commands:
# svcadm disable svc:/network/nis/client
# svcadm disable svc:/network/nis/domain"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/nis/client:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.5 Disable NIS Client Services - domain"
info : "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system.
As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
solution : "To disable this service, run the following commands:
# svcadm disable svc:/network/nis/client
# svcadm disable svc:/network/nis/domain"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
system : "SunOS"
type : SVC_PROP
service : "network/nis/domain:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.6 Disable Kerberos TGT Expiration Warning"
info : "The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be \"local only\" by default.
This service should be disabled if it is not required."
solution : "To disable this service, run the following command:
# svcadm disable svc:/network/security/ktkt_warn"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/security/ktkt_warn:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.7 Disable Generic Security Services (GSS)"
info : "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes.
GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
solution : "To disable this service, run the following command:
# svcadm disable svc:/network/rpc/gss"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/rpc/gss:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.8 Disable Removable Volume Manager - rmvolmgr"
info : "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details.
Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
solution : "To disable this service, run the following commands:
# svcadm disable svc:/system/filesystem/rmvolmgr
# svcadm disable svc:/network/rpc/smserver"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|5-3,SANS-CSC|17-8,Level|1S,800-53|MP-2,800-53|MP-7,PCI|2.2.2"
service : "system/filesystem/rmvolmgr:default"
property : "restarter/state"
regex : "disabled"
svcprop_option : CAN_BE_NULL
system : "SunOS"
type : SVC_PROP
description : "2.8 Disable Removable Volume Manager - smserver"
info : "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details.
Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
solution : "To disable this service, run the following commands:
# svcadm disable svc:/system/filesystem/rmvolmgr
# svcadm disable svc:/network/rpc/smserver"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|5-3,SANS-CSC|17-8,Level|1S,800-53|MP-2,800-53|MP-7,PCI|2.2.2"
service : "network/rpc/smserver:default"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : SVC_PROP
description : "2.9 Disable automount Service"
info : "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration.
This service should be disabled if it is not required."
solution : "To disable this service, run the following command:
# svcadm disable svc:/system/filesystem/autofs"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|5-3,SANS-CSC|17-8,Level|1S,800-53|MP-2,800-53|MP-7,PCI|2.2.2"
service : "system/filesystem/autofs:default"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : SVC_PROP
description : "2.10 Disable Apache Service"
info : "The Apache service provides an instance of the Apache web server.
This service should be disabled if it is not required."
solution : "To disable this service, run the following command:
# svcadm disable svc:/network/http:apache22"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.5"
service : "network/http:apache22"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : SVC_PROP
description : "2.11 Disable Local-only RPC Port Mapping Service"
info : "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS).
By default, the Solaris 11 OS configures this service to be local only.
RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
solution : "To disable this service, run the following command:
# svcadm disable svc:/network/rpc/bind
If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|11-1,Level|1S,800-53|CM-7,PCI|2.2.2"
service : "network/rpc/bind:default"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : CMD_EXEC
description : "2.12 Configure TCP Wrappers - inetadm tcp_wrapers = true"
info : "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
solution : "To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo \"ALL: /, /\" > /etc/hosts.allow
where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo \"ALL: ALL\" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,SANS-CSC|11-2,Level|1NS,800-53|AC-17,PCI|1.2.1"
cmd : "/usr/sbin/inetadm -p"
regex : "^[\\s]*tcp_wrappers[\\s]*="
expect : "^[\\s]*tcp_wrappers[\\s]*=[\\s]*[Tt][Rr][Uu][Ee]"
dont_echo_cmd : YES
system : "SunOS"
type : SVC_PROP
description : "2.12 Configure TCP Wrappers - svcprop tcp_wrappers false"
info : "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
solution : "To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo \"ALL: /, /\" > /etc/hosts.allow
where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo \"ALL: ALL\" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,SANS-CSC|11-2,Level|1NS,800-53|AC-17,PCI|1.2.1"
service : "rpc/bind"
property : "config/enable_tcpwrappers"
regex : "true"
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "2.12 Configure TCP Wrappers - hosts.deny"
info : "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
info : "NOTE: Update the value of HOSTS_DENIED_NETWORK with the appropriate value for the local environment."
solution : "To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo \"ALL: /, /\" > /etc/hosts.allow
where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo \"ALL: ALL\" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,SANS-CSC|11-2,Level|1NS,800-53|AC-17,PCI|1.2.1"
file : "/etc/hosts.deny"
regex : "^[\\s]*ALL.*"
expect : "^[\\s]*ALL: @HOSTS_DENIED_NETWORK@"
file_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "2.12 Configure TCP Wrappers - hosts.allow"
info : "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
info : "NOTE: Update the value of HOSTS_ALLOW_NETWORK with the appropriate value for the local environment."
solution : "To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo \"ALL: /, /\" > /etc/hosts.allow
where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo \"ALL: ALL\" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,SANS-CSC|11-2,Level|1NS,800-53|AC-17,PCI|1.2.1"
file : "/etc/hosts.allow"
regex : "^[\\s]*ALL[\\s]*:"
expect : "^[\\s]*ALL[\\s]*: @HOSTS_ALLOW_NETWORK@"
file_required : YES
system : "SunOS"
type : SVC_PROP
description : "2.13 Disable Telnet Service"
info : "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access.
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
solution : "Disable telnet server if enabled:
# svcadm disable svc:/network/telnet"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "SANS-CSC|3-7,Level|1S,800-53|AC-17,800-53|CM-7,PCI|2.2.2"
service : "/network/telnet:default"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : FILE_CHECK
description : "3.1 Restrict Core Dumps to Protected Directory - /var/cores"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
file : "/var/cores"
owner : "root"
group : "root" || "sys"
mask : "0077"
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - global core file pattern"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'global core file pattern'"
expect : "\\/var\\/cores\\/core_%n_%f_%u_%g_%t_%p"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - global core file content"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'global core file content'"
expect : "[\\s:]default[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - init core file pattern"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'init core file pattern'"
expect : "[\\s:]core[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - init core file content"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'init core file content'"
expect : "[\\s:]default[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - global core dumps = enabled"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'global core dumps'"
expect : "enabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - per-process core dumps = disabled"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'per-process core dumps'"
expect : "disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - global setid core dumps = enabled"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'global setid core dumps'"
expect : "enabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - per-process setid core dumps = disabled"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'per-process setid core dumps'"
expect : "disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.1 Restrict Core Dumps to Protected Directory - global core dump logging = enabled"
info : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core.
Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
solution : "To implement the recommendation, run the commands:
# chmod 700 /var/cores
# coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
If the local site chooses, dumping of core files can be completely disabled with the following command:
# coreadm -d global -d global-setid -d process -d proc-setid"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5"
cmd : "/usr/bin/coreadm | /usr/bin/egrep -e 'global core dump logging'"
expect : "enabled"
dont_echo_cmd : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "3.2 Enable Stack Protection - set noexec_user_stack = 1"
info : "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor-supplied and third party software.
Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
solution : "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file:
# if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then
cat <>/etc/system
set noexec_user_stack=1 set noexec_user_stack_log=1
END_CFG
fi"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,800-53|SI-16,PCI|2.2.4"
file : "/etc/system"
regex : "^[\\s]*set[\\s]+noexec_user_stack[\\s]*="
expect : "^[\\s]*set[\\s]+noexec_user_stack[\\s]*=[\\s]*1[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "3.2 Enable Stack Protection - set noexec_user_stack_log = 1"
info : "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor-supplied and third party software.
Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
solution : "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file:
# if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then
cat <>/etc/system
set noexec_user_stack=1 set noexec_user_stack_log=1
END_CFG
fi"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,800-53|SI-16,PCI|2.2.4"
file : "/etc/system"
regex : "^[\\s]*set[\\s]+noexec_user_stack_log[\\s]*="
expect : "^[\\s]*set[\\s]+noexec_user_stack_log[\\s]*=[\\s]*1[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "3.3 Enable Strong TCP Sequence Number Generation - TCP_STRONG_ISS = 2"
info : "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session.
The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
solution : "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file:
# cd /etc/default
# awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS
# mv inetinit.CIS inetinit
To set the TCP_STRONG_ISS parameter on a running system, use the command:
# ipadm set-prop -p _strong_iss=2 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
file : "/etc/default/inetinit"
regex : "^[\\s]*TCP_STRONG_ISS[\\s]*="
expect : "^[\\s]*TCP_STRONG_ISS[\\s]*=[\\s]*2[\\s]*$"
string_required : YES
system : "SunOS"
type : CMD_EXEC
description : "3.4 Disable Source Packet Forwarding - current ipv4 = 0"
info : "This setting controls whether the IPv4 or IPv6 configuration will forward packets with IPv4 routing options or IPv6 routing headers.
Keep this parameter disabled to prevent denial of service attacks through spoofed packets."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _forward_src_routed -co current ipv4"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.4 Disable Source Packet Forwarding - persistent ipv4 = 0"
info : "This setting controls whether the IPv4 or IPv6 configuration will forward packets with IPv4 routing options or IPv6 routing headers.
Keep this parameter disabled to prevent denial of service attacks through spoofed packets."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _forward_src_routed -co persistent,default ipv4 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.4 Disable Source Packet Forwarding - current ipv6 = 0"
info : "This setting controls whether the IPv4 or IPv6 configuration will forward packets with IPv4 routing options or IPv6 routing headers.
Keep this parameter disabled to prevent denial of service attacks through spoofed packets."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _forward_src_routed -co current ipv6"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.4 Disable Source Packet Forwarding - persistent ipv6 = 0"
info : "This setting controls whether the IPv4 or IPv6 configuration will forward packets with IPv4 routing options or IPv6 routing headers.
Keep this parameter disabled to prevent denial of service attacks through spoofed packets."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _forward_src_routed=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _forward_src_routed -co persistent,default ipv6 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.5 Disable Directed Broadcast Packet Forwarding - current ip = 0"
info : "This setting controls whether Solaris forwards broadcast packets for a specific network if it is directly connected to the machine.
Keep this parameter disabled to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _forward_directed_broadcasts=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _forward_directed_broadcasts -co current ip"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.5 Disable Directed Broadcast Packet Forwarding - persistent ip = 0"
info : "This setting controls whether Solaris forwards broadcast packets for a specific network if it is directly connected to the machine.
Keep this parameter disabled to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _forward_directed_broadcasts=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _forward_directed_broadcasts -co persistent,default ip | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.6 Disable Response to ICMP Timestamp Requests - current ip = 0"
info : "This setting controls whether Solaris will respond to ICMP timestamp requests.
Reduce attack surface by restricting this vector used for host discovery."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_timestamp=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_timestamp -co current ip"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.6 Disable Response to ICMP Timestamp Requests - persistent ip = 0"
info : "This setting controls whether Solaris will respond to ICMP timestamp requests.
Reduce attack surface by restricting this vector used for host discovery."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_timestamp=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_timestamp -co persistent,default ip | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.7 Disable Response to ICMP Broadcast Timestamp Requests - current ip = 0"
info : "This setting controls whether Solaris will respond to ICMP broadcast timestamp requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_timestamp_broadcast -co current ip"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.7 Disable Response to ICMP Broadcast Timestamp Requests - persistent ip = 0"
info : "This setting controls whether Solaris will respond to ICMP broadcast timestamp requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_timestamp_broadcast -co persistent,default ip | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.8 Disable Response to ICMP Broadcast Netmask Requests - current ip = 0"
info : "This setting controls whether Solaris will respond to ICMP broadcast netmask requests.
Reduce attack surface by restricting this vector used for host and network discovery and to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_address_mask_broadcast -co current ip"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.8 Disable Response to ICMP Broadcast Netmask Requests - persistent ip = 0"
info : "This setting controls whether Solaris will respond to ICMP broadcast netmask requests.
Reduce attack surface by restricting this vector used for host and network discovery and to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_address_mask_broadcast -co persistent,default ip | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.9 Disable Response to Broadcast ICMPv4 Echo Request - current ip = 0"
info : "This setting controls whether Solaris responds to broadcast ICMPv4 echo requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_echo_broadcast=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_echo_broadcast -co current ip"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.9 Disable Response to Broadcast ICMPv4 Echo Request - persistent ip = 0"
info : "This setting controls whether Solaris responds to broadcast ICMPv4 echo requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _respond_to_echo_broadcast=0 ip"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_echo_broadcast -co persistent,default ip | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.10 Disable Response to Multicast Echo Request - current ipv4 = 0"
info : "These settings control whether Solaris responds to multicast IPv4 and IPv6 echo requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_echo_multicast -co current ipv4"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.10 Disable Response to Multicast Echo Request - persistent ipv4 = 0"
info : "These settings control whether Solaris responds to multicast IPv4 and IPv6 echo requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_echo_multicast -co persistent,default ipv4 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.10 Disable Response to Multicast Echo Request - current ipv6 = 0"
info : "These settings control whether Solaris responds to multicast IPv4 and IPv6 echo requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_echo_multicast -co current ipv6"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.10 Disable Response to Multicast Echo Request - persistent ipv6 = 0"
info : "These settings control whether Solaris responds to multicast IPv4 and IPv6 echo requests.
Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _respond_to_echo_multicast -co persistent,default ipv6 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.11 Ignore ICMP Redirect Messages - current ipv4 = 1"
info : "These settings control whether Solaris will ignore ICMP redirect messages.
IP redirects should not be necessary in a well-designed and maintained network. Set to a value of 1 if there is a high risk for a DoS attack. Otherwise, the default value of 0 is sufficient."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _ignore_redirect -co current ipv4"
regex : "^1[\\s]*$"
expect : "^1[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.11 Ignore ICMP Redirect Messages - persistent ipv4 = 1"
info : "These settings control whether Solaris will ignore ICMP redirect messages.
IP redirects should not be necessary in a well-designed and maintained network. Set to a value of 1 if there is a high risk for a DoS attack. Otherwise, the default value of 0 is sufficient."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _ignore_redirect -co persistent,default ipv4 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^1[\\s]*$"
expect : "^1[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.11 Ignore ICMP Redirect Messages - current ipv6 = 1"
info : "These settings control whether Solaris will ignore ICMP redirect messages.
IP redirects should not be necessary in a well-designed and maintained network. Set to a value of 1 if there is a high risk for a DoS attack. Otherwise, the default value of 0 is sufficient."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _ignore_redirect -co current ipv6"
regex : "^1[\\s]*$"
expect : "^1[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.11 Ignore ICMP Redirect Messages - persistent ipv6 = 1"
info : "These settings control whether Solaris will ignore ICMP redirect messages.
IP redirects should not be necessary in a well-designed and maintained network. Set to a value of 1 if there is a high risk for a DoS attack. Otherwise, the default value of 0 is sufficient."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _ignore_redirect=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _ignore_redirect -co persistent,default ipv6 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^1[\\s]*$"
expect : "^1[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.12 Set Strict Multihoming - current ipv4 = 0"
info : "These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface.
Enable this setting for systems that have interfaces that cross strict networking domains (for example, a firewall or a VPN node)."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _strict_dst_multihoming -co current ipv4"
regex : "^1$"
expect : "^1$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.12 Set Strict Multihoming - persistent ipv4 = 0"
info : "These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface.
Enable this setting for systems that have interfaces that cross strict networking domains (for example, a firewall or a VPN node)."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _strict_dst_multihoming -co persistent,default ipv4 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^1$"
expect : "^1$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.12 Set Strict Multihoming - current ipv6 = 0"
info : "These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface.
Enable this setting for systems that have interfaces that cross strict networking domains (for example, a firewall or a VPN node)."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _strict_dst_multihoming -co current ipv6"
regex : "^1$"
expect : "^1$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.12 Set Strict Multihoming - persistent ipv6 = 0"
info : "These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface.
Enable this setting for systems that have interfaces that cross strict networking domains (for example, a firewall or a VPN node)."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _strict_dst_multihoming=1 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _strict_dst_multihoming -co persistent,default ipv6 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^1$"
expect : "^1$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.13 Disable ICMP Redirect Messages - current ipv4 = 0"
info : "These setting controls whether Solaris sends ICMPv4 and ICMPv6 redirect messages.
A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _send_redirects -co current ipv4"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.13 Disable ICMP Redirect Messages - persistent ipv4 = 0"
info : "These setting controls whether Solaris sends ICMPv4 and ICMPv6 redirect messages.
A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _send_redirects -co persistent,default ipv4 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.13 Disable ICMP Redirect Messages - current ipv6 = 0"
info : "These setting controls whether Solaris sends ICMPv4 and ICMPv6 redirect messages.
A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _send_redirects -co current ipv6"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.13 Disable ICMP Redirect Messages - persistent ipv6 = 0"
info : "These setting controls whether Solaris sends ICMPv4 and ICMPv6 redirect messages.
A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system."
solution : "To enforce this setting for IPv4 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv4
To enforce this setting for IPv6 packets, use the command:
# ipadm set-prop -p _send_redirects=0 ipv6"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _send_redirects -co persistent,default ipv6 | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.14 Disable TCP Reverse IP Source Routing - current tcp = 0"
info : "This setting controls whether TCP reverses the IP source routing option for incoming connections.
If IP source routing is needed for diagnostic purposes, enable it. Otherwise disable it."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _rev_src_routes=0 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _rev_src_routes -co current tcp"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.14 Disable TCP Reverse IP Source Routing - persistent tcp = 0"
info : "This setting controls whether TCP reverses the IP source routing option for incoming connections.
If IP source routing is needed for diagnostic purposes, enable it. Otherwise disable it."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _rev_src_routes=0 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _rev_src_routes -co persistent,default tcp | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^0$"
expect : "^0$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.15 Set Maximum Number of Half-open TCP Connections - current tcp = 4096"
info : "This setting controls how many half-open connections can exist for a TCP port.
It is necessary to control the number of completed connections to the system to provide some protection against Denial of Service attacks. Note that the value of 4096 is a minimum to establish a good security posture for this setting. In environments where connections numbers are high, such as a busy webserver, this value may need to be increased."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _conn_req_max_q0=4096 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _conn_req_max_q0 -co current tcp"
regex : "^(409[6-9]|4[1-9][0-9]{2}|[5-9][0-9]{3}|[1-9][0-9]{4,})$"
expect : "^(409[6-9]|4[1-9][0-9]{2}|[5-9][0-9]{3}|[1-9][0-9]{4,})$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.15 Set Maximum Number of Half-open TCP Connections - persistent tcp = 4096"
info : "This setting controls how many half-open connections can exist for a TCP port.
It is necessary to control the number of completed connections to the system to provide some protection against Denial of Service attacks. Note that the value of 4096 is a minimum to establish a good security posture for this setting. In environments where connections numbers are high, such as a busy webserver, this value may need to be increased."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _conn_req_max_q0=4096 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _conn_req_max_q0 -co persistent,default tcp | /usr/bin/awk -F: '{ if ($1 != \"\") { print $1 } else { print $2 } }'"
regex : "^(409[6-9]|4[1-9][0-9]{2}|[5-9][0-9]{3}|[1-9][0-9]{4,})$"
expect : "^(409[6-9]|4[1-9][0-9]{2}|[5-9][0-9]{3}|[1-9][0-9]{4,})$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.16 Set Maximum Number of Incoming Connections - current tcp = 1024"
info : "This setting controls the maximum number of incoming connections that can be accepted on a TCP port.
Note that the value of 1024 is a minimum to establish a good security posture for this setting. In environments where connections numbers are high, such as a busy webserver, this value may need to be increased."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _conn_req_max_q=1024 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _conn_req_max_q -co current tcp"
regex : "^(102[4-9]|10[3-9][0-9]|1[1-9][0-9]{2}|[2-9][0-9]{3}|[1-9][0-9]{4,})$"
expect : "^(102[4-9]|10[3-9][0-9]|1[1-9][0-9]{2}|[2-9][0-9]{3}|[1-9][0-9]{4,})$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.16 Set Maximum Number of Incoming Connections - persistent tcp = 1024"
info : "This setting controls the maximum number of incoming connections that can be accepted on a TCP port.
Note that the value of 1024 is a minimum to establish a good security posture for this setting. In environments where connections numbers are high, such as a busy webserver, this value may need to be increased."
solution : "To enforce this setting, use the command:
# ipadm set-prop -p _conn_req_max_q=1024 tcp"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-4,Level|1S,800-53|AU-4,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/ipadm show-prop -p _conn_req_max_q -co persistent,default tcp | /usr/bin/sed -e 's/^\\([1-9][0-9]*\\):.*$/\\1/' -e 's/://'"
regex : "^(102[4-9]|10[3-9][0-9]|1[1-9][0-9]{2}|[2-9][0-9]{3}|[1-9][0-9]{4,})$"
expect : "^(102[4-9]|10[3-9][0-9]|1[1-9][0-9]{2}|[2-9][0-9]{3}|[1-9][0-9]{4,})$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv4-routing current = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv4-routing \""
expect : "current[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv4-forwarding current = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv4-forwarding \""
expect : "current[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv4-routing persistent = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv4-routing \""
expect : "persistent[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv4-forwarding persistent = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv4-forwarding \""
expect : "persistent[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv6-routing current = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv6-routing \""
expect : "current[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv6-forwarding current = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv6-forwarding \""
expect : "current[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv6-routing persistent = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv6-routing \""
expect : "persistent[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "3.17 Disable Network Routing - ipv6-forwarding persistent = disabled"
info : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts.
Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
solution : "To enforce this setting and disable IPv4 routing, use the command:
# routeadm -d ipv4-forwarding -d ipv4-routing
To enforce this setting and disable IPv6 routing, use the command:
# routeadm -d ipv6-forwarding -d ipv6-routing
To apply these changes to the running system, use the command:
# routeadm -u"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.DS-2,Level|1S,800-53|SC-5,PCI|2.2.4"
cmd : "/usr/sbin/routeadm -p | /usr/bin/grep \"^ipv6-forwarding \""
expect : "persistent[\\s]*=[\\s]*disabled"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.1 Create CIS Audit Class"
info : "To group a set of related audit events, the Solaris Audit service provides the ability for sites to define their own audit classes that contain just those events that the site wants to audit.
To simplify administration, a CIS specific audit class should be created."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file:
0x0100000000000000:cis:CIS Solaris Benchmark"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/bin/awk '{ print l; l=\$0 }' /etc/security/audit_class"
regex : "^0x0100000000000000:@CIS_AUDIT_CLASS@:"
expect : "^0x0100000000000000:@CIS_AUDIT_CLASS@:CIS[\\s]+Solaris[\\s]+Benchmark[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.2 Enable Auditing of Incoming Network Connections - AUE_ACCEPT : cis"
info : "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system.
This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service-specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_ACCEPT
AUE_CONNECT
AUE_SOCKACCEPT
AUE_SOCKCONNECT
AUE_inetd_connect"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_ACCEPT:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.2 Enable Auditing of Incoming Network Connections - AUE_CONNECT : cis"
info : "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system.
This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service-specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_ACCEPT
AUE_CONNECT
AUE_SOCKACCEPT
AUE_SOCKCONNECT
AUE_inetd_connect"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_CONNECT:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.2 Enable Auditing of Incoming Network Connections - AUE_SOCKACCEPT : cis"
info : "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system.
This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service-specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_ACCEPT
AUE_CONNECT
AUE_SOCKACCEPT
AUE_SOCKCONNECT
AUE_inetd_connect"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SOCKACCEPT:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.2 Enable Auditing of Incoming Network Connections - AUE_SOCKCONNECT : cis"
info : "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system.
This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service-specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_ACCEPT
AUE_CONNECT
AUE_SOCKACCEPT
AUE_SOCKCONNECT
AUE_inetd_connect"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SOCKCONNECT:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.2 Enable Auditing of Incoming Network Connections - AUE_inetd_connect : cis"
info : "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system.
This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service-specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_ACCEPT
AUE_CONNECT
AUE_SOCKACCEPT
AUE_SOCKCONNECT
AUE_inetd_connect"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_inetd_connect:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_CHMOD : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_CHMOD:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_CHOWN : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_CHOWN:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_FCHOWN : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_FCHOWN:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_FCHMOD : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_FCHMOD:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_LCHOWN : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_LCHOWN:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_ACLSET : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_ACLSET:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.3 Enable Auditing of File Metadata Modification Events - AUE_FACLSET : cis"
info : "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_FACLSET:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_CHROOT : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_CHROOT:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETREUID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETREUID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETREGID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETREGID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_FCHROOT : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_FCHROOT:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_PFEXEC : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_PFEXEC:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETUID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETUID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_NICE : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_NICE:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETGID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETGID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_PRIOCNTLSYS : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_PRIOCNTLSYS:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETEGID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETEGID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETEUID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETEUID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETPPRIV : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETPPRIV:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETSID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETSID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "4.4 Enable Auditing of Process and Privilege Events - AUE_SETPGID : cis"
info : "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).
This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events:
AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/security/audit_event"
regex : "^[\\s]*[0-9]+:AUE_SETPGID:"
expect : "[:,]@CIS_AUDIT_CLASS@(,.*+)*[\\s]*$"
string_required : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - audit condition = auditing"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getcond"
regex : "^[\\s]*audit[\\s]+condition[\\s]*="
expect : "^[\\s]*audit[\\s]+condition[\\s]*=[\\s]*auditing[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - configured audit policies = argv,cnt,zonename"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getpolicy | grep \"configured audit policies *=\""
expect : "^[\\s]*configured[\\s]+audit[\\s]+policies[\\s]*=[\\s]*argv,cnt,zonename[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - active audit policies = argv,cnt,zonename"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getpolicy | grep \"active audit policies *=\""
expect : "^[\\s]*active[\\s]+audit[\\s]+policies[\\s]*=[\\s]*argv,cnt,zonename[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - active user flags = cis,ex,aa,ua,as,ss,lo,ft"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getflags | grep \"active user default audit flags *=\""
expect : "^[\\s]*active[\\s]+user[\\s]+default[\\s]+audit[\\s]+flags[\\s]*=[\\s]*@CIS_AUDIT_CLASS@,ex,aa,ua,as,ss,lo,ft\\("
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - configured user flags = cis,ex,aa,ua,as,ss,lo,ft"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getflags | /usr/bin/grep \"configured user default audit flags *=\""
expect : "^[\\s]*configured[\\s]+user[\\s]+default[\\s]+audit[\\s]+flags[\\s]*=[\\s]*@CIS_AUDIT_CLASS@,ex,aa,ua,as,ss,lo,ft\\("
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - active non-attributable flags = lo"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getnaflags | /usr/bin/grep \"active non-attributable audit flags *=\""
expect : "^[\\s]*active[\\s]+non-attributable[\\s]+audit[\\s]+flags[\\s]*=[\\s]*lo\\("
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - configured non-attributable flags = lo"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-2,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getnaflags | /usr/bin/grep \"configured non-attributable audit flags *=\""
expect : "^[\\s]*configured[\\s]+non-attributable[\\s]+audit[\\s]+flags[\\s]*=[\\s]*lo\\("
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - audit_binfile (active)"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.PT-1,SANS-CSC|14-2,HIPAA|164.312(b),Level|1S,800-53|AU-4,PCI|10.2"
cmd : "/usr/sbin/auditconfig -getplugin audit_binfile"
regex : "^[\\s]*Plugin:"
expect : "^[\\s]*Plugin:[\\s]+audit_binfile[\\s]+\\(active\\)[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - audit_binfile attributes: p_minfree=1;"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
cmd : "/usr/sbin/auditconfig -getplugin audit_binfile | /usr/bin/grep \"Attributes:\""
expect : "[\\s;]p_minfree[\\s]*=[\\s]*[1-9][0-9]*[;\\s]*"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - audit_flags root = lo,ad,ft,ex,cis:no"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
info : "NOTE: Update the value of CIS_AUDIT_CLASS with the appropriate value for the local environment."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
cmd : "/usr/bin/userattr audit_flags root"
expect : "^[\\s]*lo,ad,ft,ex,@CIS_AUDIT_CLASS@:no[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "4.5 Configure Solaris Auditing - var/audit/*.not_terminated.*"
info : "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.
This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).
The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
solution : "To enforce this setting, use the command:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$ a 0 * * * * /usr/sbin/audit -n .
w q
END_CRON
# chown root:root /var/audit
# chmod 750 /var/audit"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
cmd : "/usr/bin/ls -l /var/audit/*.not_terminated.* | awk '{ print } END { if (NR == 0) print \"none\" }'"
expect : "\.not_terminated\."
dont_echo_cmd : YES
system : "SunOS"
type : SVC_PROP
description : "5.1 Default Service File Creation Mask"
info : "The default system file creation mask applies to processes that are started by init - including most system services. To ensure that files are not created with write access to anyone other than their owner, the default file creation mask should be set to 022. Some sites with more stringent security requirements may prefer to set this value to 077 to eliminate all permissions for group and world. Note that changing this value from the Solaris default of 022 may negatively impact services that may not be able to operate with a stricter setting.
The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
solution : "Perform the following to implement the recommended state:
# svccfg -s svc:/system/environment:init \ setprop umask/umask = astring: \"022\""
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-6,PCI|7.2"
service : "/system/environment:init"
property : "umask/umask"
regex : "^022$"
-
system : "SunOS"
name : "find_world_writeable_directories"
description : "5.2 Set Sticky Bit on World Writable Directories"
info : "When the so-called sticky bit (set with chmod +t) is set on a directory, then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file).
Files in directories that have had the 'sticky bit' set, can only be deleted by users that have both write permissions for the directory in which the file resides, as well as ownership of the file or directory, or has sufficient privilege. As this prevents users from overwriting each other's files, whether it be accidental or malicious, it is generally appropriate for most world-writable directories (e.g., /tmp). However, consult appropriate vendor documentation before blindly applying the sticky bit to any world writable directories found, in order to avoid breaking any application dependencies on a given directory."
solution : "To set the sticky bit on a directory, run the following command:
# chmod +t [directory name]"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1NS,800-53|AC-6,PCI|2.2.4,PCI|7.2"
system : "SunOS"
type : SVC_PROP
description : "6.1 Disable login: Services on Serial Ports 'terma'"
info : "The svccfg command provides service administration for the lower level of the Service Access Facility hierarchy and can be used to disable the ability to login on a particular port.
Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port."
solution : "Perform the following to implement the recommended state:
# svcadm disable svc:/system/console-login:terma
# svcadm disable svc:/system/console-login:termb"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
service : "/system/console-login:terma"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : SVC_PROP
description : "6.1 Disable login: Services on Serial Ports 'termb'"
info : "The svccfg command provides service administration for the lower level of the Service Access Facility hierarchy and can be used to disable the ability to login on a particular port.
Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port."
solution : "Perform the following to implement the recommended state:
# svcadm disable svc:/system/console-login:terma
# svcadm disable svc:/system/console-login:termb"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
service : "/system/console-login:termb"
property : "restarter/state"
regex : "disabled"
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service"
info : "This action listed prevents keyserv from using default keys for the nobody user, effectively stopping the nobody user from accessing information via Secure RPC.
If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/ENABLE_NOBODY_KEYS=/
{ $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS
# mv keyserv.CIS keyserv"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "/etc/default/keyserv"
regex : "^[\\s]*ENABLE_NOBODY_KEYS"
expect : "^[\\s]*ENABLE_NOBODY_KEYS[\\s]*=[\\s]*[nN][oO][\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.3 Disable X11 Forwarding for SSH - X11Forwarding = no"
info : "The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface.
As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
solution : "Perform the following to implement the recommended state:
# awk '/^X11Forwarding / { $2 = \"no\" } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS
# mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config
# svcadm restart svc:/network/ssh"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*X11Forwarding[\\s]"
expect : "^[\\s]*X11Forwarding[\\s]+[nN][oO][\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.4 Limit Consecutive Login Attempts for SSH - MaxAuthTries = 3"
info : "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits.
By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
solution : "Perform the following to implement the recommended state:
# awk '/^MaxAuthTries/ { $2 = \"3\" } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS
# mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config
# svcadm restart svc:/network/ssh"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,SANS-CSC|16-9,Level|1S,800-53|AC-7,800-53|AC-17,PCI|2.2.4,PCI|8.1.6"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*MaxAuthTries[\\s]"
expect : "^[\\s]*MaxAuthTries[\\s]+[1-3][\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.5 Disable Rhost-based Authentication for SSH - IgnoreRhosts = yes"
info : "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
Setting this parameter forces users to enter a password when authenticating with SSH."
solution : "Perform the following to implement the recommended state:
# awk '/^IgnoreRhosts/ { $2 = \"yes\" }
{ print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS
# mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config
# svcadm restart svc:/network/ssh
This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*IgnoreRhosts[\\s]"
expect : "^[\\s]*IgnoreRhosts[\\s]+[yY][eE][sS][\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.6 Disable root login for SSH - PermitRootLogin = no"
info : "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host.
By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
solution : "Perform the following to implement the recommended state:
# awk '/^PermitRootLogin/ { $2 = \"no\" } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,SANS-CSC|12-14,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitRootLogin[\\s]"
expect : "^[\\s]*PermitRootLogin[\\s]+[nN][oO][\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.7 Blocking Authentication Using Empty/Null Passwords for SSH - PermitEmptyPasswords = no"
info : "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would.
Permitting login without a password is inherently risky."
solution : "Perform the following to implement the recommended state:
# awk '/^PermitEmptyPasswords/ { $2 = \"no\" } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS
# mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config
# svcadm restart svc:/network/ssh"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitEmptyPasswords[\\s]"
expect : "^[\\s]*PermitEmptyPasswords[\\s]+[nN][oO][\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.8 Disable Host-based Authentication for Login-based Services - rlogin auth sufficient pam_rhosts_auth.so.1"
info : "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user.
The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
solution : "Perform the following to implement the recommended state:
# cd /etc
# cp pam.conf pam.conf.pre-CIS
# sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS
# mv pam.conf.CIS pam.conf"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.2"
file : "/etc/pam.conf"
regex : "^[\\s]*rlogin[\\s]+auth[\\s]+sufficient[\\s]"
expect : "^[\\s]*rlogin[\\s]+auth[\\s]+sufficient[\\s]+pam_rhosts_auth\\.so\\.1[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.8 Disable Host-based Authentication for Login-based Services - rsh auth sufficient pam_rhosts_auth.so.1"
info : "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user.
The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
solution : "Perform the following to implement the recommended state:
# cd /etc
# cp pam.conf pam.conf.pre-CIS
# sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS
# mv pam.conf.CIS pam.conf"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.2"
file : "/etc/pam.conf"
regex : "^[\\s]*rsh[\\s]+auth[\\s]+sufficient[\\s]"
expect : "^[\\s]*rsh[\\s]+auth[\\s]+sufficient[\\s]+pam_rhosts_auth\\.so\\.1[\\s]*$"
string_required : YES
system : "SunOS"
type : CMD_EXEC
description : "Check for FTP Service online"
cmd : "/usr/bin/svcs -Ho state svc:/network/ftp:default"
expect : "^online$"
system : "SunOS"
type : FILE_CHECK
description : "Check for /etc/ftpd/ftpusers"
file : "/etc/ftpd/ftpusers"
type : CMD_EXEC
description : "6.9 Restrict FTP Use"
info : "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP.
FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
solution : "Perform the following to implement the recommended state:
# cd /etc/ftpd
# for user in `logins -s | awk '{ print $1 }'` \ aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done
# sort -u ftpusers > ftpusers.CIS
# mv ftpusers.CIS ftpusers
If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command:
# getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers
This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11.1_Benchmark_v1.0.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.3"
cmd : "/usr/bin/logins -s | /usr/bin/awk '{ print $1 } END { print \"aiuser\\\
noaccess\\\
nobody\\\
nobody4\" }' | /usr/bin/egrep -vf /etc/ftpd/ftpusers | /usr/bin/awk '{ print } END { if (NR == 0) print \"none\" }'"
expect : "^none$"
dont_echo_cmd : YES
description : "6.9 Restrict FTP Use - /etc/ftpd/ftpusers file does not exist"
info : "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP.
FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11.1_Benchmark_v1.0.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.3"
description : "6.9 Restrict FTP Use - ftp service disabled"
info : "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP.
FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11.1_Benchmark_v1.0.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.3"
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.10 Set Delay between Failed Login Attempts to 4 - SLEEPTIME = 4"
info : "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the \"login incorrect\" message when a bad password is provided.
As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS
# mv login.CIS login"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-7,800-53|AC-17"
file : "/etc/default/login"
regex : "^[\\s]*SLEEPTIME[\\s]*="
expect : "^[\\s]*SLEEPTIME[\\s]*=[\\s]*[45][\\s]*$"
string_required : NO
system : "SunOS"
type : CMD_EXEC
description : "Gnome installed"
cmd : "/usr/bin/pkg list consolidation/desktop/gnome-incorporation"
regex : "^consolidation/desktop/gnome-incorporation"
expect : "^consolidation/desktop/gnome-incorporation"
system : "SunOS"
type : FILE_CONTENT_CHECK_NOT
description : "6.11 Remove Autologin Capabilities from the GNOME desktop"
info : "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password.
As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)."
solution : "Perform the following to implement the recommended state:
# cd /etc
# awk '/^gdm-autologin/ { $1=\"#gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS
# mv pam.conf.CIS pam.conf"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S"
file : "/etc/pam.conf"
regex : "^[\\s]*gdm-autologin[\\s]"
expect : "^[\\s]*gdm-autologin[\\s]"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.12 Set Default Screen Lock for GNOME Users - timeout = 15"
info : "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment.
As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
solution : "Perform the following to implement the recommended state:
# cd /usr/share/X11/app-defaults
# cp XScreenSaver XScreenSaver.orig
# awk '/^\*timeout:/ { $2 = \"0:10:00\" } /^\*lockTimeout:/ { $2 = \"0:00:00\" } /^\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS
# mv xScreenSaver.CIS xScreenSaver"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,SANS-CSC|16-6,Level|1S,800-53|AC-11"
file : "/usr/share/X11/app-defaults/XScreenSaver"
regex : "^[\\s]*\\*timeout[\\s]*:"
expect : "^[\\s]*\\*timeout[\\s]*:[\\s]*0:(5[0-9]|15):00[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.12 Set Default Screen Lock for GNOME Users - lockTimeout = 0"
info : "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment.
As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
solution : "Perform the following to implement the recommended state:
# cd /usr/share/X11/app-defaults
# cp XScreenSaver XScreenSaver.orig
# awk '/^\*timeout:/ { $2 = \"0:10:00\" } /^\*lockTimeout:/ { $2 = \"0:00:00\" } /^\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS
# mv xScreenSaver.CIS xScreenSaver"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,SANS-CSC|16-6,Level|1S,800-53|AC-11"
file : "/usr/share/X11/app-defaults/XScreenSaver"
regex : "^[\\s]*\\*lockTimeout[\\s]*:"
expect : "^[\\s]*\\*lockTimeout[\\s]*:[\\s]*0:15:00[\\s]*$"
string_required : YES
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.12 Set Default Screen Lock for GNOME Users - lock = true"
info : "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment.
As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
solution : "Perform the following to implement the recommended state:
# cd /usr/share/X11/app-defaults
# cp XScreenSaver XScreenSaver.orig
# awk '/^\*timeout:/ { $2 = \"0:10:00\" } /^\*lockTimeout:/ { $2 = \"0:00:00\" } /^\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS
# mv xScreenSaver.CIS xScreenSaver"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,SANS-CSC|16-6,Level|1S,800-53|AC-11"
file : "/usr/share/X11/app-defaults/XScreenSaver"
regex : "^[\\s]*\\*lock[\\s]*:"
expect : "^[\\s]*\\*lock[\\s]*:[\\s]*[tT][rR][uU][eE][\\s]*$"
string_required : YES
description : "6.11 Remove Autologin Capabilities from the GNOME desktop"
info : "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password.
As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)."
info : "NOTE: GNOME has not been identified as being installed on the target."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S"
description : "6.12 Set Default Screen Lock for GNOME Users"
info : "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment.
As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
info : "NOTE: GNOME has not been identified as being installed on the target."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S,800-53|AC-11"
type : FILE_CONTENT_CHECK
description : "6.14 Restrict root Login to System Console - CONSOLE = /dev/console"
info : "Privileged access to the system via root must be accountable to a particular user.
Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS
# mv login.CIS login"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,SANS-CSC|12-14,Level|1S,PCI|2.2.4"
file : "/etc/default/login"
regex : "^[\\s]*CONSOLE[\\s]*="
expect : "^[\\s]*CONSOLE[\\s]*=[\\s]*\\/dev\\/console[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "6.15 Set Retry Limit for Account Lockout - RETRIES = 3"
info : "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked.
The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name.
Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS
# mv login.CIS login
# cd /etc/security
# awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS
# mv policy.conf.CIS policy.conf
# svcadm restart svc:/system/name-service/cache
Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account:
# usermod -K lock_after_retries=no oracle
NOTE: The root role is configured in this manner by default to prevent accidental lock out."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|16-9,Level|1S,800-53|AC-2,800-53|AC-7,800-53|IA-5,PCI|8.1.6"
file : "/etc/default/login"
regex : "^[\\s]*RETRIES[\\s]*="
expect : "^[\\s]*RETRIES[\\s]*=[\\s]*[1-3][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "6.15 Set Retry Limit for Account Lockout - LOCK_AFTER_RETRIES = yes"
info : "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked.
The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name.
Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS
# mv login.CIS login
# cd /etc/security
# awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS
# mv policy.conf.CIS policy.conf
# svcadm restart svc:/system/name-service/cache
Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account:
# usermod -K lock_after_retries=no oracle
NOTE: The root role is configured in this manner by default to prevent accidental lock out."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|16-9,Level|1S,800-53|AC-2,800-53|AC-7,800-53|IA-5,PCI|8.1.6"
file : "/etc/security/policy.conf"
regex : "^[\\s]*LOCK_AFTER_RETRIES[\\s]*="
expect : "^[\\s]*LOCK_AFTER_RETRIES[\\s]*=[\\s]*[yY][eE][sS][\\s]*$"
string_required : YES
system : "SunOS"
type : CMD_EXEC
description : "SPARC"
cmd : "/usr/bin/uname -p"
regex : "sparc"
expect : "sparc"
system : "SunOS"
type : CMD_EXEC
description : "6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = command"
info : "Oracle SPARC systems support the use of a EEPROM password for the console.
Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy)."
solution : "Perform the following to implement the recommended state:
# eeprom security-mode=command
# eeprom security-#badlogins=0
After entering the last command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot-level on the system (the ok or > prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended). Write down the password and store it in a sealed envelope in a secure location (note that locked desk drawers are typically not secure). If the password is lost or forgotten, simply log into the system and run the command:
# eeprom security-mode=none
This will erase the forgotten password. If the password is lost or forgotten and this action cannot be completed, then the EEPROM must be replaced to gain access to the system. To set a new password, run the command:
# eeprom security-mode=command"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1NS,800-53|PE-5"
cmd : "/usr/sbin/eeprom security-mode"
expect : "^[\\s]*security-mode[\\s]*=[\\s]*([cC][oO][mM][mM][aA][nN][dD]|[fF][uU][lL][lL])[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0"
info : "Oracle SPARC systems support the use of a EEPROM password for the console.
Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy)."
solution : "Perform the following to implement the recommended state:
# eeprom security-mode=command
# eeprom security-#badlogins=0
After entering the last command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot-level on the system (the ok or > prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended). Write down the password and store it in a sealed envelope in a secure location (note that locked desk drawers are typically not secure). If the password is lost or forgotten, simply log into the system and run the command:
# eeprom security-mode=none
This will erase the forgotten password. If the password is lost or forgotten and this action cannot be completed, then the EEPROM must be replaced to gain access to the system. To set a new password, run the command:
# eeprom security-mode=command"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1NS,800-53|PE-5"
cmd : "/usr/sbin/eeprom security-#badlogins"
expect : "^[\\s]*security-#badlogins[\\s]*=[\\s]*0[\\s]*$"
dont_echo_cmd : YES
description : "6.16 Set EEPROM Security Mode and Log Failed Access (SPARC)"
info : "Oracle SPARC systems support the use of a EEPROM password for the console.
Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy)."
info : "NOTE: This check was not executed as the target platform was not identified as SPARC."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1NS,800-53|PE-5"
system : "SunOS"
type : CMD_EXEC
description : "Intel"
cmd : "/usr/bin/uname -p"
regex : "i386"
expect : "i386"
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.17 Secure the GRUB Menu (Intel) - password --md5"
info : "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console.
The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
solution : "Perform the following to implement the recommended state:
# /boot/grub/bin/grub
grub> md5crypt
Password: [enter desired boot loader password]
Encrypted: [enter md5 password string]
grub> [enter control-C (^C)]
The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user:
# chmod 600 /rpool/boot/grub/menu.lst
Next, add the following line to the menu.lst file above the entries added by bootadm:
password --md5 [enter md5 password string generated above]
Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect):
title Solaris failsafe
lock"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S,800-53|PE-5"
file : "/rpool/boot/grub/menu.lst"
regex : "^[\\s]*password[\\s]+--md5[\\s]+"
expect : "^[\\s]*password[\\s]+--md5[\\s]+.+"
string_required : YES
system : "SunOS"
type : FILE_CHECK
description : "6.17 Secure the GRUB Menu (Intel) - menu.lst perms"
info : "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console.
The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
solution : "Perform the following to implement the recommended state:
# /boot/grub/bin/grub
grub> md5crypt
Password: [enter desired boot loader password]
Encrypted: [enter md5 password string]
grub> [enter control-C (^C)]
The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user:
# chmod 600 /rpool/boot/grub/menu.lst
Next, add the following line to the menu.lst file above the entries added by bootadm:
password --md5 [enter md5 password string generated above]
Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect):
title Solaris failsafe
lock"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S,800-53|PE-5"
file : "/rpool/boot/grub/menu.lst"
mask : "177"
system : "SunOS"
type : FILE_CONTENT_CHECK
description : "6.17 Secure the GRUB Menu (Intel) - lock"
info : "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console.
The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
solution : "Perform the following to implement the recommended state:
# /boot/grub/bin/grub
grub> md5crypt
Password: [enter desired boot loader password]
Encrypted: [enter md5 password string]
grub> [enter control-C (^C)]
The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user:
# chmod 600 /rpool/boot/grub/menu.lst
Next, add the following line to the menu.lst file above the entries added by bootadm:
password --md5 [enter md5 password string generated above]
Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect):
title Solaris failsafe
lock"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S,800-53|PE-5"
file : "/rpool/boot/grub/menu.lst"
regex : "^[\\s]*lock[\\s]*$"
expect : "^[\\s]*lock[\\s]*$"
required : YES
description : "6.17 Secure the GRUB Menu (Intel)"
info : "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console.
The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
info : "NOTE: This check was not executed as the target platform was not identified as Intel."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-2,Level|1S,800-53|PE-5"
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - PASSLENGTH = 14"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=14\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*PASSLENGTH[\\s]*="
expect : "^[\\s]*PASSLENGTH[\\s]*=[\\s]*(1[4-9]|[2-9][0-9])[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - NAMECHECK = yes"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*NAMECHECK[\\s]*="
expect : "^[\\s]*NAMECHECK[\\s]*=[\\s]*[yY][eE][sS][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - HISTORY = 24"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
"
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-9,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.5"
file : "/etc/default/passwd"
regex : "^[\\s]*HISTORY[\\s]*="
expect : "^[\\s]*HISTORY[\\s]*=[\\s]*(2[4-9]|[3-9][0-9]|[1-9][0-9][0-9])+[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - MINDIFF = 3"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*MINDIFF[\\s]*="
expect : "^[\\s]*MINDIFF[\\s]*=[\\s]*[3-9][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - MINALPHA = 2"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*MINALPHA[\\s]*="
expect : "^[\\s]*MINALPHA[\\s]*=[\\s]*[2-9][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - MINUPPER = 1"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*MINUPPER[\\s]*="
expect : "^[\\s]*MINUPPER[\\s]*=[\\s]*[1-9][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - MINLOWER = 1"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*MINLOWER[\\s]*="
expect : "^[\\s]*MINLOWER[\\s]*=[\\s]*[1-9][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - MINNONALPHA = 1"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*MINNONALPHA[\\s]*="
expect : "^[\\s]*MINNONALPHA[\\s]*=[\\s]*[1-9][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - MAXREPEATS = 0"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*MAXREPEATS[\\s]*="
expect : "^[\\s]*MAXREPEATS[\\s]*=[\\s]*0[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - WHITESPACE = yes"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*WHITESPACE[\\s]*="
expect : "^[\\s]*WHITESPACE[\\s]*=[\\s]*[yY][eE][sS][\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - DICTIONDBDIR = /var/passwd"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*DICTIONDBDIR[\\s]*="
expect : "^[\\s]*DICTIONDBDIR[\\s]*=[\\s]*\\/var\\/passwd[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.2 Set Strong Password Creation Policies - DICTIONLIST = /usr/share/lib/dict/words"
info : "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.
Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=24\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=24\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ \ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11.1_Benchmark_v1.0.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-3,SANS-CSC|16-8,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.2.3"
file : "/etc/default/passwd"
regex : "^[\\s]*DICTIONLIST[\\s]*="
expect : "^[\\s]*DICTIONLIST[\\s]*=[\\s]*\\/usr\\/share\\/lib\\/dict\\/words[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.3 Set Default umask for users - UMASK = 027"
info : "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories.
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS
# mv login.CIS login"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-6,PCI|7.2"
file : "/etc/default/login"
regex : "^[\\s]*UMASK[\\s]*="
expect : "^[\\s]*UMASK[\\s]*=[\\s]*0[2367]7[\\s]*$"
string_required : YES
system : "SunOS"
type : CMD_EXEC
description : "Check for FTP Service online"
cmd : "/usr/bin/svcs -Ho state svc:/network/ftp:default"
expect : "^online$"
type : FILE_CONTENT_CHECK
description : "7.4 Set Default File Creation Mask for FTP Users"
info : "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server.
Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
solution : "Perform the following to implement the recommended state:
# cd /etc
# if [ \"`grep '^Umask' proftpd.conf`\" ]; then
awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS
mv proftpd.conf.CIS proftpd.conf
else
echo \"Umask 027\" >> proftpd.conf
fi"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-6,PCI|7.2"
file : "/etc/proftpd.conf"
regex : "^[\\s]*Umask[\\s]*="
expect : "^[\\s]*Umask[\\s]*=[\\s]*0[2-7]7[\\s]*$"
string_required : YES
description : "7.4 Set Default File Creation Mask for FTP Users"
info : "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server.
Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
info : "NOTE: This check was not executed as the FTP service identified as installed on the target."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-6,PCI|7.2"
type : FILE_CONTENT_CHECK
description : "7.5 Set 'mesg n' as Default for All Users - /etc/.login mesg = n"
info : "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device.
Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
solution : "Perform the following to implement the recommended state:
# cd /etc
# for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS; mv $file.CIS $file; else echo mesg n >> $file; fi; done"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/.login"
regex : "^[\\s]*mesg[\\s]"
expect : "^[\\s]*mesg[\\s]+n[\\s]*$"
string_required : YES
type : FILE_CONTENT_CHECK
description : "7.5 Set 'mesg n' as Default for All Users - /etc/profile mesg = n"
info : "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device.
Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
solution : "Perform the following to implement the recommended state:
# cd /etc
# for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS; mv $file.CIS $file; else echo mesg n >> $file; fi; done"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S"
file : "/etc/profile"
regex : "^[\\s]*mesg[\\s]"
expect : "^[\\s]*mesg[\\s]+n[\\s]*$"
string_required : YES
system : "SunOS"
type : CMD_EXEC
description : "7.6 Lock Inactive User Accounts - useradd -D, 120"
info : "Guidelines published by the U.S. Department of Defense specify that user accounts must be locked out after 120 days of inactivity. This number may vary based on the particular site's policy.
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
solution : "Perform the following to implement the recommended state:
# useradd -D -f 120
To set this policy on a user account, use the command(s):
# usermod -f 120 [name]
To set this policy on a role account, use the command(s):
# rolemod -f 120 [name]"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|16-7,Level|1S,800-53|AC-2,800-53|IA-5,PCI|8.1.4,PCI|8.5.5"
cmd : "/usr/sbin/useradd -D | /usr/bin/xargs -n 1 | /usr/bin/grep inactive | /usr/bin/awk -F= '{ print $2 }'"
regex : "^[\\s]*([1-9]|[1-9][0-9]|1[0-1][1-9]|120)[\\s]*$"
expect : "^[\\s]*([1-9]|[1-9][0-9]|1[0-1][1-9]|120)[\\s]*$"
dont_echo_cmd : YES
type : FILE_CONTENT_CHECK
description : "8.5 Check that the Banner Setting for telnet is Null - BANNER ="
info : "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system.
The warning banner provides information that can be used in reconnaissance for an attack.
By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
solution : "Perform the following to implement the recommended state:
# cd /etc/default
# awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS
# mv telnetd.CIS telnetd"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,800-53|AC-8"
file : "/etc/default/telnetd"
regex : "^[\\s]*BANNER[\\s]*="
expect : "^[\\s]*BANNER[\\s]*=[\\s]*$"
system : "SunOS"
type : CMD_EXEC
description : "9.1 Check for Remote Consoles"
info : "The consadm command can be used to select or display alternate console devices.
Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles have not been defined. The \"consadm -p\" command displays any alternate consoles that have been defined as auxiliary across reboots. If no remote consoles have been defined, there will be no output from this command."
solution : "Perform the following to implement the recommended state:
# /usr/sbin/consadm [-d device...]"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17"
cmd : "/usr/sbin/consadm -p | /usr/bin/awk '{ print } END { if(NR == 0) print \"none\" }'"
expect : "none"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "9.3 Verify System Account Default Passwords - locked"
info : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts.
System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
solution : "To lock a single account, use the command:
# passwd -d [username]
# passwd -l [username]
To configure a single account to be non-login, use the command:
# passwd -d [username]
# passwd -N [username]"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|16-3,Level|1S,800-53|AC-2,800-53|IA-5"
cmd : "/usr/bin/passwd -sa | /usr/bin/awk 'BEGIN { f=0; c=0 } \$1 ~ /^(aiuser|dhcpserv|dladm|ftp|gdm|netadm|netcfg|noaccess|nobody|nobody4|openldap|pkg5srv|svctag|unknown|webservd|xvm)/ && \$2 != \"LK\" { print \"Account \"\$1\" is not locked.\"; f++ } END { if (f==0) print \"none\" }'"
expect : "none"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "9.3 Verify System Account Default Passwords - non-login"
info : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts.
System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
solution : "To lock a single account, use the command:
# passwd -d [username]
# passwd -l [username]
To configure a single account to be non-login, use the command:
# passwd -d [username]
# passwd -N [username]"
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|16-3,Level|1S,800-53|AC-2,800-53|IA-5"
cmd : "/usr/bin/passwd -sa | /usr/bin/awk 'BEGIN { f=0; c=0 } \$1 ~ /^(adm|bin|daemon|lp|mysql|nuucp|postgres|smmsp|sys|upnp|uucp|zfssnap)/ && \$2 != \"NL\" { print \"Account \"\$1\" is not non-login.\"; f++ } END { if (f==0) print \"none\" }'"
expect : "none"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "9.4 Ensure Password Fields are Not Empty"
info : "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login).
All accounts must have passwords, be configured as \"Non-login,\" or be locked."
solution : "Use the passwd -l command to lock accounts that are not permitted to execute commands. Use the passwd -N command to set accounts to be non-login."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,800-53|IA-5,PCI|2.2.4,PCI|8.5.11"
cmd : "/usr/bin/logins -p | awk '{ print } END { if (NR == 0) print \"none\" }'"
expect : "none"
dont_echo_cmd : YES
-
name : "passwd_zero_uid"
description : "9.5 Verify No UID 0 Accounts Exist Other than root"
info : "Any account with UID 0 has superuser rights on the system.
This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
solution : "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|3-3,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,800-53|AC-6,PCI|2.2.4,PCI|8.1.1"
-
name : "dot_in_root_path_variable"
description : "9.6 Ensure root PATH Integrity - dot in path"
info : "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly.
Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
solution : "Correct or justify any items discovered in the Audit step."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,PCI|2.2.4"
-
name : "writeable_dirs_in_root_path_variable"
description : "9.6 Ensure root PATH Integrity - writeable dir in path"
info : "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly.
Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
solution : "Correct or justify any items discovered in the Audit step."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|SC-4,PCI|2.2.4"
system : "SunOS"
type : CMD_EXEC
description : "9.7 Check Permissions on User Home Directories"
info : "While the system administrator can establish secure permissions for users' home directories, the users can easily override these.
Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges."
solution : "Correct or justify any items discovered in the Audit step. Determine if any user directory permissions are world-readable, writable, or executable, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-6,PCI|2.2.4,PCI|7.2"
cmd : "/usr/bin/logins -ox | /usr/bin/awk -F: '($8 == \"PS\") { print $6 }' | while read dir; do /usr/bin/find ${dir} -type d -prune \\( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \\) -ls; done | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "9.8 Check Permissions on User '.' (Hidden) Files"
info : "While the system administrator can establish secure permissions for users' \"dot\" files, the users can easily override these.
Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges."
solution : "Correct or justify any items discovered in the Audit step. Determine if any user hidden files are world-readable or writable, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-6,PCI|2.2.4,PCI|7.2"
mask : "026"
cmd : "/usr/bin/logins -ox | /usr/bin/awk -F: '($8 !~ /^(LK|NL)$/) { print $6 }' | while read dir; do /usr/bin/find ${dir}/.[A-Za-z0-9]* \\! -type l \\( -perm -20 -o -perm -02 \\) -ls; done | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : FILE_CHECK
description : "9.9 Check Permissions on User .netrc Files"
info : "While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these.
.netrc files may contain unencrypted passwords that can be used to attack other systems."
solution : "Correct or justify any items discovered in the Audit step. Determine if any user .netrc files are group- or world-readable or writable, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-6,800-53|AC-17,PCI|2.2.4,PCI|7.2"
file : "~/.netrc"
mask : "077"
system : "SunOS"
type : FILE_CHECK_NOT
description : "9.10 Check for Presence of User .rhosts Files"
info : "While no .rhosts files are shipped with Solaris, users can easily create them.
This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf.
Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
solution : "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "~/.rhosts"
-
name : "passwd_invalid_gid"
description : "9.11 Check Groups in passwd(4)"
info : "Over time, system administration errors and changes can lead to groups being defined in passwd(4) but not in group(4).
Groups defined in passwd(4) but not in group(4) file pose a threat to system security since group permissions are not properly managed."
solution : "Correct or justify any items discovered in the Audit step. Determine if any groups are in passwd(4)but not in group(4), and work with those users or group owners to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,PCI|2.2.4,PCI|8.1"
system : "SunOS"
type : CMD_EXEC
description : "9.12 Check That Users Are Assigned Home Directories"
info : "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set.
All users must be assigned a home directory in passwd(4)."
solution : "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,Level|1S,800-53|AC-2,PCI|2.2.4"
cmd : "/usr/bin/logins -ox | /usr/bin/awk -F: 'BEGIN { c=0 } $8 ~ /^(PS|UP|NP|UN)$/ && $6 == \"\" { print \"Home dir for \"$1\" is not defined.\"; c++ } END { if (c==0) print \"all user homes are defined\" }'"
expect : "^all user homes are defined[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "9.13 Check That Defined Home Directories Exist"
info : "Users can be defined to have a home directory in passwd(4), even if the directory does not actually exist.
If the user's home directory does not exist, the user will be placed in \"/\" and will not be able to write any files or have local environment variables set."
solution : "Correct or justify any items discovered in the Audit step. Determine if there exists any users whose home directories do not exist, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,PCI|2.2.4"
cmd : "/usr/bin/logins -ox | /usr/bin/awk -F: '$8 ~ /^(PS|UP|NP|UN)$/ { print $6 }' | while read dir; do /usr/bin/ls ${dir} >/dev/null 2>&1 || echo \"${dir} does not exsit.\"; done | /usr/bin/awk '{ print } END { if (NR==0) print \"all user directories exist\" }'"
expect : "^all user directories exist[\\s]*$"
dont_echo_cmd : YES
system : "SunOS"
type : CMD_EXEC
description : "9.14 Check User Home Directory Ownership"
info : "The user home directory is space defined for the particular user to set local environment variables and to store personal files.
Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory."
info : "NOTE: This check selects users that are not locked and are not non-login in order to reduce false positives."
solution : "Correct or justify any items discovered in the Audit step. Determine if there exists any users whose home directory is not properly owned, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1S,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|AC-16,PCI|2.2.4,PCI|7.2"
cmd : "/usr/bin/logins -ox | /usr/bin/awk -F: '($8 == \"PS\") { print }' | while read line; do user=`echo ${line} | /usr/bin/awk -F: '{ print $1 }'`; home=`echo ${line} | /usr/bin/awk -F: '{ print $6 }'`; /usr/bin/find ${home} -type d -prune \\! -user ${user} -ls; done | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none[\\s]*$"
dont_echo_cmd : YES
-
name : "passwd_duplicate_uid"
description : "9.15 Check for Duplicate UIDs"
info : "Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually modify passwd(4) and change the UID field.
Users must be assigned unique UIDs for accountability and to ensure appropriate access protections."
solution : "Correct or justify any items discovered in the Audit step. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,800-53|IA-2,PCI|2.2.4,PCI|8.1.1"
-
name : "group_duplicate_gid"
description : "9.16 Check for Duplicate GIDs"
info : "Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually modify group(4) and change the GID field.
User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections."
solution : "Correct or justify any items discovered in the Audit step. Determine if there exists any duplicate group identifiers, and work with each respective group owner to remediate this issue and ensure that the group ownership of their files are set to an appropriate value."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|12-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,800-53|IA-2,PCI|2.2.4,PCI|8.1.1"
system : "SunOS"
type : CMD_EXEC
description : "9.17 Check That Reserved UIDs Are Assigned to System Accounts"
info : "Traditionally, Unix systems have established \"reserved\" UIDs (0-99 range) intended for system accounts.
If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID."
solution : "Correct or justify any items discovered in the Audit step. Determine if there are any accounts using these reserved UIDs, and work with their owner to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,SANS-CSC|3-3,SANS-CSC|16-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-6,PCI|2.2.4,PCI|7.2,PCI|8.1.1"
cmd : "/usr/bin/logins -so | /usr/bin/awk -F: 'BEGIN { f=0 } \$1 !~ /^(adm|aiuser|bin|daemon|dhcpserv|dladm|ftp|gdm|listen|lp|mysql|netadm|netcfg|noaccess|nobody|nobody4|nuucp|openldap|pkg5srv|postgres|root|smmsp|svctag|sys|unknown|uucp|upnp|webservd|xvm|zfssnap)\$/ { print \"Invalid User with Reserved UID: \"\$1; f++ } END { if (f==0) print \"none\" }'"
expect : "none"
-
name : "passwd_duplicate_username"
description : "9.18 Check for Duplicate User Names"
info : "Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually modify passwd(4) and change the user name.
If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in passwd(4). For example, if \"test4\" has a UID of 1000 and a subsequent \"test4\" entry has a UID of 2000, logging in as \"test4\" will use UID 1000.
Effectively, the UID is shared, which is a potential security problem."
solution : "Correct or justify any items discovered in the Audit step. Determine if there are any duplicate user names, and work with their respective owners to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,800-53|IA-2,PCI|2.2.4,PCI|8.1.1"
-
name : "group_duplicate_name"
description : "9.19 Check for Duplicate Group Names"
info : "Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually modify group(4) and change the group name.
If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in group(4). Effectively, the GID is shared, which is a security risk."
solution : "Correct or justify any items discovered in the Audit step. Determine if there are any duplicate group names, and work with their respective owners to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-1,HIPAA|164.312(a)(2)(i),Level|1S,800-53|AC-2,800-53|IA-2,PCI|2.2.4,PCI|8.1.1"
system : "SunOS"
type : FILE_CHECK_NOT
description : "9.20 Check for Presence of User .netrc Files"
info : "The .netrc file contains data for logging into a remote host for file transfers via FTP.
The .netrc file presents a significant security risk since it stores passwords in unencrypted form."
solution : "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-3,Level|1S,800-53|AC-17,PCI|2.2.4"
file : "~/.netrc"
system : "SunOS"
type : FILE_CHECK_NOT
description : "9.21 Check for Presence of User .forward Files"
info : "The .forward file specifies an email address to which a user's mail is forwarded.
Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions."
solution : "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,PCI|2.2.4"
file : "~/.forward"
-
system : "SunOS"
name : "find_world_writeable_files"
description : "9.22 Find World Writable Files"
info : "Unix-based systems support variable settings to control access to files. World-writable files are the least secure. See the chmod(2) man page for more information.
Data in world-writable files can be read, modified, and potentially compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity."
solution : "Correct or justify any items discovered in the Audit step. Determine the existence of any \"write access\" given for the \"other\" category (chmod o-w ), and work with the owner to determine the best course of action in accordance with site policy."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1NS,800-53|AC-3,800-53|AC-6,800-53|SC-4,PCI|2.2.4,PCI|7.2"
ignore : "/system/*"
-
system : "SunOS"
name : "find_suid_sgid_files"
description : "9.23 Find SUID/SGID System Executables"
info : "The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID/SGID program is to enable users to perform functions (such as changing their password), which requires root privileges.
There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate."
solution : "Correct or justify any items discovered in the Audit step. Determine the existence of any set-UID programs that do not belong on the system, and work with the owner (or system administrator) to determine the best course of action in accordance with site policy. Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example:
# elfsign verify -e /usr/bin/su elfsign: verification of /usr/bin/su passed."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,SANS-CSC|12-1,Level|1NS,800-53|AC-3,800-53|AC-6,800-53|IA-2,800-53|IA-5,800-53|SC-4,PCI|2.2.4,PCI|7.2,PCI|10.4"
severity : MEDIUM
-
system : "SunOS"
name : "find_orphan_files"
description : "9.24 Find Un-owned Files and Directories"
info : "Sometimes when administrators delete users from the passwd file they neglect to remove all files owned by those users from the system.
A new user who is assigned the deleted user's user ID or group ID may then end up \"owning\" these files, and thus have more access on the system than was intended."
solution : "Correct or justify any items discovered in the Audit step. Determine the existence of any files that are not attributed to current users or groups on the system, and determine the best course of action in accordance with site policy. Note that the Solaris OS is shipped with all files appropriately owned."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "CSF|PR.AC-4,Level|1S,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|AC-16,PCI|2.2.4,PCI|7.2"
system : "SunOS"
type : CMD_EXEC
description : "9.25 Find Files and Directories with Extended Attributes"
info : "Extended attributes are implemented as files in a \"shadow\" file system that is not generally visible via normal administration commands without special arguments.
Attackers or malicious users could \"hide\" information, exploits, etc. in extended attribute areas. Since extended attributes are rarely used, it is important to find files with extended attributes set."
solution : "Correct or justify any items discovered in the Audit step. Determine the existence of any files having extended file attributes, and determine the best course of action in accordance with site policy. Note that the Solaris OS does not ship with files that have extended attributes."
see_also : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf"
reference : "Level|1S,800-53|SC-4"
cmd : "/usr/bin/find / \\( -fstype nfs -o -fstype cachefs -o -fstype autofs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \\) -prune -o -xattr -ls | /usr/bin/awk '{ print } END { if (NR == 0) print \"none\"; }'"
expect : "^none$"
description : "CIS Oracle Solaris 11 Benchmark v1.1.0 Level 1"
info : "https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_11_Benchmark_v1.1.0.pdf
This audit checks the testable Level 1 guidance in the CIS Oracle Solaris 11 Benchmark v1.1.0 document.
Target does not appear to have the correct benchmark.
NOTE : Please read the .audit header before running a compliance scan. Please review the header notes as some queries may not behave as anticipated due to unique environmental variables that may be present on your system(s).
Thank you.
Tenable Network Security, Inc."