STIGQter: STIG Summary

Solaris 11 SPARC Security Technical Implementation Guide

Version: 2

Release: 3

Benchmark Date: 23 Apr 2021

Name | Title
SV-216246r603267_rule | The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
SV-216249r603267_rule | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
SV-216251r603267_rule | The operating system must generate audit records for the selected list of auditable events as defined in the DoD list of events.
SV-216253r603267_rule | Audit records must include what type of events occurred.
SV-216254r603267_rule | Audit records must include when (date and time) the events occurred.
SV-216255r603267_rule | Audit records must include where the events occurred.
SV-216256r603267_rule | Audit records must include the sources of the events that occurred.
SV-216257r603267_rule | Audit records must include the outcome (success or failure) of the events that occurred.
SV-216258r603267_rule | The audit system must be configured to audit file deletions.
SV-216259r603267_rule | The audit system must be configured to audit account creation.
SV-216260r603267_rule | The audit system must be configured to audit account modification.
SV-216261r603267_rule | The operating system must automatically audit account disabling actions.
SV-216262r603267_rule | The operating system must automatically audit account termination.
SV-216263r603267_rule | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
SV-216264r603267_rule | The audit system must be configured to audit all administrative, privileged, and security actions.
SV-216265r603267_rule | The audit system must be configured to audit login, logout, and session initiation.
SV-216268r603267_rule | The audit system must be configured to audit failed attempts to access files and programs.
SV-216269r603267_rule | The operating system must protect against an individual falsely denying having performed a particular action. In order to do so, the system must be configured to send audit records to a remote audit server.
SV-216270r603267_rule | The auditing system must not define a different auditing level for specific users.
SV-216273r603267_rule | The operating system must alert designated organizational officials in the event of an audit processing failure.
SV-216276r603267_rule | The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
SV-216277r603267_rule | The operating system must protect audit information from unauthorized access.
SV-216280r603267_rule | The system packages must be up to date with the most recent vendor updates and security fixes.
SV-216282r603267_rule | The operating system must protect audit tools from unauthorized access.
SV-216283r603267_rule | The operating system must protect audit tools from unauthorized modification.
SV-216284r603267_rule | The operating system must protect audit tools from unauthorized deletion.
SV-216285r603267_rule | System packages must be configured with the vendor-provided files, permissions, and ownerships.
SV-216286r603267_rule | The finger daemon package must not be installed.
SV-216287r603267_rule | The legacy remote network access utility daemons must not be installed.
SV-216288r603267_rule | The NIS package must not be installed.
SV-216289r603267_rule | The pidgin IM client package must not be installed.
SV-216290r603267_rule | The FTP daemon must not be installed unless required.
SV-216291r603267_rule | The TFTP service daemon must not be installed unless required.
SV-216292r603267_rule | The telnet service daemon must not be installed unless required.
SV-216293r603267_rule | The UUCP service daemon must not be installed unless required.
SV-216294r603267_rule | The rpcbind service must be configured for local-only services unless organizationally defined.
SV-216295r603267_rule | The VNC server package must not be installed unless required.
SV-216297r603267_rule | The operating system must be configured to provide essential capabilities.
SV-216299r603267_rule | All run control scripts must have mode 0755 or less permissive.
SV-216300r603267_rule | All run control scripts must have no extended ACLs.
SV-216301r603267_rule | Run control scripts' executable search paths must contain only authorized paths.
SV-216302r603267_rule | Run control scripts' library search paths must contain only authorized paths.
SV-216303r603267_rule | Run control scripts' lists of preloaded libraries must contain only authorized paths.
SV-216304r603267_rule | Run control scripts must not execute world-writable programs or scripts.
SV-216305r603267_rule | All system start-up files must be owned by root.
SV-216306r603267_rule | All system start-up files must be group-owned by root, sys, or bin.
SV-216307r603267_rule | System start-up files must only execute programs owned by a privileged UID or an application.
SV-216308r603267_rule | Any X Windows host must write .Xauthority files.
SV-216309r603267_rule | All .Xauthority files must have mode 0600 or less permissive.
SV-216310r603267_rule | The .Xauthority files must not have extended ACLs.
SV-216311r603267_rule | X displays must not be exported to the world.
SV-216312r603857_rule | .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-216313r603267_rule | The .Xauthority utility must only permit access to authorized hosts.
SV-216314r603267_rule | X Window System connections that are not required must be disabled.
SV-216315r603267_rule | The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
SV-216316r603267_rule | Generic Security Services (GSS) must be disabled.
SV-216317r603267_rule | System services that are not required must be disabled.
SV-216318r603267_rule | TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
SV-216321r646926_rule | User passwords must be changed at least every 60 days.
SV-216322r603267_rule | The operating system must automatically terminate temporary accounts within 72 hours.
SV-216323r603863_rule | The operating system must enforce minimum password lifetime restrictions.
SV-216324r603267_rule | User passwords must be at least 15 characters in length.
SV-216325r603267_rule | Users must not reuse the last 5 passwords.
SV-216326r603267_rule | The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-216327r603267_rule | The system must require passwords to contain at least one uppercase alphabetic character.
SV-216328r603267_rule | The operating system must enforce password complexity requiring that at least one lowercase character is used.
SV-216329r603267_rule | The system must require passwords to contain at least one numeric character.
SV-216330r603267_rule | The system must require passwords to contain at least one special character.
SV-216331r603267_rule | The system must require passwords to contain no more than three consecutive repeating characters.
SV-216332r603267_rule | The system must not have accounts configured with blank or null passwords.
SV-216333r603267_rule | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
SV-216334r603267_rule | The system must disable accounts after three consecutive unsuccessful login attempts.
SV-216335r603267_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-216336r603267_rule | The system must require users to re-authenticate to unlock a graphical desktop environment.
SV-216337r603267_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.
SV-216338r603267_rule | The system must prevent the use of dictionary words for passwords.
SV-216340r603267_rule | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
SV-216341r603267_rule | The default umask for system and users must be 077.
SV-216342r603267_rule | The default umask for FTP users must be 077.
SV-216343r603267_rule | The value mesg n must be configured as the default setting for all users.
SV-216344r603267_rule | User accounts must be locked after 35 days of inactivity.
SV-216347r603267_rule | Login services for serial ports must be disabled.
SV-216348r603267_rule | Access to a domain console via telnet must be restricted to the local host.
SV-216349r603267_rule | Access to a logical domain console must be restricted to authorized users.
SV-216350r603267_rule | The nobody access for the RPC encryption key storage service must be disabled.
SV-216351r603267_rule | X11 forwarding for SSH must be disabled.
SV-216352r603267_rule | Consecutive login attempts for SSH must be limited to 3.
SV-216353r603267_rule | The rhost-based authentication for SSH must be disabled.
SV-216354r603267_rule | Direct root account login must not be permitted for SSH access.
SV-216355r603267_rule | Login must not be permitted with empty/null passwords for SSH.
SV-216356r603267_rule | The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity.
SV-216357r603267_rule | Host-based authentication for login-based services must be disabled.
SV-216358r603267_rule | The use of FTP must be restricted.
SV-216359r603267_rule | The system must not allow autologin capabilities from the GNOME desktop.
SV-216360r603267_rule | Unauthorized use of the at or cron capabilities must not be permitted.
SV-216361r603267_rule | Logins to the root account must be restricted to the system console only.
SV-216362r603267_rule | The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
SV-216363r603267_rule | The operating system must provide the capability for users to directly initiate session lock mechanisms.
SV-216364r603267_rule | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
SV-216365r603267_rule | The operating system must not allow logins for users with blank passwords.
SV-216366r603267_rule | The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
SV-216367r603267_rule | The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
SV-216368r603267_rule | The system must disable directed broadcast packet forwarding.
SV-216369r603267_rule | The system must not respond to ICMP timestamp requests.
SV-216370r603267_rule | The system must not respond to ICMP broadcast timestamp requests.
SV-216371r603267_rule | The system must not respond to ICMP broadcast netmask requests.
SV-216372r603267_rule | The system must not respond to broadcast ICMP echo requests.
SV-216373r603267_rule | The system must not respond to multicast echo requests.
SV-216374r603267_rule | The system must ignore ICMP redirect messages.
SV-216375r603267_rule | The system must set strict multihoming.
SV-216376r603267_rule | The system must disable ICMP redirect messages.
SV-216377r603267_rule | The system must disable TCP reverse IP source routing.
SV-216378r603267_rule | The system must set the maximum number of half-open TCP connections to 4096.
SV-216379r603267_rule | The system must set the maximum number of incoming connections to 1024.
SV-216380r603267_rule | The system must disable network routing unless required.
SV-216381r603267_rule | The system must implement TCP Wrappers.
SV-216387r646929_rule | The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
SV-216394r603267_rule | The system must prevent local applications from generating source-routed packets.
SV-216395r603267_rule | The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
SV-216396r603267_rule | The operating system must display the DoD approved system use notification message or banner for SSH connections.
SV-216397r603267_rule | The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
SV-216398r603267_rule | The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
SV-216399r603267_rule | The operating system must terminate all sessions and network connections when non-local maintenance is completed.
SV-216400r603267_rule | The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
SV-216401r603267_rule | Wireless network adapters must be disabled.
SV-216402r603267_rule | The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
SV-216410r603866_rule | The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
SV-216411r603267_rule | The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
SV-216413r603267_rule | The operating system must protect the confidentiality and integrity of information at rest.
SV-216415r603267_rule | The operating system must use cryptographic mechanisms to protect the integrity of audit information.
SV-216417r603267_rule | The sticky bit must be set on all world-writable directories.
SV-216418r603267_rule | Permissions on user home directories must be 750 or less permissive.
SV-216419r603267_rule | Permissions on user . (hidden) files must be 750 or less permissive.
SV-216420r603267_rule | Permissions on user .netrc files must be 750 or less permissive.
SV-216421r603267_rule | There must be no user .rhosts files.
SV-216422r603267_rule | Groups assigned to users must exist in the /etc/group file.
SV-216423r603267_rule | Users must have a valid home directory assignment.
SV-216424r603267_rule | All user accounts must be configured to use a home directory that exists.
SV-216425r603267_rule | All home directories must be owned by the respective user assigned to them in /etc/passwd.
SV-216426r603267_rule | Duplicate User IDs (UIDs) must not exist for users within the organization.
SV-216427r603267_rule | Duplicate UIDs must not exist for multiple non-organizational users.
SV-216428r603267_rule | Duplicate Group IDs (GIDs) must not exist for multiple groups.
SV-216429r603267_rule | Reserved UIDs 0-99 must only be used by system accounts.
SV-216430r603267_rule | Duplicate user names must not exist.
SV-216431r603868_rule | Duplicate group names must not exist.
SV-216432r603267_rule | User .netrc files must not exist.
SV-216433r603267_rule | The system must not allow users to configure .forward files.
SV-216434r603267_rule | World-writable files must not exist.
SV-216435r603267_rule | All valid SUID/SGID files must be documented.
SV-216436r603267_rule | The operating system must have no unowned files.
SV-216437r603267_rule | The operating system must have no files with extended attributes.
SV-216438r603267_rule | The root account must be the only account with a GID of 0.
SV-216439r603267_rule | The operating system must reveal error messages only to authorized personnel.
SV-216441r603267_rule | The operator must document all file system objects that have non-standard access control list settings.
SV-216442r603267_rule | The operating system must be a supported release.
SV-216443r603267_rule | The system must implement non-executable program stacks.
SV-216444r603267_rule | Address Space Layout Randomization (ASLR) must be enabled.
SV-216445r603267_rule | Process core dumps must be disabled unless needed.
SV-216446r603267_rule | The system must be configured to store any process core dumps in a specific, centralized directory.
SV-216447r605566_rule | The centralized process core dump data directory must be owned by root.
SV-216448r603267_rule | The centralized process core dump data directory must be group-owned by root, bin, or sys.
SV-216449r603267_rule | The centralized process core dump data directory must have mode 0700 or less permissive.
SV-216450r603267_rule | Kernel core dumps must be disabled unless needed.
SV-216451r603267_rule | The kernel core dump data directory must be owned by root.
SV-216452r603267_rule | The kernel core dump data directory must be group-owned by root.
SV-216453r603267_rule | The kernel core dump data directory must have mode 0700 or less permissive.
SV-216454r603267_rule | The system must require passwords to change the boot device settings. (SPARC)
SV-216455r603267_rule | The operating system must implement transaction recovery for transaction-based systems.
SV-216456r603267_rule | SNMP communities, users, and passphrases must be changed from the default.
SV-216457r603267_rule | A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
SV-216459r603267_rule | Direct logins must not be permitted to shared, default, application, or utility accounts.
SV-216460r603267_rule | The system must not have any unnecessary accounts.
SV-216461r603267_rule | The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
SV-216462r603267_rule | The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
SV-216463r603267_rule | The operating system must conduct backups of operating system documentation, including security-related documentation, per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
SV-216464r603267_rule | The operating system must prevent the execution of prohibited mobile code.
SV-216465r603267_rule | The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
SV-216467r603267_rule | The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SV-216468r603267_rule | The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SV-216469r603267_rule | The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-216470r603267_rule | All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
SV-216473r603267_rule | The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
SV-216474r603267_rule | The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
SV-216475r603267_rule | The limitpriv zone option must be set to the vendor default or less permissive.
SV-216476r603267_rule | The system's physical devices must not be assigned to non-global zones.
SV-216477r603267_rule | The audit system must identify in which zone an event occurred.
SV-216478r603267_rule | The audit system must maintain a central audit trail for all zones.
SV-216479r603267_rule | The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
SV-219959r603267_rule | The audit system must support an audit reduction capability.
SV-219960r603267_rule | The audit system records must be able to be used by a report generation capability.
SV-219961r603267_rule | The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
SV-219962r603267_rule | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
SV-219963r603267_rule | The audit system must be configured to audit all discretionary access control permission modifications.
SV-219964r603267_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-219965r603267_rule | The audit system must alert the SA when the audit storage volume approaches its capacity.
SV-219966r603267_rule | The audit system must alert the System Administrator (SA) if there is any type of audit failure.
SV-219967r603267_rule | The operating system must allocate audit record storage capacity.
SV-219968r603267_rule | The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
SV-219969r603267_rule | The system must verify that package updates are digitally signed.
SV-219970r603267_rule | The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
SV-219971r603267_rule | The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
SV-219972r603267_rule | The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
SV-219973r603267_rule | The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
SV-219975r603267_rule | The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
SV-219976r603267_rule | The operating system must protect the integrity of transmitted information.
SV-219977r603267_rule | The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
SV-219978r603267_rule | The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
SV-219979r603267_rule | The operating system must protect the confidentiality of transmitted information.
SV-219980r603267_rule | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
SV-219981r603267_rule | The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SV-219982r603267_rule | The operating system must employ cryptographic mechanisms to protect information in storage.
SV-219983r603267_rule | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
SV-219984r603267_rule | The operating system must protect the integrity of transmitted information.
SV-219985r603267_rule | The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
SV-219986r603267_rule | The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
SV-219987r603267_rule | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
SV-224670r603267_rule | The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
SV-224671r603267_rule | The operating system must identify potentially security-relevant error conditions.
SV-233300r603280_rule | The sshd server must bind the X11 forwarding server to the loopback address.