Oracle Solaris Security Policy

Oracle Solaris Compliance baseline and recommended settings for general purpose operating systems installations.
Profile ID: default

Revision History

Current version: 1.13942

  • accepted

Platforms

  • cpe:/o:oracle:solaris:11

Table of Contents

  1. Verify the OS configuration
  2. Verify file system information.
  3. Enable required services
  4. Tune kernel and network parameters
  5. Verify user configuration
  6. Check various system configuration items
  7. Verify audit configuration

Checklist

contains 210 rules

Group: Verify the OS configuration

The Oracle Solaris OS is installed with packages from a repository. The packages must arrive on the target system unmodified, and a set of protections for default services and executables must be put in place.
For more information, see:

  • Installation Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=IOSUI)
  • Security Guidelines (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SYSADV7)

In this section, you verify package integrity, ensure that the booted system is protected, and verify that default OS protections are in place.

contains 3 rules

Rule: Package integrity is verified

Run 'pkg verify' to check that all installed Oracle Solaris software matches the packaging database and that ownership, permissions and content are correct.

Remediation description:
'pkg verify' has produced errors. Rerun the command and evaluate the errors. As appropriate, based on the errors found, run 'pkg fix <package-fmri>'. See the pkg(1) man page.
Remediation script:

    # pkg verify
    followed by
    # pkg fix <package-fmri>
      

Rule: The OS version is current

Systems should be kept up to date to ensure that the latest security and operational updates are installed. You can run 'pkg update -n' to check the current state of the system against the configured repositories.

Remediation description:
The system is not up to date. Update the system.
Remediation script:

    # pkg update
      

Rule: Package signature checking is globally activated

Package signature checking should be globally activated.

Remediation description:
The package signature policy should not be set to "ignore". See the pkg(1) man page.
Remediation script:

    #  pkg set-property signature-policy verify
      

Group: Verify file system information.

Oracle Solaris uses the ZFS file system by default. ZFS is robust, scalable, and easy to administer. ZFS can lay out filesystems over multiple devices, keeps the file system state consistent on disk, and verifies the data and metadata by using a user-selectable checksum algorithm. ZFS filesystems can hold zettabytes of data, and this data can be encrypted, compressed, mirrored, and backed up easily.
For more information, see http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=ZFSADMIN.
In this section, you ensure that no UFS filesystems are on the system, and that permissions on sensitive files are set correctly. You also protect the system from rogue files.

contains 16 rules

Rule: All local filesystems are ZFS

ZFS is the default filesystem for Oracle Solaris. On most systems other filesystem types should not be mounted. See the zfs(7FS) man page.

Remediation description:
Unmount any foreign file systems, such as UFS and HSFS. See the umount(1M) man page.
Remediation script:

    # umount <UFS-filesystem>
    # umount <HSFS-filesystem>
      

Rule: Find and list files with extended attributes

Oracle Solaris implements extended attributes as files in an "extended attribute" name space visible only by using extended attribute aware commands. It is possible for attackers or malicious users to hide information in the extended attribute name space. Oracle Solaris currently does not ship any files with extended attributes. See the runat(1) and fsattr(5) man pages.

Remediation description:
Remove files with extended attributes or remove extended attributes from files.
Remediation script:

    # rm </path/to/filename>
    or
    # runat </path/to/filename> rm *
      

Rule: Find and list files with no known owner

Files with no owner should be removed. Accounts that are closed should be archived and removed from the system.

Remediation description:
Remove unowned files. If the files were owned by an account that is closed, archive the files before removing them. See the rm(1) man page.
Remediation script:

    # rm <unowned-files>
      

Rule: Find and list .forward files

.forward files can provide easy transport of information outside the firewall or outside the user's home directory.

Remediation description:
Remove inappropriate .forward files.
Remediation script:

    # rm </path/to/.forward>
      

Rule: Find and list .netrc files

The .netrc file contains data for logging in to a remote host over the network for file transfers by FTP.

Remediation description:
Remove unneeded .netrc files.
Remediation script:

    # rm </path/to/.netrc>
      

Rule: Permissions on User .netrc Files are correct

The .netrc file contains login credentials to remote systems for file transfers by FTP. The permissions should be set to disallow read access by group and others. See the chmod(1) man page.

Remediation description:
If .netrc files are allowed, remove group and other permissions.
Remediation script:

    # chmod 600 </path/to/.netrc>
      

Rule: Permissions on User "." (Hidden) Files are correct

Hidden files in a user's home directory should be owned by the user. Directories should allow read-write-execute (rwx) permissions to the user only. Files should allow read-write (rw) permissions to the user only.

Remediation description:
Change permissions on a user's hidden files to 600 and on a user's hidden directories to 700.
Remediation script:

    # chmod 600 </path/to/hidden-file>

    and

    # chmod 700 </path/to/hidden-directory/>
      

Rule: Find and list world writable files

World-writable files are unprotected files. Modification and removal of a file should be limited to the owner of the file.

Remediation description:
Protect the files from being modified by a non-owner. See the chmod(1M) man page.
Remediation script:

    # chmod 644 <world-writable-file>
      

Rule: Find and list suid and sgid files other than those in standard Oracle Solaris packages

Programs that set the UID and GID offer entry points for malicious code.

Remediation description:
Remove files that have the setuid or setgid bit set, or remove the bit.
Remediation script:

    # rm <setid-file>

    or

    # chmod -s <setid-file>
      

Rule: Find and list .rhosts files

.rhosts files can provide easy access to remote hosts by bypassing the password requirement. These files should be removed.

Remediation description:
While rhosts-based login can also be prevented on the remote host, it is best to remove any .rhosts files from users' home directories.
Remediation script:

    # rm </path/to/.rhosts>
      

Rule: swap(1M) is encrypted

Swap space, whether a ZFS volume or a raw device, should be encrypted. Encryption ensures that any sensitive data, such as user passwords, is protected if the system needs to swap those pages out to disk. See the swap(1M) man page.

Remediation description:
To edit the vfstab file, you must become an administrator with the solaris.admin.edit/etc/vfstab authorization. The root role has this authorization.
Specify the encrypted option in vfstab(4) for the swap device entry.
Remediation script:

    # pfedit /etc/vfstab
    ...
    /dev/zvol/dsk/rpool/swap     -       -      swap     - no    encrypted
      

Rule: Non-root ZFS filesystems are encrypted

All ZFS file systems that are not the root file system should be encrypted. Encryption must be applied at filesystem creation. You must remember the encryption passphrase. Store it in a safe place. See the zfs(1M) and zfs_encrypt(1M) man pages.

Remediation description:
Back up any data needed from any unencrypted non-root file system. Unmount and destroy those offending file systems. Re-create the file systems with encryption on (default algorithm is aes-128-ccm). Remember the passphrase! Restore data (preserved earlier) to the file systems.
Remediation script:

    # zfs create -o encryption=on  <ZFS-non-root-filesystem>
      

Rule: A size limit is set on tmpfs(7FS)

The size of the tmpfs file system is not limited by default. To avoid a performance impact, you can limit the size of each tmpfs mount. See the mount_tmpfs(1M) and vfstab(4) man pages.

Remediation description:
To edit the vfstab file, you must become an administrator with the solaris.admin.edit/etc/vfstab authorization. To reboot the system, you must be assigned the Maintenance and Repair rights profile. The root role has all of these rights.
Set a limit on the tmpfs file system in the /etc/vfstab file, then reboot the system. For more information, see the Security Guidelines (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SYSADV7).
Remediation script:

    Determine the limit of the tmpfs file system according to the size
    of your disks.
    # pfedit /etc/vfstab
    ...
    swap  -  /tmp  tmpfs  -  yes  size=sz
    # reboot
      
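The swap-encryption, tmpfs-size and ZFS-only rules above all come down to what the vfstab(4) entries say. As an added example (not the policy's own check), the following POSIX shell functions inspect a vfstab file for those three conditions; the file path is an argument so a copy can be tested, and the layout is assumed to be the standard seven whitespace-separated fields.

```shell
# Added example, not part of the Oracle Solaris policy. Assumed vfstab layout:
#   device-to-mount device-to-fsck mount-point FS-type fsck-pass mount-at-boot options
# Comment lines begin with "#"; an empty options field is written as "-".

# Swap entries whose mount-options field lacks "encrypted" (rule: swap is encrypted).
vfstab_unencrypted_swap() {
    awk '$1 !~ /^#/ && NF >= 7 && $4 == "swap" && $7 !~ /(^|,)encrypted(,|$)/ { print $1 }' "$1"
}

# tmpfs mounts with no size= option, i.e. no limit on the file system (rule: tmpfs size limit).
vfstab_unlimited_tmpfs() {
    awk '$1 !~ /^#/ && NF >= 7 && $4 == "tmpfs" && $7 !~ /(^|,)size=/ { print $3 }' "$1"
}

# UFS and HSFS entries, the foreign file systems the policy wants unmounted
# (rule: all local filesystems are ZFS).
vfstab_foreign_fs() {
    awk '$1 !~ /^#/ && NF >= 4 && ($4 == "ufs" || $4 == "hsfs") { print $3 }' "$1"
}

# Run all three checks; print one line per finding and return 0 only if there are none.
vfstab_check() {
    failures=0
    for check in vfstab_unencrypted_swap vfstab_unlimited_tmpfs vfstab_foreign_fs; do
        found=$("$check" "$1")
        if [ -n "$found" ]; then
            printf '%s: %s\n' "$check" "$found"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# On a live system: vfstab_check /etc/vfstab
```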

Rule: World-writable directories have sticky bit set

The sticky bit on a directory prevents files in a world-writable directory from being deleted or moved by anyone except the owner of the file, or root. This is useful in directories that are common to many users, such as the /tmp directory.

Remediation description:
Set the sticky bit on any world-writable directories. See the chmod(1M) man page.
Remediation script:

    # chmod 1777 <world-writable-directory>
      
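Several of the "find and list" rules in this group state what to look for without showing the search. As an added example (not the policy's own checker code), the following POSIX shell functions implement the detection side of those rules: world-writable files, world-writable directories without the sticky bit, setuid/setgid files, unowned files, and the .rhosts/.netrc/.forward dotfiles together with the .netrc permission check. The directory to audit is an assumed argument, for example /export/home.

```shell
# Added example, not part of the Oracle Solaris policy. Assumes POSIX find(1);
# the tree to audit is passed as $1.

# Regular files writable by "other" (rule: world writable files).
find_world_writable_files() {
    find "$1" -type f -perm -0002 -print
}

# World-writable directories that lack the sticky bit (rule: sticky bit set).
find_unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Files with the setuid or setgid bit (rule: suid and sgid files). The policy
# exempts files delivered by Oracle Solaris packages; that exemption is not
# applied here, so compare the output with 'pkg contents' on a live system.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Dotfiles the policy lists for removal (.rhosts, .forward) or review (.netrc).
find_trust_dotfiles() {
    find "$1" -type f \( -name .rhosts -o -name .netrc -o -name .forward \) -print
}

# .netrc files readable or writable by group or other (rule: .netrc permissions).
find_exposed_netrc() {
    find "$1" -type f -name .netrc \
        \( -perm -0040 -o -perm -0020 -o -perm -0004 -o -perm -0002 \) -print
}

# Files whose owner is not in the password database (rule: no known owner).
find_unowned_files() {
    find "$1" -nouser -print
}

# Run every check over one tree; one "check<TAB>path" line per finding.
audit_tree() {
    for check in find_world_writable_files find_unsticky_world_writable_dirs \
                 find_setid_files find_trust_dotfiles find_exposed_netrc \
                 find_unowned_files; do
        "$check" "$1" | while IFS= read -r path; do
            printf '%s\t%s\n' "$check" "$path"
        done
    done
}

# Number of findings, so a scheduled job can alert on a non-zero result.
audit_finding_count() {
    audit_tree "$1" | wc -l | tr -d ' '
}
```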

Rule: coreadm(1M) configuration is correct

Core dumps can contain sensitive data. Protections can include file permissions and logging core dump events. See the coreadm(1M) and chmod(1M) man pages.

Remediation description:
Locate the directory and protect the core dumps. Protections include file permissions and logging.
Remediation script:

    Use the coreadm command to view and set the current configuration.
    Configure the core files and protect the core dump directory. 

    $ coreadm
    global core file pattern: /var/share/cores/core.%f.%p
    global core file content: default
    init core file pattern: core
    init core file content: default
    global core dumps: enabled
    per-process core dumps: enabled
    global setid core dumps: disabled
    per-process setid core dumps: disabled
    global core dump logging: enabled

    To set the correct coreadm(1M) configuration:
    # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \
    -e log -e global -e global-setid \
    -d process -d proc-setid

    To check the permissions:
    # ls -ld /var/share/cores
    drwx------   2 root     sys           2 Nov  2  2014 cores/
    #

    To set the permissions correctly on the directory:
    # chmod 700 /var/share/cores
      

Rule: /etc/motd and /etc/issue contain appropriate policy text

The /etc/issue and /etc/motd (message of the day) files are designed to hold system and security information. The contents of the /etc/issue file are displayed prior to the login prompt on the console, or in a window if the file is called from the GNOME Display Manager (gdm). Several applications call this file, such as Secure Shell and FTP. The /etc/motd contents are displayed after login. By default, the /etc/motd file exists while the /etc/issue file does not. See the issue(4), gdm(1M), and sshd_config(4) man pages.

Remediation description:
Edit the /etc/motd file and create and edit the /etc/issue file to add the security policy text that your legal department supplies. An administrator with the Administrator Message Edit rights profile can edit these files.
Remediation script:

    # pfedit /etc/issue
    <legally-approved-text>
    # chown root:root /etc/issue
    # chmod 644 /etc/issue

    # pfedit /etc/motd
    <legally-approved-text>
      

Group: Enable required services

The Service Management Facility (SMF) provides an infrastructure to ease application and system service management. SMF augments the traditional UNIX startup scripts, init run levels, and configuration files. Management information for each service is stored in a configuration repository, which provides a simplified way to manage each service.
For more information, see the Service Management Facility Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SVSVF).
Services that a system requires to function as a standalone system are enabled by default. In this section, you ensure that these services are still enabled.

contains 117 rules

Rule: Service svc:/system/coreadm is enabled

The coreadm service manages the core files that are produced by processes that terminate abnormally. See the core(4) and coreadm(1M) man pages.

Remediation description:
Use coreadm(1M) to configure the coreadm service, then enable the service.
Remediation script:

    # svcadm enable coreadm
      

Rule: Service svc:/system/cron is enabled

The cron service manages the cron(1M) command, which runs processes that execute commands at specified dates and times. See the at(1), crontab(1), and cron(1M) man pages.

Remediation description:
Configure your cron services, then enable the service.
Remediation script:

    # svcadm enable cron
      

Rule: Use of the cron(1M) and at(1) daemons is restricted

The cron(1M) and at(1) daemons execute commands at specified dates and times. Only qualified accounts should be allowed to run commands at arbitrary times on the system.

Remediation description:

In order to restrict cron(1M) and at(1) properly, the file /etc/cron.d/cron.allow should exist and have only one entry for root.

In addition, the file /etc/cron.d/at.allow should exist and be empty.

To manually remediate failure on this check, run the following commands.

  1. Make sure root is the only entry in /etc/cron.d/cron.allow:

         # pfedit /etc/cron.d/cron.allow

     Edit the file so that it contains only "root".
  2. Make sure the /etc/cron.d/at.allow file exists and is empty:

         # pfedit /etc/cron.d/at.allow

Remediation script:

    # Move any existing cron.allow aside with a timestamp, then write one
    # that lists only root, world-readable and owned by group sys.
    if [ -f /etc/cron.d/cron.allow ]; then
        /bin/mv /etc/cron.d/cron.allow /etc/cron.d/cron.allow.`date '+%FT%T'`
    fi
    /bin/echo root > /etc/cron.d/cron.allow
    /bin/chmod 644 /etc/cron.d/cron.allow
    /bin/chgrp sys /etc/cron.d/cron.allow
    # Do the same for at.allow, which must exist but stay empty.
    if [ -f /etc/cron.d/at.allow ]; then
        /bin/mv /etc/cron.d/at.allow /etc/cron.d/at.allow.`date '+%FT%T'`
    fi
    /bin/touch /etc/cron.d/at.allow
    /bin/chmod 644 /etc/cron.d/at.allow
    /bin/chgrp sys /etc/cron.d/at.allow

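The remediation script above writes the desired state; the check side is just as useful for confirming it afterwards. As an added example (not the policy's own check), these POSIX shell functions verify that cron.allow holds only root, that at.allow exists and is empty, and that neither file is group- or world-writable. The cron.d directory is an assumed argument so that a copy can be tested; on a live system it is /etc/cron.d.

```shell
# Added example, not part of the Oracle Solaris policy. $1 is the directory
# holding cron.allow and at.allow (/etc/cron.d on a live system).

# cron.allow must exist and hold exactly one non-blank entry, "root".
cron_allow_ok() {
    f="$1/cron.allow"
    [ -f "$f" ] || return 1
    awk 'NF { n++; v = $1 } END { exit !(n == 1 && v == "root") }' "$f"
}

# at.allow must exist and be empty, so that no account may queue at(1) jobs.
at_allow_ok() {
    f="$1/at.allow"
    [ -f "$f" ] && [ ! -s "$f" ]
}

# The file may not be writable by group or other (the remediation uses 644).
# -prune stops find(1) from descending, so only the named path is tested.
allow_file_mode_ok() {
    [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# Print one line per failed condition; return 0 only when every condition holds.
cron_restriction_check() {
    dir="$1"
    rc=0
    cron_allow_ok "$dir" || { echo "cron.allow missing or not root-only"; rc=1; }
    at_allow_ok "$dir"   || { echo "at.allow missing or not empty"; rc=1; }
    for name in cron.allow at.allow; do
        if [ -f "$dir/$name" ] && ! allow_file_mode_ok "$dir/$name"; then
            echo "$name is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}

# On a live system: cron_restriction_check /etc/cron.d
```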

Rule: Service svc:/system/cryptosvc is enabled

The cryptosvc service manages the use of cryptographic mechanisms from the Cryptographic Framework feature of Oracle Solaris. See the cryptoadm(1M) man page.

Remediation description:
Enable the cryptosvc service.
Remediation script:

    # svcadm enable cryptosvc
      

Rule: Service svc:/system/dbus is enabled

The dbus service manages the D-Bus message bus daemon. Programs use the message bus daemon to exchange messages with one another. For example, the Hardware Abstraction Layer (HAL) uses dbus. See the dbus-daemon(1) and hal(5) man pages.

Remediation description:
Enable the dbus service.
Remediation script:

    # svcadm enable dbus
      

Rule: Service svc:/system/hal is enabled in global zone

The Hardware Abstraction Layer (HAL) service manages dynamic hardware configuration changes. See the hal(5) man page. This service only runs in the global zone.

Remediation description:
Enable the hal service.
Remediation script:

    # svcadm enable hal
      

Rule: Service svc:/system/identity:domain is enabled

The identity:domain service instance manages system identity. See the domainname(1M) man page.

Remediation description:
Enable the identity:domain service.
Remediation script:

    # svcadm enable identity:domain
      

Rule: Service svc:/system/intrd is enabled in global zone

The interrupt balancer (intrd) service monitors the assignments between interrupts and CPUs to ensure optimal performance. See the intrd(1M) man page. This service only runs in the global zone.

Remediation description:
Enable the intrd service.
Remediation script:

    # svcadm enable intrd
      

Rule: Service svc:/system/keymap is enabled in global zone

The keymap service manages the default configuration of the keyboard. See the kbd(1) man page. This service only runs in the global zone.

Remediation description:
Enable the keymap service.
Remediation script:

    # svcadm enable keymap
      

Rule: Service svc:/system/picl is enabled in global zone

The platform information and control (picl) service manages the publishing of platform configuration information that can respond to client requests for information about the configuration. See the picld(1M) and prtcpicl(1M) man pages. This service only runs in the global zone.

Remediation description:
Enable the picl service.
Remediation script:

    # svcadm enable picl
      

Rule: Service svc:/system/scheduler is enabled in global zone

The system/scheduler service manages the process scheduler. See the dispadmin(1M) man page. This service only runs in the global zone.

Remediation description:
Enable the system/scheduler service.
Remediation script:

    # svcadm enable system/scheduler
      

Rule: Service svc:/system/system-log is enabled

The system-log service reads and forwards system messages to the appropriate log files or users. See the syslogd(1M) and rsyslogd(1M) man pages.

Remediation description:
The system-log service has two instances, rsyslog and default. The rsyslog instance is installed with the pkg:/system/rsyslog package. Enable the system-log:rsyslog or system-log:default service.
Remediation script:

    # svcadm enable system/system-log:default 

    or

    # svcadm enable system/system-log:rsyslog
      

Rule: Service svc:/system/utmp is enabled

The utmp service manages a table of processes, detects when a process has terminated, and updates the table. See the utmpd(1M) man page.

Remediation description:
Enable the utmp service.
Remediation script:

    # svcadm enable system/utmp
      

Rule: Service svc:/system/zones is enabled in global zone

The zones service manages the autoboot and graceful shutdown of zones. See the zones(5) and zonecfg(1M) man pages. This service only runs in the global zone.

Remediation description:
Enable the zones service.
Remediation script:

    # svcadm enable system/zones
      

Rule: Service svc:/system/zones-install is enabled

The zones-install service manages the auto-installation of zones.

Remediation description:
Enable the zones-install service.
Remediation script:

    # svcadm enable system/zones-install
      

Rule: Service svc:/network/rpc/bind is enabled

The rpc/bind service manages the conversion of RPC program numbers to universal addresses. See the rpcbind(1M) man page.

Remediation description:
Enable the rpc/bind service.
Remediation script:

    # svcadm enable rpc/bind
      

Rule: Service svc:/system/name-service/switch is enabled

The name-service/switch service manages the databases that contain information about hosts, users, and groups. See the nsswitch.conf(4) man page.

Remediation description:
Enable the name-service/switch service.
Remediation script:

    # svcadm enable name-service/switch
      

Rule: Service svc:/system/name-service/cache is enabled

The name-service/cache service manages the caching of name service information. See the nscd(1M) man page.

Remediation description:
Enable the name-service/cache service.
Remediation script:

    # svcadm enable name-service/cache
      

Rule: Service svc:/network/nfs/status is disabled or not installed

The NFS status monitor service interacts with lockd(1M) to provide the crash and recovery functions for the locking services on NFS.

Remediation description:
Disable this service if the system is not an NFS client or server.
Remediation script:

    # svcadm disable svc:/network/nfs/status
      

Rule: Service svc:/network/nfs/nlockmgr is disabled or not installed

The NFS lock manager supports record locking operations on NFS files in NFSv2 and NFSv3. See the lockd(1M) and sharectl(1M) man pages.

Remediation description:
Disable the service if you are either 1) not using NFS at all or 2) using NFSv4.
Remediation script:

    # svcadm disable svc:/network/nfs/nlockmgr
      

Rule: Service svc:/network/nfs/client:default is in disabled state

The NFS client service is needed only if the system is mounting NFS file systems specified in /etc/vfstab.

If the system is not mounting file systems specified there, the service can be disabled or its package uninstalled. See the mount_nfs(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/nfs/client:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/nfs/client:default
                
Remediation script:

    nfs_client_fmri=svc:/network/nfs/client:default
    policy_nfs_client=disabled
    if [ $policy_nfs_client == enabled ]; then
            svcadm enable -s $nfs_client_fmri
    else
            svcadm disable -s $nfs_client_fmri
    fi
      

Rule: Service svc:/network/nfs/server:default is in disabled state

The NFS Server service handles client file system requests over NFS version 2, 3, and 4.

If this system is not an NFS server, this service should be disabled or its package uninstalled. See the nfsd(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/nfs/server:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/nfs/server:default
                
Remediation script:

    nfs_server_fmri=svc:/network/nfs/server:default
    policy_nfs_server=disabled
    if [ $policy_nfs_server == enabled ]; then
            svcadm enable -s $nfs_server_fmri
    else
            svcadm disable -s $nfs_server_fmri
    fi
      

Rule: Service svc:/network/nfs/fedfs-client:default is in disabled state

The Federated Filesystem (FedFS) client service manages defaults and connection information for LDAP servers that store FedFS information.

If this system is not using FedFS for DNS SRV records or LDAP-based referrals, this service must be disabled or its package uninstalled. See the nsdbparams(1M) and fedfs(5) man pages.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/nfs/fedfs-client:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/nfs/fedfs-client:default
                
Remediation script:

    fedfs_client_fmri=svc:/network/nfs/fedfs-client:default
    policy_fedfs_client=disabled
    if [ $policy_fedfs_client == enabled ]; then
            svcadm enable -s $fedfs_client_fmri
    else
            svcadm disable -s $fedfs_client_fmri
    fi
      

Rule: Service svc:/network/nfs/rquota is disabled or not installed

The remote quota server returns quotas for a user of a local file system which is mounted over NFS. The results are used by quota(1M) to display user quotas for remote file systems. The rquotad(1M) daemon is normally invoked by inetd(1M).

Remediation description:
Disable the rquota service. It provides information about the network to potentially malicious users.
Remediation script:

    # svcadm disable svc:/network/nfs/rquota
      

Rule: Service svc:/network/nfs/cbd:default is in disabled state

The NFS cbd service manages communication endpoints for the NFS Version 4 protocol. The nfs4cbd(1M) daemon runs on the NFS Version 4 client and creates a listener port for callbacks.

If this system is not an NFS server, this service should be disabled or its package uninstalled.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/nfs/cbd:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/nfs/cbd:default
                
Remediation script:

    nfs_cbd_fmri=svc:/network/nfs/cbd:default
    policy_nfs_cbd=disabled
    if [ $policy_nfs_cbd == enabled ]; then
            svcadm enable -s $nfs_cbd_fmri
    else
            svcadm disable -s $nfs_cbd_fmri
    fi
      

Rule: Service svc:/network/nfs/mapid:default is in disabled state

The NFS user and group ID mapping daemon service maps to and from NFS version 4 owner and owner_group identification attributes and local UID and GID numbers used by both the NFS version 4 client and server. See the nfsmapid(1M) man page.

If this system is not an NFS server, this service should be disabled or its package uninstalled.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/nfs/mapid:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/nfs/mapid:default
                
Remediation script:

    nfs_mapid_fmri=svc:/network/nfs/mapid:default
    policy_nfs_mapid=disabled
    if [ $policy_nfs_mapid == enabled ]; then
            svcadm enable -s $nfs_mapid_fmri
    else
            svcadm disable -s $nfs_mapid_fmri
    fi
      

Rule: Service svc:/network/smb/client is disabled or not installed

The SMB/CIFS client allows an Oracle Solaris system to natively mount file systems by means of SMB shares from SMB enabled servers such as a Windows system. See the mount_smbfs(1M) man page.

Remediation description:
Uninstall the pkg:/system/file-system/smb package or disable the service.
Remediation script:

    # pkg uninstall file-system/smb

    or

    # svcadm disable smb/client
      

Rule: Service svc:/network/ftp:default is in disabled state

The FTP service provides unencrypted file transfer and uses plain text authentication. The secure copy program (scp(1)) should be used instead of FTP, as it provides encrypted authentication and file transfer.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/ftp:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/ftp:default
                
Remediation script:

    ftp_fmri=svc:/network/ftp:default
    policy_ftp=disabled
    if [ $policy_ftp == enabled ]; then
            svcadm enable -s $ftp_fmri
    else
            svcadm disable -s $ftp_fmri
    fi
      

Rule: Service svc:/network/ssh:default is in disabled state

The ssh service manages the Secure Shell (ssh) daemon, which provides secure encrypted communications between two untrusted hosts over an insecure network. By default, ssh is the only network service that can send and receive network packets on a newly-installed Oracle Solaris system. See the sshd(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/ssh:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/ssh:default
                
Remediation script:

    ssh_fmri=svc:/network/ssh:default
    policy_ssh=disabled
    if [ $policy_ssh == enabled ]; then
            svcadm enable -s $ssh_fmri
    else
            svcadm disable -s $ssh_fmri
    fi
      

Rule: Service svc:/network/smtp:sendmail is enabled

The sendmail service should be running. Otherwise, important system mail to root will not be delivered. If receipt of remote mail is not required, sendmail should be in local_only mode. See check OSC-68505-sendmail-local-only to verify that sendmail is running in local_only mode. See the sendmail(1M) man page.

Remediation description:
Enable the smtp:sendmail service.
Remediation script:

    # svcadm enable smtp:sendmail
      

Rule: Service svc:/network/sendmail-client is enabled

The sendmail-client service manages email on a client. The sendmail-client service needs to be running to ensure delivery of mail to local accounts such as root. See the sendmail(1M) man page.

Remediation description:
Enable the sendmail-client service.
Remediation script:

    # svcadm enable sendmail-client
      

Rule: Service svc:/network/inetd is enabled

The inetd service manages the restarting of inet services. See the inetd(1M) man page.

Remediation description:
Enable the inetd service.
Remediation script:

    # svcadm enable inetd
      

Rule: Service svc:/system/filesystem/autofs:default is in disabled state

The autofs service manages the mount points for the automount(1M) daemon.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/system/filesystem/autofs:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/system/filesystem/autofs:default
                
Remediation script:

    autofs_fmri=svc:/system/filesystem/autofs:default
    policy_autofs=disabled
    if [ $policy_autofs == enabled ]; then
            svcadm enable -s $autofs_fmri
    else
            svcadm disable -s $autofs_fmri
    fi
      

Rule: Service svc:/system/filesystem/rmvolmgr is disabled or not installed

The removable volume manager is a HAL-aware volume manager that can automatically mount and unmount removable media and hot-pluggable storage. Users might import malicious programs, or transfer sensitive data off the system. See the rmvolmgr(1M) man page. This service only runs in the global zone.

Remediation description:
Disable the removable volume manager service.
Remediation script:

    # svcadm disable svc:/system/filesystem/rmvolmgr
      

Rule: Service svc:/system/filesystem/rmvolmgr is enabled

The removable volume manager is a HAL-aware volume manager that can automatically mount and unmount removable media and hot-pluggable storage. Users might import malicious programs, or transfer sensitive data off the system. See the rmvolmgr(1M) man page.

Remediation description:
Enable the removable volume manager service.
Remediation script:

    # svcadm enable svc:/system/filesystem/rmvolmgr
      

Rule: Service svc:/system/power (power management) is enabled in global zone

The system/power service manages the power management configuration of an Oracle Solaris system. See the poweradm(1M) man page. This service only runs in the global zone.

Remediation description:
Enable the power management service.
Remediation script:

    # svcadm enable system/power
      

Rule: Service svc:/network/dns/multicast:default is in disabled state

Multicast DNS (mDNS) implements DNS in a small network where no conventional DNS server has been installed. DNS Service Discovery (DNS-SD) extends multicast DNS to also provide simple service discovery (network browsing). This service is disabled by default, because while it can ease finding hosts and servers, it can also provide information about the network to malicious users. See the named(1M) and mdnsd(1M) man pages.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/dns/multicast:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/dns/multicast:default
                
Remediation script:

    tcp_dns_multicast_fmri=svc:/network/dns/multicast:default
    policy_tcp_dns_multicast=disabled
    if [ $policy_tcp_dns_multicast == enabled ]; then
            svcadm enable -s $tcp_dns_multicast_fmri
    else
            svcadm disable -s $tcp_dns_multicast_fmri
    fi
      

Service svc:/network/dhcp-server:default is in disabled state (rule)

By default, the dhcp-server service is not installed. If you are not using this system as a DHCP server, you should not install or enable the service.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/dhcp-server:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/dhcp-server:default
                
Remediation script:

    dhcp_server_fmri=svc:/network/dhcp-server:default
    policy_dhcp_server=disabled
    if [ $policy_dhcp_server == enabled ]; then
            svcadm enable -s $dhcp_server_fmri
    else
            svcadm disable -s $dhcp_server_fmri
    fi
      

Service svc:/network/ntp is enabled and properly configured as a client (rule)

The Network Time Protocol daemon should be enabled and properly configured as a client. The /etc/inet/ntp.conf file must include at least one server definition. The file should also contain the line "restrict default ignore" to prevent the client from also acting as a server.

Remediation description:
The ntp service should be installed on all systems where security and compliance is desired. If it is not installed on your system, install it using 'pkg install service/network/ntp'. Then configure the service properly as a client and enable the service.
Remediation script:

    If needed
    # pkg install service/network/ntp
    then
    # vi /etc/inet/ntp.conf
    ...
    server <server IP address> iburst
    restrict default ignore
    ...
    # svcadm enable ntp
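The remediation above describes the two properties a client-only ntp.conf must have but gives no way to verify them. The following added example, which is not part of Oracle's policy or its remediation script, is a POSIX shell check that reads an ntp.conf from standard input and applies exactly those two conditions: at least one server definition, and a "restrict default ignore" line. Both configuration samples are constructed for the example; accepting the "restrict -4 default ignore" and "restrict -6 default ignore" spellings is this example's own choice.

```shell
#!/bin/sh
# Constructed /etc/inet/ntp.conf samples (not from a real host).
ntp_conf_good() {
    cat <<'EOF'
# client-only configuration
driftfile /var/ntp/ntp.drift
server 192.0.2.10 iburst          # two upstream servers
server 192.0.2.11 iburst
restrict default ignore           # do not act as a server for anyone
restrict 127.0.0.1
EOF
}

ntp_conf_bad() {
    cat <<'EOF'
driftfile /var/ntp/ntp.drift
# neither a server line nor a default restriction
restrict 127.0.0.1
EOF
}

# ntp_server_count: number of "server <host> ..." definitions, comments removed.
ntp_server_count() {
    awk '{ sub(/#.*/, "") } $1 == "server" && NF >= 2 { n++ } END { print n + 0 }'
}

# check_ntp_client: read ntp.conf on stdin; pass only if at least one server is
# defined and a "restrict default ... ignore" line is present (the -4/-6 address
# family flags between "restrict" and "default" are tolerated).
check_ntp_client() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments and blank lines
    $1 == "server" && NF >= 2 { servers++ }
    $1 == "restrict" {
        isdef = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "default") isdef = 1
            else if ($i == "ignore" && isdef) ignore = 1
        }
    }
    END {
        ok = (servers > 0 && ignore)
        if (servers == 0) print "FAIL: no server definition in ntp.conf"
        if (!ignore)      print "FAIL: missing \"restrict default ignore\""
        if (ok)           print "PASS: " servers " server(s) defined, default restriction is ignore"
        exit !ok
    }'
}

# Stand-alone run: check both samples (exit status 0 means compliant).
ntp_conf_good | check_ntp_client
ntp_conf_bad | check_ntp_client
```

On a live host the same function is fed the real file, `check_ntp_client < /etc/inet/ntp.conf`, and its exit status can drive the `pkg install` and `svcadm enable ntp` steps of the remediation.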
      

Service svc:/network/rarp:default is in disabled state (rule)

This legacy service responds to DARPA reverse address resolution protocol (RARP) requests. Historically, RARP was used by machines at boot time to discover their Internet Protocol (IP) address. By default, this service is not installed. See the rarpd(1M) and rarp(7P) man pages.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/rarp:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/rarp:default
                
Remediation script:

    rarp_fmri=svc:/network/rarp:default
    policy_rarp=disabled
    if [ $policy_rarp == enabled ]; then
            svcadm enable -s $rarp_fmri
    else
            svcadm disable -s $rarp_fmri
    fi
      

Service svc:/network/slp:default is in disabled state (rule)

This legacy service provides common server functionality for the Service Location Protocol (SLP) versions 1 and 2, as defined by IETF in RFC 2165 and RFC 2608. SLP discovers and selects network services. By default, this service is not enabled. See the slpd(1M), slp.conf(4), and slp(7P) man pages.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/slp:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/slp:default
                
Remediation script:

    slp_fmri=svc:/network/slp:default
    policy_slp=disabled
    if [ $policy_slp == enabled ]; then
            svcadm enable -s $slp_fmri
    else
            svcadm disable -s $slp_fmri
    fi
      

Service svc:/network/security/kadmin:default is in disabled state (rule)

The Kerberos administration daemon service runs on the master key distribution center (KDC), which stores the principal and policy databases. This service should not be run on a system that is not a KDC. See the kadmind(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/security/kadmin:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/security/kadmin:default
                
Remediation script:

    kadmin_fmri=svc:/network/security/kadmin:default
    policy_kadmin=disabled
    if [ $policy_kadmin == enabled ]; then
            svcadm enable -s $kadmin_fmri
    else
            svcadm disable -s $kadmin_fmri
    fi
      

Service svc:/network/security/krb5_prop:default is in disabled state (rule)

The Kerberos propagation daemon runs on slave KDC servers to update the database from the master KDC. See the kpropd(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/security/krb5_prop:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/security/krb5_prop:default
                
Remediation script:

    krb5_prop_fmri=svc:/network/security/krb5_prop:default
    policy_krb5_prop=disabled
    if [ $policy_krb5_prop == enabled ]; then
            svcadm enable -s $krb5_prop_fmri
    else
            svcadm disable -s $krb5_prop_fmri
    fi
      

Service svc:/network/security/krb5kdc:default is in disabled state (rule)

The Kerberos key distribution center service manages Kerberos tickets on the master and slave KDCs. See the krb5kdc(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/security/krb5kdc:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/security/krb5kdc:default
                
Remediation script:

    krb5kdc_fmri=svc:/network/security/krb5kdc:default
    policy_krb5kdc=disabled
    if [ $policy_krb5kdc == enabled ]; then
            svcadm enable -s $krb5kdc_fmri
    else
            svcadm disable -s $krb5kdc_fmri
    fi
      

Service svc:/application/management/net-snmp:default is in disabled state (rule)

The Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment. The net-snmp SNMP daemon processes requests from SNMP management software. See the snmpd(8) and snmp_config(5) man pages.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/application/management/net-snmp:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/application/management/net-snmp:default
                
Remediation script:

    snmp_fmri=svc:/application/management/net-snmp:default
    policy_snmp=disabled
    if [ $policy_snmp == enabled ]; then
            svcadm enable -s $snmp_fmri
    else
            svcadm disable -s $snmp_fmri
    fi
      

Service svc:/application/cups/in-lpd:default is in disabled state (rule)

This service supports the CUPS Line Printer Daemon (LPD) for legacy client systems that use the LPD protocol. By default, this service is not installed. See the cups-lpd(8) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/application/cups/in-lpd:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/application/cups/in-lpd:default
                
Remediation script:

    lpd_fmri=svc:/application/cups/in-lpd:default
    policy_lpd=disabled
    if [ $policy_lpd == enabled ]; then
            svcadm enable -s $lpd_fmri
    else
            svcadm disable -s $lpd_fmri
    fi
      

Service svc:/application/stosreg is enabled in global zone (rule)

The service tag OS registry inserter (stosreg) service manages the service tag registry. See the stclient(1M) man page. This service only runs in the global zone.

Remediation description:
Enable the stosreg service.
Remediation script:

    # svcadm enable stosreg
      

Service svc:/system/ocm is enabled (rule)

The Oracle Configuration Manager (ocm) service collects configuration information and uploads it to the Oracle repository. See the configCCR(1M) man page.

Remediation description:
Enable the ocm service.
Remediation script:

    # svcadm enable ocm
      

Service svc:/network/finger is disabled or not installed (rule)

This legacy service enables users to display information about local and remote users. By default, this service is not installed as part of solaris-small-server; it is, however, installed as part of solaris-large-server. This service is almost never needed and should be removed or, at least, disabled. See the fingerd(1M) and finger(1) man pages.

Remediation description:
Uninstall the pkg:/service/network/finger and pkg:/network/finger packages or disable the service.
Remediation script:

    # svcadm disable finger

    or

    # pkg uninstall pkg:/service/network/finger
    # pkg uninstall pkg:/network/finger
      

Service svc:/network/login:rlogin is disabled or not installed (rule)

This legacy service enables users to log in remotely. By default, this service is not installed as part of solaris-small-server. See the rlogind(1M) and rlogin(1) man pages.

Remediation description:
Uninstall the pkg:/service/network/legacy-remote-utilities package or disable the service.
Remediation script:

    # svcadm disable network/login:rlogin

    or

    # pkg uninstall pkg:/service/network/legacy-remote-utilities
      

Service svc:/network/login:klogin is disabled or not installed (rule)

This service enables users to log in remotely with Kerberos authentication. By default, this service is not installed. See the rlogind(1M) and rlogin(1) man pages.

Remediation description:
Uninstall the pkg:/service/network/legacy-remote-utilities package or disable the service.
Remediation script:

    # svcadm disable network/login:klogin
      

Service svc:/network/login:eklogin is disabled or not installed (rule)

This service enables users to log in remotely with Kerberos authentication over an encrypted line. By default, this service is not installed. See the rlogind(1M) and rlogin(1) man pages.

Remediation description:
Uninstall the pkg:/service/network/legacy-remote-utilities package or disable the service.
Remediation script:

    # svcadm disable network/login:eklogin
      

Service svc:/network/shell:default is disabled or not installed (rule)

The remote shell daemon provides remote execution facilities with authentication based on Kerberos V5 or privileged port numbers. The Secure Shell service, svc:/network/ssh, is the best choice for remote execution. See the rshd(1M) and sshd(1M) man pages.

Remediation description:
Disable this service or uninstall the package. To view the contents of the package, run the 'pkg contents legacy-remote-utilities' command.
Remediation script:

    # pkg uninstall legacy-remote-utilities

    or

    # svcadm disable svc:/network/shell:default
      

Service svc:/network/shell:kshell is disabled or not installed (rule)

The remote shell daemon provides remote execution facilities with authentication based on Kerberos V5 or privileged port numbers. The Secure Shell service, svc:/network/ssh, is the best choice for remote execution. See the rshd(1M) and sshd(1M) man pages.

Remediation description:
Disable this service or uninstall the package. To view the contents of the package, run the 'pkg contents legacy-remote-utilities' command.
Remediation script:

    # pkg uninstall legacy-remote-utilities

    or

    # svcadm disable svc:/network/shell:kshell
      

Service svc:/network/telnet is disabled or not installed (rule)

This legacy service supports the DARPA standard TELNET virtual terminal protocol to connect to a remote system over the TELNET port. By default, this service is not installed. See the telnetd(1M) and telnet(1) man pages.

Remediation description:
Uninstall the telnet packages or disable the service.
Remediation script:

    # pkg uninstall pkg:/network/telnet
    # pkg uninstall pkg:/service/network/telnet

    or

    # svcadm disable telnet
      

Service svc:/network/uucp is disabled or not installed (rule)

This legacy service, UNIX to UNIX copy, provides a user interface for requesting file copy operations, typically used when constant connectivity is not possible. By default, this service is not installed. See the uucpd(1M) and uucp(1C) man pages.

Remediation description:
Uninstall the uucp package or disable the service.
Remediation script:

    # pkg uninstall pkg:/service/network/uucp

    or

    # svcadm disable network/uucp
      

Service svc:/network/chargen:stream is disabled or not installed (rule)

This legacy service provides the server side of the Character Generator Protocol (RFC 864) for TCP. See the in.chargend(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/chargen:dgram is disabled or not installed (rule)

This legacy service provides the server side of the Character Generator Protocol (RFC 864) for UDP. See the in.chargend(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/daytime:stream is disabled or not installed (rule)

This legacy service provides the server side of the Daytime Protocol (RFC 867) for TCP. See the in.daytimed(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/daytime:dgram is disabled or not installed (rule)

This legacy service provides the server side of the Daytime Protocol (RFC 867) for UDP. See the in.daytimed(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/discard:stream is disabled or not installed (rule)

This legacy service provides the server side of the Discard Protocol (RFC 863) for TCP. See the in.discardd(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/discard:dgram is disabled or not installed (rule)

This legacy service provides the server side of the Discard Protocol (RFC 863) for UDP. See the in.discardd(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/echo:stream is disabled or not installed (rule)

This legacy service provides the server side of the Echo Protocol (RFC 862) for TCP. See the in.echod(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/echo:dgram is disabled or not installed (rule)

This legacy service provides the server side of the Echo Protocol (RFC 862) for UDP. See the in.echod(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/time:stream is disabled or not installed (rule)

This legacy service provides the server side of the Time Protocol (RFC 868) for TCP. See the in.timed(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/time:dgram is disabled or not installed (rule)

This legacy service provides the server side of the Time Protocol (RFC 868) for UDP. See the in.timed(1M) man page.

Remediation description:
Remove the legacy-network-services package. To view the contents of the package, run the 'pkg contents legacy-network-services' command.
Remediation script:

    # pkg uninstall legacy-network-services
      

Service svc:/network/comsat is disabled or not installed (rule)

This legacy service process listens for reports of incoming mail and notifies interested users. By default, this service is not installed as part of solaris-small-server. See the comsat(1M) man page.

Remediation description:
Uninstall the pkg:/service/network/comsat package or disable the service.
Remediation script:

    # pkg uninstall network/comsat

    or

    # svcadm disable comsat
      

Service svc:/network/rexec is disabled or not installed (rule)

This legacy service provides remote execution facilities with authentication based on user names and passwords. See the in.rexecd(1M) and rexec(3C) man pages.

Remediation description:
Disable the rexec service. You can also uninstall the legacy-remote-utilities package. To view the contents of the package, run the 'pkg contents legacy-remote-utilities' command.
Remediation script:

    # pkg uninstall service/network/legacy-remote-utilities

    or

    # svcadm disable network/rexec:default
      

Service svc:/network/talk is disabled or not installed (rule)

This legacy program enables two-way, screen-oriented communication. For more information, see the talk(1) and mesg(1) man pages.

Remediation description:
Disable talk(1) by using the mesg(1) command.
Remediation script:

    # mesg -n
      

Service svc:/network/stdiscover is disabled or not installed (rule)

This legacy program is used to locate the service tag listener. For more information, see the in.stdiscover(1M) man page.

Remediation description:
Disable the stdiscover service.
Remediation script:

    # svcadm disable stdiscover:default
      

Service svc:/network/stlisten is disabled or not installed (rule)

This legacy program is used to listen for discovery probes. See the in.stlisten(1M) man page.

Remediation description:
Disable the stlisten service.
Remediation script:

    # svcadm disable stlisten:default
      

Service svc:/network/rpc/gss is disabled (rule)

The generic security service (gss) service manages the generation and validation of Generic Security Service Application Program Interface (GSS-API) security tokens. The gssd(1M) daemon operates between the kernel rpc and the GSS-API.

Remediation description:
Disable the rpc/gss service.
Remediation script:

    # svcadm disable rpc/gss
      

Service svc:/network/rpc/gss is enabled (rule)

The generic security service (gss) service manages the generation and validation of Generic Security Service Application Program Interface (GSS-API) security tokens. The gssd(1M) daemon operates between the kernel rpc and the GSS-API.

Remediation description:
Enable the rpc/gss service.
Remediation script:

    # svcadm enable rpc/gss
      

Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured (rule)

The generic security service (gss) service manages the generation and validation of Generic Security Service Application Program Interface (GSS-API) security tokens. The gssd(1M) daemon operates between the kernel rpc and the GSS-API. Kerberos uses this service.

Remediation description:
Disable the rpc/gss service if Kerberos is not configured and not in use.
Remediation script:

    # svcadm enable rpc/gss
      

Service svc:/network/rpc/mdcommd is disabled, or not installed (rule)

rpc.mdcommd is an rpc(4) daemon that functions as a server process. rpc.mdcommd manages communication among hosts participating in a multi-node disk set configuration. rpc.mdcommd is invoked by inetd(1M).

Remediation description:
Disable the rpc.mdcommd service.
Remediation script:

    # svcadm disable rpc/mdcomm:default
      

Service svc:/network/rpc/mdcommd is enabled (rule)

rpc.mdcommd(1M) is an rpc(4) daemon that functions as a server process. rpc.mdcommd(1M) manages communication among hosts participating in a multi-node disk set configuration. rpc.mdcommd is invoked by inetd(1M).

Remediation description:
Enable the rpc.mdcommd service.
Remediation script:

    # svcadm enable rpc/mdcomm:default
      

Service svc:/network/rpc/smserver is disabled or not installed (rule)

This program is used to access removable media devices. See the rpc.smserverd(1M) man page.

Remediation description:
Disable the smserver service.
Remediation script:

    # svcadm disable rpc/smserver:default
      

Service svc:/network/rpc/smserver is enabled (rule)

This program is used to access removable media devices. See the rpc.smserverd(1M) man page.

Remediation description:
Enable the smserver service.
Remediation script:

    # svcadm enable rpc/smserver:default
      

Service svc:/network/security/ktkt_warn is disabled or not installed (rule)

The Kerberos V5 warning messages daemon on Kerberos clients can warn users when their Kerberos tickets are about to expire and can renew the tickets before they expire. By default, this service is disabled. If the system is a Kerberos client, then this service should be enabled. See the ktkt_warnd(1M) man page.

Remediation description:
On systems that are not part of a Kerberos realm, uninstall any Kerberos packages. Disable this service on all systems in a Kerberos realm that are not KDCs.
Remediation script:

    # pkg uninstall pkg:/system/security/kerberos-5
    # pkg uninstall pkg:/service/security/kerberos-5

    or

    # svcadm disable svc:/network/security/ktkt_warn
      

Service svc:/network/security/ktkt_warn is enabled (rule)

The Kerberos V5 warning messages daemon on Kerberos clients can warn users when their Kerberos tickets are about to expire and can renew the tickets before they expire. By default, this service is disabled. See the ktkt_warnd(1M) man page.

Remediation description:
Enable this service on all systems in a Kerberos realm. On systems that are not part of a Kerberos realm, remove the package.
Remediation script:

    # svcadm enable svc:/network/security/ktkt_warn
      

Service svc:/network/rpc/rstat is disabled or not installed (rule)

This legacy service displays performance data from a remote system. By default, this service is not installed. See the rstatd(1M) and rstat(3RPC) man pages.

Remediation description:
Uninstall the pkg:/service/network/legacy-remote-utilities package or disable the service.
Remediation script:

    # pkg uninstall legacy-remote-utilities

    or

    # svcadm disable rpc/rstat
      

Service svc:/network/rpc/rusers is disabled or not installed (rule)

This legacy service displays information about users on a remote system. By default, this service is not installed. See the rusersd(1M) and rusers(1) man pages.

Remediation description:
Uninstall the pkg:/service/network/legacy-remote-utilities package or disable the service.
Remediation script:

    # pkg uninstall legacy-remote-utilities

    or

    # svcadm disable rpc/rusers
      

Service svc:/network/rpc/meta is disabled or not installed (rule)

This legacy service uses an rpc(4) daemon to manage local copies of metadevice diskset information. By default, this service is not installed. See the rpc.metad(1M) man page.

Remediation description:
Uninstall the package or disable the service.
Remediation script:

    # pkg uninstall storage/svm

    or

    # svcadm disable rpc/meta
      

Service svc:/network/rpc/metamed is disabled or not installed (rule)

This legacy service manages mediator information for 2-string high availability configurations. See the rpc.metamedd(1M) man page.

Remediation description:
Uninstall the package or disable the service.
Remediation script:

    # pkg uninstall storage/svm

    or

    # svcadm disable rpc/metamed
      

Service svc:/network/rpc/metamh is disabled or not installed (rule)

This legacy service uses an rpc(4) daemon to manage multi-hosted disks. By default, this service is not installed. See the rpc.metamhd(1M) man page.

Remediation description:
Uninstall the package or disable the service.
Remediation script:

    # pkg uninstall storage/svm

    or

    # svcadm disable rpc/metamh
      

Service svc:/network/rpc/rex is disabled or not installed (rule)

This program is the Oracle Solaris RPC server for remote program execution. If this service is enabled, the daemon is started by inetd(1M) whenever a remote execution request is made. See the rpc.rexd(1M) man page.

Remediation description:
Disable the rex service.
Remediation script:

    # svcadm disable rpc/rex:default
      

Service svc:/network/rpc/spray is disabled or not installed (rule)

This program is a server that records the packets sent by spray(1M). See the rpc.sprayd(1M) man page.

Remediation description:
Disable the spray service.
Remediation script:

    # pkg uninstall service/diagnostic/spray

    or

    # svcadm disable rpc/spray:default
      

Service svc:/network/rpc/wall is disabled or not installed (rule)

This program broadcasts messages to all logged-in users. See the rpc.rwalld(1M) and wall(1M) man pages.

Remediation description:
Disable the wall service.
Remediation script:

    # pkg uninstall legacy-remote-utilities

    or

    # svcadm disable rpc/wall:default
      

Service svc:/system/avahi-bridge-dsd is disabled or not installed (rule)

This program provides an object-oriented interface to DBUS-enabled applications. See the avahi-daemon-bridge-dsd(1) man page.

Remediation description:
Disable the avahi-bridge-dsd service.
Remediation script:

    # svcadm disable system/avahi-bridge-dsd:default
      

Service cde-ttdbserver is enabled, or not installed (rule)

The rpc.ttdbserver service is part of the Common Desktop Environment (CDE) which predates the use of GNOME in Solaris. If you are running CDE, then you should enable its services. You should have good reasons to choose CDE over GNOME as your desktop environment.

Remediation description:
If installed, this service should be enabled.
Remediation script:

    # svcadm enable rpc/ttdbserver
      

Service svc:/application/graphical-login/gdm:default is in disabled state (rule)

The GNOME Display Manager manages the displays on a system, including the console display, attached displays, XDMCP displays, and virtual terminals.

If a windowing display is not needed, this service should be disabled. If a windowing display is needed and installed, this service should be enabled. See the gdm(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/application/graphical-login/gdm:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/application/graphical-login/gdm:default
                
Remediation script:

    gdm_fmri=svc:/application/graphical-login/gdm:default
    policy_gdm=disabled
    if [ $policy_gdm == enabled ]; then
            svcadm enable -s $gdm_fmri
    else
            svcadm disable -s $gdm_fmri
    fi
      

Service cde-calendar-manager is enabled, or not installed (rule)

The cde-calendar-manager service is part of the Common Desktop Environment (CDE) which predates the use of GNOME in Solaris. If you are running CDE, then you should enable its services. You should have good reasons to choose CDE over GNOME as your desktop environment.

Remediation description:
If installed, this service should be enabled.
Remediation script:

    # svcadm enable svc:/network/rpc/cde-calendar-manager:default
      

Service svc:/application/x11/xfs is disabled or not installed (rule)

This program provides fonts to X Window System display servers. The server is usually run by inetd(1M). See the xfs(1) and fsadmin(1) man pages.

Remediation description:
Disable the xfs service.
Remediation script:

    # svcadm disable svc:/application/x11/xfs:default
      

Service xvnc-inetd is enabled, or not installed (rule)

The xvnc-inetd service runs the X VNC server from inetd(1M). See the Xvnc(1) man page.

Remediation description:
To run Xvnc from inetd, this service must be enabled.
Remediation script:

    # svcadm enable application/x11/xvnc-inetd
      

The GNOME desktop has suitable screensaver settings (rule)

The timeout parameter for the xscreensaver application specifies the amount of time that the keyboard and mouse can be inactive before a password-protected screensaver appears. See the xscreensaver(1) man page.

Remediation description:
A screensaver timeout provides protection for a desktop that has not been locked by an absent user. To help prevent session hijacking, the timeout value should be set to a fairly short interval.
Remediation script:

    # cd /usr/share/X11/app-defaults
    # cp XScreenSaver XScreenSaver.orig
    # pfedit XScreenSaver
    *timeout:       0:10:00
    *lockTimeout:   0:00:00
    *lock:    True
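The rule above states the properties to check (a short timeout and a password-protected lock) but not how to verify them on a host. The following added example, written for this page and taken neither from Oracle nor from the xscreensaver project, parses an XScreenSaver app-defaults excerpt and computes the idle time until the display is actually locked, which is timeout plus lockTimeout, then compares it with a limit and checks that *lock is True. The resource excerpts are constructed, and the 600-second limit, chosen to match the 0:10:00 value in the remediation script, is an assumption.

```shell
#!/bin/sh
# Constructed XScreenSaver app-defaults excerpts (not copied from a real host).
xss_defaults_good() {
    cat <<'EOF'
! Compliant: 10 minutes idle, lock as soon as the saver starts
*timeout:       0:10:00
*lockTimeout:   0:00:00
*lock:          True
EOF
}

xss_defaults_bad() {
    cat <<'EOF'
! Non-compliant: two hours idle, a further 30 minutes before locking, and no lock
*timeout:       2:00:00
*lockTimeout:   0:30:00
*lock:          False
EOF
}

# idle_to_lock_seconds: read app-defaults on stdin and print the number of
# seconds of inactivity before the display is locked (timeout + lockTimeout).
idle_to_lock_seconds() {
    awk '
    # secs: convert "H:MM:SS" (or "M:SS") to seconds
    function secs(hms,  f, n) {
        n = split(hms, f, ":")
        if (n == 2) return f[1] * 60 + f[2]
        return f[1] * 3600 + f[2] * 60 + f[3]
    }
    /^!/ { next }                               # "!" starts a comment in X resource files
    $1 == "*timeout:"     { t = secs($2) }
    $1 == "*lockTimeout:" { lt = secs($2) }
    END { print t + lt }'
}

# check_screensaver MAX_SECONDS: read app-defaults on stdin; pass only if the
# display locks within MAX_SECONDS of inactivity and *lock is True.
check_screensaver() {
    max=$1
    conf=$(cat)                                 # read stdin once, reuse it below
    total=$(printf '%s\n' "$conf" | idle_to_lock_seconds)
    lock=$(printf '%s\n' "$conf" | awk '$1 == "*lock:" { print tolower($2) }')
    status=0
    if [ "$total" -gt "$max" ]; then
        echo "FAIL: display locks after ${total}s of inactivity (limit ${max}s)"
        status=1
    fi
    if [ "$lock" != "true" ]; then
        echo "FAIL: *lock is '${lock:-unset}', so the saver does not require a password"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "PASS: locks after ${total}s with a password required"
    return "$status"
}

# Stand-alone run: evaluate both samples against a 10-minute limit.
xss_defaults_good | check_screensaver 600
xss_defaults_bad | check_screensaver 600
```

On a real host the input would be `/usr/share/X11/app-defaults/XScreenSaver`, the file the remediation script edits; the sum of the two timers is what matters, because a short *timeout with a long *lockTimeout still leaves the session unlocked.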
      

The NIS client service is disabled or not installed (rule)

By default, NIS client software is not installed. NIS is an RPC-based naming service that does not conform to current security requirements and so can be less secure than the LDAP naming service. See the nis(5) and ypbind(1M) man pages.

Remediation description:
Disable the NIS client service if it is not on a network with an NIS server.
Remediation script:

    # svcadm disable svc:/network/nis/client
      

The NIS server service is disabled or not installed (rule)

By default, NIS server software is not installed. NIS is an RPC-based naming service that does not conform to current security requirements and so can be less secure than the LDAP naming service. See the nis(5) and ypserv(1M) man pages.

Remediation description:
Disable the NIS server service if it is not being used to distribute system and user configuration information.
Remediation script:

    # svcadm disable svc:/network/nis/server
      

The r-protocols services are disabled in PAMrule

By default, legacy services such as the r-protocols, rlogin(1) and rsh(1), are not installed. Their services, however, are defined in /etc/pam.d. See the pam.d(4) man page.

Remediation description:
If you removed the service definitions from /etc/pam.d, these legacy services would fall back to the "other" service definition if they were ever enabled. Therefore, keep the definitions and specify pam_deny.so.1 as the module for every line of the authentication stack of the r-protocol services in the /etc/pam.d directory.
Remediation script:

    # cd /etc/pam.d
    # cp rlogin rlogin.orig
    # pfedit rlogin
    auth definitive    pam_deny.so.1
    auth sufficient    pam_deny.so.1
    auth required    pam_deny.so.1
    # cp rsh rsh.orig
    # pfedit rsh
    auth definitive         pam_deny.so.1
    auth sufficient         pam_deny.so.1
    auth required           pam_deny.so.1
      

Service svc:/network/http:apache22 is in disabled staterule

This program provides Apache web server services by using the Apache hypertext transfer protocol (http). See the httpd(8) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/http:apache22
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/http:apache22
                
Remediation script:

    apache_fmri=svc:/network/http:apache22
    policy_apache=disabled
    if [ "$policy_apache" = enabled ]; then
            svcadm enable -s $apache_fmri
    else
            svcadm disable -s $apache_fmri
    fi
      

Service svc:/network/rpc/keyserv is disabled or not installedrule

keyserv is a daemon that is used for storing the private encryption keys of each user logged into the system. These encryption keys are used for accessing secure network services such as secure NFS. For more information, see the keyserv(1M) man page.

Remediation description:
Disable the keyserv service.
Remediation script:

    # svcadm disable network/rpc/keyserv:default
      

Service svc:/network/rpc/keyserv cannot use the nobody user keyrule

The value of ENABLE_NOBODY_KEYS is YES by default. See the keyserv(1M) man page.

Remediation description:
Edit the /etc/default/keyserv file to change the value of ENABLE_NOBODY_KEYS to NO.
Remediation script:

    # pfedit /etc/default/keyserv
    ...
    ENABLE_NOBODY_KEYS=NO
      

ssh(1) is the only service binding a listener to non-loopback addressesrule

By default, ssh(1) is the only network service that can send and receive network packets on a newly-installed Oracle Solaris system. Of course, most useful servers will have some additional service such as a web server on port 80, etc. Also, rpcbind, if it is online, should be configured to listen only for local connections. See the sshd(1M) and rpcbind(1M) man pages.

Remediation description:

Disable any unneeded services listening on the network.

        # svcadm disable <FMRI for unneeded service>
        

Additionally, rpcbind should be set to local only mode so that it does not respond to remote requests, using:

        # /usr/sbin/svccfg -s svc:/network/rpc/bind:default setprop config/local_only = boolean: true
        # svcadm refresh svc:/network/rpc/bind:default
        
Remediation script:

ssh(1) requires passwordsrule

Logins without a password put the system at risk. In the default remote login service, Secure Shell, the PermitEmptyPasswords parameter in the /etc/ssh/sshd_config file should remain set to no. See the sshd_config(4) man page.

Remediation description:
Ensure that PermitEmptyPasswords value in the /etc/ssh/sshd_config file has not been changed. The default value is no. If you reset the value, restart the ssh service.
Remediation script:

    # cd /etc/ssh
    # grep PermitEmpty sshd_config
    ...
    PermitEmptyPasswords no

    # svcadm restart svc:/network/ssh
      

rhost-based authentication in ssh(1) is disabledrule

rhost-based authentication in Secure Shell allows users to remotely log in without supplying a password. The IgnoreRhosts parameter specifies whether .rhosts and .shosts files can be used rather than a password. See the sshd_config(4) and hosts.equiv(4) man pages.

Remediation description:
Ensure that the default value of IgnoreRhosts has not been changed. If the parameter is not in the /etc/ssh/sshd_config file, the value is yes. If IgnoreRhosts is in the file, set its value to yes. Secure Shell parameters are case-sensitive. If you reset the value, restart the ssh service.
Remediation script:

    # pfedit /etc/ssh/sshd_config
    IgnoreRhosts    yes

    # svcadm restart svc:/network/ssh
      

root login by using ssh(1) is disabledrule

By default, remote root logins are not permitted because root is a role and roles cannot log in. If root has been changed to a user, the default value of the PermitRootLogin parameter in the /etc/ssh/sshd_config file prevents root from remotely logging in. See the sshd_config(4) man page.

Remediation description:
If root is a user on your system, ensure that the value of PermitRootLogin has not been changed to yes. If you reset the value, restart the ssh service.
Remediation script:

    # pfedit /etc/ssh/sshd_config
    PermitRootLogin no

    # svcadm restart svc:/network/ssh
      

Service svc:/network/smtp:sendmail only listens on loopbackrule

Check that sendmail listens in local_only mode, which is also called listening on loopback. See the sendmail(1M) and svccfg(1M) man pages.

Remediation description:
Set the service to listen in local_only mode.
Remediation script:

    #  svccfg -s svc:/network/smtp:sendmail setprop \
    config/local_only = astring: "true"
      

The umask(1) for SMF services is 022rule

Files that the Service Management Facility (SMF) creates should be created with 644 file permissions.

Remediation description:
Set the umask for SMF services to 022.
Remediation script:

    # svccfg -s svc:/system/environment:init setprop umask/umask = astring: "022"
      

ssh(1) does not forward X11rule

The X11Forwarding parameter in the /etc/ssh/sshd_config file specifies whether users can forward an X Window session through an encrypted tunnel. This parameter allows the remote user to display windows remotely over Secure Shell. See the sshd_config(1M) and X(5) man pages.

Remediation description:
By default, X11Forwarding is set to yes. X11Forwarding could permit a malicious user to secretly open an X11 connection to a different client and perform unobtrusive activities such as keystroke monitoring. If the remote window display is not required, disable or restrict it, then restart the ssh service.
Remediation script:

    # pfedit /etc/ssh/sshd_config
    ...
    X11Forwarding no

    # svcadm restart svc:/network/ssh
      

Consecutive login attempts for ssh(1) are limitedrule

By default, the MaxAuthTries parameter in the /etc/ssh/sshd_config file is set to 6. This parameter specifies the maximum number of authentication attempts that the server permits before ending the connection. By restricting the number of failed authentication attempts, Secure Shell lessens the effectiveness of brute-force login attempts. It is important to note that setting MaxAuthTries to 6 actually provides only 3 failed login attempts because of the way SSH counts failures. See the sshd_config(4) man page.

Remediation description:
Set the MaxAuthTries parameter in the /etc/ssh/sshd_config file to the value that site security requires, then restart the ssh service.
Remediation script:

    # pfedit /etc/ssh/sshd_config
    MaxAuthTries 6

    # svcadm restart svc:/network/ssh
      

gdm(1M) does not accept logins without passwordsrule

Automatic logins are a known security risk for anything other than public kiosks. By default, GNOME automatic login is disallowed, so users must supply a password. Automatic and timed login are controlled by entries in /etc/gdm/custom.conf. See the gdm(1M) man page.

Remediation description:
Ensure that GNOME automatic login has not been enabled. If it has, remove the lines from /etc/gdm/custom.conf.
Remediation script:

    # cd /etc/gdm
    # pfedit custom.conf
    ... ensure that the following lines do not exist or are set to false
    AutomaticLoginEnable=true
    TimedLoginEnable=true
      

The ftp(1) banner shows a suitable security messagerule

The banner informs users who are attempting to access the system that the system is monitored. Note that the pkg:/service/network/ftp package must be installed for ftp to work.

Remediation description:
The ftp banner shows the security message in the /etc/issue file prior to login. See the proftpd(1M) man page.
Remediation script:

    # echo "DisplayConnect /etc/issue" >> /etc/proftpd.conf
    # svcadm restart ftp
      

The gdm(1M) banner shows a suitable security messagerule

The banner informs users who are attempting to access the system that the system is monitored. The banner uses the /etc/issue file. See the issue(4) and gdm(1M) man pages.

Remediation description:
Modify the /etc/gdm/Init/Default file to display a dialog box with the contents of the /etc/issue file. zenity(1) displays simple GNOME dialogs.
Remediation script:

    # pfedit /etc/gdm/Init/Default
    /usr/bin/zenity --text-info --width=800 --height=300 \
    --title="Security Message" --filename=/etc/issue
      

The ssh(1) banner shows a suitable security messagerule

By default, the ssh(1) banner displays the contents of the /etc/issue file. See the issue(4) and sshd_config(4) man pages.

Remediation description:
Ensure that the Banner value in the sshd_config(4) file is not commented out.
Remediation script:

    $ grep Banner /etc/ssh/sshd_config
    # Banner to be printed before authentication starts.
    Banner /etc/issue
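
The ssh rules above (PermitEmptyPasswords, IgnoreRhosts, PermitRootLogin, X11Forwarding, MaxAuthTries and Banner) all reduce to one question: which value does sshd actually use for a keyword? As an added example that is not part of the Oracle policy, the following POSIX shell script answers that for each keyword and reports deviations. It assumes the "Keyword value" form on one line, ignores Match blocks, treats the defaults listed inside the script as the values sshd uses when a keyword is absent (an assumption), and checks MaxAuthTries against the shipped default of 6 because the policy leaves the exact limit to the site.

```shell
#!/bin/sh
# Added example: audit the sshd_config(4) settings named by this policy.
# sshd uses the first uncommented occurrence of a keyword; an absent
# keyword takes its compiled-in default (assumed values listed below).
# Match blocks are not modelled.

# sshd_effective FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD in FILE, or DEFAULT if the
# keyword never appears uncommented.  Keywords are matched without regard
# to case (as sshd does); the "Keyword value" form is assumed.
sshd_effective() {
    _val=$(awk -v kw="$2" '
        /^[ \t]*#/ { next }                         # skip comment lines
        NF >= 2 && tolower($1) == tolower(kw) { print $2; exit }
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# sshd_audit FILE
# Print one FAIL line per deviation and return the number of deviations,
# so a return value of 0 means FILE meets the policy.
sshd_audit() {
    _f=$1 _fail=0
    # keyword, assumed default when absent, value this policy requires
    for _spec in \
        "PermitEmptyPasswords no no" \
        "IgnoreRhosts yes yes" \
        "PermitRootLogin yes no" \
        "X11Forwarding yes no" \
        "Banner none /etc/issue"
    do
        set -- $_spec
        _cur=$(sshd_effective "$_f" "$1" "$2")
        if [ "$_cur" != "$3" ]; then
            echo "FAIL $1 is '$_cur', policy requires '$3'"
            _fail=$((_fail + 1))
        fi
    done
    # MaxAuthTries: the policy leaves the exact limit to the site, so only
    # reject values that are not numeric or exceed the shipped default of 6
    _cur=$(sshd_effective "$_f" MaxAuthTries 6)
    case $_cur in
        *[!0-9]*|'')
            echo "FAIL MaxAuthTries '$_cur' is not numeric"
            _fail=$((_fail + 1)) ;;
        *)
            if [ "$_cur" -gt 6 ]; then
                echo "FAIL MaxAuthTries is $_cur, this audit allows at most 6"
                _fail=$((_fail + 1))
            fi ;;
    esac
    return $_fail
}

# Demonstration on a constructed sshd_config fragment (not a real host file):
# the commented line does not count, the first uncommented PermitRootLogin
# wins, and X11Forwarding falls back to its assumed default of yes.
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
#X11Forwarding no
permitrootlogin yes
PermitRootLogin no
MaxAuthTries 10
Banner /etc/issue
EOF
sshd_audit "$_demo" || echo "deviations found: $?"
rm -f "$_demo"
```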
      

The telnet(1) banner shows a suitable security messagerule

The telnetd(1M) DARPA TELNET protocol server is a legacy service that does not conform to current security requirements. By default, this service is not installed, and systems use the ssh(1) protocol to communicate.

Remediation description:
If telnet is installed, the default banner is empty. Make sure that the banner contains a suitable security message or is empty. Alternatively, uninstall the package.
Remediation script:

    # grep BANNER /etc/default/telnetd
    BANNER=""

    or

    # pkg uninstall pkg://solaris/service/network/telnet
      

ftp(1) is restricted to a specific set of usersrule

FTP file transfers should not be available to all users, and must require qualified users to supply their names and password. In general, system users should not be allowed to use FTP. This check verifies that system accounts are included in the /etc/ftpd/ftpusers file so that they are not allowed to use FTP. See the ftp(1) man page.

Remediation description:
The file /etc/ftpd/ftpusers is used to prohibit users from using the FTP service. As a minimum, this file should include all system users, such as 'root', 'bin', 'adm', etc.
Remediation script:

    # pfedit /etc/ftpd/ftpusers
    ....
    root
    daemon
    bin
    ...
      

The tcp_wrappers feature is enabledrule

TCP wrappers provides a way of implementing access controls by checking the address of a host that is requesting a particular network service against an ACL. Requests are granted or denied accordingly. TCP wrappers also logs host requests for network services, which is a useful monitoring function. The ssh(1) and sendmail(1M) services are configured to use TCP wrappers. Network services that might be placed under access control include proftpd(8) and rpcbind(1M). See the tcpd(1M) man page.

Remediation description:
For most TCP services, see the Network Administration Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=NWIPA). For FTP, see the Security Guidelines (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SYSADV7).
Remediation script:

    1) Create an /etc/hosts.deny file containing the one line:
      ALL:ALL
    2) Create an /etc/hosts.allow file containing those connections which you
    want to allow. For detailed instructions, see the hosts_access(4),
    and tcpd(1M) man pages.
      

Files written in ftp(1) sessions have a suitable umaskrule

The FTP server does not necessarily use the user's system file creation mask. Setting the FTP umask ensures that files transmitted over FTP use a strong file creation umask. See the umask(1) and proftpd(8) man pages.

Remediation description:
Set a strong default file creation mask for files that are created by the FTP server.
Remediation script:

    # pfedit /etc/proftpd.conf
    Umask         027
      

Tune kernel and network parametersgroup

Oracle Solaris is a multithreaded, scalable UNIX operating system that runs on SPARC and x86 processors. It is self-adjusting to system load and requires minimal tuning. Kernel and network variables are tuned to secure values by default. In some cases, however, tuning is necessary.
For more information, see:

  • Tunables Parameters (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SOLTUNEPARAMREF)
  • Network Security Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=NWSEC)

In this section, you verify that a TCP/IP kernel variable is still set to its default value, and you modify network tunables for security reasons.

contains 17 rules

Directed broadcasts are not forwardedrule

By default, Oracle Solaris forwards broadcast packets. To reduce the possibility of broadcast flooding, change the default. Note that you are also disabling broadcast pings.

Remediation description:
Directed broadcasts are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _forward_directed_broadcasts=0 ip
    or
    # ipadm reset-prop -p _forward_directed_broadcasts ip
      

Responses to ICMP netmask requests are disabledrule

To prevent the dissemination of information about the network topology, disable these responses if they are currently enabled.

Remediation description:
Responses to ICMP netmask requests are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix, use
    # ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
    or
    # ipadm reset-prop -p _respond_to_address_mask_broadcast ip
      

Responses to ICMP broadcast timestamp requests are disabledrule

To prevent the dissemination of information about the network topology, disable these responses if they are currently enabled.

Remediation description:
Responses to ICMP broadcast timestamp requests are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix, use
    # ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
    or
    # ipadm reset-prop -p _respond_to_timestamp_broadcast ip
      

Responses to ICMP timestamp requests are disabledrule

The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.

Remediation description:
Responses to ICMP timestamp requests are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _respond_to_timestamp=0 ip
    or
    # ipadm reset-prop -p _respond_to_timestamp ip
      

Source-routed packets are not forwardedrule

To prevent DoS attacks from spoofed packets, ensure that source-routed packets are not forwarded. The default is not to forward them.

Remediation description:
Forwarding of source-routed packets is managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix, use
    # ipadm set-prop -p _forward_src_routed=0 ipv4
    and
    # ipadm set-prop -p _forward_src_routed=0 ipv6
      

TCP reverse source routing is disabledrule

The default value prevents packets from bypassing network security measures. Source-routed packets allow the source of the packet to suggest a path different from the path configured on the router. Note - This parameter might be set to 1 for diagnostic purposes. After diagnosis is complete, return the value to 0.

Remediation description:
TCP reverse source routing is managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _rev_src_routes=0 tcp
    or
    # ipadm reset-prop -p _rev_src_routes tcp
      

The maximum number of half-open TCP connections is set to the defaultrule

Setting the maximum number of half-open TCP connections to 4096 per IP address per port helps to defend against SYN flood denial of service attacks. The default is 1024.

Remediation description:
The maximum number of half-open TCP connections is managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _conn_req_max_q0=1024 tcp
      

The maximum number of waiting TCP connections is set to the defaultrule

Setting the maximum number of queued incoming TCP connections to at least 1024 can help prevent certain Distributed Denial of Service (DDoS) attacks. The default is 128.

Remediation description:
The maximum number of waiting TCP connections is managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _conn_req_max_q=128 tcp
      

Responses to echo requests on multicast addresses are disabledrule

To prevent the dissemination of information about the network topology, disable these responses.

Remediation description:
Responses to echo requests are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
    and
    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv6
      

Responses to ICMP echo requests on broadcast addresses are disabledrule

To prevent the dissemination of information about the network topology, disable these responses if they are currently enabled.

Remediation description:
Responses to ICMP echo requests on broadcast addresses are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _respond_to_echo_broadcast=0 ip
      

Strict multihoming is enabledrule

For systems that are gateways to other domains, such as a firewall or a VPN node, strict multihoming must be enabled. The hostmodel property controls the send and receive behavior for IP packets on a multihomed system.

Remediation description:
Strict multihoming should be set to "1" so that packets are not accepted on a different interface. The default is "0".
Remediation script:

    To fix
    # ipadm set-prop -p _strict_dst_multihoming=1 ipv4
    and
    # ipadm set-prop -p _strict_dst_multihoming=1 ipv6
      

ICMP redirects are disabledrule

Routers use ICMP redirect messages to inform hosts of more direct routes to a destination. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Remediation description:
ICMP redirects are managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _ignore_redirect=1 ipv4
    and
    # ipadm set-prop -p _ignore_redirect=1 ipv6
      

Improved sequential generation for TCP packet sequence numberingrule

Ensure that the TCP initial sequence number generation parameter complies with RFC 6528 (http://www.ietf.org/rfc/rfc6528.txt).

Remediation description:
TCP initial sequence number generation parameters are set in the /etc/default/inetinit file using the TCP_STRONG_ISS parameter, which is set to 1 by default. The recommended, more secure value of 2 also passes this check.
Remediation script:

    # pfedit /etc/default/inetinit
    ...
    TCP_STRONG_ISS=1
    or
    TCP_STRONG_ISS=2
    ...
      

Strong TCP packet sequence numberingrule

Ensure that the TCP initial sequence number generation parameter complies with RFC 6528 (http://www.ietf.org/rfc/rfc6528.txt).

Remediation description:
TCP initial sequence number generation parameters are set in the /etc/default/inetinit file using the TCP_STRONG_ISS parameter which should be set to 2.
Remediation script:

    # pfedit /etc/default/inetinit
    ...
    TCP_STRONG_ISS=2
    ...
      

Routing daemons are disabledrule

Systems in a secure datacenter should not need automatic routing reconfiguration.

Remediation description:
List all routing services and daemons by running the routeadm(1M) command. Stop any running routing configuration daemons by using svcadm to disable the services associated with them. The route(1M) command can be used to establish any static routes that the system needs.
Remediation script:

    # routeadm
    # svcadm disable <routing service FMRI>
      

The maximum number of half-open TCP connections is at least 4096rule

Setting the maximum number of half-open TCP connections to 4096 per IP address per port helps to defend against SYN flood denial of service attacks.

Remediation description:
The maximum number of half-open TCP connections is managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _conn_req_max_q0=4096 tcp
      

The maximum number of waiting TCP connections is set to at least 1024rule

Setting the maximum number of queued incoming TCP connections to at least 1024 can help prevent certain Distributed Denial of Service (DDoS) attacks.

Remediation description:
The maximum number of waiting TCP connections is managed using the ipadm command. See the ipadm(1M) man page.
Remediation script:

    To fix
    # ipadm set-prop -p _conn_req_max_q=1024 tcp
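
The ipadm rules in this section each check one tunable; as an added example that is not part of the Oracle policy, the following POSIX shell script collects them into a single table and audits a dump of current values against it, using the "at least" variants for the two TCP queue sizes. The audit reads a text file so it also works on values collected from a host; ipadm_dump shows how to produce that file and assumes the colon-separated "proto:property:current" layout that ipadm show-prop -c -o proto,property,current prints.

```shell
#!/bin/sh
# Added example: check ipadm(1M) tunables against the values this section
# requires.  The audit consumes a text dump rather than calling ipadm, so
# it can run on a file collected from the host; ipadm_dump produces it.

# proto:property:required, where a leading ">=" means a minimum.  The two
# TCP queue sizes use the "at least" rules of this section.
IPADM_POLICY='
ip:_forward_directed_broadcasts:0
ip:_respond_to_address_mask_broadcast:0
ip:_respond_to_timestamp_broadcast:0
ip:_respond_to_timestamp:0
ip:_respond_to_echo_broadcast:0
ipv4:_forward_src_routed:0
ipv6:_forward_src_routed:0
ipv4:_respond_to_echo_multicast:0
ipv6:_respond_to_echo_multicast:0
ipv4:_strict_dst_multihoming:1
ipv6:_strict_dst_multihoming:1
ipv4:_ignore_redirect:1
ipv6:_ignore_redirect:1
tcp:_rev_src_routes:0
tcp:_conn_req_max_q0:>=4096
tcp:_conn_req_max_q:>=1024
'

# ipadm_dump
# Run on the Solaris host: emit one "proto:property:current" line for each
# property in IPADM_POLICY (assumes the layout of ipadm show-prop -c).
ipadm_dump() {
    for _spec in $IPADM_POLICY; do
        _proto=${_spec%%:*}
        _rest=${_spec#*:}
        _prop=${_rest%%:*}
        ipadm show-prop -c -o proto,property,current -p "$_prop" "$_proto"
    done
}

# ipadm_audit FILE
# FILE holds ipadm_dump output.  Print a FAIL line for every deviation or
# missing property and return the number of findings (0 means compliant).
ipadm_audit() {
    awk -F: -v policy="$IPADM_POLICY" '
    BEGIN {
        fails = 0
        n = split(policy, specs, "\n")
        for (i = 1; i <= n; i++) {
            if (specs[i] == "") continue
            split(specs[i], f, ":")
            want[f[1] ":" f[2]] = f[3]
        }
    }
    NF >= 3 && ($1 ":" $2) in want {
        key = $1 ":" $2; req = want[key]; cur = $3; seen[key] = 1
        if (req ~ /^>=/) ok = (cur + 0 >= substr(req, 3) + 0)   # minimum
        else             ok = (cur == req)                       # exact
        if (!ok) {
            printf "FAIL %s current=%s required=%s\n", key, cur, req
            fails++
        }
    }
    END {
        for (k in want) if (!(k in seen)) {
            printf "FAIL %s not present in dump\n", k
            fails++
        }
        exit fails
    }' "$1"
}

# Demonstration on a constructed dump (not taken from a real host): derive a
# fully compliant dump from the policy, then lower the SYN backlog to 1024.
_demo=$(mktemp)
printf '%s\n' "$IPADM_POLICY" | sed -e '/^$/d' -e 's/>=//' \
    -e 's/^tcp:_conn_req_max_q0:.*/tcp:_conn_req_max_q0:1024/' > "$_demo"
ipadm_audit "$_demo" || echo "deviations found: $?"
rm -f "$_demo"
```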
      

Verify user configurationgroup

Each user at a site must have a unique login and ID, and be assigned a home directory. User passwords must be as secure as possible, and their files at creation must be protected from modification by other users. User configuration should protect regular users and prevent or discourage malicious users.
For more information, see the User Rights guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=OSSUP).
In this section, you verify password constraints and other user configuration features. You also correct role configuration, verify that system accounts are still correctly configured, and check for duplicate and unknown users.

contains 40 rules

DICTIONBDIR is set to /var/passwdrule

DICTIONBDIR in the /etc/default/passwd file points to the /var/passwd dictionary by default. A password dictionary can strengthen users' password selection by preventing the use of common words or letter combinations. The passwd command performs dictionary lookups in the dictionary that DICTIONBDIR indicates. See the passwd(1) man page.

Remediation description:
In the /etc/default/passwd file, set the DICTIONBDIR variable to /var/passwd.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the PCI-DSS benchmark is /var/passwd
    #DICTIONBDIR=
    DICTIONBDIR=/var/passwd
    ...
      

Passwords are hashed with a secure algorithmrule

The hash used is determined by the values of CRYPT_ALGORITHMS_ALLOW and CRYPT_DEFAULT set in the /etc/security/policy.conf file. The value for SHA-256 is "5", and the value for SHA-512 is "6". To confirm that they are set properly, inspect the second field of the /etc/shadow file, which indicates the algorithm that was used to create the password hash. If the algorithm is set to SHA-256, the entry begins with "$5$"; if the algorithm is set to SHA-512, the entry begins with "$6$". See the crypt.conf(4) and policy.conf(4) man pages.

Remediation description:
Save the /etc/security/policy.conf file to a new name. Edit original policy.conf file to accept 5 (and 6 if desired) as values for allowed algorithms, and 5 (or 6 if desired, and if added as allowed) as the value for the default algorithm. Set the password for your users, or set a deadline for password change. After setting the password, or after the deadline, verify the $5$ or $6$ prefix for the second field of the users' entries in /etc/shadow file. Once verified, you can safely remove the saved policy.conf file.
Remediation script:

    # cd /etc/security
    # cp policy.conf policy.conf.save
    # pfedit policy.conf
    CRYPT_ALGORITHMS_ALLOW=5
    CRYPT_DEFAULT=5

    # passwd <username>
    New Password: xxxxxxxx
    Re-enter new Password: xxxxxxxx

    # grep <username> /etc/shadow
    <username>:$5$xxxxx::::::10 xxxxx

    # cp policy.conf.save policy.conf
      

Password history does not log any passwordsrule

HISTORY in the /etc/default/passwd file prevents users from using similar passwords within the HISTORY value. The default value, 0, allows users to reuse passwords immediately.

Remediation description:
In the /etc/default/passwd file, leave the HISTORY variable set to 0.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the Baseline profile is 0 which is the default
    #HISTORY=0
    ...
      

Password history logs the last ten passwordsrule

HISTORY in the /etc/default/passwd file prevents users from using similar passwords within the HISTORY value. If MINWEEKS is set to 3 and HISTORY is set to 10, passwords are checked for reuse for ten months. See the passwd(1) man page.

Remediation description:
In the /etc/default/passwd file, set the HISTORY variable to 10.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the PCI-DSS benchmark is 10
    #HISTORY=0
    HISTORY=10
    ...
      

Passwords allow repeat charactersrule

MAXREPEATS in the /etc/default/passwd file allows users to repeat characters in passwords. The default is 0, which permits repeated characters. Any other value indicates how many characters can be repeated. See the passwd(1) man page.

Remediation description:
In the /etc/default/passwd file, set the MAXREPEATS variable to 0.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the PCI-DSS benchmark is 0 which is the default
    #MAXREPEATS=1   /** not default value **/
    MAXREPEATS=0
    ...
      

Passwords must have at least 2 alphabetic charactersrule

MINALPHA in the /etc/default/passwd file indicates the minimum number of alphabetic characters that passwords must contain. Alphabetic characters provide more values than numeric or special characters, so they allow for more variation. The default value is 2.

The policy states the password must have a minimum of 2 alphabetic characters. See the passwd(1) man page.

Remediation description:

Edit the /etc/default/passwd file, set the MINALPHA parameter to the policy minimum password alphabetic character count, which is 2.

      # pfedit /etc/default/passwd
      MINALPHA=2
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINALPHA=" $cfgfile`
    var_cnt=`grep -c "^ *MINALPHA=" $cfgfile`
    policy=2
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINALPHA=.*/MINALPHA='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINALPHA=.*/a\
MINALPHA='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINALPHA=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords must differ by at least 3 charactersrule

MINDIFF in the /etc/default/passwd file indicates the minimum number of characters that a password must differ from the previous value.

The policy states the password must be at least a minimum of 3 characters different.

Remediation description:

Edit the /etc/default/passwd file, set the MINDIFF parameter to the policy minimum password character difference, which is 3.

      # pfedit /etc/default/passwd
      MINDIFF=3
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINDIFF=" $cfgfile`
    var_cnt=`grep -c "^ *MINDIFF=" $cfgfile`
    policy=3
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINDIFF=.*/MINDIFF='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINDIFF=.*/a\
MINDIFF='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINDIFF=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords require at least 0 digitsrule

MINDIGIT in the /etc/default/passwd file indicates the minimum number of digits that a password must contain. Digits provide some protection against dictionary-based password attacks. The default is 0.

The policy states the password must have a minimum of 0 digits. See the passwd(1) man page.

Remediation description:

Edit the /etc/default/passwd file, set the MINDIGIT parameter to the policy minimum password digit count, which is 0.

      # pfedit /etc/default/passwd
      MINDIGIT=0
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINDIGIT=" $cfgfile`
    var_cnt=`grep -c "^ *MINDIGIT=" $cfgfile`
    policy=0
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINDIGIT=.*/MINDIGIT='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINDIGIT=.*/a\
MINDIGIT='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINDIGIT=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords must have at least 0 lower-case charactersrule

MINLOWER in the /etc/default/passwd file indicates the minimum number of lower-case characters that a password must have.

The policy states the password must have a minimum of 0 lower-case characters.

Remediation description:

Edit the /etc/default/passwd file, set the MINLOWER parameter to the policy minimum password lower-case character count, which is 0.

      # pfedit /etc/default/passwd
      MINLOWER=0
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINLOWER=" $cfgfile`
    var_cnt=`grep -c "^ *MINLOWER=" $cfgfile`
    policy=0
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINLOWER=.*/MINLOWER='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINLOWER=.*/a\
MINLOWER='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINLOWER=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords require at least 1 non-alphabetic charactersrule

MINNONALPHA in the /etc/default/passwd file indicates the minimum number of non-alphabetic characters that a password must contain. Non-alphabetic characters provide some protection against dictionary-based password attacks. The default is 0.

The policy states the password must have a minimum of 1 non-alphabetic characters. See the passwd(1) man page.

Remediation description:

Edit the /etc/default/passwd file, set the MINNONALPHA parameter to the policy minimum password non-alphabetic character count, which is 1.

      # pfedit /etc/default/passwd
      MINNONALPHA=1
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINNONALPHA=" $cfgfile`
    var_cnt=`grep -c "^ *MINNONALPHA=" $cfgfile`
    policy=1
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINNONALPHA=.*/MINNONALPHA='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINNONALPHA=.*/a\
MINNONALPHA='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINNONALPHA=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords must have at least 0 special charactersrule

MINSPECIAL in the /etc/default/passwd file indicates the minimum number of special characters that a password must have.

The policy states the password must have a minimum of 0 special characters.

Remediation description:

Edit the /etc/default/passwd file, set the MINSPECIAL parameter to the policy minimum password special character count, which is 0.

      # pfedit /etc/default/passwd
      MINSPECIAL=0
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINSPECIAL=" $cfgfile`
    var_cnt=`grep -c "^ *MINSPECIAL=" $cfgfile`
    policy=0
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINSPECIAL=.*/MINSPECIAL='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINSPECIAL=.*/a\
MINSPECIAL='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINSPECIAL=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords require at least 0 upper-case charactersrule

MINUPPER in the /etc/default/passwd file indicates the minimum number of upper-case letters that a password must contain. Upper-case letters provide some protection against dictionary-based password attacks. The default is 0.

The policy states the password must have a minimum of 0 upper-case characters. See the passwd(1) man page.

Remediation description:

Edit the /etc/default/passwd file, set the MINUPPER parameter to the policy minimum password upper-case character count, which is 0.

      # pfedit /etc/default/passwd
      MINUPPER=0
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *MINUPPER=" $cfgfile`
    var_cnt=`grep -c "^ *MINUPPER=" $cfgfile`
    policy=0
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *MINUPPER=.*/MINUPPER='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *MINUPPER=.*/a\
MINUPPER='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "MINUPPER=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
      

Passwords cannot be changed for at least three weeksrule

MINWEEKS in the /etc/default/passwd file indicates the minimum number of weeks before a password can be changed. This value prevents users from reusing a password quickly. The default is unspecified. See the passwd(1) man page.

Remediation description:
In the /etc/default/passwd file, set the MINWEEKS variable to 3.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the PCI-DSS benchmark is 3
    #MINWEEKS=
    MINWEEKS=3
    ...
      

Passwords must be changed at least every 13 weeksrule

MAXWEEKS in the /etc/default/passwd file indicates the maximum number of weeks that a password can be used. This value is a balance between users remembering a new password and malicious users attacking long-term passwords. The default is unspecified. See the passwd(1) man page.

Remediation description:
In the /etc/default/passwd file, set the MAXWEEKS variable to 13.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the PCI-DSS benchmark is 13
    #MAXWEEKS=
    MAXWEEKS=13
    ...
      

NAMECHECK for passwords is set to YESrule

NAMECHECK in the /etc/default/passwd file indicates whether login names are checked in the files naming service. The default, YES, prevents malicious users from using a login name that is not in a local file. See the passwd(1) man page.

Remediation description:
In the /etc/default/passwd file, set the NAMECHECK variable to YES.
Remediation script:

    # pfedit /etc/default/passwd
    ...
    # Compliance to the PCI-DSS benchmark is YES which is the default
    #NAMECHECK=NO  /** not default value **/
    NAMECHECK=YES
    ...
      

Passwords must be at least 8 characters longrule

PASSLENGTH in the /etc/default/passwd file indicates the minimum number of characters that a password must contain. A longer password length plus a strong password hashing algorithm provides some protection against password attacks.

The policy states the password must be at least a minimum of 8 characters long.

Remediation description:

Edit the /etc/default/passwd file, set the PASSLENGTH parameter to the policy minimum password length, which is 8.

      # pfedit /etc/default/passwd
      PASSLENGTH=8
        
Remediation script:

    cfgfile=/etc/default/passwd
    cfgfile_tmp=`mktemp`
    var_c_cnt=`grep -c "^# *PASSLENGTH=" $cfgfile`
    var_cnt=`grep -c "^ *PASSLENGTH=" $cfgfile`
    policy=8
    if [ $var_cnt -ge 1 ];then
            sed -e 's/^ *PASSLENGTH=.*/PASSLENGTH='$policy'/' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    elif [ $var_c_cnt -ge 1 ];then
            sed '/^# *PASSLENGTH=.*/a\
PASSLENGTH='$policy'' $cfgfile > $cfgfile_tmp
            cp $cfgfile_tmp $cfgfile
    else
            echo "PASSLENGTH=$policy" >> $cfgfile
    fi
    rm -f $cfgfile_tmp
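
The remediation scripts for MINLOWER, MINNONALPHA, MINSPECIAL, MINUPPER and PASSLENGTH above are the same three-way edit (active line present, only the commented template line present, parameter absent) repeated per parameter. The following is an added example, not code from the policy page: one function that performs that edit for any key of a defaults-style file, a reader that returns the effective value, and an audit that compares /etc/default/passwd against every value this page states for it (MINLOWER=0, MINNONALPHA=1, MINSPECIAL=0, MINUPPER=0, MINWEEKS=3, MAXWEEKS=13, NAMECHECK=YES, PASSLENGTH=8). The function names are this example's own. It goes slightly beyond the page's sed one-liner in that duplicate active assignments are collapsed to a single line instead of all being rewritten.

```sh
#!/bin/sh
# Added example, not code from the Oracle Solaris policy page. Function names are
# this example's own; parameter names and policy values are the page's.

# set_default_param <file> <KEY> <value>
# Rewrites the first active "KEY=" line and drops further active duplicates;
# otherwise inserts the setting right after the "#KEY=" template line;
# otherwise appends it. Writes back through the existing file so mode and
# owner survive, as the page's cp step does.
set_default_param() {
    cfgfile=$1 key=$2 value=$3
    cfgfile_tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^ *" k "=")  { if (!seen++) print k "=" v; next }
        $0 ~ ("^# *" k "=") { print; if (!seen) { print k "=" v; seen = 1 }; next }
                            { print }
        END                 { if (!seen) print k "=" v }
    ' "$cfgfile" > "$cfgfile_tmp" && cat "$cfgfile_tmp" > "$cfgfile"
    status=$?
    rm -f "$cfgfile_tmp"
    return $status
}

# effective_value <file> <KEY>: the value of the single active assignment, an
# empty string when the parameter is unset, or AMBIGUOUS when more than one
# active line exists (a drift signal worth reporting rather than guessing).
effective_value() {
    awk -v k="$2" '
        $0 ~ ("^ *" k "=") { n++; val = $0; sub("^ *" k "=", "", val); sub("[ \t#].*$", "", val) }
        END { if (n == 0) print ""; else if (n == 1) print val; else print "AMBIGUOUS" }
    ' "$1"
}

# check_policy <file> <KEY> <expected>: prints one status line, returns 0 if compliant
check_policy() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK    $1 $2=$actual"
        return 0
    fi
    echo "DRIFT $1 $2 is '$actual', policy wants '$3'"
    return 1
}

# audit_passwd_defaults [file]: checks every /etc/default/passwd value this page
# states; prints one line per parameter and returns the number of drifting ones.
audit_passwd_defaults() {
    file=${1:-/etc/default/passwd} bad=0
    for spec in "MINLOWER 0" "MINNONALPHA 1" "MINSPECIAL 0" "MINUPPER 0" \
                "MINWEEKS 3" "MAXWEEKS 13" "NAMECHECK YES" "PASSLENGTH 8"; do
        set -- $spec
        check_policy "$file" "$1" "$2" || bad=$((bad + 1))
    done
    return $bad
}
```

audit_passwd_defaults only reads, so it can run from any account that can read the file; set_default_param writes the file and needs the same privilege the page's pfedit step implies. Re-running the audit after remediation confirms the result, and applying set_default_param twice leaves exactly one active line.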
      

Passwords allow whitespacerule

WHITESPACE in the /etc/default/login file indicates whether passwords can include the space character. The space character provides some protection against dictionary-based password attacks. The default is YES. See the passwd(1) man page.

Remediation description:
In the /etc/default/login file, set the WHITESPACE variable to YES.
Remediation script:

    # pfedit /etc/default/login
    ...
    # Compliance to the PCI-DSS benchmark is YES which is the default
    #WHITESPACE=NO   /** not default value **/
    WHITESPACE=YES
    ...
      

root is a rolerule

By default, root is a role. Roles cannot log in directly. Rather, a user logs in and then assumes the root role, thus providing an audit trail of who is operating as root. See the roles(1), user_attr(4), and usermod(1M) man pages.

Remediation description:
If root is of type user in the /etc/user_attr file, change the account back to a role account.
Remediation script:

    # usermod -K type=role root
    # userattr type root
    role

    Then, assign the role to a trusted user.
    # usermod -R root <trusted-user>
      

Role details are unchangedrule

Oracle Solaris ships with Role Based Access Control (RBAC). This feature enables administrators to delegate specific, limited, additional privileges and authorizations to individual users to administer parts of the system without giving them access to the root account. The provided rights databases should not be changed directly. To add rights to roles, use the roleadd and rolemod commands. These commands add entries to the /etc/user_attr file. See the profiles(1), auths(1), roles(1), rbac(5), roleadd(1M), rolemod(1M), and user_attr(4) man pages.

Remediation description:
The files in /etc/user_attr.d/ should not be changed; changes and additions should be made using the roleadd(1M), rolemod(1M), profiles(1), auths(1), and usermod(1M) commands.
Remediation script:

    # pkg revert /etc/user_attr.d/<changed file>

    Then

    # roleadd <role>
    # rolemod <role>
      

Logins require passwordsrule

PASSREQ in the /etc/default/login file indicates whether logins require passwords. Passwords are required for defense against computer attacks. The default is YES. See the login(1) man page.

Remediation description:
In the /etc/default/login file, set the PASSREQ variable to YES.
Remediation script:

    # pfedit /etc/default/login
    ...
    # Compliance to the PCI-DSS benchmark is YES which is the default
    #PASSREQ=NO   /** not default value **/
    PASSREQ=YES
    ...
      

shadow(4) password fields are not emptyrule

The second field in the /etc/shadow file contains passwords. When creating roles, you can easily forget to assign a password. See the shadow(4) and passwd(1) man pages.

Remediation description:
Assign a password, or remove the account. When creating roles, you can easily forget to assign a password.
Remediation script:

    # userdel <account-with-no-password>

    or

    # passwd <account-with-no-password>
    New Password: xxxxxxxx
    Re-enter new Password: xxxxxxxx
      

Local users are assigned home directoriesrule

Users need a place to store and create files. A home directory enables a user to place configuration files, such as the .profile file, and ongoing work in a directory that is owned by the user.

Remediation description:
Local users should have a local home directory created automatically when useradd(1M) is run with the correct options. Run 'useradd -D' to see the default "basedir" home directory location. See the useradd(1M) man page.
Remediation script:

    # useradd -m <login>
      

root is the only user with UID=0rule

The UID of 0 has superuser privileges. Only root should have those privileges.

Remediation description:
Either remove additional UID=0 accounts or assign different UIDs to them.
Remediation script:

    # userdel <duplicate UID username>

    or

    # usermod -u <new UID> <login>
      

All groups specified in /etc/passwd are defined in /etc/grouprule

Users are assigned to at least one group and can be assigned to secondary groups. All groups must be defined in the /etc/group file.

Remediation description:
All groups which are assigned to users must be defined in /etc/group. See the man pages for group(4), groupadd(1M), groupmod(1M), and groupdel(1M).
Remediation script:

    # groupadd <missing-group>
      

Home directories for all users existrule

Users need a place to store and create files. A home directory enables a user to place configuration files, such as the .profile file, and ongoing work in a directory that is owned by the user.

Remediation description:
Local users should have a local home directory created automatically when useradd(1M) is run with the correct options. Run 'useradd -D' to see the default "basedir" home directory location. See the useradd(1M) man page.
Remediation script:

    # useradd -m <login>
      

Reserved system accounts remain unusedrule

Accounts whose ID is 100 or less are system accounts. These accounts should not be replaced or reconfigured.

Remediation description:
Users should not be assigned UIDs less than 100, and existing system accounts should not be renamed or renumbered. Undo any changes that have been made involving these accounts. See the usermod(1M) man page.
Remediation script:

    # usermod <options> <username>
      

User home directories have appropriate permissionsrule

Home directories must be writable and searchable by their owners. Typically, other users do not have rights to modify those files or add files to the user's home directory.

Remediation description:
User home directories should have permissions of 750 to prevent other users from having inappropriate access to their files.
Remediation script:

    # chmod 750 <user-home-dir>
      

User home directory ownership is correctrule

The user must own the user's home directory.

Remediation description:
Home directory ownership can be changed or set using the chown(1) command. See the chown(1) man page.
Remediation script:

    # chown <username> </path/to/home-dir/username>
      

Find and list duplicate GIDsrule

Groups, like users, are unique. Duplicate group IDs must be removed.

Remediation description:
When duplicate GIDs are identified, use groupmod or groupdel to eliminate the duplicates. See the man pages for group(4), groupadd(1M), groupmod(1M), and groupdel(1M).
Remediation script:

    # groupmod -<options> <group>
      

Find and list duplicate group namesrule

Groups, like users, are unique. Duplicate group names must be removed.

Remediation description:
When duplicate group names are identified, use groupmod or groupdel to eliminate the duplicates. See the man pages for group(4), groupadd(1M), groupmod(1M), and groupdel(1M).
Remediation script:

    # groupmod -<options> <group>
      

Find and list duplicate UIDsrule

Users are identified by IDs, which must be unique. Duplicate user IDs must be removed.

Remediation description:
When duplicate UIDs are identified, use usermod or userdel to eliminate the duplicates. See the man pages for passwd(4), useradd(1M), usermod(1M), and userdel(1M).
Remediation script:

    # usermod -<options> <username>
      

Find and list duplicate usernamesrule

Users log in by name, which must be unique. Duplicate user names must be removed.

Remediation description:
When duplicate user names are identified, use usermod or userdel to eliminate the duplicates. See the man pages for passwd(4), useradd(1M), usermod(1M), and userdel(1M).
Remediation script:

    # usermod -<options> <username>
      

Default system accounts are lockedrule

Oracle Solaris is installed with correctly configured system accounts. These accounts should not be modified.

Remediation description:
Certain system accounts, such as aiuser, dladm, etc. are shipped as "locked" and should remain that way. Use 'passwd -l' to lock accounts that need to be locked.
Remediation script:

    # passwd -l <username>
      

Default system accounts are no-loginrule

Oracle Solaris is installed with correctly configured system accounts. These accounts should not be modified.

Remediation description:
Certain system accounts, such as adm, bin, and daemon, are shipped as "no-login" accounts and should remain that way. Use 'passwd -N' to change accounts to "no-login".
Remediation script:

    # passwd -N <username>
      

Root passwords are hashed with a secure algorithmrule

The second field in the /etc/shadow file indicates the algorithm that was used to create the password hash. If the entry begins with "$5$", the password is hashed with the SHA-256 algorithm. If the entry begins with "$6$", the password is hashed with the SHA-512 algorithm. See the crypt.conf(4) and policy.conf(4) man pages.

Remediation description:
Save the /etc/security/policy.conf file under a new name. Edit the original policy.conf file to accept 5 and 6 as values for the allowed algorithms, and either 5 or 6 as the value for the default algorithm. Set the password for root, and verify that the second field of root's entry in the /etc/shadow file begins with either $5$ or $6$. Once verified, it is safe to remove the saved copy of the policy.conf file.
Remediation script:

    # cd /etc/security
    # cp policy.conf policy.conf.save
    # pfedit policy.conf
    CRYPT_ALGORITHMS_ALLOW=5,6
    CRYPT_DEFAULT=5

    # passwd root
    New Password: xxxxxxxx
    Re-enter new Password: xxxxxxxx

    # grep root /etc/shadow
    root:$5$xxxxx::::::14 xxxxx

    # cp policy.conf.save policy.conf
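
The account rules above (empty shadow(4) password fields, root as the only UID 0, groups referenced in passwd(4) but missing from group(4), duplicate UIDs, GIDs, user names and group names, and the hash prefix of root's password) are each stated as a one-command remediation. The following is an added example, not code from the policy page: read-only checks that find the conditions those rules describe. The files are passed as arguments so the checks can run against copies or constructed samples; the function names are this example's own. The locked (*LK*) and no-login (NP) markers are the ones 'passwd -l' and 'passwd -N' write on Oracle Solaris.

```sh
#!/bin/sh
# Added example, not code from the Oracle Solaris policy page. Function names are
# this example's own.

# uid0_accounts_other_than_root <passwd>
uid0_accounts_other_than_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# duplicate_values <file> <field-number>: values of a colon-separated field seen
# more than once; field 1 is the name and field 3 the ID in both passwd and group.
duplicate_values() {
    cut -d: -f"$2" "$1" | sort | uniq -d
}

# undefined_primary_groups <passwd> <group>: "user:gid" for primary GIDs absent from group(4)
undefined_primary_groups() {
    awk -F: 'NR == FNR { gid[$3] = 1; next } !($4 in gid) { print $1 ":" $4 }' "$2" "$1"
}

# empty_password_fields <shadow>: accounts with an empty second field. Locked (*LK*)
# and no-login (NP) entries are not empty and are therefore not reported here.
empty_password_fields() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# hash_algorithm <shadow> <user>: sha256, sha512, locked, nologin or other, from the
# $5$ / $6$ prefixes described above and the *LK* / NP account markers.
hash_algorithm() {
    awk -F: -v u="$2" '$1 == u {
        if      ($2 ~ /^\$5\$/)  print "sha256"
        else if ($2 ~ /^\$6\$/)  print "sha512"
        else if ($2 ~ /^\*LK\*/) print "locked"
        else if ($2 == "NP")     print "nologin"
        else                     print "other"
    }' "$1"
}

# account_audit <passwd> <shadow> <group>: prints one tagged line per finding;
# returns 0 when nothing was found and 1 otherwise.
account_audit() {
    findings=$(
        uid0_accounts_other_than_root "$1" | sed 's/^/uid0-not-root: /'
        duplicate_values "$1" 1            | sed 's/^/duplicate-username: /'
        duplicate_values "$1" 3            | sed 's/^/duplicate-uid: /'
        duplicate_values "$3" 1            | sed 's/^/duplicate-groupname: /'
        duplicate_values "$3" 3            | sed 's/^/duplicate-gid: /'
        undefined_primary_groups "$1" "$3" | sed 's/^/undefined-group: /'
        empty_password_fields "$2"         | sed 's/^/empty-password: /'
        alg=$(hash_algorithm "$2" root)
        case "$alg" in sha256|sha512) ;; *) echo "root-hash: ${alg:-missing}" ;; esac
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Running 'account_audit /etc/passwd /etc/shadow /etc/group' needs read access to /etc/shadow; a second UID 0 account is reported both under uid0-not-root and, because two entries share the ID, under duplicate-uid, which is what the two corresponding rules above would each flag.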
      

The root PATH variable is correctrule

The root PATH variable should not include the current directory (.), or any paths not related to administration.

Remediation description:
Check root's path as root with 'echo $PATH'. root's PATH should not include the current directory (".") or an empty component ("::"), which also means the current directory. By default, root's PATH is set from the SUPATH variable in the /etc/default/login file, SUPATH=/usr/bin:/usr/sbin.
Additionally, no directory in root's PATH may be group- or other-writable.
Remediation script:

    # PATH=/usr/bin:/usr/sbin
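
The rule above names three conditions for root's PATH: no "." or empty component, and no directory that is group- or other-writable. The following is an added example, not code from the policy page: a check that walks a PATH string component by component and reports each offending entry. It uses the ls -ld mode string rather than stat so the test reads the same on Solaris and Linux. The function names are this example's own; relative entries and directories that do not exist are reported as well, which goes slightly beyond the rule's wording.

```sh
#!/bin/sh
# Added example, not code from the Oracle Solaris policy page. Function names are
# this example's own.

# dir_is_group_or_other_writable <dir>: 0 when the ls mode string has a w in the
# group or other triplet (positions 6 and 9 of e.g. drwxrwxr-x). setgid and
# sticky bits change positions 7 and 10 only, so they do not affect the test.
dir_is_group_or_other_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *)                     return 1 ;;
    esac
}

# check_path <PATH-string>: prints one line per offending component and returns
# the number of offending components, so 0 means the PATH is clean.
check_path() {
    rest="$1:"        # trailing ':' lets the loop consume the last component too
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            ""|.) echo "current-directory: '$dir'"; bad=$((bad + 1)); continue ;;
            /*)   ;;
            *)    echo "relative: $dir"; bad=$((bad + 1)); continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "not-a-directory: $dir"; bad=$((bad + 1))
        elif dir_is_group_or_other_writable "$dir"; then
            echo "writable-by-group-or-other: $dir"; bad=$((bad + 1))
        fi
    done
    return $bad
}
```

Run it as root with 'check_path "$PATH"' for the live value, or against the SUPATH setting from /etc/default/login to review what root's PATH will be after the next login; a trailing or leading colon is an empty component and is reported like ".".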
      

Service svc:/network/ipfilter is enabledrule

IP Filter is a host-based firewall that provides stateful packet filtering and network address translation (NAT). Packet filtering provides basic protection against network-based attacks. IP Filter also includes stateless packet filtering and can create and manage address pools. See the ipf(1M) and ipfilter(5) man pages.

Remediation description:

Enable the IP Filter service with SMF. Also, ensure that you have a reasonable rule set for the server in question.

This check looks for at least one rule that starts with the "block" keyword, which should appear in most realistic rule sets.

See the ipf(1M) ipf(4) and ipfilter(5) man pages for examples.

  1. Configure ipfilter by adding rules to the /etc/ipf/ipf.conf file
                # pfedit /etc/ipf/ipf.conf
                ...
                block in log proto tcp from any to any
                pass in quick proto tcp from any to any port = 80
                pass out quick proto tcp from any to any flags S/SA keep state
                ...
                
  2. Turn on the ipfilter service
                # svcadm enable  svc:/network/ipfilter:default
                
  3. If you edit rules after the service is running be sure to refresh the service

                # svcadm refresh svc:/network/ipfilter:default
                
Remediation script:

    svcadm enable svc:/network/ipfilter:default
      

Service svc:/network/firewall is enabledrule

Packet Filter is a host-based firewall that provides stateful packet filtering and network address translation (NAT). Packet filtering provides basic protection against network-based attacks. Packet Filter also includes stateless packet filtering and can create and manage address pools. See the pfctl(1M) and pf.conf(5) man pages.

Remediation description:

Enable the PF firewall service with SMF. Also, ensure that you have a reasonable rule set for the server in question.

This check looks for at least one rule that starts with the "block" keyword, which should appear in most production rule sets.

See the pfctl(1M) and pf.conf(5) man pages for examples.

  1. Configure Packet Filter by adding rules to the /etc/firewall/pf.conf file using the pfconf(1M) command.
                # pfconf
                ...
                block in log proto tcp from any to any
                pass in quick proto tcp from any to any port = 80
                pass out quick proto tcp from any to any flags S/SA keep state
                ...
                
  2. Enable the packet filter service.
                # svcadm enable  svc:/network/firewall:default
                
Remediation script:

    svcadm enable svc:/network/firewall:default
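
Both firewall rules above describe the same check: at least one rule in the rules file must start with the "block" keyword. The following is an added example, not code from the policy page: the check applied to an IP Filter (/etc/ipf/ipf.conf) or PF (/etc/firewall/pf.conf) rules file the way a reviewer reads it, with comments and blank lines removed first so that "block" appearing only inside a comment does not satisfy it, plus a count of block and pass rules for a quick read of the rule set's shape. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Oracle Solaris policy page. Function names are
# this example's own.

# active_rules <rules-file>: rule text with comments, blank lines and leading or
# trailing whitespace removed (a '#' inside a quoted string would also be cut,
# which is acceptable for this check).
active_rules() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# has_block_rule <rules-file>: 0 when at least one active rule starts with "block"
has_block_rule() {
    active_rules "$1" | grep -Eq '^block([[:space:]]|$)'
}

# rule_counts <rules-file>: "block=N pass=N other=N". A file with pass rules but
# block=0 is exactly what the check above rejects; "other" covers macros, tables
# and options that are not filter rules.
rule_counts() {
    active_rules "$1" | awk '
        $1 == "block" { b++; next }
        $1 == "pass"  { p++; next }
                      { o++ }
        END { printf "block=%d pass=%d other=%d\n", b, p, o }'
}
```

Run 'has_block_rule /etc/ipf/ipf.conf' or 'has_block_rule /etc/firewall/pf.conf' before enabling the service; a block rule being present says nothing about its position or scope, so the rule_counts summary is a prompt to read the file, not a substitute for it.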
      

mesg(1) prevents talk(1) and write(1) access to remote terminalsrule

This program controls whether users can send messages by using write(1), talk(1) or other utilities to a terminal device. See the mesg(1) man page.

Remediation description:

Configure your system to deny remote users permission to send messages to the terminal.

To manually remediate a failure on this check, run the following commands.

  1. Add "mesg -n" to /etc/.login
              # pfedit /etc/.login
                
    add "mesg -n" to the file's contents
  2. Add "mesg -n" to /etc/profile
              # pfedit /etc/profile
                
    add "mesg -n" to the file's contents
Remediation script:

    if ! /bin/grep -q "^mesg -*n" /etc/.login
    then
        /bin/cp /etc/.login /etc/.login.`date '+%FT%T'`
        /bin/echo "mesg -n" >> /etc/.login
    fi
    if ! /bin/grep -q "^mesg -*n" /etc/profile
    then
        /bin/cp /etc/profile /etc/profile.`date '+%FT%T'`
        /bin/echo "mesg -n" >> /etc/profile
    fi
      

Inactive user accounts will be locked after 35 daysrule

Inactive user accounts can provide a back door into the system. User accounts should be locked after a period of inactivity.

Remediation description:
Inactive user accounts can be locked in a number of ways. MAXWEEKS can be set in the /etc/default/passwd file; alternatively, defaults can be set using useradd. See the useradd(1M), passwd(1), and passwd(4) man pages.
Remediation script:

    To manually lock an account
    # passwd -l <username>

    To set the default inactive time, change the value of MAXWEEKS in the /etc/default/passwd file.
    # pfedit /etc/default/passwd
    ...
    MAXWEEKS=5

    or
    set the default with useradd
    # useradd -D -f 35
      

Check various system configuration itemsgroup

contains 13 rules

The default user UMASK is 022rule

UMASK in the /etc/default/login file indicates the permissions on user files at creation. This value should not allow group or world write. The default value is 022, which allows group and world to read files owned by a user. See the login(1) man page.

Remediation description:
In the /etc/default/login file, set the UMASK variable to 022.
Remediation script:

    # pfedit /etc/default/login
    ...
    # Compliance to the PCI-DSS benchmark is 022 which is the default
    #UMASK=077   /** not default value **/
    UMASK=022
    ...
      

Find and list remote consolesrule

Remote consoles can be a source of unauthorized access. A system console should be kept physically secure and no unauthorized consoles should be defined. The "consadm -p" command displays alternate consoles across reboots. If none are defined, the command displays no output. See the consadm(1M) man page.

Remediation description:
View the state of all console logins. Disable terminal logins that are unnecessary. See the svcs(1) and svcadm(1M) man pages.
Remediation script:

    # svcs console-login
    STATE    STIME    FMRI
    disabled       12:52:29 svc:/system/console-login:terma
    online   12:53:50 svc:/system/console-login:termb
    online   12:53:10 svc:/system/console-login:default
    online   12:53:11 svc:/system/console-login:vt2
    # svcadm disable svc:/system/console-login:termb
      

root access is console-onlyrule

The root account should not be able to log in remotely, and its actions should be monitored. See the login(1) man page.

Remediation description:
Ensure that the default value of CONSOLE=/dev/console has not been changed in the /etc/default/login file.
Remediation script:

    # If CONSOLE is set, root can only log in on that device.
    # grep CONSOLE /etc/default/login
    CONSOLE=/dev/console
      

DISABLETIME is set for loginsrule

DISABLETIME in the /etc/default/login file is set to 20 by default. Any value greater than zero indicates the seconds before a login prompt appears after RETRIES failed login attempts. This delay can mitigate rapid-fire, brute force attacks on passwords. See the login(1) man page.

Remediation description:
In the /etc/default/login file, set the DISABLETIME variable to 20.
Remediation script:

    # pfedit /etc/default/login
    ...
    # Compliance to the PCI-DSS benchmark is 20 which is the default
    #DISABLETIME=6   /** not default value **/
    DISABLETIME=20
    ...
      

SLEEPTIME following an invalid login attempt is set to 4rule

SLEEPTIME in the /etc/default/login file is set to 4 by default. This number indicates the number of seconds that elapse before the "login incorrect" message appears after an incorrect password is typed. The maximum number is 5. This delay can mitigate rapid-fire, brute force attacks on passwords. See the login(1) man page.

Remediation description:
In the /etc/default/login file, set the SLEEPTIME variable to 4.
Remediation script:

    # pfedit /etc/default/login
    ...
    # Compliance to the PCI-DSS benchmark is 4 which is the default
    #SLEEPTIME=1 /**not default value**/
    SLEEPTIME=4
    ...
      

Name services are set to all local (files) onlyrule

The operating system uses a number of databases of information about hosts, users (passwd(4), shadow(4), and user_attr(4)), and groups. Data for these can come from a variety of sources: hostnames and host addresses, for example, can be found in /etc/hosts, NIS, LDAP, DNS, or Multicast DNS. Systems in restricted environments may be more secure if these entries are restricted to only local files, but such restriction will vary per your circumstances. See the nsswitch.conf(4) man page for more information.

Remediation description:

If the system does not need to use remote name services, make sure that the name service is set to local files only. The check will not pass unless all name services are set to "files" in /etc/nsswitch.conf. If your configuration demands that you have non-local name services, then you may want to turn this check off for this profile. You can also see the nsswitch.conf(4) man page for detailed information on how to configure your name services.

Below are some examples of the commands to run in order to configure a name service to local files only:

      # svccfg -s name-service/switch setprop config/default = string: "files"
      # svccfg -s name-service/switch setprop config/host = string: "files"
      # svccfg -s name-service/switch setprop config/passwd = string: "files"
      # svccfg -s name-service/switch setprop config/group = string: "files"
      # svccfg -s name-service/switch:default refresh
        
Remediation script:

Address Space Layout Randomization (ASLR) is enabledrule

Oracle Solaris tags many of its userland binaries to enable Address Space Layout Randomization (ASLR). ASLR randomizes the starting address of key parts of an address space. This security defense mechanism can cause Return Oriented Programming (ROP) attacks to fail when they try to exploit software vulnerabilities. See the sxadm(1M) man page.
Zones inherit this randomized layout for their processes. Because the use of ASLR might not be optimal for all binaries, the use of ASLR is configurable at the zone level and at the binary level.

Remediation description:
Restore ASLR to the default configuration.

To manually remediate this failure, perform the following actions:

  1. Use sxadm to enable aslr by restoring default settings.
    	  # sxadm delcust aslr
    	  # sxadm enable aslr
                
  2. Check that aslr is enabled.
    	  # sxadm get all aslr
    	EXTENSION           PROPERTY                      VALUE
    	aslr                model                         tagged-files
                
Remediation script:

    svcadm enable -s svc:/system/security/security-extensions:default
    sxadm delcust aslr
    sxadm enable aslr
      

Booting the system should require a passwordrule

The GRUB menu, the BIOS, and the eeprom should be password-protected to prevent configuration by unauthorized users. The BIOS protections prevent booting from an external device, such as a USB flash drive.

Remediation description:
On an x86, create passwords for the BIOS and the GRUB menu. On SPARC, protect the eeprom with a password.
Remediation script:

    1. x86 BIOS Fix:
      Consult the hardware vendor's documentation to determine how to start
      the system and access the BIOS controls.
      Access the system's BIOS or system controller. Set an administrator
      password if one has not been set. Disable a user-level password
      if one has been set.
    2. x86 GRUB Fix:
      2a. Get the GRUB hash of your password
        # /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
        Enter password: xxxxxxxx
        Reenter password: xxxxxxxx
        PBKDF2 hash of your password is <grub.xxxxxxxx.sha512.hash>
      2b. Create the GRUB password file:
        /usr/lib/grub2/bios/etc/grub.d/01_password

        The contents of that file is:
          #!/bin/sh
          /usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF
          #
          # GRUB password
          #
          set superusers="root"
          password_pbkdf2 root <grub.xxxxxxxx.sha512.hash>
          EOF
          /usr/bin/chmod 600 /rpool/boot/grub/password.cfg
          /usr/bin/echo 'source /@/boot/grub/password.cfg'
        When GRUB2 runs its "rc" files, it executes grub.d/01_password
        which creates /rpool/boot/grub/password.cfg with mode 600
      2c. Protect the file:
        # /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password
      2d. Move the contents to the password.cfg file:
        # /usr/bin/cat > /usr/lib/grub2/bios/etc/grub.d/01_password <<BAT
        #!/bin/sh
        /usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF
        #
        # GRUB password
        #
        set superusers="root"
        password_pbkdf2 root <grub.pbkdf2.sha512 hash>
        EOF
        /usr/bin/chmod 600 /rpool/boot/grub/password.cfg
        /usr/bin/echo 'source /@/boot/grub/password.cfg'
        BAT
      2e. Set a timeout for the menu:
        # /usr/sbin/bootadm set-menu timeout=30
        If the site has changed the timeout, use the value
        returned by /usr/sbin/bootadm list-menu.
      2f. Verify the result:
        # /usr/bin/grep "password.cfg" /rpool/boot/grub/grub.cfg
        source /@/boot/grub/password.cfg
    3. SPARC eeprom fix: The security mode should be command or full:
      # eeprom security-mode=command

      Changing PROM password:
      New password: xxxxxxxx
      Retype new password: xxxxxxxx
      

Stacks are non-executablerule

Programs read and write data on the stack. Typically, they execute from read-only portions of memory that are specifically designated for code. Some attacks that cause buffers on the stack to overflow try to insert new code on the stack and cause the program to execute it. This security extension removes execute permission from the stack memory, preventing these attacks from succeeding. See the sxadm(1M) man page.
Properly written programs function correctly without using executable stacks.

Remediation description:

To manually remediate this failure, perform the following actions:

  1. Use sxadm to enable nxstack and logging by restoring default settings.
    	  # sxadm delcust nxstack
    	  # sxadm enable nxstack
                
  2. Check that nxstack is enabled and logging.
    	  # sxadm get all nxstack
    	EXTENSION           PROPERTY                      VALUE
    	nxstack             model                         all
    	--                  log                           enable
                
Remediation script:

    svcadm enable -s svc:/system/security/security-extensions:default
    sxadm delcust nxstack
    sxadm enable nxstack
      

Heaps are non-executablerule

Programs read and write data on the heap. Typically, they execute from read-only portions of memory that are specifically designated for code. Some attacks that cause buffers on the heap to overflow try to insert new code on the heap and cause the program to execute it. Removing execute permission from the heap memory prevents these attacks from succeeding. Properly written programs may function correctly without using executable heaps, but some older programs may rely on heap execution. Setting model=tagged-files (or default) ensures that unexpected heap execution attempts are prevented and enabling the nxheap log ensures that such attempts are recorded.

Remediation description:

To manually remediate this failure, perform the following actions:

  1. Use sxadm to enable nxheap and logging.
    	  # sxadm delcust nxheap
    	  # sxadm enable nxheap
                
  2. Check that nxheap is enabled and logging.
    	  # sxadm get all nxheap
    	EXTENSION           PROPERTY                      VALUE
    	nxheap              model                         tagged-files
    	--                  log                           enable
                
Remediation script:

    svcadm enable -s svc:/system/security/security-extensions:default
    sxadm delcust nxheap
    sxadm enable nxheap
      

Remote serial logins are disabledrule

Serial logins can be a source of unauthorized access. Login services should not be enabled for serial ports that are not required to support the purpose of the system.

Remediation description:
View the state of all console logins. Disable terminal logins that are unnecessary. See the svcs(1) and svcadm(1M) man pages.
Remediation script:

    # svcs console-login
    STATE    STIME    FMRI
    disabled       12:52:29 svc:/system/console-login:terma
    online   12:53:50 svc:/system/console-login:termb
    online   12:53:10 svc:/system/console-login:default
    online   12:53:11 svc:/system/console-login:vt2
    # svcadm disable svc:/system/console-login:termb
      

Service svc:/network/ldap/client:default is in disabled staterule

The ldap client service is required to connect to an LDAP server. See the ldapclient(1M) man page.

This policy requires that the service be disabled.

Remediation description:

To manually remediate this failure, set the service state to disabled using the appropriate command.

  1. To set the service to disabled run:
              # svcadm disable svc:/network/ldap/client:default
                
  2. To set the service to enabled run:
              # svcadm enable svc:/network/ldap/client:default
                
Remediation script:

    ldap_client_fmri=svc:/network/ldap/client:default
    policy_ldap_client=disabled
    # "=" is the portable string comparison for test(1); "==" is not accepted by every sh
    if [ "$policy_ldap_client" = enabled ]; then
            svcadm enable -s $ldap_client_fmri
    else
            svcadm disable -s $ldap_client_fmri
    fi
      

ldap client transport uses tls:any protocolrule

The ldap client transport should use the tls:any protocol, so that traffic between the client and the LDAP server is protected by TLS. Inspect the current client configuration, including the configured authentication method, with 'ldapclient list'. See the ldapclient(1M) man page.

Verify audit configurationgroup

Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a host.
Auditing helps to detect potential security breaches by revealing suspicious or abnormal patterns of system usage. Auditing also provides a means to trace suspect actions back to a particular user, thus serving as a deterrent. Users who know that their activities are being audited are less likely to attempt malicious activities.
For more information, see the Auditing Guide (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=OSMAA).
In this section, you ensure that the system is collecting the information that is required by your site security policy.

contains 4 rules

Check all default audit propertiesrule

Check all default audit properties

The auditd(1M) daemon is enabledrule

Auditing is a service, svc:/system/auditd, that is enabled by default and should not be disabled. See the audit(1M) man page.

Remediation description:
An administrator with the Audit Control rights profile can enable auditing. Configure auditing per the Audit Parameters and Role Audit tests, then enable or refresh auditing.
Remediation script:

    # audit -s
      

Audit parameters are set to recommended valuesrule

At minimum, events in the lo (login and logout) class are audited and audit policy is set to argv,cnt: argv records the arguments of executed commands, and cnt lets processes continue, counting the dropped records, when the audit trail cannot be written instead of halting the system. Add audit classes and policy per your site's security requirements. See the auditconfig(1M) man page.

Remediation description:

An administrator with the Audit Configuration rights profile can get and set audit parameters. This check validates that auditing is enabled for a recommended set of audit flags and root audit flags.

To manually remediate a failure on this check, you run the following commands:

  1. Set the audit policy to "argv,cnt"
              # auditconfig -setpolicy argv,cnt
                
  2. Set the user audit flags to "lo"
              # auditconfig -setflags lo
                
  3. Set the non-attributable audit flags to "lo"
              # auditconfig -setnaflags lo
                
  4. Set the audit plugin named "audit_binfile" to be active
              # auditconfig -setplugin audit_binfile active
                
  5. Set root user's audit flags to "cusa:no" (always audit the cusa class; the never-audit list after the colon is the empty class "no")
    If root is configured to be a role
              # rolemod -K audit_flags=cusa:no root
                
    Otherwise:
              # usermod -K audit_flags=cusa:no root
                
  6. Refresh the audit service based on current properties
              # audit -s
                
Remediation script:

    /usr/sbin/auditconfig -setpolicy argv,cnt
    /usr/sbin/auditconfig -setflags lo
    /usr/sbin/auditconfig -setnaflags lo
    /usr/sbin/auditconfig -setplugin audit_binfile active
    if [ "`/usr/bin/userattr type root`" = "role" ]; then
        /usr/sbin/rolemod -K audit_flags=cusa:no root
    else
        /usr/sbin/usermod -K audit_flags=cusa:no root
    fi
    /usr/sbin/audit -s
      

All roles are audited with the "cusa" audit classrule

The cusa audit class contains events that cover administrative actions that could affect the system's security posture. See the audit_class(4), audit_event(4), rolemod(1M), and userattr(1) man pages.

Remediation description:
Check that all roles are being audited with the cusa audit class. By default, only the root role can set audit flags for individual accounts.
Remediation script:

    # logins -r
    ...list of roles...
    For each role, check the assigned audit flags:
    # userattr audit_flags <rolename>

    If there is no output, or the always-audit part (before the colon) does not include cusa, set the cusa audit flag and verify:
    # rolemod -K audit_flags=cusa:no <rolename>
    # userattr audit_flags <rolename>
    cusa:no
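The two preceding rules (recommended audit parameters, and cusa auditing of root and all roles) are checked by reading command output by hand. The following script, added here as an example and not part of the Oracle policy, does the same checks in code. It parses the output of auditconfig -getpolicy, -getflags, -getnaflags and -getplugin, and the "always:never" audit_flags value that userattr prints, and reports each setting that is out of policy. The output formats are assumptions about Solaris 11 and are stated in the comments; the sample outputs and the sample_userattr stand-in are constructed so the checks can be exercised offline before being pointed at a live system.

```shell
# Added example (not from the Oracle policy): check the audit parameters and the
# cusa flags on root and roles by parsing command output.
# Assumed output formats (Solaris 11):
#   auditconfig -getpolicy   -> "configured audit policies = argv,cnt"
#   auditconfig -getflags    -> "configured user default audit flags = lo(0x1000,0x1000)"
#   auditconfig -getnaflags  -> "configured non-attributable audit flags = lo(0x1000,0x1000)"
#   auditconfig -getplugin   -> "Plugin: audit_binfile" or "Plugin: audit_binfile (inactive)"
#   userattr audit_flags X   -> "always:never" (e.g. "cusa:no"), nothing if unset
#   logins -r                -> one role per line, role name in the first column

# has_class LIST CLASS: is CLASS one of the comma-separated audit classes in LIST?
has_class() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# field OUTPUT PREFIX: value after "PREFIX =", minus any "(0x...)" mask suffix.
field() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | sed 's/(.*//'
}

# audit_violations POLICY FLAGS NAFLAGS PLUGIN
# Prints one line per auditconfig setting that is out of policy; nothing if compliant.
audit_violations() {
    pol=$(field "$1" 'configured audit policies')
    if ! has_class "$pol" argv || ! has_class "$pol" cnt; then
        echo "policy: want argv,cnt, have ${pol:-none}"
    fi
    flags=$(field "$2" 'configured user default audit flags')
    if ! has_class "$flags" lo; then
        echo "flags: want lo, have ${flags:-none}"
    fi
    naflags=$(field "$3" 'configured non-attributable audit flags')
    if ! has_class "$naflags" lo; then
        echo "naflags: want lo, have ${naflags:-none}"
    fi
    case "$4" in
        *'audit_binfile (inactive)'*|'') echo "plugin: audit_binfile is not active" ;;
    esac
}

# accounts_missing_cusa NAMES LOOKUP
# For each whitespace-separated name, run "LOOKUP name" (a command that prints the
# account's audit_flags the way userattr does) and print the names whose
# always-audit part (before the colon) lacks cusa.
accounts_missing_cusa() {
    for name in $1; do
        af=$("$2" "$name" || true)
        if ! has_class "${af%%:*}" cusa; then
            echo "$name"
        fi
    done
}

# Constructed sample output: policy and flags correct, plugin inactive, and of the
# constructed accounts only root carries cusa.
SAMPLE_POLICY='configured audit policies = argv,cnt
active audit policies = argv,cnt'
SAMPLE_FLAGS='active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)'
SAMPLE_NAFLAGS='active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)'
SAMPLE_PLUGIN='Plugin: audit_binfile (inactive)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;'
sample_userattr() {            # stand-in for "userattr audit_flags NAME"
    case "$1" in
        root)   echo 'cusa:no' ;;
        secadm) echo 'lo:no' ;;
        *)      ;;             # attribute unset: prints nothing
    esac
}

# Live run on a Solaris system, as an account with the Audit Configuration
# rights profile: root (user or role) plus every role, each checked once.
live_userattr() { /usr/bin/userattr audit_flags "$1"; }
audit_violations_live() {
    audit_violations "$(/usr/sbin/auditconfig -getpolicy)" \
                     "$(/usr/sbin/auditconfig -getflags)" \
                     "$(/usr/sbin/auditconfig -getnaflags)" \
                     "$(/usr/sbin/auditconfig -getplugin audit_binfile)"
    names=$( { echo root; /usr/bin/logins -r | awk '{print $1}'; } | sort -u )
    accounts_missing_cusa "$names" live_userattr
}
```

On the constructed input, 'audit_violations "$SAMPLE_POLICY" "$SAMPLE_FLAGS" "$SAMPLE_NAFLAGS" "$SAMPLE_PLUGIN"' reports only the inactive plugin, and 'accounts_missing_cusa "root secadm auditor" sample_userattr' names secadm and auditor. Any line printed by audit_violations_live maps directly to one of the numbered remediation steps above (auditconfig -setpolicy, -setflags, -setnaflags, -setplugin, or rolemod/usermod -K audit_flags=cusa:no), followed by 'audit -s'. The checks read the "configured" values, which become active once 'audit -s' has been run.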