PCI-DSS Security/Compliance benchmark for Oracle Solaris
with profile Solaris PCI-DSS Profile
Evaluation Characteristics
Evaluation target | test |
---|---|
Benchmark Title | PCI-DSS Security/Compliance benchmark for Oracle Solaris |
Benchmark Version | 1.18882 |
Benchmark Description | Oracle Solaris security compliance benchmark for general purpose operating system installations processing PCI-DSS (Payment Card Industry – Data Security Standard) relevant data. |
Profile ID | Solaris_PCI-DSS |
Started at | 2025-01-28T17:27:33+01:00 |
Finished at | 2025-01-28T17:47:22+01:00 |
Performed by | root |
Test system | cpe:/a:redhat:openscap:1.3.9 |
CPE Platforms
- cpe:/o:oracle:solaris:11
Addresses
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 77.041321 | 100.000000 | |
Rule Overview
Result Details
The OS version is current
Rule ID | OSC-53005 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:27:37+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Systems should be kept up to date to ensure
that the latest security and operational updates are installed.
You can run ‘pkg update -n’ to check the current state of the system
against the configured repositories.
|
Package integrity is verified
Rule ID | OSC-54005 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:13+01:00 |
Severity | high |
Identifiers and References | |
Description |
Run ‘pkg verify’ to check that
all installed Oracle Solaris software matches the packaging database
and that ownership, permissions and content are correct.
|
Package signature checking is globally activated
Rule ID | OSC-53505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:14+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Package signature checking should be globally activated.
|
Booting the system should require a password
Rule ID | OSC-04511 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:29:14+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The GRUB menu, the BIOS, and the eeprom
should be password-protected to prevent
configuration by unauthorized users.
The BIOS protections prevent booting from an external device,
such as a USB flash drive.
|
Remediation description:
On an x86, create passwords for the BIOS and the GRUB menu.
On SPARC, protect the eeprom with a password.
|
SPARC EEPROM security-mode is not set.
To fix:
# /usr/sbin/eeprom security-mode=command
or
# /usr/sbin/eeprom security-mode=full
Address Space Layout Randomization (ASLR) is enabled
Rule ID | OSC-01511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Oracle Solaris tags many of its userland binaries
to enable Address Space Layout Randomization (ASLR).
ASLR randomizes the starting address of key parts of an address space.
This security defense mechanism can cause
Return Oriented Programming (ROP) attacks to fail
when they try to exploit software vulnerabilities.
See the sxadm(8) man page.
Zones inherit this randomized layout for their processes. Because the use of ASLR might not be optimal for all binaries, the use of ASLR is configurable at the zone level and at the binary level. |
Stacks are non-executable
Rule ID | OSC-75511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Programs read and write data on the stack.
Typically, they execute from read-only portions of memory
that are specifically designated for code.
Some attacks that cause buffers on the stack to overflow
try to insert new code on the stack and cause the program to execute it.
This security extension removes execute permission from the stack memory,
preventing these attacks from succeeding.
See the sxadm(8) man page.
Properly written programs function correctly without using executable stacks. |
Heaps are non-executable
Rule ID | OSC-75521 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Programs read and write data on the heap.
Typically, they execute from read-only portions of memory
that are specifically designated for code.
Some attacks that cause buffers on the heap to overflow
try to insert new code on the heap and cause the program to execute it.
Removing execute permission from the heap memory prevents
these attacks from succeeding.
Properly written programs may function correctly
without using executable heaps, but some older programs may
rely on heap execution. Setting model=tagged-files (or default)
ensures that unexpected heap execution attempts are prevented and
enabling the nxheap log ensures that such attempts are recorded.
|
ADI based protection for stacks
Rule ID | OSC-75531 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
ADISTACK
Buffer overflow attacks on the stack target the register save area in order to alter the program's execution flow. Protecting the register save area with ADI allows such attacks to be detected and stopped. Setting model=tagged-files (or default) ensures that unexpected stack execution attempts are prevented. This security extension is only available on SPARC systems that support ADI. See the sxadm(8) man page. |
ADI based protection for heaps
Rule ID | OSC-75541 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
ADIHEAP
Buffer overflow (and other) attacks on heap-allocated buffers rely on the ability to read or write past the buffer boundaries. Protecting each allocated buffer with ADI versions allows such attacks to be detected and stopped. Setting model=tagged-files (or default) ensures that unexpected heap execution attempts are prevented. This security extension is only available on SPARC systems that support ADI. See the sxadm(8) man page. |
CVE-2018-3640 (Spectre v4): Speculative Store Bypass
Rule ID | OSC-75551 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
When Speculative Store Bypass Disable (SSBD) is enabled, loads will not execute
speculatively until the addresses of all older stores are known. This ensures
that a load does not speculatively consume stale data by bypassing an
older store on the same logical processor. When SSBD is enabled in sxadm,
binaries tagged with DT_SUNW_SX_SSBD automatically run with the SSBD
mitigation enabled.
|
CVE-2017-5715 (Spectre): SPARC Hardware Branch Target Injection (HW_BTI) Mitigation
Rule ID | OSC-75561 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
HW_BTI provides hardware-based mitigation for CVE-2017-5715
(Branch Target Injection, Spectre Variant 2). When enabled, some
applications might experience lower performance.
This security extension is only available on SPARC systems that support HW_BTI. See the sxadm(8) man page. |
CVE-2017-5754 (Meltdown): KPTI – Kernel Page Table Isolation
Rule ID | OSC-75571 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
KPTI is a software workaround for CVE-2017-5754 for Intel CPUs. It
is enabled by default on systems where it is required and supported.
|
CVE-2017-5715 (Spectre): IBRS and IBPS Mitigations
Rule ID | OSC-75581 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
IBRS and IBPS are mitigations for CVE-2017-5715 (Spectre) for Intel CPUs.
|
CVE-2018-3640 (Spectre v3a): L1 Data Cache Flush
Rule ID | OSC-75591 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
L1 Data Flush (L1DF) is a mitigation used to flush sensitive data
specifically from the L1D cache on the physical core executing the flush
(instead of flushing data from all cache levels on the local processor).
This prevents an untrusted guest virtual machine from inferring the values
of data or memory belonging to other guest virtual machines.
|
Return Stack Buffer mitigation (RSBS) is enabled
Rule ID | OSC-75611 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
RSBS is a mitigation for CVE-2018-15572. Enabled by default, it
restricts speculation based on the Return Stack Buffer state.
See the sxadm(8) man page.
|
Microarchitectural Data Sampling (MDS) is enabled
Rule ID | OSC-75621 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
MD_CLEAR is a mitigation for the Microarchitectural Data Sampling (MDS)
series of vulnerabilities for Intel CPUs only. The vulnerabilities are
CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS),
CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS),
CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS),
CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory
(MDSUM). The mitigation overwrites the store and fill buffers on the
logical processors that are affected by MDS.
See the sxadm(8) man page.
|
Rogue Data Cache Avoidance Mitigation
Rule ID | OSC-75631 |
Result | unknown |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Rogue Data Cache Avoidance Mitigation (RDCL_NO) mitigates CVE-2017-5754,
CVE-2018-3646 and CVE-2018-12130. It prevents unauthorized disclosure of
information to an attacker with local user access through a side-channel
analysis of the data cache. RDCL_NO is read-only, and enabled by default
on systems where it is required and supported.
|
The umask(1) for SMF services is 022
Rule ID | OSC-77500 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Files that the Service Management Facility (SMF) creates
should be created with 644 file permissions.
|
Service svc:/network/firewall is enabled
Rule ID | OSC-27510 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Packet Filter is a host-based firewall
that provides stateful packet filtering
and network address translation (NAT).
Packet filtering provides basic protection
against network-based attacks.
Packet Filter also includes stateless packet filtering
and can create and manage address pools.
See the pfctl(8) and pf.conf(7) man pages.
|
Remediation description: Enable the PF firewall service with SMF. Also, ensure that you have a reasonable rule set for the server in question. This check looks for at least one rule that starts with the "block" keyword, which should appear in most production rule sets. See the pfctl(8) and pf.conf(7) man pages for examples.
|
The tcp_wrappers feature is enabled
Rule ID | OSC-88011 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
TCP wrappers provides a way
of implementing access controls by checking the address of a host
that is requesting a particular network service against an ACL.
Requests are granted or denied accordingly.
TCP wrappers also logs host requests for network services,
which is a useful monitoring function.
The ssh(1) and sendmail(8) services are configured
to use TCP wrappers.
Network services that might be placed under access control
include proftpd(8) and rpcbind(8).
See the tcpd(8) man page.
|
Remediation description:
For most TCP services, see the Network Administration Guide
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=NWIPA).
For FTP, see the Security Guidelines
(http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SYSADV7).
|
All local filesystems are ZFS
Rule ID | OSC-16005 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
ZFS is the default filesystem for Oracle Solaris.
On most systems other filesystem types should not be mounted.
See the zfs(4FS) man page.
|
VARSHARE dataset properties are correct
Rule ID | OSC-16010 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The VARSHARE dataset of the rpool pool must not allow exec, setuid
or xattr.
|
Mounting non-Oracle filesystems in rpool/VARSHARE is not supported
Rule ID | OSC-16011 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
rpool/VARSHARE is reserved for use by Oracle Solaris. Creating datasets
under rpool/VARSHARE is not supported. See datasets(7).
|
Non-root ZFS filesystems are encrypted
Rule ID | OSC-17000 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
All ZFS file systems that are not the root file system
should be encrypted.
Encryption must be applied at filesystem creation.
You must remember the encryption passphrase.
Store it in a safe place.
See the zfs(8) and zfs_encrypt(8) man pages.
|
Remediation description:
|
ZFS encryption not set on the following non-root file systems:
rpool/export
rpool/export/home
rpool/export/home/ajcaballero
rpool/export/home/ebarcia
rpool/export/home/esarabia
rpool/export/home/fmgomez
rpool/export/home/jvargas
swap(8) is encrypted
Rule ID | OSC-78000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Swap space on a raw device should be encrypted
(ZFS volumes used as a swap device are always encrypted).
Encryption ensures that sensitive data, such as user passwords,
is protected if the system needs to swap those pages out to disk.
See the swap(8) man page.
|
A size limit is set on tmpfs(4FS)
Rule ID | OSC-16500 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The size of the tmpfs file system is not limited by default.
To avoid a performance impact,
you can limit the size of each tmpfs mount.
See the mount_tmpfs(8) and vfstab(5) man pages.
|
Remediation description:
To edit the vfstab file, you must become an administrator
with the solaris.admin.edit/etc/vfstab authorization.
To restart the service, you must be assigned
the Service Configuration rights profile.
The root role has all of these rights.
Set a limit on the tmpfs file system in the /etc/vfstab file, then remount the /tmp file system.
For more information, see the Security Guidelines (http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SCGDL).
Determine the limit of the tmpfs file system according to the size of your disks.
# pfedit /etc/vfstab
...
swap - /tmp tmpfs - yes size=sz
# svcadm restart filesystem/local
|
World-writable directories have sticky bit set
Rule ID | OSC-14500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:29:43+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The sticky bit on a directory prevents files
in a world-writable directory from being deleted
or moved by anyone except the owner of the file, or root.
This is useful in directories that are common to many users,
such as the /tmp directory.
|
coreadm(8) configuration is correct
Rule ID | OSC-07500 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:29:43+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Core dumps can contain sensitive data.
Protections can include file permissions and logging core dump events.
See the coreadm(8) and chmod(1) man pages.
|
Remediation description:
Locate the directory and protect the core dumps.
Protections include file permissions and logging.
Use the coreadm command to view and set the current configuration.
Ensure the coremon:default service is enabled.
Configure the core files and protect the core dump directory.
$ coreadm
global core file pattern: /var/cores/core.%z.%f.%u.%p
global core file content: default
kernel zone core file pattern: /var/cores/kzone.%z.%t
init core file pattern: core
init core file content: default
global core dumps: enabled
kernel zone core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
diagnostic core dumps: enabled
retention policy: summary
core diagnostic alert: enabled
To set the correct coreadm(8) configuration:
# coreadm -g default -k default \
-e global -e kzone -e process \
-e diagnostic -e alert -d global-setid \
-d process -d log -d proc-setid
To check the permissions:
# ls -ld /var/share/cores
drwx------ 2 root sys 2 Nov 2 2014 cores/
To set the permissions correctly on the directory:
# chmod 700 /var/share/cores
Check that the core file monitoring service is online using the following command:
svcs -l svc:/system/coremon:default
and enable it as necessary using the svcadm(8) command.
|
coreadm(8) it is advised to enable global core dumps
Permissions or ownership not correct on /var/share/cores
coreadm configuration is not correct.
Find and list world writable files
Rule ID | OSC-13000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:35:44+01:00 |
Severity | medium |
Identifiers and References | |
Description |
World-writable files are unprotected files.
Modification and removal of a file should be limited
to the owner of the file.
|
Find and list suid and sgid files other than those in standard Oracle Solaris packages
Rule ID | OSC-13500 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:12+01:00 |
Severity | high |
Identifiers and References | |
Description |
Programs that set the UID and GID offer entry points
for malicious code.
|
Find and list all files with no known owner
Rule ID | OSC-14000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:16+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Files with no owner should be removed from the system or be assigned
proper ownership. Additionally, accounts that are closed should be
archived and removed from the system.
|
Find and list files with extended attributes
Rule ID | OSC-15000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:18+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Oracle Solaris implements extended attributes as files
in an "extended attribute" name space visible
only by using extended attribute aware commands.
It is possible for attackers or malicious users
to hide information in the extended attribute name space.
Oracle Solaris currently does not ship any files
with extended attributes.
See the runat(1) and fsattr(7) man pages.
|
Directed broadcasts are not forwarded
Rule ID | OSC-79510 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:18+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, Oracle Solaris forwards broadcast packets.
To reduce the possibility of broadcast flooding, change the default.
Note that you are also disabling broadcast pings.
|
Source-routed packets are not forwarded
Rule ID | OSC-87010 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:18+01:00 |
Severity | medium |
Identifiers and References | |
Description |
To prevent DoS attacks from spoofed packets,
ensure that source-routed packets are not forwarded.
The default is not to forward them.
|
TCP reverse source routing is disabled
Rule ID | OSC-86010 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:18+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The default value prevents packets
from bypassing network security measures.
Source-routed packets allow the source of the packet
to suggest a path different from the path configured on the router.
Note – This parameter might be set to 1 for diagnostic purposes.
After diagnosis is complete, return the value to 0.
|
ICMP redirects are disabled
Rule ID | OSC-82010 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:18+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Routers use ICMP redirect messages
to inform hosts of more direct routes to a destination.
An illicit ICMP redirect message could result
in a man-in-the-middle attack.
|
Remediation description:
ICMP redirects are managed using the ipadm command.
See the ipadm(8) man page.
|
The current values of _ignore_redirect for ipv4 are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 _ignore_redirect rw 0 -- 0 0,1
The current values of _ignore_redirect for ipv6 are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6 _ignore_redirect rw 0 -- 0 0,1
Responses to echo requests on multicast addresses are disabled
Rule ID | OSC-85510 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
To prevent the dissemination of information
about the network topology, disable these responses.
|
Remediation description:
Responses to echo requests are managed using the ipadm command.
See the ipadm(8) man page.
|
The current values of _respond_to_echo_multicast for ipv4 are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 _respond_to_echo_multicast rw 1 -- 1 0,1
The current values of _respond_to_echo_multicast for ipv6 are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6 _respond_to_echo_multicast rw 1 -- 1 0,1
Responses to ICMP broadcast timestamp requests are disabled
Rule ID | OSC-81510 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
To prevent the dissemination of information
about the network topology, disable these responses
if they are currently enabled.
|
Responses to ICMP echo requests on broadcast addresses are disabled
Rule ID | OSC-80510 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
To prevent the dissemination of information
about the network topology,
disable these responses if they are currently enabled.
|
Remediation description:
Responses to ICMP echo requests on broadcast addresses are managed
using the ipadm command.
See the ipadm(8) man page.
|
The current values for _respond_to_echo_broadcast are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip _respond_to_echo_broadcast rw 1 -- 1 0,1
Responses to ICMP netmask requests are disabled
Rule ID | OSC-81010 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
To prevent the dissemination of information
about the network topology,
disable these responses if they are currently enabled.
|
Responses to ICMP timestamp requests are disabled
Rule ID | OSC-82510 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The default value removes additional CPU demands on systems
and prevents the dissemination of information about the network.
|
Strict multihoming is enabled
Rule ID | OSC-87500 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
For systems that are gateways to other domains,
such as a firewall or a VPN node, strict multihoming must be enabled.
The hostmodel property controls the send and receive behavior
for IP packets on a multihomed system.
|
Remediation description:
Strict multihoming should be set to "1"
so that packets are not accepted on a different interface.
The default is "0".
|
The current values of _strict_dst_multihoming for ipv4 are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 _strict_dst_multihoming rw 0 -- 0 0-1
The current values of _strict_dst_multihoming for ipv6 are:
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6 _strict_dst_multihoming rw 0 -- 0 0-1
Strong TCP packet sequence numbering
Rule ID | OSC-83002 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Ensure that the TCP initial sequence number generation
parameter complies with RFC 6528
(http://www.ietf.org/rfc/rfc6528.txt).
|
The maximum number of half-open TCP connections is at least 4096
Rule ID | OSC-84000 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Setting the maximum half-open TCP connections
to 4096 per IP address per port helps
to defend against SYN flood denial of service attacks.
|
Remediation description:
The maximum number of half-open TCP connections is managed
using the ipadm command.
See the ipadm(8) man page.
|
The number of allowed half-open TCP connections is set to 1024
and should be at least 4096.
Service svc:/system/coreadm is enabled
Rule ID | OSC-07011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The coreadm service manages the core files
that are produced by processes that terminate abnormally.
See the core(5) and coreadm(8) man pages.
|
Service svc:/system/cron is enabled
Rule ID | OSC-08011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The cron service manages the cron(8) command,
which runs processes that execute commands
at specified dates and times.
See the at(1), crontab(1), and cron(8) man pages.
|
Service svc:/system/cryptosvc is enabled
Rule ID | OSC-09011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The cryptosvc service manages the use of cryptographic mechanisms
from the Cryptographic Framework feature of Oracle Solaris.
|
Service svc:/system/dbus is enabled
Rule ID | OSC-10011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The dbus service manages the D-Bus message bus daemon.
Programs use the message bus daemon to exchange messages with
one another.
For example, the Hardware Abstraction Layer (HAL) uses dbus.
See the dbus-daemon(1) and hal(7) man pages.
|
Service svc:/system/filesystem/autofs:default is in enabled state
Rule ID | OSC-03511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The autofs service manages
the mount points for the automount(8) daemon.
This policy requires that the service be enabled. |
Service svc:/system/hal is enabled in global zone
Rule ID | OSC-21511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Hardware Abstraction Layer (HAL) service manages
dynamic hardware configuration changes.
See the hal(7) man page.
This service only runs in the global zone.
|
Service svc:/system/identity:domain is enabled
Rule ID | OSC-22011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The identity:domain service instance manages system identity.
See the domainname(8) man page.
|
Service svc:/system/intrd is enabled in global zone
Rule ID | OSC-27011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The interrupt balancer (intrd) service monitors
the assignments between interrupts and CPUs
to ensure optimal performance.
See the intrd(8) man page.
This service only runs in the global zone.
|
Service svc:/system/keymap is enabled in global zone
Rule ID | OSC-28511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The keymap service manages the default configuration of the keyboard.
See the kbd(1) man page.
This service only runs in the global zone.
|
Service svc:/system/name-service/cache is enabled
Rule ID | OSC-35511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The name-service/cache service manages
the caching of name service information.
See the nscd(8) man page.
|
Service svc:/system/name-service/switch is enabled
Rule ID | OSC-36011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The name-service/switch service manages
the databases that contain information
about hosts, users, and groups.
See the nsswitch.conf(5) man page.
|
Service svc:/system/picl is enabled in global zone
Rule ID | OSC-52511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The platform information and control (picl) service manages
the publishing of platform configuration information
that can respond to client requests for information
about the configuration.
See the picld(8) and prtpicl(8) man pages.
This service only runs in the global zone.
|
Service svc:/system/power management is enabled in global zone
Rule ID | OSC-54511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The system/power service manages
the power management configuration of an Oracle Solaris system.
See the poweradm(8) man page.
This service only runs in the global zone.
|
Service svc:/system/scheduler is enabled in global zone
Rule ID | OSC-67011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The system/scheduler service manages the process scheduler.
See the dispadmin(8) man page.
This service only runs in the global zone.
|
Service svc:/system/system-log is enabled
Rule ID | OSC-78511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The system-log service reads and forwards system messages
to the appropriate log files or users.
See the syslogd(8) and rsyslogd(8) man pages.
|
Service svc:/system/utmp is enabled
Rule ID | OSC-95011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The utmp service manages a table of processes,
detects when a process has terminated, and updates the table.
See the utmpd(8) man page.
|
Service svc:/system/zones is enabled in global zone
Rule ID | OSC-97511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The zones service manages the autoboot and graceful shutdown of zones.
See the zones(7) and zonecfg(8) man pages.
This service only runs in the global zone.
|
Service svc:/network/inetd is enabled
Rule ID | OSC-26511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The inetd service manages the restarting of inet services.
See the inetd(8) man page.
|
Service svc:/network/ntp is enabled and properly configured as a client
Rule ID | OSC-42011 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Network Time Protocol daemon
should be enabled and properly configured as a client.
The /etc/inet/ntp.conf file must include at least one server definition.
The file should also contain the line «restrict default ignore»
to prevent the client from also acting as a server.
|
Remediation description:
The ntp service should be installed on all systems
where security and compliance are desired.
If it is not installed on your system,
install it using ‘pkg install service/network/ntp’.
Then configure the service as a client and enable it.
As needed:
# pkg install service/network/ntp
# pfedit /etc/inet/ntp.conf
...
server <server IP address> iburst
restrict default ignore
...
# svcadm enable ntp
Note that ‘restrict default ignore’ discards packets of all kinds, including replies from the configured servers, unless each server also gets its own ‘restrict <server IP address> ...’ line; see ntp.conf(5). |
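The following POSIX shell script is an added example, not part of this report or of Oracle's compliance checker. It reproduces the two OSC-42011 conditions (at least one server definition, and ‘restrict default ignore’) against an ntp.conf file offline, and additionally warns when a configured server has no ‘restrict’ line of its own, which would leave it silenced by the default ignore. The two configuration files are constructed samples written to temporary files; 192.0.2.10 is a documentation address, not a real time server.

```shell
#!/bin/sh
# Added example: offline reproduction of the OSC-42011 ntp client checks.
# Not part of the compliance report; the sample configs below are constructed.

# Print the address of every `server` line (comments stripped first).
ntp_servers() {
    sed -e 's/#.*//' "$1" | awk '$1 == "server" { print $2 }'
}

# Return 0 when the file contains `restrict default ignore`.
ntp_has_default_ignore() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "restrict" && $2 == "default" && $3 == "ignore" { ok = 1 }
             END { exit !ok }'
}

# Return 0 when server $1 has its own `restrict $1 ...` line in file $2.
ntp_server_restricted() {
    sed -e 's/#.*//' "$2" |
        awk -v s="$1" '$1 == "restrict" && $2 == s { ok = 1 } END { exit !ok }'
}

# Overall verdict for one ntp.conf: 0 = pass, 1 = fail. Diagnostics on stderr.
check_ntp_client_conf() {
    conf=$1
    status=0
    servers=$(ntp_servers "$conf")
    if [ -z "$servers" ]; then
        echo "FAIL: no server definition in $conf" >&2
        status=1
    fi
    if ntp_has_default_ignore "$conf"; then
        # ntpd's `ignore` also drops replies from time sources, so each
        # server needs a matching restrict line to be usable at all.
        for s in $servers; do
            ntp_server_restricted "$s" "$conf" ||
                echo "WARN: $s has no restrict line; default ignore drops its replies" >&2
        done
    else
        echo "FAIL: missing 'restrict default ignore' in $conf" >&2
        status=1
    fi
    return $status
}

# Constructed sample: a compliant client configuration.
good_conf=$(mktemp)
cat >"$good_conf" <<'EOF'
# constructed sample, not a real /etc/inet/ntp.conf
server 192.0.2.10 iburst
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap nopeer noquery
EOF

# Constructed sample: no server and no default restriction (fails both checks).
bad_conf=$(mktemp)
cat >"$bad_conf" <<'EOF'
# constructed sample: an ntp.conf with only a driftfile directive
driftfile /var/ntp/ntp.drift
EOF
trap 'rm -f "$good_conf" "$bad_conf"' EXIT

check_ntp_client_conf "$good_conf" && echo "good_conf: pass"
check_ntp_client_conf "$bad_conf" || echo "bad_conf: fail"
```

Run it against the real file with `check_ntp_client_conf /etc/inet/ntp.conf`; a WARN line on an otherwise passing file means the compliance check is satisfied but the client will never synchronise.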
Service svc:/network/rpc/bind is enabled
Rule ID | OSC-62011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The rpc/bind service manages
the conversion of RPC program numbers to universal addresses.
See the rpcbind(8) man page.
|
Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured
Rule ID | OSC-63005 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The generic security service (gss) service manages
the generation and validation of
Generic Security Service Application Program Interface (GSS-API)
security tokens.
The gssd(8) daemon operates between the kernel rpc and the GSS-API.
Kerberos uses this service.
This policy requires that the svc:/network/rpc/gss service be enabled only if Kerberos is configured and in use. |
Remediation description:
To manually remediate this failure, disable the
svc:/network/rpc/gss service with ‘svcadm disable svc:/network/rpc/gss’.
Leave it enabled only if Kerberos is configured and in use on this system.
|
Service svc:/network/sendmail-client is enabled
Rule ID | OSC-68011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The sendmail-client service manages
email on a client.
The sendmail-client service needs to be running
to ensure delivery of mail to local accounts such as root.
See the sendmail(8) man page.
|
Service svc:/network/smtp:sendmail is enabled
Rule ID | OSC-67511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The sendmail service should be running.
Otherwise, important system mail to root will not be delivered.
If receipt of remote mail is not required, sendmail should be
in local_only mode.
See check OSC-68505-sendmail-local-only to verify that sendmail
is running in local_only mode. See the sendmail(8) man page.
|
Service svc:/network/smtp:sendmail only listens on loopback
Rule ID | OSC-68505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Check that sendmail runs in local_only mode,
that is, that it listens only on the loopback interface.
See the sendmail(8) and svccfg(8) man pages.
|
Service svc:/network/ssh:default is in enabled state
Rule ID | OSC-72011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The ssh service manages the Secure Shell (ssh) daemon,
which provides secure encrypted communications
between two untrusted hosts over an insecure network.
By default, ssh is the only network service
that can send and receive network packets
on a newly-installed Oracle Solaris system.
See the sshd(8) man page.
This policy requires that the service be enabled. |
Service svc:/application/stosreg is enabled in global zone
Rule ID | OSC-77011 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The service tag OS registry inserter (stosreg) service manages
the service tag registry.
See the stclient(8) man page.
This service only runs in the global zone.
|
Service svc:/system/webui/server:default is in enabled state
Rule ID | OSC-98511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Solaris WebUI is a framework for delivering web
apps for Oracle Solaris. It provides a means of authenticating users
and allowing the user to navigate between various web apps that
are integrated with the WebUI. By default, it listens on ports 443
and 6787. See the webui-service(7) man pages.
This policy requires that the service be enabled. |
Service svc:/system/rad:remote is in enabled state
Rule ID | OSC-99011 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
rad is a facility that securely exposes programmatic
system administration and monitoring interfaces to consumers in a
variety of high-level languages. When run as a remote service, rad
authenticates remote users and runs the consumed APIs as the
authenticated user, over secure transport protocols. See the
rad(8) man page.
This policy requires that the service be enabled. |
Remediation description: To manually remediate this failure, enable the service with ‘svcadm enable svc:/system/rad:remote’.
|
The NIS client service is disabled or not installed
Rule ID | OSC-40510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, NIS client software is not installed.
NIS is an RPC-based naming service
that does not conform to current security requirements
and is less secure than the LDAP naming service.
See the nis(7) and ypbind(8) man pages.
|
The NIS server service is disabled or not installed
Rule ID | OSC-41010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, NIS server software is not installed.
NIS is an RPC-based naming service
that does not conform to current security requirements
and is less secure than the LDAP naming service.
See the nis(7) and ypserv(8) man pages.
|
The r-protocols services are disabled in PAM
Rule ID | OSC-55010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, legacy services such as the r-protocols,
rlogin(1) and rsh(1), are not installed.
|
mesg(1) prevents talk(1) and write(1) access to remote terminals
Rule ID | OSC-34510 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program controls whether users can send messages
by using write(1), talk(1) or other utilities to a terminal device.
See the mesg(1) man page.
|
Remediation description: Configure your system to deny remote users permission to send messages to the terminal. To manually remediate a failure on this check, run the following commands.
|
Only approved ports are allowed to be bound to non-loopback addresses
Rule ID | OSC-73505 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The rule validates that only approved ports are allowed to be
bound on non-loopback addresses. Any other port that is in use
but has not been excluded is reported as a failure.
By default, several network services can send and receive network packets on a newly-installed Oracle Solaris system, including sshd(8), rpcbind(8), nfsd(8), webui-service(7), cups-lpd(8), and rad(8). These services can be excluded based on values set in other rules, which include the following:
OSCV-72011 ssh service, which is currently set to enabled.
OSCV-39510 nfs-server service, which is currently set to disabled.
OSCV-98511 webui-server service, which is currently set to enabled.
OSCV-99011 rad-remote service, which is currently set to enabled.
OSCV-34010 lpd service, which is currently set to disabled.
OSCV-324601 ldmd/xmpp_enabled property, which is currently set to true.
OSCV-324602 ldmd/incoming_migration_enabled property, which is currently set to true.
Other ports known to the user as being used by approved services can be excluded by tailoring OSCV-73505, which is currently set to none.
Also, rpcbind, if it is online, should be configured to listen only for local connections.
See the sshd(8), rpcbind(8), nfsd(8), webui-service(7), cups-lpd(8), and rad(8) man pages. |
Remediation description:
Disable any unneeded services listening on the network.
# svcadm disable <FMRI for unneeded service>
Additionally, rpcbind should be set to local only mode so that it does not respond to remote requests, using:
# /usr/sbin/svccfg -s svc:/network/rpc/bind:default setprop config/local_only = boolean: true
# svcadm refresh svc:/network/rpc/bind:default |
The following ports are open:
*.515 inetd
*.81 pkg.depotd
*.80 httpd
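The following POSIX shell script is an added example, not part of this report or of Oracle's compliance checker. It applies the OSC-73505 logic offline to a listener snapshot written in the same ‘<address>.<port> <process>’ form the report uses above: loopback binds are skipped, and any remaining port not on the approved list is reported. The snapshot is constructed; it includes the three findings from this report plus the listeners that the ssh and WebUI rules justify. The approved list is derived from those rules; the rad:remote port 12302 is an assumption of this example, since the report does not state it.

```shell
#!/bin/sh
# Added example: offline reproduction of the OSC-73505 "approved ports" check.
# Not part of the compliance report; the snapshot below is constructed.

# Constructed listener snapshot in the report's "<address>.<port> <process>"
# form. On a live system this would be built from netstat(8) output.
LISTENERS='*.22 sshd
*.443 httpd
*.6787 httpd
127.0.0.1.25 sendmail
127.0.0.1.111 rpcbind
::1.25 sendmail
*.515 inetd
*.81 pkg.depotd
*.80 httpd'

# Ports justified by other rules in this report: ssh (22) and the WebUI
# (443, 6787). 12302 is the ASSUMED rad:remote default, not stated on the
# page; treat it as a local tailoring decision, like OSCV-73505.
APPROVED_PORTS="22 443 6787 12302"

# Print "port process" for every listener bound to a non-loopback address
# whose port is not in APPROVED_PORTS. Empty output means the rule passes.
unapproved_listeners() {
    printf '%s\n' "$LISTENERS" | awk -v approved="$APPROVED_PORTS" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF >= 2 {
            # The port is everything after the last dot; the address part
            # may itself contain dots (IPv4) or colons (IPv6).
            i = match($1, /\.[0-9]+$/)
            if (i == 0) next
            addr = substr($1, 1, i - 1)
            port = substr($1, i + 1)
            # Loopback-only binds are out of scope for this rule.
            if (addr == "127.0.0.1" || addr == "::1") next
            if (!(port in ok)) print port, $2
        }'
}

# 0 when nothing unapproved is listening, 1 otherwise.
ports_rule_passes() {
    [ -z "$(unapproved_listeners)" ]
}

unapproved_listeners
ports_rule_passes && echo "OSC-73505: pass" || echo "OSC-73505: fail"
```

On the constructed snapshot this reports exactly the three ports the report lists (515, 81, 80). Each one is cleared either by disabling the owning service with ‘svcadm disable <FMRI>’ or, if the service is genuinely required, by adding the port to the OSCV-73505 tailoring value, which is what appending it to APPROVED_PORTS models here.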
Service svc:/network/dhcp/server instances are in disabled state
Rule ID | OSC-10510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, the dhcp/server service is not installed.
If you are not using this system as a DHCP server,
you should not install or enable the service.
This policy requires that the service be disabled. Note the instance semantics: if a rule required ‘enabled’, any one enabled dhcp/server instance would satisfy it; because this rule requires ‘disabled’, every dhcp/server instance must be disabled. |
Service svc:/network/dhcp/relay instances are in disabled state
Rule ID | OSC-10610 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, the dhcp/relay service is not installed.
If you are not using this system as a DHCP relay,
you should not install or enable the service.
This policy requires that the service be disabled. Note the instance semantics: if a rule required ‘enabled’, any one enabled dhcp/relay instance would satisfy it; because this rule requires ‘disabled’, every dhcp/relay instance must be disabled. |
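The dhcp/server and dhcp/relay rules above both describe how a multi-instance service is judged: ‘enabled’ is satisfied by any one instance, ‘disabled’ requires all of them. The following POSIX shell script is an added example, not part of this report or of Oracle's checker, that applies that logic to a constructed ‘svcs -H -o state,fmri’ snapshot. It treats every svcs state other than ‘disabled’ as enabled, which is an approximation (Oracle's checker may read the general/enabled property instead), and it treats a service with no instances at all as ‘disabled or not installed’. The instance names are constructed for the example.

```shell
#!/bin/sh
# Added example: instance semantics of the "is in disabled state" rules.
# Not part of the compliance report; the svcs snapshot below is constructed.

# Constructed `svcs -a -H -o state,fmri` output: one instance per line.
SVCS_SNAPSHOT='online         svc:/network/ssh:default
disabled       svc:/network/dhcp/server:ipv4
disabled       svc:/network/dhcp/server:ipv6
online         svc:/network/dhcp/relay:ipv4
disabled       svc:/network/dhcp/relay:ipv6
maintenance    svc:/network/dns/multicast:default'

# Print the state of every instance of service $1 (an FMRI without instance).
instances_of() {
    printf '%s\n' "$SVCS_SNAPSHOT" |
        awk -v svc="$1" 'index($2, svc ":") == 1 { print $1 }'
}

# rule_passes <service FMRI> enabled|disabled
#   enabled:  passes if at least one instance is in a non-disabled state
#   disabled: passes only if every instance is disabled, or none is installed
# Assumption: any svcs state other than "disabled" (online, offline,
# maintenance, degraded) counts as enabled.
rule_passes() {
    svc=$1
    want=$2
    states=$(instances_of "$svc")
    if [ -z "$states" ]; then
        # Not installed: satisfies a "disabled" rule, fails an "enabled" one.
        [ "$want" = disabled ]
        return
    fi
    case $want in
        enabled)  printf '%s\n' "$states" | grep -qv '^disabled$' ;;
        disabled) ! printf '%s\n' "$states" | grep -qv '^disabled$' ;;
        *)        echo "rule_passes: unknown requirement '$want'" >&2; return 2 ;;
    esac
}

report() {
    if rule_passes "$1" "$2"; then r=pass; else r=fail; fi
    echo "$1 must be $2: $r"
}

report svc:/network/dhcp/server disabled
report svc:/network/dhcp/relay  disabled
report svc:/network/dhcp/relay  enabled
report svc:/network/dns/multicast disabled
report svc:/network/ftp disabled
```

In the snapshot, dhcp/server passes its ‘disabled’ rule because both instances are disabled, while dhcp/relay fails it because the ipv4 instance is online even though ipv6 is disabled; that single online instance is also enough to satisfy an ‘enabled’ requirement.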
Service svc:/network/dns/multicast:default is in disabled state
Rule ID | OSC-80010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Multicast DNS (mDNS) implements DNS in a small network
where no conventional DNS server has been installed.
DNS Service Discovery (DNS-SD) extends multicast DNS
to also provide simple service discovery (network browsing).
This service is disabled by default,
because while it can ease finding hosts and servers,
it can also provide information about the network to malicious users.
See the named(8) and mdnsd(8) man pages.
This policy requires that the service be disabled. |
Service svc:/network/finger is disabled or not installed
Rule ID | OSC-15510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service enables users to display information
about local and remote users.
By default, this service is not installed
as part of solaris-small-server.
It is however installed as part of solaris-large-server.
This service is almost never needed
and either should be removed or at least, disabled.
See the fingerd(8) and finger(1) man pages.
|
Service svc:/network/ftp:default is in disabled state
Rule ID | OSC-17510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
The FTP service provides unencrypted file transfer
and uses plain-text authentication.
The secure copy program, scp(1), should be used
instead of FTP because it provides encrypted authentication
and file transfer.
This policy requires that the service be disabled. |
Service svc:/network/http:apache22 is in disabled state
Rule ID | OSC-01010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program provides Apache web server services
by using the Apache hypertext transfer protocol (http).
See the httpd(8) man page.
This policy requires that the service be disabled. |
Service svc:/network/login:rlogin is disabled or not installed
Rule ID | OSC-58010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service enables users to log in remotely.
By default, this service is not installed
as part of solaris-small-server.
See the rlogind(8) and rlogin(1) man pages.
|
Service svc:/network/nfs/cbd:default is in disabled state
Rule ID | OSC-37010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The NFS cbd service manages communication endpoints
for the NFS Version 4 protocol.
The nfs4cbd(8) daemon runs on the NFS Version 4 client
and creates a listener port for callbacks.
If this system is not an NFS version 4 client, this service should be disabled or its package uninstalled. This policy requires that the service be disabled. |
Service svc:/network/nfs/client:default is in disabled state
Rule ID | OSC-37500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The NFS client service is needed only
if the system is mounting NFS file systems specified in /etc/vfstab.
If the system is not mounting file systems specified there, the service can be disabled or its package uninstalled. See the mount_nfs(8) man page. This policy requires that the service be disabled. |
Service svc:/network/nfs/mapid:default is in disabled state
Rule ID | OSC-38010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The NFS user and group ID mapping daemon service
maps to and from NFS version 4 owner and owner_group
identification attributes and local UID and GID numbers used by
both the NFS version 4 client and server.
See the nfsmapid(8) man page.
If this system is not an NFS server, this service should be disabled or its package uninstalled. This policy requires that the service be disabled. |
Service svc:/network/nfs/nlockmgr is disabled or not installed
Rule ID | OSC-38510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The NFS lock manager supports record locking operations
on NFS files in NFSv2 and NFSv3.
See the lockd(8) and sharectl(8) man pages.
|
Service svc:/network/nfs/rquota is disabled or not installed
Rule ID | OSC-39010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The remote quota server returns quotas
for a user of a local file system which is mounted over NFS.
The results are used by quota(8) to display user quotas
for remote file systems.
The rquotad(8) daemon is normally invoked by inetd(8).
|
Service svc:/network/nfs/server:default is in disabled state
Rule ID | OSC-39510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The NFS Server service handles client file system
requests over NFS version 2, 3, and 4.
If this system is not an NFS server, this service should be disabled or its package uninstalled. See the nfsd(8) man page. This policy requires that the service be disabled. |
Service svc:/network/nfs/status is disabled or not installed
Rule ID | OSC-40010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
The NFS status monitor service interacts with lockd(8)
to provide the crash and recovery functions
for the locking services on NFS.
|
Service svc:/network/rarp:default is in disabled state
Rule ID | OSC-55510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service responds
to DARPA reverse address resolution protocol (RARP) requests.
Historically, RARP was used by machines at boot time
to discover their Internet Protocol (IP) address.
By default, this service is not installed.
See the rarpd(8) and rarp(4PI) man pages.
This policy requires that the service be disabled. |
Service svc:/network/rexec is disabled or not installed
Rule ID | OSC-57510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides remote execution facilities
with authentication based on user names and passwords.
See the in.rexecd(8) and rexec(3C) man pages.
|
Service svc:/network/stdiscover is disabled or not installed
Rule ID | OSC-76010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy program is used to locate the service tag listener.
For more information, see the in.stdiscover(8) man page.
|
Service svc:/network/stlisten is disabled or not installed
Rule ID | OSC-76510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy program is used to listen for discovery probes.
See the in.stlisten(8) man page.
|
Service svc:/network/talk is disabled or not installed
Rule ID | OSC-79010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy program enables two-way,
screen-oriented communication.
For more information, see the talk(1) and mesg(1) man pages.
|
Service svc:/network/telnet is disabled or not installed
Rule ID | OSC-88510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service supports
the DARPA standard TELNET virtual terminal protocol
to connect to a remote system over the TELNET port.
By default, this service is not installed.
See the telnetd(8) and telnet(1) man pages.
|
Service svc:/network/uucp is disabled or not installed
Rule ID | OSC-95510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service, UNIX to UNIX copy, provides
a user interface for requesting file copy operations,
typically used when constant connectivity is not possible.
By default, this service is not installed.
This test is deprecated. It is included solely for compatibility with existing tailorings, and is planned to be removed in a future release. UUCP was completely removed from Solaris and there is no replacement for this test. |
Service svc:/network/security/kadmin:default is in disabled state
Rule ID | OSC-28010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Kerberos administration daemon service runs
on the master key distribution center (KDC),
which stores the principal and policy databases.
This service should not be run on a system that is not a KDC.
See the kadmind(8) man page.
This policy requires that the service be disabled. |
Service svc:/network/security/krb5_prop:default is in disabled state
Rule ID | OSC-30510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Kerberos propagation daemon runs on slave KDC servers
to update the database from the master KDC.
See the kpropd(8) man page.
This policy requires that the service be disabled. |
Service svc:/network/security/krb5kdc:default is in disabled state
Rule ID | OSC-31010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Kerberos key distribution center service manages
Kerberos tickets on the master and slave KDCs.
See the krb5kdc(8) man page.
This policy requires that the service be disabled. |
Service svc:/network/security/ktkt_warn is disabled or not installed
Rule ID | OSC-32010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Kerberos V5 warning messages daemon on Kerberos clients
can warn users when their Kerberos tickets are about to expire
and can renew the tickets before they expire.
By default, this service is disabled.
If the system is a Kerberos client, then this service should be enabled.
See the ktkt_warnd(8) man page.
|
Service svc:/network/shell:default is disabled or not installed
Rule ID | OSC-69510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The remote shell daemon provides remote execution facilities
with authentication based on privileged port numbers.
The Secure Shell service, svc:/network/ssh,
is the best choice for remote execution.
See the rshd(8) and sshd(8) man pages.
|
Service svc:/network/chargen:stream is disabled or not installed
Rule ID | OSC-06020 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Character Generator Protocol (RFC 864) for TCP.
See the in.chargend(8) man page.
|
Service svc:/network/chargen:dgram is disabled or not installed
Rule ID | OSC-06010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Character Generator Protocol (RFC 864) for UDP.
See the in.chargend(8) man page.
|
Service svc:/network/daytime:stream is disabled or not installed
Rule ID | OSC-09520 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Daytime Protocol (RFC 867) for TCP.
See the in.daytimed(8) man page.
|
Service svc:/network/daytime:dgram is disabled or not installed
Rule ID | OSC-09510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Daytime Protocol (RFC 867) for UDP.
See the in.daytimed(8) man page.
|
Service svc:/network/discard:stream is disabled or not installed
Rule ID | OSC-11020 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Discard Protocol (RFC 863) for TCP.
See the in.discardd(8) man page.
|
Service svc:/network/discard:dgram is disabled or not installed
Rule ID | OSC-11010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Discard Protocol (RFC 863) for UDP.
See the in.discardd(8) man page.
|
Service svc:/network/echo:stream is disabled or not installed
Rule ID | OSC-11520 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Echo Protocol (RFC 862) for TCP.
See the in.echod(8) man page.
|
Service svc:/network/echo:dgram is disabled or not installed
Rule ID | OSC-11510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Echo Protocol (RFC 862) for UDP.
See the in.echod(8) man page.
|
Service svc:/network/time:stream is disabled or not installed
Rule ID | OSC-89520 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Time Protocol (RFC 868) for TCP.
See the in.timed(8) man page.
|
Service svc:/network/time:dgram is disabled or not installed
Rule ID | OSC-89510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
This legacy service provides the server side
of the Time Protocol (RFC 868) for UDP.
See the in.timed(8) man page.
|
Service svc:/network/rpc/keyserv is disabled or not installed
Rule ID | OSC-29010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | low |
Identifiers and References | |
Description |
keyserv is a daemon that is used
for storing the private encryption keys of
each user logged into the system.
These encryption keys are used for accessing
secure network services such as secure NFS.
For more information, see the keyserv(8) man page.
|
Service svc:/network/rpc/keyserv should use the default keys for user nobody
Rule ID | OSC-29510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The keyserv service should be configured to use the default
keys for user ‘nobody’. This is controlled by ENABLE_NOBODY_KEYS
in /etc/default/keyserv, which should be set to YES.
See the keyserv(8) man page. |
Service svc:/network/rpc/meta is disabled or not installed
Rule ID | OSC-64010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service uses an rpc(5) daemon
to manage local copies of metadevice diskset information.
By default, this service is not installed.
See the rpc.metad(8) man page.
|
Service svc:/network/rpc/metamed is disabled or not installed
Rule ID | OSC-64510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service manages mediator information
for 2-string high availability configurations.
See the rpc.metamedd(8) man page.
|
Service svc:/network/rpc/metamh is disabled or not installed
Rule ID | OSC-65010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service uses an rpc(5) daemon
to manage multi-hosted disks.
By default, this service is not installed.
See the rpc.metamhd(8) man page.
|
Service svc:/network/rpc/rex is disabled or not installed
Rule ID | OSC-57010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program is the Oracle Solaris RPC server
for remote program execution.
If this service is enabled, the daemon is started by inetd(8)
whenever a remote execution request is made.
See the rpc.rexd(8) man page.
This test is deprecated. It is included solely for compatibility with existing tailorings, and is planned to be removed in a future release. rpc.rexd was completely removed from Solaris and there is no replacement for this test. |
Service svc:/network/rpc/rstat is disabled or not installed
Rule ID | OSC-66010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service displays performance data from a remote system.
By default, this service is not installed.
See the rstatd(8) and rstat(3RPC) man pages.
|
Service svc:/network/rpc/rusers is disabled or not installed
Rule ID | OSC-66510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This legacy service displays information about users on a remote system.
By default, this service is not installed.
See the rusersd(8) and rusers(1) man pages.
|
Service svc:/network/rpc/smserver is disabled or not installed
Rule ID | OSC-65510 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program is used to access removable media devices.
See the rpc.smserverd(8) man page.
|
Remediation description:
Disable the smserver service with ‘svcadm disable svc:/network/rpc/smserver’.
|
Service svc:/network/rpc/spray is disabled or not installed
Rule ID | OSC-71510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program is a server that records the packets sent by spray(8).
See the rpc.sprayd(8) man page.
|
Service svc:/network/rpc/wall is disabled or not installed
Rule ID | OSC-96510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program broadcasts messages to all logged-in users.
See the rpc.rwalld(8) and wall(8) man pages.
|
Service svc:/network/smb/client is disabled or not installed
Rule ID | OSC-70510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The SMB/CIFS client allows an Oracle Solaris system
to natively mount file systems by means of SMB shares
from SMB enabled servers such as a Windows system.
See the mount_smbfs(8) man page.
|
Service svc:/system/avahi-bridge-dsd is disabled or not installed
Rule ID | OSC-04010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program provides an object-oriented interface to
DBUS-enabled applications.
See the avahi-daemon-bridge-dsd(1) man page.
|
Service svc:/system/filesystem/rmvolmgr is disabled or not installed
Rule ID | OSC-58510 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The removable volume manager is a device volume manager that can
automatically mount and unmount removable media and hot-pluggable storage.
Users might import malicious programs, or transfer sensitive data
off the system.
See the rmvolmgr(8) man page.
This service only runs in the global zone.
|
Remediation description:
Disable the remote volume manager service.
|
Service svc:/application/cups/in-lpd:default is in disabled state
Rule ID | OSC-34010 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This service supports the CUPS Line Printer Daemon (LPD)
for legacy client systems that use the LPD protocol.
By default, this service is not installed.
See the cups-lpd(8) man page.
This policy requires that the service be disabled. |
Remediation description: To manually remediate this failure, set the service state to disabled using the appropriate command.
|
Service svc:/application/graphical-login/gdm:default is in disabled state
Rule ID | OSC-19500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The GNOME Display Manager manages the displays on a system,
including the console display, attached displays, XDMCP displays,
and virtual terminals.
If a windowing display is not needed, this service should be disabled. If a windowing display is needed and installed, this service should be enabled. See the gdm(8) man page. This policy requires that the service be disabled. |
Service svc:/application/management/net-snmp:default is in disabled state
Rule ID | OSC-71010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The Simple Network Management Protocol (SNMP)
is a widely used protocol for monitoring
the health and welfare of network equipment.
The net-snmp SNMP daemon processes requests
from SNMP management software.
See the snmpd(8) and snmp_config(7) man pages.
This policy requires that the service be disabled. |
Service svc:/application/x11/xfs is disabled or not installed
Rule ID | OSC-97010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This program provides fonts
to X Window System display servers.
The server is usually run by inetd(8).
See the xfs(1) and fsadmin(1) man pages.
|
/etc/motd and /etc/issue contain appropriate policy text
Rule ID | OSC-35000 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The /etc/issue and /etc/motd (message of the day) files
are designed to hold system and security information.
The contents of the /etc/issue file are displayed prior
to the login prompt on the console, or in a window
if the file is called from the GNOME Display Manager (gdm).
Several applications call this file, such as Secure Shell and FTP.
The /etc/motd contents are displayed after login.
By default, the /etc/motd file exists
while the /etc/issue file does not.
See the login(1), issue(5), gdm(8), and sshd_config(5) man pages.
|
Remediation description:
Edit the /etc/motd file and create and edit the /etc/issue file
to add the security policy text that your legal department supplies.
An administrator with the Administrator Message Edit rights profile
can edit these files.
|
The ftp(1) banner shows a suitable security message
Rule ID | OSC-18000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The banner informs users who are attempting
to access the system that the system is monitored.
Note that the pkg:/service/network/ftp package must be installed
for ftp to work.
|
The gdm(8) banner shows a suitable security message
Rule ID | OSC-20500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The banner informs users who are attempting
to access the system that the system is monitored.
The banner uses the /etc/issue file.
See the issue(5) and gdm(8) man pages.
|
The ssh(1) banner shows a suitable security message
Rule ID | OSC-75000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, the ssh(1) banner displays
the contents of the /etc/issue file.
See the issue(5) and sshd_config(5) man pages.
|
The telnet(1) banner shows a suitable security message
Rule ID | OSC-89000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The telnetd(8) DARPA TELNET protocol server
is a legacy service that does not conform
to current security requirements.
By default, this service is not installed,
and systems use the ssh(1) protocol to communicate.
|
Use of the cron(8) and at(1) daemons is restricted
Rule ID | OSC-08505 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The cron(8) and at(1) daemons execute commands
at specified dates and times.
Only qualified accounts should be allowed to run commands
at arbitrary times on the system.
|
Remediation description: In order to restrict cron(8) and at(1) properly, the file /etc/cron.d/cron.allow should exist and have only one entry for root. In addition, the file /etc/cron.d/at.allow should exist and be empty. To manually remediate failure on this check, run the following commands.
|
/etc/cron.d/cron.allow does not exist and should exist with one entry for root.
/etc/cron.d/at.allow does not exist and should exist and be empty.
WARNING cron(8) access is not restricted to root-only
Name services are set to all local (files) only
Rule ID | OSC-36500 |
Result | informational |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | info |
Identifiers and References | |
Description |
The operating system uses a number of databases of information
about hosts, users (passwd(5), shadow(5), and
user_attr(5)), and groups. Data for these can come from a
variety of sources: hostnames and host addresses, for example,
can be found in /etc/hosts, NIS, LDAP, DNS, or Multicast DNS.
Systems in restricted environments may be more secure
if these entries are restricted to only local files, but such
restriction will vary per your circumstances.
See the nsswitch.conf(5) man page for more information.
|
Find and list remote consoles
Rule ID | OSC-56505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Remote consoles can be a source of unauthorized access.
A system console should be kept physically secure
and no unauthorized consoles should be defined.
The «consadm -p» command displays alternate consoles across reboots.
If none are defined, the command displays no output.
See the consadm(8) man page.
|
Remote serial logins are disabled
Rule ID | OSC-69010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Serial logins can be a source of unauthorized access.
Login services should not be enabled for serial ports
that are not required to support the purpose of the system.
|
Restrict root Login to System Console
Rule ID | OSC-59510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The root account should not be able to log in remotely,
and its actions should be monitored.
See the login(1) man page.
|
ftp(1) is restricted to a specific set of users
Rule ID | OSC-19000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
FTP file transfers should not be available to all users,
and must require qualified users to supply their names and password.
In general, system users should not be allowed to use FTP.
This check verifies that system accounts are included
in the /etc/ftpd/ftpusers file so that they are not allowed to use FTP.
See the ftp(1) man page.
|
Files written in ftp(1) sessions have a suitable umask
Rule ID | OSC-18500 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The FTP server does not necessarily use
the user’s system file creation mask.
Setting the FTP umask ensures that files transmitted over FTP
use a strong file creation umask.
See the umask(1) and proftpd(8) man pages.
|
Remediation description:
Set a strong default file creation mask for files
that are created by the FTP server.
# pfedit /etc/proftpd.conf
Umask 027 |
The GNOME desktop has suitable screensaver settings
Rule ID | OSC-21000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The timeout parameter for the xscreensaver application
specifies the amount of time
that the keyboard and mouse can be inactive
before a password-protected screensaver appears.
See the xscreensaver(1) man page.
|
gdm(8) does not accept logins without passwords
Rule ID | OSC-20010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | high |
Identifiers and References | |
Description |
Automatic logins are a known security risk
for other than public kiosks.
By default, GNOME automatic login is disallowed,
so users must supply a password.
Automatic and Timed login is controlled by the
entries in /etc/gdm/custom.conf
See the gdm(8) man page.
|
ssh(1) requires passwords
Rule ID | OSC-73010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Logins without a password put the system at risk.
In the default remote login service, Secure Shell (SSH),
the PermitEmptyPasswords parameter in the /etc/ssh/sshd_config file
should remain set to no.
See the sshd_config(5) man page. |
ssh(1) does not forward X11
Rule ID | OSC-74510 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The X11Forwarding parameter
in the /etc/ssh/sshd_config file specifies
whether users can forward an X Window session
through an encrypted tunnel.
This parameter allows the remote user to display windows remotely
over Secure Shell.
See the sshd_config(7) and X(5) man pages.
|
Remediation description:
By default, X11Forwarding is set to yes.
X11Forwarding could permit a malicious user
to secretly open an X11 connection to a different client
and perform unobtrusive activities such as keystroke monitoring.
If the remote window display is not required, disable or restrict it,
then restart the ssh service.
# pfedit /etc/ssh/sshd_config
X11Forwarding no
# svcadm restart svc:/network/ssh |
Consecutive login attempts for ssh(1) are limited
Rule ID | OSC-72511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, the MaxAuthTries parameter
in the /etc/ssh/sshd_config file is set to 6.
This parameter specifies the maximum number of authentication attempts
that the server permits before ending the connection.
By restricting the number of failed authentication attempts,
Secure Shell lessens the effectiveness of brute-force login attempts.
It is important to note that setting MaxAuthTries to 6
actually provides only 3 failed login attempts
because of the way SSH counts failures.
See the sshd_config(5) man page.
|
rhost-based authentication in ssh(1) is disabled
Rule ID | OSC-74010 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
rhost-based authentication in Secure Shell
allows users to remotely log in without supplying a password.
The IgnoreRhosts parameter specifies
whether .rhosts and .shosts files can be used rather than a password.
See the sshd_config(5) and hosts.equiv(5) man pages.
|
root login by using ssh(1) is disabled
Rule ID | OSC-61510 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, remote root logins are not permitted
because root is a role and roles cannot log in.
If root has been changed to a user,
the default value of the PermitRootLogin parameter
in the /etc/ssh/sshd_config file prevents root from remotely logging in.
See the sshd_config(5) man page.
|
Service svc:/network/ldap/client:default is in disabled state
Rule ID | OSC-32400 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | low |
Identifiers and References | |
Description |
The ldap client service is required to connect
to an LDAP server. See the ldapclient(8) man page.
This policy requires that the service be disabled. Relationship to other Rules: This rule is related to the OSC-32410 LDAP client protocol rule. |
LDAP client transport configured to use a TLS based LDAP protocol
Rule ID | OSC-32410 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
This rule validates that the LDAP client transport is configured to
use a valid TLS based LDAP protocol. See the ldapclient(8) man page for
more information.
Some examples of TLS based LDAP protocols include:
The current value this policy validates for the LDAP protocol being used is: tls:any
Relationship to other Rules: This rule is related to the OSC-32400 LDAP client rule and its associated value setting OSCV-32400. If the value for OSCV-32400 is set to disabled, this rule will always pass, because the policy for your system is NOT to use LDAP. If the value for OSCV-32400 is set to enabled, this rule will pass if the LDAP client transport is configured to use a valid TLS based LDAP protocol.
Tailoring: The policy that this rule checks for is tailorable using the compliance tailoring feature for the OSCV-32410 value. The default value is set to «tls:any», which will match any TLS-based LDAP protocol. When tailoring you can also select among values that are specific LDAP protocols, such as tls:simple or a number of tls:sasl protocols. |
Service svc:/ldoms/ldmd:default is in enabled state
Rule ID | OSC-32460 |
Result | notapplicable |
Multi-check rule | no |
Time | 2025-01-28T17:46:23+01:00 |
Severity | low |
Identifiers and References | |
Description |
The LDOMs services are required for the proper
operation of LDOMs primary domain and guest services.
This policy requires that the service be enabled and requires that the ldmd/xmpp_enabled SMF property is true, that the ldmd/incoming_migration_enabled SMF property is true and that the ldmd/outgoing_migration_enabled SMF property is true. |
The auditd(8) daemon is enabled
Rule ID | OSC-02511 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:23+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Auditing is a service, svc:/system/auditd,
that is enabled by default and should not be disabled.
See the audit(8) man page.
|
Audit parameters are set to recommended values
Rule ID | OSC-02001 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:46:24+01:00 |
Severity | medium |
Identifiers and References | |
Description |
At minimum, events in the lo class are audited
and audit policy is set to argv,cnt.
Add audit classes and policy per your site’s security requirements.
See the auditconfig(8) man page.
|
Remediation description: An administrator with the Audit Configuration rights profile can get and set audit parameters. This check validates that auditing is enabled for a recommended set of audit flags and root audit flags. To manually remediate a failure on this check, you run the following commands:
|
root audit flags not set correctly
All roles are audited with the «cusa» audit class
Rule ID | OSC-03000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:46:24+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The cusa audit class contains events that cover administrative actions
that could affect the system’s security posture.
See the audit_class(5), audit_event(5), rolemod(8), and userattr(1)
man pages.
|
Passwords are hashed with a secure algorithm
Rule ID | OSC-44000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | high |
Identifiers and References | |
Description |
The hash used is determined by values of CRYPT_ALGORITHMS_ALLOW and
CRYPT_DEFAULT set in /etc/security/policy.conf file. The value for
SHA-256 is «5», and the value for SHA-512 is «6».
To confirm that the algorithm is properly set, check the second field in the /etc/shadow file,
which indicates the algorithm that was used to create the password hash.
If the algorithm is set to SHA-256, the entry begins with «$5$».
If the algorithm is set to SHA-512, the entry begins with «$6$».
See the crypt.conf(5) and policy.conf(5) man pages.
|
Password history logs the last ten passwords
Rule ID | OSC-44510 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | medium |
Identifiers and References | |
Description |
HISTORY in the /etc/default/passwd file prevents users
from using similar passwords within the HISTORY value.
If MINWEEKS is set to 3 and HISTORY is set to 10,
passwords are checked for reuse for ten months.
See the passwd(1) man page.
|
Remediation description:
In the /etc/default/passwd file, set the HISTORY variable to 10.
|
Passwords allow repeat characters
Rule ID | OSC-45000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | medium |
Identifiers and References | |
Description |
MAXREPEATS in the /etc/default/passwd file allows users
to repeat characters in passwords.
The default is 0, which permits repeated characters.
Any other value indicates how many characters can be repeated.
See the passwd(1) man page.
|
Passwords allow whitespace
Rule ID | OSC-52000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | medium |
Identifiers and References | |
Description |
WHITESPACE in the /etc/default/login file indicates
whether passwords can include the space character.
The space character provides some protection
against dictionary-based password attacks.
The default is YES.
See the passwd(1) man page.
|
Passwords must have at least 2 alphabetic characters
Rule ID | OSC-46500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINALPHA in the /etc/default/passwd file indicates
the minimum number of alphabetic characters that passwords must contain.
Alphabetic characters provide more values
than numeric or special characters, so allow for more variation.
The default value is 2.
The policy states the password must have a minimum of 2 alphabetic characters. See the passwd(1) man page. |
Passwords must differ by at least 3 characters
Rule ID | OSC-47000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINDIFF in the /etc/default/passwd file indicates
the minimum number of characters that a password
must differ from the previous value.
The policy states the password must differ from the previous one by at least 3 characters. |
Passwords require at least 0 digits
Rule ID | OSC-47500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINDIGIT in the /etc/default/passwd file indicates
the minimum number of digits that a password must contain.
Digits provide some protection against dictionary-based
password attacks.
The default is 0.
The policy states the password must have a minimum of 0 digits. See the passwd(1) man page. |
Passwords must have at least 1 lower-case characters
Rule ID | OSC-48000 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:24+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINLOWER in the /etc/default/passwd file indicates
the minimum number of lower-case characters that a password must have.
The policy states the password must have a minimum of 1 lower-case characters. |
Remediation description: Edit the /etc/default/passwd file and set the MINLOWER parameter to the policy minimum password lower-case character count, which is 1.
# pfedit /etc/default/passwd
MINLOWER=1 |
Passwords require at least 1 non-alphabetic characters
Rule ID | OSC-48500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINNONALPHA in the /etc/default/passwd file indicates
the minimum number of non-alphabetic characters
that a password must contain.
Non-alphabetic characters provide
some protection against dictionary-based password attacks.
The default is 0.
The policy states the password must have a minimum of 1 non-alphabetic characters. See the passwd(1) man page. |
Passwords must have at least 1 special characters
Rule ID | OSC-49000 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINSPECIAL in the /etc/default/passwd file indicates
the minimum number of special characters that a password must have.
The policy states the password must have a minimum of 1 special characters. |
Remediation description: Edit the /etc/default/passwd file and set the MINSPECIAL parameter to the policy minimum password special character count, which is 1.
# pfedit /etc/default/passwd
MINSPECIAL=1 |
Passwords require at least 0 upper-case characters
Rule ID | OSC-49500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINUPPER in the /etc/default/passwd file indicates
the minimum number of upper-case letters that a password must contain.
Upper-case letters provide some protection
against dictionary-based password attacks.
The default is 0.
The policy states the password must have a minimum of 0 upper-case characters. See the passwd(1) man page. |
Passwords must be at least 8 characters long
Rule ID | OSC-46000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | high |
Identifiers and References | |
Description |
PASSLENGTH in the /etc/default/passwd file indicates
the minimum number of characters that a password must contain.
A longer password length plus a strong password hashing algorithm
provides some protection against password attacks.
The policy states the password must be at least 8 characters long. |
The minimum weeks between password changes is 3
Rule ID | OSC-50000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | high |
Identifiers and References | |
Description |
MINWEEKS in the /etc/default/passwd file indicates
the minimum number of weeks before a password can be changed.
This value prevents users from reusing a password quickly.
The default is unspecified.
The policy states that the minimum number of weeks is 3. See the passwd(1) man page. |
Passwords must be changed at least every 13 weeks
Rule ID | OSC-45513 |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | medium |
Identifiers and References | |
Description |
MAXWEEKS in the /etc/default/passwd file indicates
the maximum number of weeks that a password can be used.
This value is a balance between users remembering a new password
and malicious users attacking long-term passwords.
The default is unspecified.
See the passwd(1) man page.
|
Remediation description:
In the /etc/default/passwd file, set the MAXWEEKS variable to 13.
|
DICTIONBDIR is set to /var/passwd
Rule ID | OSC-43500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | medium |
Identifiers and References | |
Description |
DICTIONBDIR in the /etc/default/passwd file points
to the /var/passwd dictionary by default.
A password dictionary can strengthen users’ password selection
by preventing the use of common words or letter combinations.
The passwd command performs dictionary lookups in the dictionary
that DICTIONBDIR indicates.
See the passwd(1) man page.
|
DISABLETIME for logins must be set to 20
Rule ID | OSC-32500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | medium |
Identifiers and References | |
Description |
DISABLETIME in the /etc/default/login file
is set to 20 by default.
Any value greater than zero indicates the seconds
before a login prompt appears after RETRIES failed login attempts.
This delay can mitigate rapid-fire, brute force attacks
on passwords.
See the login(1) man page.
The policy states that DISABLETIME must be set to 20. |
SLEEPTIME following an invalid login attempt must be set to 4
Rule ID | OSC-33500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | medium |
Identifiers and References | |
Description |
SLEEPTIME in the /etc/default/login file
is set to 4 by default.
This number indicates the number of seconds that elapse
before the «login incorrect» message appears
after an incorrect password is typed.
The maximum number is 5.
This delay can mitigate rapid-fire, brute force attacks
on passwords.
See the login(1) man page.
The policy states that SLEEPTIME must be set to 4. |
NAMECHECK for passwords is set to YES
Rule ID | OSC-50500 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:25+01:00 |
Severity | medium |
Identifiers and References | |
Description |
NAMECHECK in the /etc/default/passwd file indicates
whether login names are checked in the files naming service.
The default, YES, prevents malicious users
from using a login name that is not in a local file.
See the passwd(1) man page.
|
Logins require passwords
Rule ID | OSC-33000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:46:26+01:00 |
Severity | medium |
Identifiers and References | |
Description |
PASSREQ in the /etc/default/login file indicates
whether logins require passwords.
Passwords are required for defense against computer attacks.
The default is YES.
See the login(1) man page.
|
System accounts are not changed
Rule ID | OSC-26005 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Oracle Solaris is installed with correctly configured password
configuration for all system accounts. These accounts should not
have their password configuration changed from the configuration
specified in the packaging.
This rule validates, for all system accounts, that the password configuration in the /etc/shadow file matches the configuration in the packaging. Note: The «pkg verify» command also does this checking, so if your benchmark is already running the pkg verify rule (OSC-54005), this rule can be tailored to not run. |
Default system accounts are no-login
Rule ID | OSC-51505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:15+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Oracle Solaris is installed
with correctly configured system accounts.
These accounts should not be modified.
|
Only system accounts have UIDs less than 100 and all come from packages
Rule ID | OSC-25505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Only system accounts have UIDs less than 100, and all of them come from packages.
Users that are not system user accounts should not be assigned
UIDs less than 100.
This rule validates that all users that are not system user accounts defined in a package have UIDs greater than or equal to 100. |
root is a role
Rule ID | OSC-59000 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:47:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
By default, root is a role.
Roles cannot log in directly.
Rather, a user logs in and then assumes the root role,
thus providing an audit trail of who is operating as root.
See the roles(1), user_attr(5), and usermod(8) man pages.
|
Remediation description:
If the command «userattr type root» reports no output, then change
the account to a role account and assign the root role to an
appropriate set of users.
|
'userattr type root' reports that root is not of type 'role'
root is the only user with UID=0
Rule ID | OSC-61001 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:19+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The UID of 0 has superuser privileges.
Only root should have those privileges.
|
Root passwords are hashed with a secure algorithm
Rule ID | OSC-60000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:47:19+01:00 |
Severity | high |
Identifiers and References | |
Description |
The second field in the /etc/shadow file indicates the algorithm that
was used to create the password hash.
If the entry begins with «$5$»,
then the password is hashed with the SHA-256 algorithm.
If the entry begins with «$6$»,
then the password is hashed with the SHA-512 algorithm.
See the crypt.conf(5) and policy.conf(5) man pages.
|
The root PATH variable is correct
Rule ID | OSC-60505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The root PATH variable should not include
the current directory (.), or any paths not related to administration.
|
RBAC *_attr.d files are not group or world writable
Rule ID | OSC-56000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Oracle Solaris ships with Role Based Access Control (RBAC).
This feature enables administrators to delegate
specific, limited, additional privileges and authorizations
to individual users to administer parts of the system
without giving them access to the root account.
The static *_attr files are validated by OSC-54005-pkg-verify.
This check verifies the packaged and unpackaged file contents in the
user_attr.d, auth_attr.d, exec_attr.d and prof_attr.d directories in
/etc and /etc/security are not group or world writable and are only owned
by ‘root’.
|
shadow(5) password fields are not empty
Rule ID | OSC-51005 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:47:20+01:00 |
Severity | high |
Identifiers and References | |
Description |
The second field in the /etc/shadow file contains passwords.
When creating roles, you can easily forget to assign a password.
See the shadow(5) and passwd(1) man pages.
|
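The two shadow(5) rules above, OSC-60000 (hash algorithm) and OSC-51005 (empty password field), both reduce to classifying the second field of each entry. The script below is an added example, not part of the Oracle benchmark or of this report: it classifies the field by its prefix ($5$ SHA-256, $6$ SHA-512, $1$ or $md5$ MD5 variants, $2a$ Blowfish, a 13-character string for legacy DES crypt, Solaris lock markers such as *LK* and NP), then audits a constructed shadow sample and reports every account that is empty or uses anything weaker than SHA-256. The sample lines are constructed, not taken from any real system. The algorithm new passwords receive is governed by CRYPT_DEFAULT in /etc/security/policy.conf; existing hashes are only re-encoded when the user next changes the password, which is why the audit looks at the stored field rather than the policy.

```shell
# Added example (not Oracle's benchmark code).

# usage: hash_algorithm <password-field>
# prints: empty, locked, sha256, sha512, md5, blowfish, des or unknown
hash_algorithm() {
    case $1 in
        '')                          echo empty ;;      # no password: anyone can log in
        '*LK*'*|NP|'*NP*'|'*')       echo locked ;;     # Solaris lock / no-password markers
        '$6$'*)                      echo sha512 ;;
        '$5$'*)                      echo sha256 ;;
        '$1$'*|'$md5'*)              echo md5 ;;        # BSD MD5 or Sun MD5
        '$2a$'*|'$2b$'*|'$2y$'*)     echo blowfish ;;
        *)
            # legacy crypt(3) DES: exactly 13 characters from [A-Za-z0-9./]
            if [ "${#1}" -eq 13 ] && printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# usage: audit_shadow <shadow-text>
# prints "<user> <classification>" for accounts that fail either rule;
# prints nothing when every field is locked or hashed with SHA-256/SHA-512
audit_shadow() {
    printf '%s\n' "$1" | while IFS=: read -r name pw rest; do
        [ -n "$name" ] || continue
        alg=$(hash_algorithm "$pw")
        case $alg in
            sha256|sha512|locked) ;;
            *) echo "$name $alg" ;;
        esac
    done
}

# Constructed sample: the hash strings are placeholders, not real password hashes.
SHADOW_SAMPLE='root:$6$saltsalt$hashhashhash:19751::::::
jdoe:$5$saltsalt$hashhash:19751::::::
legacy:ab1234567890.:19751::::::
oldmd5:$1$salt$hash:19751::::::
norole::19751::::::
daemon:NP:6445::::::
svc:*LK*$6$x$y:6445::::::'

# Stand-alone run: three findings (legacy des, oldmd5 md5, norole empty).
audit_shadow "$SHADOW_SAMPLE" | sed 's/^/FAIL: /'
```

On a live Solaris system read the fields with pfexec or as root and pass the contents of /etc/shadow to audit_shadow; the "norole" case is the forgotten-password-on-a-role mistake the OSC-51005 description warns about.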
All groups specified in /etc/passwd are defined in /etc/group
Rule ID | OSC-24505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Users are assigned to at least one group
and can be assigned to secondary groups.
All groups must be defined in the /etc/group file.
|
Find and list duplicate GIDs
Rule ID | OSC-22500 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Groups, like users, are unique.
Duplicate group IDs must be removed.
|
Find and list duplicate group names
Rule ID | OSC-23000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Groups, like users, are unique.
Duplicate group names must be removed.
|
Find and list duplicate UIDs
Rule ID | OSC-23500 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Users are identified by IDs, which must be unique.
Duplicate user IDs must be removed.
|
Find and list duplicate usernames
Rule ID | OSC-24000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:20+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Users log in by name, which must be unique.
Duplicate user names must be removed.
|
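The account-database rules in this group are all consistency checks over passwd(5) and group(5). The script below is an added example, not part of the Oracle benchmark or of this report: it runs those checks over constructed passwd and group text, covering duplicate user names and UIDs (OSC-24000, OSC-23500), duplicate group names and GIDs (OSC-23000, OSC-22500), primary GIDs with no entry in group (OSC-24505), and accounts other than root with UID 0 (OSC-61001 above). The sample entries are constructed. On a real system substitute the contents of /etc/passwd and /etc/group; this looks only at the local files, not at other name services listed in nsswitch.

```shell
# Added example (not Oracle's benchmark code).

# usage: dup_field <field-number> <colon-separated-text>
# prints each value of that field that occurs more than once
dup_field() {
    printf '%s\n' "$2" | awk -F: -v f="$1" 'NF { c[$f]++ } END { for (v in c) if (c[v] > 1) print v }' | sort
}

# usage: undefined_gids <passwd-text> <group-text>
# prints "user gid" for each passwd entry whose primary GID has no group entry
undefined_gids() {
    # space-delimited list of known GIDs, padded so " 1 " cannot match " 10 "
    known=" $(printf '%s\n' "$2" | awk -F: 'NF { print $3 }' | tr '\n' ' ')"
    printf '%s\n' "$1" | awk -F: -v known="$known" 'NF && index(known, " " $4 " ") == 0 { print $1, $4 }'
}

# usage: extra_uid0 <passwd-text>; prints accounts other than root with UID 0
extra_uid0() {
    printf '%s\n' "$1" | awk -F: 'NF && $3 == 0 && $1 != "root" { print $1 }'
}

# usage: account_db_audit <passwd-text> <group-text>; one labelled finding per line
account_db_audit() {
    dup_field 1 "$1"         | sed 's/^/duplicate-username /'
    dup_field 3 "$1"         | sed 's/^/duplicate-uid /'
    dup_field 1 "$2"         | sed 's/^/duplicate-groupname /'
    dup_field 3 "$2"         | sed 's/^/duplicate-gid /'
    undefined_gids "$1" "$2" | sed 's/^/undefined-primary-gid /'
    extra_uid0 "$1"          | sed 's/^/extra-uid0 /'
}

# Constructed samples containing one instance of each defect.
PASSWD_SAMPLE='root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
jdoe:x:101:10:Jane Doe:/export/home/jdoe:/usr/bin/bash
bsmith:x:102:10:Bob Smith:/export/home/bsmith:/usr/bin/bash
jdoe:x:103:10:Duplicate Jane:/export/home/jdoe2:/usr/bin/bash
toor:x:0:0:Second UID 0:/root:/usr/bin/bash
contractor:x:104:4242:No such group:/export/home/contractor:/usr/bin/bash'
GROUP_SAMPLE='root::0:
other::1:
staff::10:
pelayo::100:
staff::101:'

# Stand-alone run: five findings (jdoe, uid 0, staff, contractor 4242, toor).
account_db_audit "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```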
Inactive user accounts will be locked after 35 days
Rule ID | OSC-25000 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:47:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Inactive user accounts can provide a back door into the system.
User accounts should be locked after a period of inactivity.
|
Remediation description:
Inactive user accounts can be locked in a number of ways.
MAXWEEKS can be set in the /etc/default/passwd file;
alternatively, defaults can be set using useradd.
See the useradd(8), passwd(1), and passwd(5) man pages.
To manually lock an account:
# passwd -l <username>
To set the default inactive time, change the value of MAXWEEKS in the /etc/default/passwd file:
# pfedit /etc/default/passwd
...
MAXWEEKS=5
or set the default with useradd:
# useradd -D -f 35
Note that MAXWEEKS in /etc/default/passwd is the maximum password age in weeks (see passwd(5)): it forces a password change but does not by itself lock an idle account. The value this rule measures, the inactive account lockout period (0 on this system, meaning no lockout), is the useradd default set with «useradd -D -f 35»; an individual account's value is set with «usermod -f 35 <username>». |
Inactive account lockout period is set to 0
The user UMASK is 022
Rule ID | OSC-94000 |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | |
Time | 2025-01-28T17:47:21+01:00 |
Severity | high |
Identifiers and References | |
Description |
UMASK in the /etc/default/login file is the file mode creation mask
applied to files and directories a user creates after login;
the bits set in it are removed from the default permissions.
This value should not allow group or world write.
The default value is 022, which allows group and world
to read files owned by a user.
See the login(1) man page.
|
Local users are assigned home directories
Rule ID | OSC-94501 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Users need a place to store and create files.
A home directory enables a user to place configuration files,
such as the .profile file, and ongoing work in a directory
that is owned by the user.
|
Home directories for all users exist
Rule ID | OSC-93505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Users need a place to store and create files.
A home directory enables a user to place configuration files,
such as the .profile file, and ongoing work in a directory
that is owned by the user.
|
User home directories have appropriate permissions
Rule ID | OSC-93005 |
Result | fail |
Multi-check rule | no |
Time | 2025-01-28T17:47:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Home directories must be writable and searchable
by their owners.
Typically, other users do not have rights to modify those files
or add files to the user’s home directory.
|
Remediation description:
User home directories should have permissions of 750
to prevent other users
from having inappropriate access to their files.
See the chmod(1) man page.
|
drwxr-xr-x 2 ebarcia pelayo 7 Aug 1 2024 /export/home/ebarcia
drwxr-xr-x 2 ajcaballero pelayo 7 Aug 1 2024 /export/home/ajcaballero
drwxr-xr-x 2 jvargas pelayo 7 Aug 1 2024 /export/home/jvargas
drwxr-xr-x 2 fmgomez pelayo 7 Aug 1 2024 /export/home/fmgomez
drwxr-xr-x 2 esarabia cgi 8 Aug 1 2024 /export/home/esarabia
User home directory ownership is correct
Rule ID | OSC-92505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:21+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The user must own the user’s home directory.
|
Find and list .rhosts files
Rule ID | OSC-91505 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:22+01:00 |
Severity | medium |
Identifiers and References | |
Description |
.rhosts files can provide easy access to remote hosts
by bypassing the password requirement.
These files should be removed.
|
Find and list .forward files
Rule ID | OSC-90000 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:22+01:00 |
Severity | medium |
Identifiers and References | |
Description |
.forward files can provide easy transport
of information outside the firewall
or outside the user’s home directory.
|
Find and list .netrc files
Rule ID | OSC-90500 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:22+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The .netrc file contains data
for logging in to a remote host over the network
for file transfers by FTP.
|
Permissions on User .netrc Files are correct
Rule ID | OSC-91005 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:22+01:00 |
Severity | medium |
Identifiers and References | |
Description |
The .netrc file contains login credentials
to remote systems for file transfers by FTP.
The permissions should be set to disallow read access
by group and others.
See the chmod(1) man page.
|
Permissions on User «.» (Hidden) Files are correct
Rule ID | OSC-92005 |
Result | pass |
Multi-check rule | no |
Time | 2025-01-28T17:47:22+01:00 |
Severity | medium |
Identifiers and References | |
Description |
Hidden files in a user’s home directory
should be owned by the user.
Directories should allow read-write-execute (rwx) permissions
to the user only.
Files should allow read-write (rw) permissions to the user only.
|
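The two permission rules in this section, OSC-93005 (home directories should be 750, which the 755 entries listed above fail) and OSC-92005 (hidden files rw for the owner only, hidden directories rwx for the owner only), can be reproduced without Solaris-specific tools. The script below is an added example, not part of the Oracle benchmark or of this report: it builds a constructed home-directory tree in a temporary directory, one home like the 755 entries in the finding and one compliant, reads each mode from the first ten characters of `ls -ld` output (identical on Solaris and Linux), and reports what the rules would flag. Directory names and dotfiles are constructed; the real remediation is `chmod 750 /export/home/<user>` for the listed directories and chmod 600/700 for the hidden entries.

```shell
# Added example (not Oracle's benchmark code). Sticky or setgid letters in
# the mode string (t, s) in the group/other positions count as access here,
# which errs on the side of flagging.

# usage: mode_string <path>  -> e.g. drwxr-xr-x
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# usage: home_dir_findings <dir>; one finding per line, nothing when compliant
# (OSC-93005: owner rwx, group without write, others with no access)
home_dir_findings() {
    m=$(mode_string "$1")
    owner=$(printf '%s' "$m" | cut -c2-4)
    group=$(printf '%s' "$m" | cut -c5-7)
    other=$(printf '%s' "$m" | cut -c8-10)
    case $owner in *w*) ;; *) echo owner-not-writable ;; esac
    case $owner in *x*|*s*) ;; *) echo owner-not-searchable ;; esac
    case $group in *w*) echo group-writable ;; esac
    [ "$other" = '---' ] || echo other-accessible     # 755, as in the report, lands here
}

# usage: dotfile_findings <dir>; lists hidden entries granting any access to group or others
# (OSC-92005)
dotfile_findings() {
    for f in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || continue                      # an unmatched glob stays literal; skip it
        m=$(mode_string "$f")
        go=$(printf '%s' "$m" | cut -c5-10)
        [ "$go" = '------' ] || echo "$(basename "$f") $m"
    done
}

# Constructed tree: one 755 home with a 644 .profile (both fail), one compliant home.
make_sample_homes() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/ebarcia"
    : > "$base/ebarcia/.profile"; chmod 644 "$base/ebarcia/.profile"
    mkdir -m 750 "$base/jdoe"
    : > "$base/jdoe/.profile";    chmod 600 "$base/jdoe/.profile"
    mkdir -m 700 "$base/jdoe/.ssh"
    echo "$base"
}

# Stand-alone run over the constructed tree, then clean up.
HOMES=$(make_sample_homes)
for d in "$HOMES"/*; do
    home_dir_findings "$d" | sed "s|^|$d: |"
    dotfile_findings "$d"  | sed "s|^|$d: |"
done
rm -rf "$HOMES"
```

To audit a real system, replace the loop's glob with /export/home/* (or the home fields from /etc/passwd) and drop the cleanup; both functions only read, so running them as a non-root auditor is safe, though directories that deny you search access will be reported by ls rather than by the checks.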