################################################################################
DOCUMENT         : Solaris_11_SPARC_STIG
VERSION          : 003.003.012
CHECKSUM         : d5c26f94522801b12ab97294ac6406b8df5ed1e5fa5575ec195e2f1b9343102a
MANUAL QUESTIONS : 148

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 148
TITLE            : CAT I, V-216288, SV-216288r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:5901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:5901
RULE             : The NIS package must not be installed.
QUESTION_TEXT    : Determine if the NIS package is installed.

# pkg list service/network/nis

If an installed package named "service/network/nis" is listed, this is a finding.

References:
SV-60777
V-47905
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 148
TITLE            : CAT I, V-216290, SV-216290r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:6301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:6301
RULE             : The FTP daemon must not be installed unless required.
QUESTION_TEXT    : Determine if the FTP package is installed.

# pkg list service/network/ftp

If an installed package named "service/network/ftp" is listed and not required for operations, this is a finding.

References:
SV-60783
V-47911
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 148
TITLE            : CAT I, V-216291, SV-216291r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:6501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:6501
RULE             : The TFTP service daemon must not be installed unless required.
QUESTION_TEXT    : Determine if the TFTP package is installed.

# pkg list service/network/tftp

If an installed package named "service/network/tftp" is listed and not required for operations, this is a finding.

References:
SV-60785
V-47913
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 148
TITLE            : CAT I, V-216292, SV-216292r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:6701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:6701
RULE             : The telnet service daemon must not be installed unless required.
QUESTION_TEXT    : Determine if the telnet daemon package is installed.

# pkg list service/network/telnet

If an installed package named "service/network/telnet" is listed and vntsd is not in use for LDoms, this is a finding.

References:
SV-60787
V-47915
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 148
TITLE            : CAT I, V-216311, SV-216311r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10101
RULE             : X displays must not be exported to the world.
QUESTION_TEXT    : If X Windows is not used on the system, this is not applicable.

Check the output of the xhost command from an X terminal.

Procedure:
$ xhost
If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.

NOTE: It may be necessary to define the display if the command reports it cannot open the display. 

Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.

References:
SV-75493
V-61025
CCI-000225
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 148
TITLE            : CAT I, V-216456, SV-216456r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33501
RULE             : SNMP communities, users, and passphrases must be changed from the default.
QUESTION_TEXT    : The root role is required.

Check the SNMP configuration for default passwords.
Locate and examine the SNMP configuration.

Procedure:

Find any occurrences of the snmpd.conf file delivered with Solaris packages:

# pkg search -l -Ho path snmpd.conf | awk '{ print "/"$1 }'

# more [filename]

Identify any community names or user password configurations. If any community name or password is set to a default value, such as public, private, snmp-trap, or password, this is a finding.

References:
V-47995
SV-60867
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 148
TITLE            : CAT I, V-219968, SV-219968r958752, SRG-OS-000341
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:39101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:39101
RULE             : The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check the status of the audit system. It must be auditing.

# pfexec auditconfig -getplugin 

If the output of this command does not contain:

p_fsize=4M

this is a finding.

References:
V-49621
SV-62545
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 148
TITLE            : CAT II, V-216258, SV-216258r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:1701
RULE             : The audit system must be configured to audit file deletions.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "fd" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "fd" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
SV-60681
V-47805
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 148
TITLE            : CAT II, V-216259, SV-216259r958368, SRG-OS-000004
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:1901
RULE             : The audit system must be configured to audit account creation.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "ps" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
V-47807
SV-60683
CCI-000018
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 148
TITLE            : CAT II, V-216260, SV-216260r958590, SRG-OS-000239
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:2101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:2101
RULE             : The audit system must be configured to audit account modification.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "ps" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
SV-60685
V-47809
CCI-001403
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 148
TITLE            : CAT II, V-216261, SV-216261r958592, SRG-OS-000240
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:2301
RULE             : The operating system must automatically audit account disabling actions.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "ps" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
SV-60687
V-47811
CCI-001404
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 148
TITLE            : CAT II, V-216262, SV-216262r958594, SRG-OS-000241
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:2501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:2501
RULE             : The operating system must automatically audit account termination.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "ps" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
SV-60689
V-47813
CCI-001405
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 148
TITLE            : CAT II, V-216263, SV-216263r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:2701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:2701
RULE             : The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "as" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
V-47815
SV-60691
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 148
TITLE            : CAT II, V-216264, SV-216264r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:2901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:2901
RULE             : The audit system must be configured to audit all administrative, privileged, and security actions.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "as" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
V-47817
SV-60693
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************
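The audit-flag and argv-policy checks in questions 8 through 14 share one evaluation. The following added shell example (not part of this SCC file or the STIG) parses constructed auditconfig output, in the 11.3 key=value form with hex masks and in an assumed single-line 11.4 form, and reports Finding or Not a Finding. Whole-token matching, under which "-ps" does not satisfy "ps", is an assumption.

```shell
#!/bin/sh
# Added example (not part of the SCC manual-questions file or the STIG):
# evaluate the audit-flag and argv-policy checks of questions 8-14 against
# captured auditconfig output. All samples below are constructed; the functions
# only parse text, so this runs on any POSIX shell without a Solaris host.

# Constructed sample in the Solaris 11.3-style "auditconfig -getflags" form:
# flag list followed by a hex mask in parentheses.
SAMPLE_FLAGS_11_3='active user default audit flags = lo,fd,as,-ps(0x1000,0x1000)
configured user default audit flags = lo,fd,as,-ps(0x1000,0x1000)'

# Constructed sample for "auditconfig -t -getflags" on 11.4; a single key=value
# line is assumed, which is what the "cut -f2 -d=" in the check implies.
SAMPLE_FLAGS_11_4='active user default audit flags=cusa,fm,fd,-fa,-ps,-ex'

# Constructed sample of "auditconfig -getpolicy" output.
SAMPLE_POLICY='configured audit policies = argv,cnt
active audit policies = argv,cnt'

# active_flags OUTPUT: print the active flag list with the "(mask)" suffix and
# surrounding spaces removed. Falls back to the whole output when no line
# contains "active" (terse output).
active_flags() {
    line=$(printf '%s\n' "$1" | grep active || true)
    [ -n "$line" ] || line=$1
    printf '%s\n' "$line" | cut -f2 -d= | sed 's/(.*//; s/^ *//; s/ *$//'
}

# has_flag FLAGLIST FLAG: succeed only when FLAG is a whole comma-separated
# token of FLAGLIST. "-ps" (failures only) therefore does not satisfy "ps";
# this conservative reading of the check text is an assumption.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_flags FLAGLIST REQUIRED: print the comma-separated subset of REQUIRED
# (e.g. "cusa,fm,fd,-fa,-ps,-ex") that is absent from FLAGLIST.
missing_flags() {
    missing=""
    old_ifs=$IFS
    IFS=,
    for f in $2; do
        has_flag "$1" "$f" || missing="$missing$f,"
    done
    IFS=$old_ifs
    printf '%s\n' "${missing%,}"
}

# flag_check OUTPUT REQUIRED: the per-version flag test of questions 8-14.
flag_check() {
    m=$(missing_flags "$(active_flags "$1")" "$2")
    if [ -z "$m" ]; then
        echo "Not a Finding"
    else
        echo "Finding: missing $m"
    fi
}

# argv_check OUTPUT: the active audit policies line must list argv.
argv_check() {
    if printf '%s\n' "$1" | grep active | grep -q argv; then
        echo "Not a Finding"
    else
        echo "Finding: argv not in active audit policies"
    fi
}

echo "Q8  (11.3, needs fd): $(flag_check "$SAMPLE_FLAGS_11_3" fd)"
echo "Q9  (11.3, needs ps): $(flag_check "$SAMPLE_FLAGS_11_3" ps)"
echo "Q9  (11.4 flag set):  $(flag_check "$SAMPLE_FLAGS_11_4" cusa,fm,fd,-fa,-ps,-ex)"
echo "argv policy:          $(argv_check "$SAMPLE_POLICY")"
```

On a real host, replace each SAMPLE_* string with the output of the corresponding command from the question text.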

QUESTION         : 15 of 148
TITLE            : CAT II, V-216276, SV-216276r1038966, SRG-OS-000047
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:4101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:4101
RULE             : The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

# pfexec auditconfig -getpolicy | grep ahlt

If the output does not include "ahlt" as an active audit policy, this is a finding.

# pfexec auditconfig -getpolicy | grep active | grep cnt

If the output includes "cnt" as an active audit policy, this is a finding.

References:
V-47863
SV-60737
CCI-000140
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 148
TITLE            : CAT II, V-216277, SV-216277r958434, SRG-OS-000057
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:4301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:4301
RULE             : The operating system must protect audit information from unauthorized access.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the directory storing the audit files is owned by root and has permissions 750 or less.

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

Determine the location of the audit trail files:
# pfexec auditconfig -getplugin audit_binfile

The output will appear in this form:

Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit

Check that the audit directory is owned by root, the group is root, and the permissions are 750 (rwxr-x---) or less. If the permissions are excessive, this is a finding.

References:
V-47869
SV-60741
CCI-000162
CCI-000163
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************
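Questions 7 and 16 both read attributes from the audit_binfile plugin, and question 16 additionally interprets "750 or less". The following added shell example (not from the SCC file or the STIG) parses constructed auditconfig and ls -ld output and applies both checks. Reading "750 or less" as a bitmask test (no permission bit set outside 750) is an assumption.

```shell
#!/bin/sh
# Added example (not part of the SCC manual-questions file or the STIG):
# evaluate questions 7 and 16 from captured command output. The samples below
# are constructed; the functions only parse text, so this runs on any POSIX
# shell without a Solaris host.

# Constructed sample of "auditconfig -getplugin audit_binfile" output, in the
# form shown in question 16.
SAMPLE_PLUGIN='Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1'

# Constructed sample of "ls -ld" on the audit directory.
SAMPLE_LS='drwxr-x---   2 root     root           7 Jan  1 00:00 /var/share/audit'

# plugin_attr OUTPUT NAME: print the value of attribute NAME (e.g. p_dir) from
# the "Attributes:" line; empty if absent.
plugin_attr() {
    printf '%s\n' "$1" | sed -n 's/^Attributes: *//p' | tr ';' '\n' \
        | sed -n "s/^$2=//p"
}

# fsize_check OUTPUT: question 7 requires p_fsize=4M on the plugin.
fsize_check() {
    if [ "$(plugin_attr "$1" p_fsize)" = "4M" ]; then
        echo "Not a Finding"
    else
        echo "Finding: p_fsize is '$(plugin_attr "$1" p_fsize)', expected 4M"
    fi
}

# sym_to_octal SYMBOLIC: convert the nine-character permission field
# (e.g. rwxr-x---) to octal. s and t count as the underlying x bit; S and T
# (special bit without x) count as no x. The special bits are not reported.
sym_to_octal() {
    perms=$1
    oct=""
    i=0
    while [ $i -lt 9 ]; do
        triple=$(printf '%s' "$perms" | cut -c$((i+1))-$((i+3)))
        v=0
        case "$triple" in r??) v=$((v+4)) ;; esac
        case "$triple" in ?w?) v=$((v+2)) ;; esac
        case "$triple" in ??[xst]) v=$((v+1)) ;; esac
        oct="$oct$v"
        i=$((i+3))
    done
    printf '%s\n' "$oct"
}

# audit_dir_check LS_LINE: question 16 requires owner root, group root and a
# mode of 750 or less. "Or less" is read as "no permission bit set outside
# 750" (assumption): 700 and 740 pass, 755 and 770 fail.
audit_dir_check() {
    set -- $1
    mode=$(sym_to_octal "$(printf '%s' "$1" | cut -c2-10)")
    owner=$3
    group=$4
    [ "$owner" = "root" ] || { echo "Finding: owner is $owner, not root"; return; }
    [ "$group" = "root" ] || { echo "Finding: group is $group, not root"; return; }
    # Bitwise test: the mode (as octal) must have no bits outside 0750.
    if [ $(( 0$mode & ~0750 )) -eq 0 ]; then
        echo "Not a Finding (mode $mode)"
    else
        echo "Finding: mode $mode exceeds 750"
    fi
}

echo "Q7:  $(fsize_check "$SAMPLE_PLUGIN")"
echo "Q16: audit directory is $(plugin_attr "$SAMPLE_PLUGIN" p_dir)"
echo "Q16: $(audit_dir_check "$SAMPLE_LS")"
```

A trailing "+" on the ls mode field (an extended ACL) does not disturb the parse, but the ACL entries themselves are outside the scope of this check.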

QUESTION         : 17 of 148
TITLE            : CAT II, V-216280, SV-216280r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:4501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:4501
RULE             : The System packages must be up to date with the most recent vendor updates and security fixes.
QUESTION_TEXT    : The Software Installation Profile is required.

An up-to-date Solaris repository must be accessible to the system. Enter the command:

# pkg publisher

to determine the current repository publisher. If a repository is not accessible, it may need to be locally installed and configured.

Check for Solaris software package updates:

# pfexec pkg update -n

If the command does not report "No updates available for this image," this is a finding.

References:
V-47881
SV-60753
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 148
TITLE            : CAT II, V-216282, SV-216282r958610, SRG-OS-000256
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:4701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:4701
RULE             : The operating system must protect audit tools from unauthorized access.
QUESTION_TEXT    : The Software Installation Profile is required.

Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that the output is:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

Check that package permissions are configured and signed per vendor requirements.

# pkg verify

If the command produces any output unrelated to STIG changes, this is a finding.

There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of Python packages. These can be ignored.

References:
SV-60757
V-47885
CCI-001493
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 148
TITLE            : CAT II, V-216283, SV-216283r958612, SRG-OS-000257
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:4901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:4901
RULE             : The operating system must protect audit tools from unauthorized modification.
QUESTION_TEXT    : The Software Installation Profile is required.

Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that the output is:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

Check that package permissions are configured and signed per vendor requirements.

# pkg verify

If the command produces any output unrelated to STIG changes, this is a finding.

There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of Python packages. These can be ignored.

References:
SV-60759
V-47887
CCI-001494
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 148
TITLE            : CAT II, V-216284, SV-216284r958614, SRG-OS-000258
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:5101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:5101
RULE             : The operating system must protect audit tools from unauthorized deletion.
QUESTION_TEXT    : The Software Installation Profile is required.

Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that the output is:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

Check that package permissions are configured and signed per vendor requirements.

# pkg verify

If the command produces any output unrelated to STIG changes, this is a finding.

There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of Python packages. These can be ignored.

References:
V-47889
SV-60761
CCI-001495
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 148
TITLE            : CAT II, V-216285, SV-216285r958634, SRG-OS-000278
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:5301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:5301
RULE             : System packages must be configured with the vendor-provided files, permissions, and ownerships.
QUESTION_TEXT    : The Software Installation Profile is required.

Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that the output is:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

Check that package permissions are configured and signed per vendor requirements.

# pkg verify

If the command produces any output unrelated to STIG changes, this is a finding.

There is currently a Solaris 11 bug 16267888 which reports pkg verify errors for a variety of Python packages. These can be ignored.

References:
SV-60763
V-47891
CCI-001496
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 148
TITLE            : CAT II, V-216287, SV-216287r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:5701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:5701
RULE             : The legacy remote network access utilities daemons must not be installed.
QUESTION_TEXT    : Determine if the legacy remote access package is installed.

# pkg list service/network/legacy-remote-utilities

If an installed package named service/network/legacy-remote-utilities is listed, this is a finding.

References:
SV-60773
V-47901
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 148
TITLE            : CAT II, V-216294, SV-216294r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:7101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:7101
RULE             : The rpcbind service must be configured for local only services unless organizationally defined.
QUESTION_TEXT    : Check the status of the rpcbind service local_only property.
# svcprop -p config/local_only network/rpc/bind

If the value is not "true", this is a finding, unless the setting is required for system operations, in which case this is not a finding.

References:
SV-60791
V-47919
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 148
TITLE            : CAT II, V-216295, SV-216295r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:7301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:7301
RULE             : The VNC server package must not be installed unless required.
QUESTION_TEXT    : Determine if the VNC server package is installed.

# pkg list x11/server/xvnc

If an installed package named "x11/server/xvnc" is listed, this is a finding.

References:
SV-60793
V-47921
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 148
TITLE            : CAT II, V-216297, SV-216297r958478, SRG-OS-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:7501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:7501
RULE             : The operating system must be configured to provide essential capabilities.
QUESTION_TEXT    : Identify the packages installed on the system. 

# pkg list

Any unauthorized software packages listed in the output are a finding.

References:
V-47925
SV-60797
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 148
TITLE            : CAT II, V-216300, SV-216300r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:7901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:7901
RULE             : All run control scripts must have no extended ACLs.
QUESTION_TEXT    : Verify run control scripts have no extended ACLs.

# ls -lL /etc/rc* /etc/init.d

If the permissions include a "+", the file has an extended ACL and this is a finding.

References:
V-59829
SV-74259
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 148
TITLE            : CAT II, V-216302, SV-216302r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:8301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:8301
RULE             : Run control scripts library search paths must contain only authorized paths.
QUESTION_TEXT    : Verify run control scripts' library search paths. 

# find /etc/rc* /etc/init.d -type f -print | xargs grep LD_LIBRARY_PATH

This variable is formatted as a colon-separated list of directories.

If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. 

If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.


References:
V-59833
SV-74263
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 148
TITLE            : CAT II, V-216303, SV-216303r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:8501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:8501
RULE             : Run control scripts lists of preloaded libraries must contain only authorized paths.
QUESTION_TEXT    : Verify run control scripts' library preload list. 

Procedure:

# find /etc/rc* /etc/init.d -type f -print | xargs grep LD_PRELOAD

This variable is formatted as a colon-separated list of paths.

If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. 

If an entry begins with a character other than a slash (/), or has not been documented with the ISSO, this is a finding.
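The criteria of V-216302 (LD_LIBRARY_PATH) and V-216303 (LD_PRELOAD) above are the same: no empty entry and no entry that is not an absolute path. The following is an added example, not part of the STIG text or of SCC, that applies those criteria to the assignments found in a run control script; the function names and the sample script text are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG text): checks the LD_LIBRARY_PATH and
# LD_PRELOAD values found in run control scripts against the criteria of
# V-216302 and V-216303. Function names and the sample script text are
# constructed for this example.

# Validate one colon-separated list value. Returns 0 when acceptable,
# 1 when it contains an empty entry or an entry that is not an absolute path.
check_lib_path_value() {
    value=$1
    # An empty entry makes the loader search the current directory:
    # leading colon, trailing colon, or two consecutive colons.
    case "$value" in
        :*|*:|*::*)
            echo "empty entry in '$value'"
            return 1 ;;
    esac
    # Every remaining entry must begin with a slash.
    rest=$value
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        case "$entry" in
            /*) ;;
            *)  echo "relative entry '$entry' in '$value'"
                return 1 ;;
        esac
        case "$rest" in
            *:*) rest=${rest#*:} ;;
            *)   rest= ;;
        esac
    done
    return 0
}

# Print every value assigned to $1 (LD_LIBRARY_PATH or LD_PRELOAD) in the
# script text given as $2, one per line. Handles an optional leading
# "export", strips surrounding double quotes, and ignores comment lines.
extract_assignments() {
    printf '%s\n' "$2" | awk -v var="$1" '
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            if (index(line, var "=") != 1) next
            v = substr(line, length(var) + 2)
            sub(/^"/, "", v)
            sub(/["; \t].*/, "", v)
            print v
        }'
}

# Check every assignment to $1 in the script text $2.
# Returns 0 if all values are acceptable, 1 if any value is a finding.
check_script_text() {
    status=0
    while IFS= read -r v; do
        [ -n "$v" ] || continue
        check_lib_path_value "$v" || status=1
    done <<EOF
$(extract_assignments "$1" "$2")
EOF
    return $status
}

# Constructed sample of what the grep over /etc/init.d might turn up:
# one acceptable LD_LIBRARY_PATH, two that the STIG calls findings,
# and one acceptable LD_PRELOAD.
SAMPLE_RC_SCRIPT='#!/sbin/sh
LD_LIBRARY_PATH=/usr/lib:/opt/app/lib; export LD_LIBRARY_PATH
export LD_LIBRARY_PATH="/usr/lib::/opt/app/lib"
LD_LIBRARY_PATH=lib:/usr/lib
LD_PRELOAD=/usr/lib/libsomething.so.1
# LD_PRELOAD=this/is/a/comment
'

# Stand-alone run over the sample: reports the two bad LD_LIBRARY_PATH values.
for var in LD_LIBRARY_PATH LD_PRELOAD; do
    if check_script_text "$var" "$SAMPLE_RC_SCRIPT"; then
        echo "$var: not a finding"
    else
        echo "$var: finding"
    fi
done
```

On a live system the same functions can be fed the files named by `find /etc/rc* /etc/init.d -type f` instead of the constructed sample.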


References:
SV-74265
V-59835
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 148
TITLE            : CAT II, V-216304, SV-216304r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:8701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:8701
RULE             : Run control scripts must not execute world writable programs or scripts.
QUESTION_TEXT    : Check the permissions on the files or scripts executed from system startup scripts to see if they are world writable.

Create a list of all potential run command level scripts.

# ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "

Create a list of world writable files.

# find / -perm -002 -type f >> WorldWritableFileList

Determine if any of the world writable files in "WorldWritableFileList" are called from the run command level scripts.

Note: Depending upon the number of scripts vs. world writable files, it may be easier to inspect the scripts manually.

# more `ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "`

If any system startup script executes any file or script that is world writable, this is a finding.

References:
SV-74267
V-59837
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 148
TITLE            : CAT II, V-216307, SV-216307r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:9301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:9301
RULE             : System start-up files must only execute programs owned by a privileged UID or an application.
QUESTION_TEXT    : Determine the programs executed by system start-up files.  Determine the ownership of the executed programs. 

# cat /etc/rc* /etc/init.d/* | more

Check the ownership of every program executed by the system start-up files.

# ls -l <executed program>

If any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.

References:
V-59843
SV-74273
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 148
TITLE            : CAT II, V-216308, SV-216308r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:9501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:9501
RULE             : Any X Windows host must write .Xauthority files.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running.
Procedure:
# ps -ef | grep xdm

Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X.

Procedure:
# cd ~someuser
# ls -la .Xauthority

If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

References:
SV-75471
V-61003
CCI-000297
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 148
TITLE            : CAT II, V-216310, SV-216310r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:9901
RULE             : The .Xauthority files must not have extended ACLs.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running. 

Procedure:
# ps -ef | grep xdm

Check the file permissions for the .Xauthority files. 
# ls -lL .Xauthority

If the permissions include a "+", the file has an extended ACL and this is a finding.

References:
V-61023
SV-75491
CCI-000225
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 148
TITLE            : CAT II, V-216312, SV-216312r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10301
RULE             : .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running. 

Procedure:
# ps -ef | grep xdm

Determine if xauth is being used. 

Procedure:
# xauth 
xauth> list

If the above command sequence does not show any host other than the localhost, then xauth is not being used.

Search the system for X*.hosts files, where * is a display number that may be used to limit X window connections. 

If no files are found, X*.hosts files are not being used. 

If the X*.hosts files contain any unauthorized hosts, this is a finding.

If neither xauth nor X*.hosts files are being used, this is a finding.

References:
SV-75495
V-61027
CCI-000297
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 148
TITLE            : CAT II, V-216313, SV-216313r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10501
RULE             : The .Xauthority utility must only permit access to authorized hosts.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running. 

Procedure:
# ps -ef | grep xdm

Check that X Window system access is limited to authorized clients. 

Procedure:
# xauth 
xauth> list

Ask the SA if the clients listed are authorized. 

If any are not, this is a finding. 

References:
SV-75497
V-61029
CCI-000366
CCI-000225
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 148
TITLE            : CAT II, V-216314, SV-216314r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10701
RULE             : X Window System connections that are not required must be disabled.
QUESTION_TEXT    : Determine if the X Window system is running.

Procedure:
# ps -ef |grep X

Ask the SA if the X Window system is an operational requirement. If it is not, this is a finding.

References:
SV-75499
V-61031
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 148
TITLE            : CAT II, V-216315, SV-216315r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10901
RULE             : The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
QUESTION_TEXT    : Determine if the X11 server system is providing remote services on the network.

# svcprop -p options/tcp_listen svc:/application/x11/x11-server

If the output of the command is "true" and network access to graphical user login is not required, this is a finding.

References:
SV-60801
V-47929
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 148
TITLE            : CAT II, V-216318, SV-216318r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11501
RULE             : TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.
QUESTION_TEXT    : Check that TCP Wrappers are enabled and the hosts.deny and hosts.allow files exist.

# inetadm -p | grep tcp_wrappers

If the output of this command is "tcp_wrappers=FALSE", this is a finding.

# ls /etc/hosts.deny
/etc/hosts.deny
# ls /etc/hosts.allow
/etc/hosts.allow

If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.

References:
SV-60807
V-47935
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 148
TITLE            : CAT II, V-216321, SV-216321r1038967, SRG-OS-000076
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11701
RULE             : User passwords must be changed at least every 60 days.
QUESTION_TEXT    : The root role is required.

Determine if user passwords are properly configured to be changed every 60 days.

Determine the OS version to be secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > "56" || $11 < "1" )) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to enforce password expiration every eight weeks or less.

# grep "^MAXWEEKS=" /etc/default/passwd 

If the command does not report MAXWEEKS=8 or less, this is a finding.

For Solaris 11.4 or newer:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ($11 > "60"|| $11 < "1")) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to enforce password expiration every 60 days or less.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

# grep "^MAXDAYS=" /etc/default/passwd 

If the command does not report MAXDAYS=60 or less, this is a finding.

# grep "^MAXWEEKS=" /etc/default/passwd 

If output is returned, this is a finding.

References:
SV-60815
V-47943
CCI-004066
CCI-000199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 148
TITLE            : CAT II, V-216323, SV-216323r1016269, SRG-OS-000075
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:12101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:12101
RULE             : The operating system must enforce minimum password lifetime restrictions.
QUESTION_TEXT    : The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater. 

Determine the OS version to be secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured for a minimum password change time of one week.

# grep "^MINWEEKS=" /etc/default/passwd 

If the command does not report MINWEEKS=1 or more, this is a finding.

For Solaris 11.4 or newer:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured for a minimum password change time of 1 day.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

# grep "^MINDAYS=" /etc/default/passwd 

If the command does not report MINDAYS=1 or more, this is a finding.

# grep "^MINWEEKS=" /etc/default/passwd 

If output is returned, this is a finding.

References:
SV-60825
V-47953
CCI-004066
CCI-000198
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 148
TITLE            : CAT II, V-216344, SV-216344r1016278, SRG-OS-000003
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:15901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:15901
RULE             : User accounts must be locked after 35 days of inactivity.
QUESTION_TEXT    : Determine whether the 35-day inactivity lock is configured properly.

# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'

If the command returns a result other than 35, this is a finding.

The root role is required for the "logins" command.

For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.

# logins -axo -l [username] | awk -F: '{ print $13 }'


If these commands provide output other than 35, this is a finding.

References:
V-48079
SV-60951
CCI-000017
CCI-003627
CCI-003628
CCI-000795
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 148
TITLE            : CAT II, V-216348, SV-216348r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:16301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:16301
RULE             : Access to a domain console via telnet must be restricted to the local host.
QUESTION_TEXT    : This action applies only to the control domain. 

Determine the domain that you are currently securing.

# virtinfo 
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.

If the current domain is not the control domain, this check does not apply.

Determine if vntsd is in use.

# svcs vntsd
STATE          STIME    FMRI
online         Oct_08   svc:/ldoms/vntsd:default

If the state is not "online", this is not applicable.

Determine if a role has been created for domain console access.

# cat /etc/user_attr | grep solaris.vntsd.consoles
rolename::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role

If a role for "vntsd.consoles" is not established, this is a finding.

References:
V-71495
SV-86119
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 148
TITLE            : CAT II, V-216349, SV-216349r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:16501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:16501
RULE             : Access to a logical domain console must be restricted to authorized users.
QUESTION_TEXT    : The root role is required. This action applies only to the control domain. 

Determine the domain that you are currently securing.

# virtinfo 
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.

If the current domain is not the control domain, this check does not apply.

Determine if the vntsd service is online.

# pfexec svcs vntsd

If the service is not "online", this is not applicable.

Check the status of the vntsd authorization property.

# svcprop -p vntsd/authorization vntsd

If the state is not true, this is a finding.

References:
SV-86121
V-71497
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 148
TITLE            : CAT II, V-216360, SV-216360r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:18701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:18701
RULE             : Unauthorized use of the at or cron capabilities must not be permitted.
QUESTION_TEXT    : Check that "at" and "cron" users are configured correctly.

# ls /etc/cron.d/cron.deny

If cron.deny exists, this is a finding.

# ls /etc/cron.d/at.deny

If at.deny exists, this is a finding.

# cat /etc/cron.d/cron.allow

cron.allow should have a single entry for "root", or the cron.allow file is removed if using RBAC.

If any accounts other than root are listed and they are not properly documented with the IA staff, this is a finding.

# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'

If the output is non-zero, this is a finding, unless RBAC is in use and the at.allow file has been removed.

References:
SV-60997
V-48125
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************

QUESTION         : 44 of 148
TITLE            : CAT II, V-216363, SV-216363r1016279, SRG-OS-000030
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:19301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:19301
RULE             : The operating system must provide the capability for users to directly initiate session lock mechanisms.
QUESTION_TEXT    : Determine whether the lock screen function works correctly.

For Solaris 11, 11.1, 11.2, and 11.3:
In the GNOME 2 desktop System >> Lock Screen.

For Solaris 11.4 or newer:
In the GNOME 3 desktop Status Menu (top right corner) >> Lock Icon, check that the screen locks and displays the "password" prompt.

Check that "Disable Screensaver" is not selected in the GNOME Screensaver preferences. 

If the screen does not lock or the "Disable Screensaver" option is selected, this is a finding.

References:
V-48135
SV-61007
CCI-000057
CCI-000058
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 148
TITLE            : CAT II, V-216366, SV-216366r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:19901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:19901
RULE             : The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
QUESTION_TEXT    : Determine if the "RestrictOutbound" profile is configured properly:

# profiles -p RestrictOutbound info

If the output is not:
name=RestrictOutbound
desc=Restrict Outbound Connections
limitpriv=zone,!net_access

this is a finding.


For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile.

# profiles -l [username]

If the output does not include:

[username]:
RestrictOutbound

this is a finding.

References:
SV-61019
V-48147
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 148
TITLE            : CAT II, V-216372, SV-216372r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:21101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:21101
RULE             : The system must not respond to broadcast ICMP echo requests.
QUESTION_TEXT    : Determine if ICMP echo requests response is disabled.

# ipadm show-prop -p _respond_to_echo_broadcast -co current ip

If the output of this command is not "0", this is a finding.

References:
SV-61053
V-48181
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

QUESTION         : 47 of 148
TITLE            : CAT II, V-216375, SV-216375r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:21701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:21701
RULE             : The system must set strict multihoming.
QUESTION_TEXT    : Determine if strict multihoming is configured.

# ipadm show-prop -p _strict_dst_multihoming -co current ipv4
# ipadm show-prop -p _strict_dst_multihoming -co current ipv6

If the output of all commands is not "1", this is a finding.

References:
V-48193
SV-61065
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 47 *******************************

QUESTION         : 48 of 148
TITLE            : CAT II, V-216378, SV-216378r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:22301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:22301
RULE             : The system must set maximum number of half-open TCP connections to 4096.
QUESTION_TEXT    : Determine if the number of half open TCP connections is set to 4096.

# ipadm show-prop -p _conn_req_max_q0 -co current tcp

If the value of "4096" is not returned, this is a finding.

References:
V-48207
SV-61079
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 48 *******************************

QUESTION         : 49 of 148
TITLE            : CAT II, V-216380, SV-216380r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:22701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:22701
RULE             : The system must disable network routing unless required.
QUESTION_TEXT    : Determine if routing is disabled. 

# routeadm -p | egrep "routing |forwarding" | grep enabled

If the command output includes "persistent=enabled" or "current=enabled", this is a finding.

References:
V-48217
SV-61089
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 49 *******************************

QUESTION         : 50 of 148
TITLE            : CAT II, V-216387, SV-216387r1045450, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23101
RULE             : The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
QUESTION_TEXT    : Ensure that either the IP Filter or Packet Filter Firewall is installed correctly.

Determine the OS version to be secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3 systems that use IP Filter, the IP Filter Management profile is required.

Check that the IP Filter firewall is enabled and configured so that only authorized sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required.

Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include the following lines, this is a finding.

block out log all keep state keep frags
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.4 or newer, which use Packet Filter (PF), the Network Firewall Management rights profile is required to run the commands below.

Check that the Packet Filter firewall is enabled and configured so that only authorized sessions are allowed.

# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

Check that the filters are configured properly.

# pfctl -s rules

If the output of this command does not include a rule that blocks and logs all traffic, such as the following line, this is a finding (the rule does not have to match the example exactly).

block drop log (to pflog0) all

PF applies the last matching rule unless a rule is marked "quick", so the default block must precede the "pass" rules, and any later "pass" rule must be limited to the traffic the organization has authorized. Review the remaining rules as described for IP Filter above; if they are not configured to organizational standards, this is a finding.

Check that the Packet Filter firewall logging daemon is enabled.

# svcs firewall/pflog:default

If pflog is not listed with a state of "online", this is a finding.
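The following shell script is an added example written for this page; it is not part of the STIG or of the SCC content. It wraps the checks above as functions that read one command's output on stdin, so the logic can be exercised here against the constructed sample output embedded in the script, and on a Solaris host against the live commands by running it with STIG_LIVE=1. The release test on the output of "uname -v" in live mode and the return-code convention (1 for a finding, 2 for a PF rule set that needs review) are assumptions of this example, not STIG text.

```sh
#!/bin/sh
# Added example: evaluate the firewall check from command output.
# Each *_ok function reads the output of one command on stdin and returns
# 0 (pass) or non-zero (finding); run with STIG_LIVE=1 on a Solaris host.

# `svcs <fmri>` prints a header line, then "STATE STIME FMRI": pass if STATE is online.
svc_online() { awk 'NR > 1 && $1 == "online" { ok = 1 } END { exit ok ? 0 : 1 }'; }

# Rules the STIG requires verbatim in `ipfstat -io` output (Solaris 11.0-11.3).
IPF_REQUIRED='block out log all keep state keep frags
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32'

# Pass only if every required IP Filter rule appears as a complete line.
ipf_rules_ok() {
    _rules=$(cat); _ok=0
    while read -r _want; do
        printf '%s\n' "$_rules" | grep -qxF -- "$_want" \
            || { echo "missing IP Filter rule: $_want"; _ok=1; }
    done <<EOF
$IPF_REQUIRED
EOF
    return $_ok
}

# `pfctl -s rules` (Solaris 11.4+): pass if a catch-all "block ... log ... all" rule
# exists.  PF is last-match-wins unless a rule says "quick", so a later unrestricted
# "pass ... all" would silently override the default deny: report it and return 2.
pf_rules_ok() {
    awk '
        $1 == "block" && / log( |$)/ && $NF == "all" { blk = NR; next }
        blk && $1 == "pass" && $NF == "all" {
            print "review: rule " NR " overrides the default block: " $0; bad = 1
        }
        END {
            if (!blk) { print "missing: catch-all block/log rule"; exit 1 }
            exit bad ? 2 : 0
        }'
}

# Live mode: choose the IP Filter or PF checks from `uname -v` (assumed to begin
# with 11.0..11.3 on IP Filter releases and 11.4 or later on PF releases).
run_live() {
    case "$(uname -v)" in
        11|11.[0-3]|11.[0-3].*)
            svcs ipfilter | svc_online   || echo "FINDING: ipfilter not online"
            ipfstat -io   | ipf_rules_ok || echo "FINDING: required IP Filter rules absent" ;;
        *)
            svcs firewall:default       | svc_online || echo "FINDING: firewall not online"
            svcs firewall/pflog:default | svc_online || echo "FINDING: pflog not online"
            pfctl -s rules | pf_rules_ok; _rc=$?
            [ "$_rc" -eq 0 ] || echo "FINDING/REVIEW (rc=$_rc): see messages above" ;;
    esac
}

# Constructed sample output for offline use (not captured from a real host).
SAMPLE_SVCS='STATE          STIME    FMRI
online         10:32:01 svc:/network/firewall:default'
SAMPLE_PF='block drop log (to pflog0) all
pass in quick proto tcp from any to any port = 22 flags S/SA keep state
pass out proto tcp all flags S/SA keep state'
SAMPLE_PF_BAD='block drop log (to pflog0) all
pass all'

if [ "${STIG_LIVE:-0}" = 1 ]; then
    run_live
else
    printf '%s\n' "$SAMPLE_SVCS"   | svc_online  && echo "sample svcs: online"
    printf '%s\n' "$SAMPLE_PF"     | pf_rules_ok && echo "sample pf rules: default deny present"
    printf '%s\n' "$SAMPLE_PF_BAD" | pf_rules_ok || echo "sample pf rules with 'pass all': rc=$?"
fi
```

Without live mode the functions can be fed real output directly, for example "pfctl -s rules | pf_rules_ok" after sourcing the file. The separate review code exists because the required "block ... log ... all" line can be present and still be ineffective: PF applies the last matching rule, so a trailing "pass all" defeats the default deny even though the grep-style check in the question would pass.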

References:
SV-61107
V-48235
CCI-000197
CCI-000366
CCI-000877
CCI-000382
CCI-001453
CCI-001941
CCI-002890
CCI-001942
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 50 *******************************

QUESTION         : 51 of 148
TITLE            : CAT II, V-216400, SV-216400r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24501
RULE             : The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
QUESTION_TEXT    : Determine the zone that you are currently securing.

# zonename

If the command output is "global", only the "phys" and SR-IOV interfaces assigned to the global zone require inspection. In a non-global zone, all "phys" and SR-IOV interfaces assigned to that zone require inspection.

Identify if this system has physical interfaces. 

# dladm show-link -Z | grep -v vnic 
LINK                ZONE      CLASS     MTU    STATE    OVER
net0                global    phys      1500   unknown  --
e1000g0             global    phys      1500   up       --
e1000g1             global    phys      1500   up       --
zoneD/net2          zoneD     iptun     65515  up       --

If "phys" appears in the third column, then the interface is physical.   

For each physical interface, determine if the network interface is Ethernet or InfiniBand:

# dladm show-phys [interface name]
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
[name]            Ethernet             unknown    0      half      dnet0

The second column indicates either "Ethernet" or "Infiniband".

For each physical interface, determine if the host is using ip-forwarding:

# ipadm show-ifprop [interface name] | grep forwarding
[name]      forwarding      ipv4  rw   off        --         off        on,off
[name]      forwarding      ipv6  rw   off        --         off        on,off

If "on" appears in the fifth column, then the interface is using ip-forwarding.

For each physical interface, determine if the host is using SR-IOV's Virtual Function (VF) driver:

# dladm show-phys [interface name] | grep vf

If the sixth column includes 'vf' in its name, it is using SR-IOV (ex: ixgbevf0).

For each physical and SR-IOV interface, determine if network link protection capabilities are enabled.

# dladm show-linkprop -p protection
LINK    PROPERTY    PERM   VALUE         DEFAULT   POSSIBLE
net0    protection  rw     mac-nospoof,  --        mac-nospoof,
                           restricted,             restricted,
                           ip-nospoof,             ip-nospoof,
                           dhcp-nospoof            dhcp-nospoof

In each rule below, "missing" means that at least one of the listed values does not appear in the "VALUE" column for that link; all of the listed values must be present.

If the interface uses InfiniBand and any of restricted, ip-nospoof, or dhcp-nospoof is missing, this is a finding.

If the interface uses ip-forwarding and any of mac-nospoof, restricted, or dhcp-nospoof is missing, this is a finding.

If the interface uses SR-IOV and any of mac-nospoof, restricted, or dhcp-nospoof is missing, this is a finding.

If the interface uses Ethernet without ip-forwarding and any of mac-nospoof, restricted, ip-nospoof, or dhcp-nospoof is missing, this is a finding.
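The following shell script is an added example written for this page, not part of the STIG or of the SCC content. It applies the four rules above to every interface: each link is classified from its media type, its forwarding setting and its device name, the required protection set is derived, and the "VALUE" column is compared against it. The record format ("link media forwarding device value") and the parsable-output options used for dladm and ipadm in collect_live are assumptions of this example and should be verified on the release being assessed; the embedded records are constructed, not captured from a host.

```sh
#!/bin/sh
# Added example: apply the link-protection rule above to every interface.
# Input is one record per link, "link media forwarding device value", where
# value is the VALUE column of `dladm show-linkprop -p protection`
# ("--" when nothing is set).  Run with STIG_LIVE=1 on a Solaris host to
# build the records from dladm/ipadm instead of the constructed sample.

# Required protection set for one interface, following the four rules above.
# dladm prints the InfiniBand media type as "Infiniband".
required_protection() {            # $1=media  $2=forwarding (on|off)  $3=device
    case "$1" in
        Infiniband) echo "restricted ip-nospoof dhcp-nospoof" ;;
        *) case "$2:$3" in
               on:*|*:*vf*) echo "mac-nospoof restricted dhcp-nospoof" ;;  # routing host or SR-IOV VF
               *)           echo "mac-nospoof restricted ip-nospoof dhcp-nospoof" ;;
           esac ;;
    esac
}

# Print the members of $1 (space-separated) absent from the VALUE list $2
# (comma-separated; backslash escapes from parsable dladm output are ignored).
missing_protection() {
    _val=",$(printf '%s' "$2" | tr -d '\\'),"
    _acc=""
    for _p in $1; do
        case "$_val" in *",$_p,"*) ;; *) _acc="$_acc${_acc:+ }$_p" ;; esac
    done
    printf '%s\n' "$_acc"
}

# Read records on stdin, print one verdict per link, return 1 if any link is a finding.
check_links() {
    _rc=0
    while read -r _link _media _fwd _dev _val; do
        [ -n "$_link" ] || continue
        _miss=$(missing_protection "$(required_protection "$_media" "$_fwd" "$_dev")" "$_val")
        if [ -z "$_miss" ]; then
            echo "$_link PASS"
        else
            echo "$_link FINDING missing: $_miss"; _rc=1
        fi
    done
    return $_rc
}

# Live record collection.  Assumes the parsable-output options of dladm and
# ipadm shown here (-c with -o field lists); verify them on the target release.
collect_live() {
    dladm show-phys -c -o link,media,device | tr ':' ' ' |
    while read -r _l _m _d; do
        _f=$(ipadm show-ifprop -c -o current -p forwarding -m ipv4 "$_l" 2>/dev/null)
        _v=$(dladm show-linkprop -c -o value -p protection "$_l")
        [ -n "$_v" ] || _v='--'
        echo "$_l $_m ${_f:-off} $_d $_v"
    done
}

# Constructed sample records (not captured from a real host).
SAMPLE='net0 Ethernet off e1000g0 mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
net1 Ethernet on e1000g1 mac-nospoof,restricted,dhcp-nospoof
net2 Infiniband off ibp0 restricted,ip-nospoof,dhcp-nospoof
net3 Ethernet off ixgbevf0 mac-nospoof,restricted
net4 Ethernet off e1000g2 --'

if [ "${STIG_LIVE:-0}" = 1 ]; then
    collect_live | check_links
else
    printf '%s\n' "$SAMPLE" | check_links || echo "one or more interfaces are findings"
fi
```

On the sample, net0 through net2 pass, net3 (an SR-IOV VF) is reported as missing dhcp-nospoof, and net4 (no protection set) is reported as missing all four values. Forwarding hosts and VFs are deliberately not required to carry ip-nospoof, matching the rules above: ip-nospoof restricts outbound IP source addresses to those configured on the link, which would drop forwarded traffic.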

References:
V-48191
SV-61063
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 51 *******************************

QUESTION         : 52 of 148
TITLE            : CAT II, V-216401, SV-216401r958358, SRG-OS-000481
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24701
RULE             : Wireless network adapters must be disabled.
QUESTION_TEXT    : This is N/A for systems that do not have wireless network adapters.

Verify that there are no wireless interfaces configured on the system:

# ifconfig -a


eth0      Link encap:Ethernet  HWaddr b8:ac:6f:65:31:e5  
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::baac:6fff:fe65:31e5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2697529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2630541 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2159382827 (2.0 GiB)  TX bytes:1389552776 (1.2 GiB)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2849 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2849 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2778290 (2.6 MiB)  TX bytes:2778290 (2.6 MiB)


The output above is illustrative only and is in Linux ifconfig format; Solaris 11 ifconfig prints one "flags=" line per interface followed by its addresses. On Solaris 11 the authoritative way to identify a wireless adapter is "dladm show-phys", where a wireless link shows "WiFi" in the MEDIA column ("dladm show-wifi" lists only WiFi links).

If a wireless interface is configured, it must be documented and approved by the local Authorizing Official.

If a wireless interface is configured and has not been documented and approved, this is a finding.


References:
V-72827
SV-87479
CCI-002418
CCI-001443
CCI-001444
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 52 *******************************

QUESTION         : 53 of 148
TITLE            : CAT II, V-216402, SV-216402r958358, SRG-OS-000481
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24901
RULE             : The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

The Crypto Management profile is required to execute this command.

Check to ensure that FIPS-140 encryption mode is enabled.

# cryptoadm list fips-140 | grep -c "is disabled"

If the output of this command is not "0", this is a finding.

References:
V-48187
SV-61059
CCI-000803
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 53 *******************************

QUESTION         : 54 of 148
TITLE            : CAT II, V-216410, SV-216410r958408, SRG-OS-000033
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25101
RULE             : The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
QUESTION_TEXT    : Check the SSH daemon configuration for allowed ciphers.
 
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing or commented out, this is a finding.
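The following shell script is an added example written for this page, not part of the STIG or of the SCC content. It reads sshd_config text on stdin and decides the finding the way the rule above states it: the effective "Ciphers" value must be exactly aes256-ctr,aes192-ctr,aes128-ctr in that order. Unlike the grep in the question, it resolves the value the daemon would actually use (first uncommented occurrence, keyword matched case-insensitively, "=" accepted as separator) and rejects OpenSSH's "+", "-" and "^" list-editing forms. The sshd_config fragments embedded below are constructed.

```sh
#!/bin/sh
# Added example: validate the sshd "Ciphers" setting against the rule above.
# Reads sshd_config text on stdin, so it runs here against constructed samples
# or on a host as:  sshd_config_ciphers_ok < /etc/ssh/sshd_config
REQUIRED_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr'

# Print the effective Ciphers value: OpenSSH honours the first occurrence of a
# keyword, matched case-insensitively, with the value separated by whitespace
# or "=".  Comment and blank lines are skipped; nothing is printed if unset.
effective_ciphers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
        }
        tolower(f[1]) == "ciphers" { print f[2]; exit }'
}

# Return 0 when the effective value is exactly REQUIRED_CIPHERS; otherwise
# print the reason and return 1.  A value beginning with "+", "-" or "^"
# (OpenSSH append/remove/prepend syntax) edits the default list rather than
# replacing it, so it never satisfies the rule.
sshd_config_ciphers_ok() {
    _v=$(effective_ciphers)
    if [ -z "$_v" ]; then
        echo "FINDING: Ciphers keyword missing or commented out"; return 1
    fi
    case "$_v" in
        "$REQUIRED_CIPHERS") return 0 ;;
        [+^-]*) echo "FINDING: Ciphers '$_v' modifies the default list instead of replacing it"; return 1 ;;
        *) echo "FINDING: Ciphers is '$_v', expected '$REQUIRED_CIPHERS' (same ciphers, same order)"; return 1 ;;
    esac
}

# Constructed sshd_config fragments (not copied from a real host).
SAMPLE_GOOD='# sshd_config excerpt
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
#Ciphers aes128-cbc,3des-cbc'
SAMPLE_BAD='#Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ciphers = aes128-ctr,aes256-ctr'

printf '%s\n' "$SAMPLE_GOOD" | sshd_config_ciphers_ok && echo "sample 1: not a finding"
printf '%s\n' "$SAMPLE_BAD"  | sshd_config_ciphers_ok || echo "sample 2: finding"
```

The second sample shows why the grep in the question is only a starting point: a commented-out correct line followed by a live "ciphers = ..." line in another order is a finding, and a second "Ciphers" line later in the file would be printed by grep but ignored by sshd.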

References:
V-48159
SV-61031
CCI-000068
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 54 *******************************

QUESTION         : 55 of 148
TITLE            : CAT II, V-216411, SV-216411r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25301
RULE             : The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the logical node of all attached removable media:

# rmformat

This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0

Determine which zpool is mapped to the device:

# zpool status

Determine the file system names of the portable digital media:

# zfs list | grep [poolname]

Using the file system name, determine whether the removable media is encrypted:

# zfs get encryption [filesystem]

If the VALUE column shows "off", this is a finding.

References:
V-48157
SV-61029
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 55 *******************************

QUESTION         : 56 of 148
TITLE            : CAT II, V-216417, SV-216417r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25901
RULE             : The sticky bit must be set on all world writable directories.
QUESTION_TEXT    : The root role is required.

Identify all world-writable directories without the "sticky bit" set.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
   -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
   -o -fstype proc \) -prune -o -type d \( -perm -0002 \
   -a ! -perm -1000 \) -ls

Output of this command identifies world-writable directories without the "sticky bit" set. If output is created, this is a finding.

References:
V-48137
SV-61009
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 56 *******************************

QUESTION         : 57 of 148
TITLE            : CAT II, V-216419, SV-216419r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:26301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:26301
RULE             : Permissions on user . (hidden) files must be 750 or less permissive.
QUESTION_TEXT    : The root role is required.

Ensure that the permissions on user "." files are 750 or less permissive.

# for dir in \
`logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
find ${dir}/.[A-Za-z0-9]* \! -type l \
\( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 \) -ls
done

If output is produced, this is a finding.

References:
SV-61001
V-48129
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 57 *******************************

QUESTION         : 58 of 148
TITLE            : CAT II, V-216425, SV-216425r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:27501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:27501
RULE             : All home directories must be owned by the respective user assigned to it in /etc/passwd.
QUESTION_TEXT    : The root role is required.

Check that home directories are owned by the correct user.

# export IFS=":"; logins -uxo | while read user uid group gid gecos home rest; do result=$(find ${home} -type d -prune \! -user $user -print 2>/dev/null); 
if [ ! -z "${result}" ]; then 
echo "User: ${user}\tOwner: $(ls -ld $home | awk '{ print $3 }')";
fi;
done

If any output is produced, this is a finding.

Note: the "export IFS" at the start of the command changes the field separator for the rest of the shell session; run the command in a subshell or restore IFS afterward.

References:
V-48097
SV-60969
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 58 *******************************

QUESTION         : 59 of 148
TITLE            : CAT II, V-216426, SV-216426r958482, SRG-OS-000104
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:27701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:27701
RULE             : Duplicate User IDs (UIDs) must not exist for users within the organization.
QUESTION_TEXT    : The root role is required.

Check that there are no duplicate UIDs.

# logins -d

If output is produced, this is a finding.

References:
V-48095
SV-60967
CCI-000764
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 59 *******************************

QUESTION         : 60 of 148
TITLE            : CAT II, V-216427, SV-216427r958504, SRG-OS-000121
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:27901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:27901
RULE             : Duplicate UIDs must not exist for multiple non-organizational users.
QUESTION_TEXT    : The root role is required.

Check that there are no duplicate UIDs.

# logins -d

If output is produced, this is a finding.

References:
V-48091
SV-60963
CCI-000804
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 60 *******************************

QUESTION         : 61 of 148
TITLE            : CAT II, V-216428, SV-216428r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:28101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:28101
RULE             : Duplicate Group IDs (GIDs) must not exist for multiple groups.
QUESTION_TEXT    : The root role is required.

Check that group IDs are unique.

# getent group | cut -f3 -d":" | sort -n | uniq -c |\
while read x ; do
[ -z "${x}" ] && break
set - $x
if [ $1 -gt 1 ]; then
grps=`getent group | nawk -F: '($3 == n) { print $1
}' n=$2 | xargs`
echo "Duplicate GID ($2): ${grps}"
fi
done

If output is produced, this is a finding.

References:
SV-60953
V-48081
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 61 *******************************

QUESTION         : 62 of 148
TITLE            : CAT II, V-216430, SV-216430r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:28501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:28501
RULE             : Duplicate user names must not exist.
QUESTION_TEXT    : The root role is required.

Identify any duplicate user names.

# getent passwd | awk -F: '{print $1}' | sort | uniq -d

If output is produced, this is a finding.

References:
V-48073
SV-60945
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 62 *******************************

QUESTION         : 63 of 148
TITLE            : CAT II, V-216431, SV-216431r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:28701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:28701
RULE             : Duplicate group names must not exist.
QUESTION_TEXT    : The root role is required.

Check for duplicate group names.

# getent group | cut -f1 -d":" | sort | uniq -d

If output is produced, this is a finding.

References:
SV-60941
V-48069
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 63 *******************************

QUESTION         : 64 of 148
TITLE            : CAT II, V-216434, SV-216434r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:29301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:29301
RULE             : World-writable files must not exist.
QUESTION_TEXT    : The root role is required.

Check for the existence of world-writable files.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -type f -perm -0002 -print

If output is produced, this is a finding.

References:
SV-60935
V-48063
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 64 *******************************

QUESTION         : 65 of 148
TITLE            : CAT II, V-216436, SV-216436r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:29701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:29701
RULE             : The operating system must have no unowned files.
QUESTION_TEXT    : The root role is required.

Identify all files that are owned by a user or group not listed in /etc/passwd or /etc/group

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o \( -nouser -o -nogroup \) -ls

If output is produced, this is a finding.

References:
V-48039
SV-60911
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 65 *******************************

QUESTION         : 66 of 148
TITLE            : CAT II, V-216441, SV-216441r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:30501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:30501
RULE             : The operator must document all file system objects that have non-standard access control list settings.
QUESTION_TEXT    : The root role is required.

Identify all file system objects that have non-standard access control lists enabled.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -acl -ls

This command should return no output. If output is created, this is a finding.

If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.

References:
V-48029
SV-60901
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 66 *******************************

QUESTION         : 67 of 148
TITLE            : CAT II, V-216443, SV-216443r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:30901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:30901
RULE             : The system must implement non-executable program stacks.
QUESTION_TEXT    : Determine the OS version you are currently securing.

# uname -v

If the OS version is 11.3 or newer, this check applies to all zones and relies on the "sxadm" command. Determine if the system implements non-executable program stacks.

# sxadm status -p nxstack | cut -d: -f2
enabled.all

If the command output is not "enabled.all", this is a finding.

For Solaris 11, 11.1, and 11.2, this check applies to the global zone only and the "/etc/system" file is inspected. Determine the zone that you are currently securing.

# zonename

If the command output is "global", determine if the system implements non-executable program stacks. 

# grep noexec_user_stack /etc/system

If the output does not include an uncommented line that sets noexec_user_stack to 1 (for example "set noexec_user_stack=1"), this is a finding.

References:
SV-60897
V-48025
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 67 *******************************

QUESTION         : 68 of 148
TITLE            : CAT II, V-216445, SV-216445r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31301
RULE             : Process core dumps must be disabled unless needed.
QUESTION_TEXT    : Check the process core dump configuration.
# coreadm | grep enabled

If any line other than "global core dump logging" is reported as "enabled" (that is, if global, per-process, or setid core dumps are enabled), this is a finding.

References:
SV-60893
V-48021
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 68 *******************************

QUESTION         : 69 of 148
TITLE            : CAT II, V-216446, SV-216446r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31501
RULE             : The system must be configured to store any process core dumps in a specific, centralized directory.
QUESTION_TEXT    : Check the defined directory for process core dumps:

# coreadm | grep "global core file pattern"

If the parameter is not set, or is not an absolute path (does not start with a slash [/]), this is a finding.


References:
V-95717
SV-104855
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 69 *******************************

QUESTION         : 70 of 148
TITLE            : CAT II, V-216447, SV-216447r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31701
RULE             : The centralized process core dump data directory must be owned by root.
QUESTION_TEXT    : Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the ownership of the directory.
# ls -lLd [core file directory]

If the directory is not owned by root, this is a finding.

References:
V-48019
SV-60891
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 70 *******************************

QUESTION         : 71 of 148
TITLE            : CAT II, V-216448, SV-216448r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31901
RULE             : The centralized process core dump data directory must be group-owned by root, bin, or sys.
QUESTION_TEXT    : Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the group ownership of the directory.
# ls -lLd [core file directory]

If the directory is not group-owned by root, bin, or sys, this is a finding.

References:
SV-60889
V-48017
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 71 *******************************

QUESTION         : 72 of 148
TITLE            : CAT II, V-216449, SV-216449r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32101
RULE             : The centralized process core dump data directory must have mode 0700 or less permissive.
QUESTION_TEXT    : Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the permissions of the directory.

# ls -lLd [core file directory]

If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.

References:
SV-60887
V-48015
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 72 *******************************

QUESTION         : 73 of 148
TITLE            : CAT II, V-216450, SV-216450r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32301
RULE             : Kernel core dumps must be disabled unless needed.
QUESTION_TEXT    : The root role is required.
This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.


Verify savecore is not used.

# dumpadm | grep 'Savecore enabled' 

If the value is yes, this is a finding.

References:
SV-60885
V-48013
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 73 *******************************

QUESTION         : 74 of 148
TITLE            : CAT II, V-216451, SV-216451r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32501
RULE             : The kernel core dump data directory must be owned by root.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the system dump directory.

# dumpadm | grep directory

Check the ownership of the kernel core dump data directory.
# ls -ld [savecore directory]

If the kernel core dump data directory is not owned by root, this is a finding. 

In Solaris 11, /var/crash is linked to /var/share/crash.

References:
V-48011
SV-60883
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 74 *******************************

QUESTION         : 75 of 148
TITLE            : CAT II, V-216452, SV-216452r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32701
RULE             : The kernel core dump data directory must be group-owned by root.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the system dump directory.

# dumpadm | grep directory

Check ownership of the core dump data directory.

# ls -ld [savecore directory]

If the directory is not group-owned by root, this is a finding.

In Solaris 11, /var/crash is linked to /var/share/crash.

References:
V-48009
SV-60881
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 75 *******************************

QUESTION         : 76 of 148
TITLE            : CAT II, V-216453, SV-216453r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32901
RULE             : The kernel core dump data directory must have mode 0700 or less permissive.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the system dump directory.

# dumpadm | grep directory

Check the permissions of the kernel core dump data directory.

# ls -ld [savecore directory]

If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.
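
Added example (not part of the STIG text): a POSIX shell function that applies the three kernel core dump directory rules (owner root, group root, mode 0700 or less permissive) to one line of "ls -ldL" output. The function name, the constructed sample lines, and the dumpadm parsing shown in the comments are assumptions for illustration, not captured system output. Because /var/crash is a symbolic link, "ls -ld /var/crash" describes the link, so the example follows the link with -L and flags a link line as an error rather than passing it.

```sh
#!/bin/sh
# Added example, not part of the STIG: evaluates one line of "ls -ldL"
# output for the kernel core dump directory against the three rules
# (owner root, group root, mode 0700 or less permissive).
# -L matters because /var/crash is a symbolic link; without it, ls -ld
# reports the link (lrwxrwxrwx root root), not the directory behind it.
#
# On a Solaris 11 global zone (root role), the real inputs would be:
#   dir=$(dumpadm | awk -F: '/directory/ { sub(/^[ \t]+/, "", $2); print $2 }')
#   coredir_check "$(ls -ldL "$dir")"
# Exit status: 0 = compliant, 1 = finding (reasons printed on stdout).

coredir_check() {
    # $1: one "ls -ldL" line, e.g. (constructed)
    # "drwx------   2 root     root          2 Oct 12 09:01 /var/share/crash"
    set -- $1                      # fields: perms links owner group ...
    perms=$1; owner=$3; group=$4
    rc=0
    case "$perms" in
        d*) ;;
        l*) echo "FINDING: path is a symbolic link; rerun ls with -L"; return 1 ;;
        *)  echo "FINDING: not a directory ($perms)"; return 1 ;;
    esac
    [ "$owner" = root ] || { echo "FINDING: owner is $owner, not root"; rc=1; }
    [ "$group" = root ] || { echo "FINDING: group is $group, not root"; rc=1; }
    # Characters 5-10 are the group and other bits. Anything other than
    # "------" there (r, w, x, setgid s/S, sticky t/T) exceeds 0700.
    # A trailing "+" or "@" (ACL / extended attributes) is tolerated by the
    # pattern, but a non-trivial ACL should still be reviewed with ls -dv.
    case "$perms" in
        d???------*) ;;
        *) echo "FINDING: mode more permissive than 0700 ($perms)"; rc=1 ;;
    esac
    return $rc
}
```

Run it against the savecore directory as shown in the header comment; a zero exit status means all three rules are met, otherwise each failing rule is printed.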

References:
SV-60879
V-48007
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 76 *******************************

QUESTION         : 77 of 148
TITLE            : CAT II, V-216457, SV-216457r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33701
RULE             : A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
QUESTION_TEXT    : The root role is required.

Solaris 11 includes the Basic Audit Reporting Tool (BART), which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.

A Baseline BART manifest may exist in: 
/var/adm/log/bartlogs/[control manifest filename]

If a BART manifest does not exist, this is a finding.

At least weekly, create a new BART baseline report.

# bart create > /var/adm/log/bartlogs/[new manifest filename]

Compare the new report to the previous report to identify any changes in the system baseline.

# bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename]

Examine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.

References:
V-47987
SV-60859
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 77 *******************************

QUESTION         : 78 of 148
TITLE            : CAT II, V-216459, SV-216459r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33901
RULE             : Direct logins must not be permitted to shared, default, application, or utility accounts.
QUESTION_TEXT    : The Audit Review profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Use the "auditreduce" command to check for multiple accesses to an account

# auditreduce -c lo -u [shared_user_name] | praudit -l

If users log directly into accounts, rather than using the "su" command from their own named account to access them, this is a finding. Also, ask the SA or the IAO if shared accounts are logged into directly or if users log into an individual account and switch user to the shared account.

References:
V-47983
SV-60855
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 78 *******************************

QUESTION         : 79 of 148
TITLE            : CAT II, V-216461, SV-216461r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34301
RULE             : The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
QUESTION_TEXT    : The operations staff shall ensure that proper backups are created, tested, and archived. 

Ask the operator for documentation on the backup procedures implemented.

If the backup procedures are not documented, this is a finding.

References:
SV-60849
V-47977
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 79 *******************************

QUESTION         : 80 of 148
TITLE            : CAT II, V-216462, SV-216462r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34501
RULE             : The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
QUESTION_TEXT    : The operations staff shall ensure that proper backups are created, tested, and archived. 

Ask the operator for documentation on the backup procedures implemented.

If the backup procedures are not documented, this is a finding.

References:
V-47975
SV-60847
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 80 *******************************

QUESTION         : 81 of 148
TITLE            : CAT II, V-216463, SV-216463r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34701
RULE             : The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
QUESTION_TEXT    : The operations staff shall ensure that proper backups are created, tested, and archived. 

Ask the operator for documentation on the backup procedures implemented.

If the backup procedures are not documented, this is a finding.

References:
V-47973
SV-60845
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 81 *******************************

QUESTION         : 82 of 148
TITLE            : CAT II, V-216464, SV-216464r958544, SRG-OS-000181
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34901
RULE             : The operating system must prevent the execution of prohibited mobile code.
QUESTION_TEXT    : Determine if the Firefox package is installed:

# pkg list web/browser/firefox

If the package is not installed, this check does not apply.

If installed, ensure that it is a supported version.

# pkg info firefox | grep Version
Version: 52.5.2

If the version is not supported, this is a finding.

Ensure that Java and JavaScript access by Firefox are disabled.

Start Firefox.

In the address bar type: about:config

In search bar type: javascript.enabled

If 'Value" is true, this is a finding

In the address bar type: about:addons

Click on "I accept the risk" button.

Click on "Plugins".

If Java is enabled, this is a finding.


References:
V-47969
SV-60841
CCI-001695
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 82 *******************************

QUESTION         : 83 of 148
TITLE            : CAT II, V-216465, SV-216465r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35101
RULE             : The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
QUESTION_TEXT    : The operator will ensure that a DoD approved PKI system is installed, configured, and properly operating. Ask the operator to document the PKI software installation and configuration.

If the operator is not able to provide a documented configuration for an installed PKI system or if the PKI system is not properly configured, maintained, or used, this is a finding.

References:
SV-62549
V-49625
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 83 *******************************

QUESTION         : 84 of 148
TITLE            : CAT II, V-216467, SV-216467r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35301
RULE             : The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
QUESTION_TEXT    : The operator will ensure that anti-virus software is installed and operating.

If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

References:
V-47959
SV-60831
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 84 *******************************

QUESTION         : 85 of 148
TITLE            : CAT II, V-216469, SV-216469r958574, SRG-OS-000215
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35501
RULE             : The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

The operator must back up audit records at least every 7 days.

If the operator is unable to provide a documented procedure or the documented procedure is not being followed, then this is a finding.

References:
V-47941
SV-60813
CCI-001348
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 85 *******************************

QUESTION         : 86 of 148
TITLE            : CAT II, V-216473, SV-216473r958528, SRG-OS-000142
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35901
RULE             : The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
QUESTION_TEXT    : Verify that you are on the global zone:
# zoneadm -z global list
global

Note: If the following message appears, you are not in the global zone:
"zoneadm: global: No such zone exists"

# dladm show-ether -Z | egrep "LINK|up"

LINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE
net0 current up yes 1G-f bi

Determine the OS version that is being secured:

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     en_1000fdx_cap  rw   1            1            1         1,0
net0     en_1000hdx_cap  r-   0            0            0         1,0
net0     en_100fdx_cap   rw   1            1            1         1,0
net0     en_100hdx_cap   rw   1            1            1         1,0
net0     en_10fdx_cap    rw   1            1            1         1,0
net0     en_10gfdx_cap   --   --           --           0         1,0
net0     en_10hdx_cap    rw   1            1            1         1,0

Do the above for all available/connected network adapters.

For Solaris 11.4.x.x.x or newer:

# dladm show-linkprop -p speed-duplex net0
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     speed-duplex    rw   1g-f,100m-f, 1g-f,100m-f, 1g-f,     1g-f,100m-f,
                              100m-h,      100m-h,      100m-f,   100m-h,10m-f,
                              10m-f,10m-h  10m-f,10m-h  100m-h,   10m-h
                                                        10m-f,
                                                        10m-h

Do the above for all available/connected network adapters.

For each link, determine whether the VALUE field of its current speed-duplex setting is appropriate for managing excess bandwidth capacity, given the settings listed in its POSSIBLE field; if not, this is a finding.

References:
SV-60771
V-47899
CCI-001095
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 86 *******************************

QUESTION         : 87 of 148
TITLE            : CAT II, V-216476, SV-216476r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:36501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:36501
RULE             : The systems physical devices must not be assigned to non-global zones.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system.

# zoneadm list -vi | grep -v global

List the configuration for each zone.

# zonecfg -z [zonename] info | grep dev

Check for device lines. If such a line exists and is not approved by security, this is a finding.
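
Added example (not part of the STIG text): a POSIX shell function that parses "zonecfg -z [zonename] info" output for device resources and prints every "match:" value that is not on the site's approved list. Unlike "grep dev", it ignores unrelated lines that happen to contain "dev" (such as fs resources or a zonepath string) and reports only the device resource blocks the rule is about. The function names, the sample zone configuration and the approved list are constructed for illustration, not captured from a system.

```sh
#!/bin/sh
# Added example, not part of the STIG: lists device "match:" entries in a
# zone's configuration that are not on an approved list.
#
# On the host (root role), for every non-global zone:
#   for z in $(zoneadm list -ci | awk '$1 != "global"'); do
#       zone_unapproved_devices "$(zonecfg -z "$z" info)" "$APPROVED" | sed "s/^/$z: /"
#   done

zone_unapproved_devices() {
    # $1: zonecfg info text; $2: approved device paths, one per line.
    # Prints each unapproved device path; prints nothing when compliant.
    cfg=$1; approved=$2
    printf '%s\n' "$cfg" | awk '
        /^device:/ { indev = 1; next }
        /^[^ \t]/  { indev = 0 }            # next top-level resource ends the block
        indev && $1 == "match:" { print $2 }
    ' | while IFS= read -r dev; do
        printf '%s\n' "$approved" | grep -Fqx -- "$dev" || echo "$dev"
    done
}

# Constructed zonecfg output and approved list (not from a real system).
DEMO_CFG='zonename: webzone
zonepath: /system/zones/webzone
brand: solaris
autoboot: true
ip-type: exclusive
device:
  match: /dev/dsk/c1t1d0s0
  allow-partition: false
  allow-raw-io: false
device:
  match: /dev/rmt/0
  allow-partition: false
  allow-raw-io: false'
DEMO_APPROVED='/dev/dsk/c1t1d0s0'

demo_unapproved() { zone_unapproved_devices "$DEMO_CFG" "$DEMO_APPROVED"; }

demo_unapproved
```

Any path printed is a device assignment that security has not approved, which is the finding condition in the check above. Keep the approved list under change control so the comparison is repeatable from one review to the next.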

References:
SV-60715
V-47841
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 87 *******************************

QUESTION         : 88 of 148
TITLE            : CAT II, V-219963, SV-219963r958442, SRG-OS-000062
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:38101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:38101
RULE             : The audit system must be configured to audit all discretionary access control permission modifications.
QUESTION_TEXT    : The Audit Configuration profile is required.

Check that the audit flag for auditing file access is enabled.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=
If "fm" audit flag is not included in output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "fm" audit flag is not included in output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
V-47821
SV-60697
CCI-000169
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 88 *******************************

QUESTION         : 89 of 148
TITLE            : CAT II, V-219964, SV-219964r958442, SRG-OS-000062
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:38301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:38301
RULE             : The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone currently being secured.

# zonename

If the command output is "global", this check applies.

Determine the OS version currently being secured.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "as" audit flag is not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "cusa,fm,fd,-fa,-ps,-ex" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.
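
Added example (not part of the STIG text) serving both this check and the preceding one on the "fm" class: POSIX shell functions that test the class list produced by "auditconfig -getflags | grep active | cut -f2 -d=" (Solaris 11.0 through 11.3) or "auditconfig -t -getflags | cut -f2 -d=" (Solaris 11.4) for required classes, and test the "auditconfig -getpolicy" output for the argv policy. The function names and the sample strings are assumptions for illustration; the sample output is constructed in the format auditconfig prints, not captured from a system. Matching is on whole comma-separated tokens, so a class that is only partially audited (for example "-fm", failures only) does not satisfy a requirement for "fm", while a required token that itself carries a prefix (such as "-fa" in the 11.4 list above) must appear exactly.

```sh
#!/bin/sh
# Added example, not part of the STIG: checks audit class lists and policy.
#
# On the host (Audit Configuration profile):
#   flags=$(pfexec auditconfig -getflags | grep active | cut -f2 -d=)   # 11.0-11.3
#   flags=$(pfexec auditconfig -t -getflags | cut -f2 -d=)              # 11.4
#   audit_flags_check "$flags" fm as
#   audit_policy_has_argv "$(pfexec auditconfig -getpolicy)"

audit_flag_present() {
    # $1: class list, e.g. " lo,fm,as(0x1000,0x1000)"; $2: required token.
    # The hex mask in parentheses is dropped and the token must match a
    # whole comma-separated entry, so "-fm" (failures only) or "^fm"
    # (class removed) does not count as "fm".
    list=$(printf '%s' "$1" | sed 's/(.*//; s/[[:space:]]//g')
    printf '%s\n' "$list" | tr ',' '\n' | grep -qx -- "$2"
}

audit_flags_check() {
    # $1: class list; remaining arguments: required tokens.
    # Prints the missing tokens and returns 1 on any gap.
    list=$1; shift
    missing=""
    for token in "$@"; do
        audit_flag_present "$list" "$token" || missing="$missing $token"
    done
    if [ -n "$missing" ]; then
        echo "FINDING: audit class list lacks:$missing"
        return 1
    fi
    return 0
}

audit_policy_has_argv() {
    # $1: full "auditconfig -getpolicy" output; true if the active policy
    # line lists argv (command-line arguments are recorded).
    printf '%s\n' "$1" | grep '^active' | sed 's/.*=//' | tr -d ' ' \
        | tr ',' '\n' | grep -qx argv
}
```

Use audit_flags_check with "fm" for the permission-modification rule and with "as" (or the 11.4 list) for the kernel-module rule; both rules also need audit_policy_has_argv to succeed.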

References:
V-47823
SV-60699
CCI-000169
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 89 *******************************

QUESTION         : 90 of 148
TITLE            : CAT II, V-219967, SV-219967r958752, SRG-OS-000341
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:38901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:38901
RULE             : The operating system must allocate audit record storage capacity.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Review the current audit file space limitations

# pfexec auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)

The output of the command will appear in this form.

Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2

If p_minfree is not "2" or greater, this is a finding.

p_dir defines the current audit file system.

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

Check that zfs compression is enabled for the audit file system.

# zfs get compression [poolname/filesystemname]

If compression is off, this is a finding.

Check that a ZFS quota is enforced for the audit filesystem.

# zfs get quota [poolname/filesystemname]

If quota is set to "none", this is a finding.

Ensure that a reservation of space is enforced on /var/share so that other users do not use up audit space.

# zfs get quota,reservation [poolname/filesystemname]

If reservation is set to "none", this is a finding.

References:
V-47857
SV-60731
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 90 *******************************

QUESTION         : 91 of 148
TITLE            : CAT II, V-219969, SV-219969r1016281, SRG-OS-000366
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:39301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:39301
RULE             : The system must verify that package updates are digitally signed.
QUESTION_TEXT    : Determine what the signature policy is for pkg publishers:

# pkg property | grep signature-policy

Check that output produces:

signature-policy verify

If the output does not confirm that signature-policy verify is active, this is a finding.

References:
V-47883
SV-60755
CCI-003992
CCI-001749
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 91 *******************************

QUESTION         : 92 of 148
TITLE            : CAT II, V-219970, SV-219970r958794, SRG-OS-000363
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:39501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:39501
RULE             : The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
QUESTION_TEXT    : The Software Installation Profile is required.

Display the installation history of packages on the system to ensure that no undesirable packages have been installed:

# pkg history -o finish,user,operation,command |grep install

If the install command is listed as "/usr/bin/packagemanager", execute the command:

# pkg history -l 

to determine which packages were installed during package manager sessions.

If undocumented or unapproved packages have been installed, this is a finding.

References:
V-47923
SV-60795
CCI-001744
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 92 *******************************

QUESTION         : 93 of 148
TITLE            : CAT II, V-219971, SV-219971r958804, SRG-OS-000368
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:39701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:39701
RULE             : The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
QUESTION_TEXT    : Identify the packages installed on the system. 

# pkg list

Any unauthorized software packages listed in the output are a finding.

References:
V-47927
SV-60799
CCI-001764
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 93 *******************************

QUESTION         : 94 of 148
TITLE            : CAT II, V-219975, SV-219975r987791, SRG-OS-000396
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40301
RULE             : The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

The Crypto Management profile is required to execute this command.

Check to ensure that FIPS-140 encryption mode is enabled.

# cryptoadm list fips-140 | grep -c "is disabled"

If the output of this command is not "0", this is a finding.

References:
V-48183
SV-61055
CCI-002450
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 94 *******************************

QUESTION         : 95 of 148
TITLE            : CAT II, V-219976, SV-219976r958908, SRG-OS-000423
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40501
RULE             : The operating system must protect the integrity of transmitted information.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Check that SSH is enabled:
# svcs svc:/network/ssh
STATE          STIME           FMRI
online         Nov_03          svc:/network/ssh:default

Ask the operator to document all configured external ports and protocols.

If any unencrypted connections are used, this is a finding.

References:
SV-61051
V-48179
CCI-001127
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 95 *******************************

QUESTION         : 96 of 148
TITLE            : CAT II, V-219977, SV-219977r971547, SRG-OS-000424
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40701
RULE             : The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Check that SSH is enabled:
# svcs svc:/network/ssh
STATE          STIME           FMRI
online         Nov_03          svc:/network/ssh:default

Ask the operator to document all configured external ports and protocols.

If any unencrypted connections are used, this is a finding.

References:
SV-61047
V-48175
CCI-002421
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 96 *******************************

QUESTION         : 97 of 148
TITLE            : CAT II, V-219978, SV-219978r958912, SRG-OS-000425
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40901
RULE             : The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
V-48171
SV-61043
CCI-002420
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 97 *******************************

QUESTION         : 98 of 148
TITLE            : CAT II, V-219979, SV-219979r958908, SRG-OS-000423
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41101
RULE             : The operating system must protect the confidentiality of transmitted information.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
SV-61039
V-48167
CCI-002418
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 98 *******************************

QUESTION         : 99 of 148
TITLE            : CAT II, V-219980, SV-219980r971547, SRG-OS-000424
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41301
RULE             : The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
V-48163
SV-61035
CCI-002421
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 99 *******************************

QUESTION         : 100 of 148
TITLE            : CAT II, V-219981, SV-219981r958912, SRG-OS-000425
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41501
RULE             : The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any of the documented connections use an unencrypted protocol, this is a finding.
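The three checks above (this one and the two before it) rely on the operator's list of external ports and protocols. The script below is an added example, not part of the STIG or of SCC: it parses the output of Solaris "netstat -an -f inet" and reports TCP listeners on ports whose standard service is unencrypted, which gives the reviewer something to compare the operator's list against. The port table and the sample netstat output are constructed for this example; extend the table to match the protocols in use at the site.

```python
"""Flag listeners on well-known cleartext service ports.

Added example (not part of the STIG): parses the output of Solaris
'netstat -an -f inet' and reports TCP listeners whose standard service
sends credentials or data in the clear. The port table and the sample
output are constructed for this example.
"""
from __future__ import annotations

import sys

# Ports whose standard service is unencrypted. This mapping is an assumption
# for the example; extend it to match the protocols documented by the operator.
CLEARTEXT_TCP_PORTS = {
    21: "ftp",
    23: "telnet",
    80: "http",
    110: "pop3",
    143: "imap",
    512: "rexec",
    513: "rlogin",
    514: "rsh",
    6000: "X11",
}


def listening_ports(netstat_output: str) -> set[int]:
    """Return the local TCP ports in LISTEN state from netstat output."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "LISTEN":
            continue
        # Local address looks like '*.22' or '192.0.2.10.23'; the port is the
        # text after the last dot.
        port = fields[0].rpartition(".")[2]
        if port.isdigit():
            ports.add(int(port))
    return ports


def cleartext_findings(netstat_output: str) -> list[tuple[int, str]]:
    """Return (port, service) for every listener on a known cleartext port."""
    return sorted(
        (port, CLEARTEXT_TCP_PORTS[port])
        for port in listening_ports(netstat_output)
        if port in CLEARTEXT_TCP_PORTS
    )


# Constructed sample of 'netstat -an -f inet' output (not captured from a host).
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
      *.23                 *.*                0      0 128000      0 LISTEN
192.0.2.10.22        198.51.100.7.50123  64240      0 128000      0 ESTABLISHED
      *.111                *.*                0      0 128000      0 LISTEN
      *.514                *.*                0      0 128000      0 LISTEN
"""

if __name__ == "__main__":
    # Pipe real output in, e.g.: netstat -an -f inet | python3 check_ports.py
    data = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for port, service in cleartext_findings(data):
        print(f"FINDING: cleartext service {service} listening on tcp/{port}")
```

On the sample, tcp/23 (telnet) and tcp/514 (rsh) are reported; tcp/22 and tcp/111 are not in the table, so the reviewer still has to confirm with the operator that rpcbind traffic on 111 is either encrypted or not exposed externally.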

References:
SV-61033
V-48161
CCI-002420
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 100 *******************************

QUESTION         : 101 of 148
TITLE            : CAT II, V-219984, SV-219984r958908, SRG-OS-000423
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42101
RULE             : The operating system must protect the integrity of transmitted information.
QUESTION_TEXT    : The operator shall determine if IPsec is being used to encrypt data for activities such as cluster interconnects or other data connections that do not use SSH or SFTP.

On both systems review the file /etc/inet/ipsecinit.conf. Ensure that connections between hosts are configured properly in this file per the Solaris 11 documentation.

Check that the IPsec policy service is online:

# svcs svc:/network/ipsec/policy:default

If the IPsec service is not online, this is a finding.

If encrypted protocols are not used between systems, this is a finding.

References:
V-48141
SV-61013
CCI-002418
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 101 *******************************

QUESTION         : 102 of 148
TITLE            : CAT II, V-219985, SV-219985r958732, SRG-OS-000327
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42301
RULE             : The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
QUESTION_TEXT    : The audit configuration profile is required. 

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the local audit trail files.

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;

In this example, the audit files can be found in /var/audit. Check that the permissions on the audit files are 640 (rw-r-----) or less permissive.

# ls -al /var/audit

# ls -l /var/audit/*

If the permissions are more permissive than 640, this is a finding.

Note:  The default Solaris 11 location for /var/audit is a link to /var/share/audit.
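The following is an added example, not part of the STIG or of SCC, that automates the two steps above: it pulls p_dir out of the "auditconfig -getplugin audit_binfile" output and then walks that directory, reporting any regular file whose mode has bits beyond 0640 (including setuid/setgid bits, which "ls -l" shows but a quick glance can miss). The plugin text is constructed to match the format shown above, and demo() builds a throwaway directory rather than touching /var/audit; on a host, call check_audit_dir() with the real p_dir.

```python
"""Verify the mode of Solaris audit trail files is 0640 or tighter.

Added example (not part of the STIG): the plugin text is constructed from
the 'auditconfig -getplugin audit_binfile' format, and demo() builds a
throwaway directory instead of touching /var/audit.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

MAX_MODE = 0o640  # rw-r-----: any bit outside this mask is a finding


def audit_dir_from_plugin(getplugin_output: str) -> str:
    """Pull p_dir out of the audit_binfile plugin attributes."""
    m = re.search(r"\bp_dir=([^;\s]+)", getplugin_output)
    if not m:
        raise ValueError("p_dir attribute not found in plugin output")
    return m.group(1)


def too_permissive(st_mode: int) -> bool:
    """True if the permission bits include anything 0640 does not allow."""
    return (stat.S_IMODE(st_mode) & ~MAX_MODE) != 0


def check_audit_dir(path: str) -> list[str]:
    """Return regular files under path (relative names) with mode beyond 0640."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)  # lstat: do not follow symlinks elsewhere
            if stat.S_ISREG(st.st_mode) and too_permissive(st.st_mode):
                findings.append(os.path.relpath(full, path))
    return sorted(findings)


# Constructed plugin output in the format the check above shows.
SAMPLE_PLUGIN = (
    "Plugin: audit_binfile (active)\n"
    "Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;\n"
)


def demo() -> list[str]:
    """Build a constructed audit directory: one compliant file, one not."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "20240101000000.20240102000000.host1")
        bad = os.path.join(d, "20240102000000.not_terminated.host1")
        for p in (good, bad):
            open(p, "w").close()
        os.chmod(good, 0o640)
        os.chmod(bad, 0o644)  # world-readable: a finding
        return check_audit_dir(d)


if __name__ == "__main__":
    print("audit trail directory:", audit_dir_from_plugin(SAMPLE_PLUGIN))
    print("files more permissive than 0640:", demo())
```

The mask comparison is the point: a file at 0600 passes, 0640 passes, and anything that adds group-write, other-read or a setuid/setgid bit fails, which is exactly the "640 or less permissive" wording of the check.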

References:
V-48031
SV-60903
CCI-002234
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 102 *******************************

QUESTION         : 103 of 148
TITLE            : CAT II, V-219986, SV-219986r1016282, SRG-OS-000356
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42501
RULE             : The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
QUESTION_TEXT    : NTP must be used and used only in the global zone. Determine the zone to be secured.

# zonename

If the command output is not "global", then NTP must be disabled. Check the system for a running NTP daemon.

# svcs -Ho state ntp

If NTP is online, this is a finding.

If the output from "zonename" is "global", then NTP must be enabled. Check the system for a running NTP daemon.

# svcs -Ho state ntp

If NTP is not online, this is a finding.

If NTP is running, confirm the servers and peers or multicast client (as applicable) are local or an authoritative DOD source.

For the NTP daemon:

# more /etc/inet/ntp.conf

If a nonlocal/nonauthoritative (non-DOD source, non-USNO-based, or non-GPS) time server is used, this is a finding.

Determine if the time synchronization frequency is correct.

# grep "maxpoll" /etc/inet/ntp.conf

If the file does not exist (grep reports "No such file or directory") or any value for maxpoll is returned, this is a finding.

Determine if the running NTP server is configured properly.

# ntpq -p | awk '($6 ~ /[0-9]+/ && $6 > 86400) { print $1" "$6 }'

This will print out the name of any time server whose current polling time is greater than 24 hours (along with the actual value). If there is any output, this is a finding.
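The checks above are easy to script for a fleet. The following is an added example, not part of the STIG or of SCC: it reads an ntp.conf, flags any server/peer line that carries a maxpoll option or names a time source outside an approved list, and parses "ntpq -p" output for peers whose poll interval exceeds 24 hours (the same column the awk command above tests). The approved-source list is an assumption standing in for the organization's designated DOD/USNO/GPS-derived servers, and both input samples are constructed.

```python
"""Check NTP configuration and peer polling against the STIG criteria.

Added example (not part of the STIG): parses a constructed /etc/inet/ntp.conf
and constructed 'ntpq -p' output. APPROVED_SOURCES is an assumption standing
in for the organization's authoritative time servers.
"""
from __future__ import annotations

# Assumption for the example: sources the organization has designated as
# authoritative (local stratum servers fed from DOD/USNO/GPS).
APPROVED_SOURCES = {"ntp1.example.mil", "ntp2.example.mil", "192.0.2.5"}
MAX_POLL_SECONDS = 86400  # 24 hours, as in the awk check


def check_ntp_conf(conf_text: str) -> list[str]:
    """Return findings: any maxpoll option and any unapproved server/peer."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("server", "peer", "multicastclient"):
            continue
        if "maxpoll" in fields[2:]:
            findings.append(f"maxpoll set on line: {line}")
        if fields[0] in ("server", "peer") and fields[1] not in APPROVED_SOURCES:
            findings.append(f"unapproved time source: {fields[1]}")
    return findings


def check_ntpq(ntpq_output: str) -> list[tuple[str, int]]:
    """Return (peer, poll seconds) for peers polled less often than daily."""
    slow = []
    for line in ntpq_output.splitlines():
        f = line.split()
        # Data rows: remote refid st t when poll reach delay offset jitter.
        # The header row has the word 'poll' in column 6, so isdigit() skips it.
        if len(f) < 10 or not f[5].isdigit():
            continue
        poll = int(f[5])
        if poll > MAX_POLL_SECONDS:
            # ntpq prefixes the remote name with a tally code (* + - # x . o).
            name = f[0][1:] if f[0][0] in "*+-#x.o" else f[0]
            slow.append((name, poll))
    return slow


# Constructed /etc/inet/ntp.conf: one maxpoll line and one public pool source.
SAMPLE_CONF = """\
driftfile /var/ntp/ntp.drift
server ntp1.example.mil iburst
server ntp2.example.mil iburst maxpoll 17
server pool.ntp.org iburst
"""

# Constructed 'ntpq -p' output: the third peer is polled every 36 hours.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.m .GPS.            1 u   61   64  377    0.412   -0.031   0.015
+ntp2.example.m 192.0.2.5        2 u  900 1024  377    1.204    0.120   0.044
-pool.ntp.org    10.0.0.1        3 u 1200 131072 377    9.870    2.510   1.100
"""

if __name__ == "__main__":
    for finding in check_ntp_conf(SAMPLE_CONF) + [
        f"poll interval {p}s exceeds 24h for {h}" for h, p in check_ntpq(SAMPLE_NTPQ)
    ]:
        print("FINDING:", finding)
```

Note that "maxpoll 17" (131072 seconds) is the case that turns into the third finding: the configured cap is larger than a day, so ntpd backs off beyond the 24-hour limit once the peer is stable.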

References:
V-47985
SV-60857
CCI-004926
CCI-002046
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 103 *******************************

QUESTION         : 104 of 148
TITLE            : CAT II, V-219987, SV-219987r958944, SRG-OS-000445
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42701
RULE             : The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
QUESTION_TEXT    : Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis.

If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.

References:
SV-60779
V-47907
CCI-002696
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 104 *******************************

QUESTION         : 105 of 148
TITLE            : CAT II, V-224670, SV-224670r958726, SRG-OS-000324
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42901
RULE             : The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
QUESTION_TEXT    : The operator will ensure that anti-virus software is installed and operating.

If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

References:
V-47963
SV-60835
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 105 *******************************

QUESTION         : 106 of 148
TITLE            : CAT II, V-224671, SV-224671r958944, SRG-OS-000445
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:43101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:43101
RULE             : The operating system must identify potentially security-relevant error conditions.
QUESTION_TEXT    : Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis.

If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.

References:
V-47903
SV-60775
CCI-002696
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 106 *******************************

QUESTION         : 107 of 148
TITLE            : CAT II, V-233300, SV-233300r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:43301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:43301
RULE             : The sshd server must bind the X11 forwarding server to the loopback address.
QUESTION_TEXT    : Determine if the X11 forwarding server is bound to the loopback address.

# grep "^X11UseLocalhost" /etc/ssh/sshd_config

If the output of this command is not:

X11UseLocalhost yes

this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 107 *******************************

QUESTION         : 108 of 148
TITLE            : CAT III, V-216265, SV-216265r958406, SRG-OS-000032
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:3101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:3101
RULE             : The audit system must be configured to audit login, logout, and session initiation.
QUESTION_TEXT    : The Audit Configuration profile is required.

Check that the audit flag for auditing login and logout is enabled.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If the "lo" audit flag is not included in the output, this is a finding.

# pfexec auditconfig -getnaflags | grep active | cut -f2 -d=

If the "na" and "lo" audit flags are not included in the output, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If neither "cusa" nor the "ft,lo,ap,ss,as,ua,pe" audit flags are included in the output, this is a finding.

# pfexec auditconfig -t -getnaflags | cut -f2 -d=

If the "na" and "lo" audit flags are not included in the output, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.

References:
SV-60695
V-47819
CCI-000067
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 108 *******************************

QUESTION         : 109 of 148
TITLE            : CAT III, V-216268, SV-216268r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:3301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:3301
RULE             : The audit system must be configured to audit failed attempts to access files and programs.
QUESTION_TEXT    : The Audit Configuration profile is required.

Check that the audit flag for auditing file access is enabled.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pfexec auditconfig -getflags | grep active | cut -f2 -d=

If "-fa" and "-ps" audit flags are not displayed, this is a finding.

For Solaris 11.4 or newer:
# pfexec auditconfig -t -getflags | cut -f2 -d=

If "-fa", "-ex", and "-ps" audit flags are not displayed, this is a finding.

Determine if auditing policy is set to collect command line arguments.

# pfexec auditconfig -getpolicy | grep active | grep argv

If the active audit policies line does not appear, this is a finding.
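The flag comparisons in this check and in the login/logout check before it are easy to get wrong by hand, because the value printed after "cut -f2 -d=" still carries a hex mask in parentheses and because "-fa" (failed events only) is not the same flag as "fa". The following is an added example, not part of the STIG or of SCC, that takes the command output as text and evaluates both checks, including the version split at 11.4 and the argv policy test. The sample strings are constructed.

```python
"""Evaluate Solaris audit flag output for the login and file-access checks.

Added example (not part of the STIG): the functions take the text printed by
the auditconfig commands in the checks and return findings. Sample strings
are constructed.
"""
from __future__ import annotations


def solaris_version(uname_v: str) -> tuple[int, int]:
    """'11.4.42.111.0' -> (11, 4); '11.3' -> (11, 3)."""
    parts = uname_v.strip().split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (int(parts[0]), minor)


def parse_flags(flag_text: str) -> set[str]:
    """Split 'lo,ex,-fa,-ps(0x1002,0x1002)' into {'lo','ex','-fa','-ps'}.

    Prefixes are kept on purpose: '-fa' (failed events only) is not 'fa'.
    """
    value = flag_text.split("(", 1)[0]
    return {tok.strip() for tok in value.split(",") if tok.strip()}


def check_login_audit(uname_v: str, flags: str, naflags: str) -> list[str]:
    """Login/logout auditing: user flags and non-attributable flags."""
    findings = []
    active = parse_flags(flags)
    if solaris_version(uname_v) >= (11, 4):
        alternatives = ({"cusa"}, {"ft", "lo", "ap", "ss", "as", "ua", "pe"})
        if not any(req <= active for req in alternatives):
            findings.append("user flags lack 'cusa' and lack ft,lo,ap,ss,as,ua,pe")
    elif "lo" not in active:
        findings.append("user flags lack 'lo'")
    missing = {"na", "lo"} - parse_flags(naflags)
    if missing:
        findings.append("non-attributable flags lack " + ",".join(sorted(missing)))
    return findings


def check_file_access_audit(uname_v: str, flags: str) -> list[str]:
    """Failed file and program access auditing (-fa, -ps, and -ex on 11.4+)."""
    required = {"-fa", "-ps"}
    if solaris_version(uname_v) >= (11, 4):
        required.add("-ex")
    missing = required - parse_flags(flags)
    return ["user flags lack " + ",".join(sorted(missing))] if missing else []


def argv_policy_active(getpolicy_output: str) -> bool:
    """True when the 'active audit policies' line includes argv."""
    for line in getpolicy_output.splitlines():
        if line.startswith("active audit policies"):
            return "argv" in parse_flags(line.split("=", 1)[1])
    return False


if __name__ == "__main__":
    # Constructed values in the format the commands print.
    print(check_login_audit("11.3", " lo,ex(0x1002,0x1002)", " lo,na(0x1400,0x1400)"))
    print(check_file_access_audit("11.4.42.111.0", " lo,-fa,-ps(0x1002,0x1002)"))
    print(argv_policy_active("configured audit policies = cnt\nactive audit policies = argv,cnt\n"))
```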

References:
V-47825
SV-60701
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 109 *******************************

QUESTION         : 110 of 148
TITLE            : CAT III, V-216269, SV-216269r958440, SRG-OS-000061
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:3501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:3501
RULE             : The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
QUESTION_TEXT    : Audit Configuration rights profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the syslog audit plugin is enabled.

# pfexec auditconfig -getplugin | grep audit_syslog

If "inactive" appears, this is a finding.

Determine which system-log service instance is online.

# pfexec svcs system-log

Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:

# grep audit.notice /etc/syslog.conf
or
# grep @@ /etc/rsyslog.conf

If 
audit.notice @remotesystemname , audit.notice !remotesystemname (syslog configuration)
or
*.* @@remotesystemname (rsyslog configuration)
points to an invalid remote system or is commented out, this is a finding.

If no output is produced, this is a finding.

Check the remote syslog host to ensure that audit records can be found for this host.
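The following is an added example, not part of the STIG or of SCC, that evaluates the three parts of this check from captured text: the audit_syslog plugin state, the forwarding line in syslog.conf or rsyslog.conf (a commented-out line is ignored exactly as the daemon would ignore it, so it surfaces as "no forwarding line"), and whether the named target is one of the organization's log hosts. The set of valid log hosts is an assumption supplied by the caller; both configuration samples are constructed.

```python
"""Check that audit records are forwarded to a valid remote syslog host.

Added example (not part of the STIG): parses constructed syslog.conf and
rsyslog.conf text plus the 'auditconfig -getplugin' line for audit_syslog.
The set of valid log hosts is supplied by the caller (an assumption).
"""
from __future__ import annotations

import re


def remote_audit_targets(conf_text: str, flavor: str) -> list[str]:
    """Return remote hosts that receive audit records per the config.

    flavor is 'syslog' (/etc/syslog.conf: audit.notice @host) or
    'rsyslog' (/etc/rsyslog.conf: *.* @@host). Commented lines are ignored,
    which is why a commented-out forwarding line ends up as a finding.
    """
    targets = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # selector, then action (tab-separated)
        if len(parts) != 2:
            continue
        selector, action = parts
        if flavor == "syslog":
            if "audit.notice" in selector.split(";") and action.startswith("@"):
                targets.append(action.lstrip("@"))
        elif flavor == "rsyslog":
            if selector == "*.*" and action.startswith("@@"):
                targets.append(action[2:].split(":")[0])  # strip optional :port
    return targets


def check_remote_audit(getplugin_output: str, conf_text: str,
                       flavor: str, valid_hosts: set[str]) -> list[str]:
    """Return findings for plugin state, forwarding line, and target validity."""
    findings = []
    m = re.search(r"audit_syslog\s*\((\w+)\)", getplugin_output)
    if not m or m.group(1) != "active":
        findings.append("audit_syslog plugin is not active")
    targets = remote_audit_targets(conf_text, flavor)
    if not targets:
        findings.append("no uncommented remote forwarding line for audit records")
    for target in targets:
        if target not in valid_hosts:
            findings.append(f"forwarding target {target} is not a known log host")
    return findings


# Constructed /etc/syslog.conf (fields are tab-separated, as syslogd requires).
SAMPLE_SYSLOG = """\
*.err;kern.notice;auth.notice\t\t/dev/sysmsg
audit.notice\t\t\t\t@loghost.example.mil
#audit.notice\t\t\t\t@old-loghost
"""

# Constructed /etc/rsyslog.conf with TCP forwarding (@@) and an explicit port.
SAMPLE_RSYSLOG = """\
*.* @@loghost.example.mil:514
#*.* @@old-loghost
"""

if __name__ == "__main__":
    plugin = "Plugin: audit_syslog (active)\n"
    print(check_remote_audit(plugin, SAMPLE_SYSLOG, "syslog", {"loghost.example.mil"}))
    print(check_remote_audit(plugin, SAMPLE_RSYSLOG, "rsyslog", {"loghost.example.mil"}))
```

The last step of the check, confirming on the log host that records from this system actually arrive, cannot be done from the client's configuration and still has to be verified on the remote side.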

References:
SV-60703
V-47827
CCI-000166
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 110 *******************************

QUESTION         : 111 of 148
TITLE            : CAT III, V-216270, SV-216270r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:3701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:3701
RULE             : The auditing system must not define a different auditing level for specific users.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

For each user on the system (not including root), check to see if special auditing flag configurations are set.

# userattr audit_flags [username]

If any flags are returned, this is a finding.

References:
SV-60705
V-47831
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 111 *******************************

QUESTION         : 112 of 148
TITLE            : CAT III, V-216286, SV-216286r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:5501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:5501
RULE             : The finger daemon package must not be installed.
QUESTION_TEXT    : Determine if the finger package is installed.

# pkg list service/network/finger

If an installed package named service/network/finger is listed, this is a finding.

References:
V-47893
SV-60765
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 112 *******************************

QUESTION         : 113 of 148
TITLE            : CAT III, V-216289, SV-216289r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:6101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:6101
RULE             : The pidgin IM client package must not be installed.
QUESTION_TEXT    : Determine if the pidgin package is installed.

# pkg list communication/im/pidgin

If an installed package named communication/im/pidgin is listed, this is a finding.

References:
V-47909
SV-60781
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 113 *******************************

QUESTION         : 114 of 148
TITLE            : CAT III, V-216293, SV-216293r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:6901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:6901
RULE             : The UUCP service daemon must not be installed unless required.
QUESTION_TEXT    : Determine if the UUCP package is installed.

# pkg list service/network/uucp

If an installed package named "service/network/uucp" is listed, this is a finding.

References:
SV-60789
V-47917
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 114 *******************************

QUESTION         : 115 of 148
TITLE            : CAT III, V-216316, SV-216316r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11101
RULE             : Generic Security Services (GSS) must be disabled.
QUESTION_TEXT    : Determine the status of the Generic Security Services.

# svcs -Ho state svc:/network/rpc/gss

If the GSS service is reported as online, this is a finding.

References:
V-47931
SV-60803
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 115 *******************************

QUESTION         : 116 of 148
TITLE            : CAT III, V-216317, SV-216317r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11301
RULE             : Systems services that are not required must be disabled.
QUESTION_TEXT    : Determine all of the systems services that are enabled on the system.

# svcs -a | grep online

Document all enabled services and disable any that are not required. If any enabled service is not required and documented, this is a finding.

References:
V-47933
SV-60805
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 116 *******************************

QUESTION         : 117 of 148
TITLE            : CAT III, V-216322, SV-216322r958364, SRG-OS-000002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11901
RULE             : The operating system must automatically terminate temporary accounts within 72 hours.
QUESTION_TEXT    : The root role is required.

Determine if an expiration date is set for temporary accounts.

# logins -aox |awk -F: '($14 == "0") {print}'

This command produces a list of accounts with no expiration date set. If any of these accounts are temporary accounts, this is a finding.

# logins -aox |awk -F: '($14 != "0") {print}'

This command produces a list of accounts with an expiration date set, shown in the last field. If any temporary accounts have an expiration date that is not within 72 hours, this is a finding.

References:
V-47949
SV-60821
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 117 *******************************

QUESTION         : 118 of 148
TITLE            : CAT III, V-216343, SV-216343r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:15701
RULE             : The value mesg n must be configured as the default setting for all users.
QUESTION_TEXT    : Determine if "mesg n" is the default for users.

# grep "^mesg" /etc/.login

# grep "^mesg" /etc/profile

If either of these commands produces a line:
mesg y

this is a finding.

For each existing user on the system, enter the command:

# mesg

If the command output is:
is y

this is a finding.

References:
V-48075
SV-60947
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 118 *******************************

QUESTION         : 119 of 148
TITLE            : CAT III, V-216367, SV-216367r958398, SRG-OS-000027
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:20101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:20101
RULE             : The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
QUESTION_TEXT    : Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.

For each user requiring concurrent session restrictions, determine if that user is in the user.[username] project where [username] is the user's account username.

# projects [username] | grep user

If the output does not include the project user.[username], this is a finding.

Determine the project membership for the user.

# projects [username]

If the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding.

Determine whether the max-tasks resource control is enabled properly.

# projects -l user.[username] | grep attribs

If the output does not include the text:

attribs: project.max-tasks=(privileged,[MAX],deny)

where [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.

References:
V-48151
SV-61023
CCI-000054
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 119 *******************************

QUESTION         : 120 of 148
TITLE            : CAT III, V-216368, SV-216368r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:20301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:20301
RULE             : The system must disable directed broadcast packet forwarding.
QUESTION_TEXT    : Determine if directed broadcast packet forwarding is disabled.

# ipadm show-prop -p _forward_directed_broadcasts -co current ip

If the output of this command is not "0", this is a finding.

References:
V-48165
SV-61037
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 120 *******************************

QUESTION         : 121 of 148
TITLE            : CAT III, V-216369, SV-216369r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:20501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:20501
RULE             : The system must not respond to ICMP timestamp requests.
QUESTION_TEXT    : Determine if ICMP time stamp responses are disabled.

# ipadm show-prop -p _respond_to_timestamp -co current ip

If the output of this command is not "0", this is a finding.

References:
V-48169
SV-61041
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 121 *******************************

QUESTION         : 122 of 148
TITLE            : CAT III, V-216370, SV-216370r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:20701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:20701
RULE             : The system must not respond to ICMP broadcast timestamp requests.
QUESTION_TEXT    : Determine if response to ICMP broadcast timestamp requests is disabled.

# ipadm show-prop -p _respond_to_timestamp_broadcast -co current ip

If the output of this command is not "0", this is a finding.

References:
SV-61045
V-48173
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 122 *******************************

QUESTION         : 123 of 148
TITLE            : CAT III, V-216371, SV-216371r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:20901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:20901
RULE             : The system must not respond to ICMP broadcast netmask requests.
QUESTION_TEXT    : Determine if the response to address mask broadcast is disabled.

# ipadm show-prop -p _respond_to_address_mask_broadcast -co current ip

If the output of this command is not "0", this is a finding.

References:
SV-61049
V-48177
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 123 *******************************

QUESTION         : 124 of 148
TITLE            : CAT III, V-216373, SV-216373r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:21301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:21301
RULE             : The system must not respond to multicast echo requests.
QUESTION_TEXT    : Determine if response to multicast echo requests is disabled.

# ipadm show-prop -p _respond_to_echo_multicast -co current ipv4
# ipadm show-prop -p _respond_to_echo_multicast -co current ipv6

If the output of either command is not "0", this is a finding.

References:
V-48185
SV-61057
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 124 *******************************

QUESTION         : 125 of 148
TITLE            : CAT III, V-216374, SV-216374r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:21501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:21501
RULE             : The system must ignore ICMP redirect messages.
QUESTION_TEXT    : Determine if ICMP redirect messages are ignored.

# ipadm show-prop -p _ignore_redirect -co current ipv4
# ipadm show-prop -p _ignore_redirect -co current ipv6

If the output of either command is not "1", this is a finding.

References:
V-48189
SV-61061
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 125 *******************************

QUESTION         : 126 of 148
TITLE            : CAT III, V-216376, SV-216376r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:21901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:21901
RULE             : The system must disable ICMP redirect messages.
QUESTION_TEXT    : Determine the version of Solaris 11 in use.

# cat /etc/release

If the version of Solaris is earlier than Solaris 11.2, determine if ICMP redirect messages are disabled.

# ipadm show-prop -p _send_redirects -co current ipv4
# ipadm show-prop -p _send_redirects -co current ipv6

If the output of either command is not "0", this is a finding.

If the version of Solaris is Solaris 11.2 or later, determine if ICMP redirect messages are disabled.

# ipadm show-prop -p send_redirects -co current ipv4
# ipadm show-prop -p send_redirects -co current ipv6

If the output of either command is not "off", this is a finding.

References:
SV-75425
V-48197
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 126 *******************************

QUESTION         : 127 of 148
TITLE            : CAT III, V-216377, SV-216377r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:22101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:22101
RULE             : The system must disable TCP reverse IP source routing.
QUESTION_TEXT    : Determine if TCP reverse IP source routing is disabled. 

# ipadm show-prop -p _rev_src_routes -co current tcp

If the output of this command is not "0", this is a finding.

References:
SV-61073
V-48201
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 127 *******************************

QUESTION         : 128 of 148
TITLE            : CAT III, V-216379, SV-216379r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:22501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:22501
RULE             : The system must set maximum number of incoming connections to 1024.
QUESTION_TEXT    : Determine if the maximum number of incoming connections is set to 1024.

# ipadm show-prop -p _conn_req_max_q -co current tcp

If the value returned is smaller than "1024", this is a finding. 

In environments where connection numbers are high, such as a busy web server, this value may need to be increased.
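
The ipadm checks in questions 125 to 128 can be run as one audit pass. The POSIX sh helper below is an added example, not part of the STIG or of this SCC file; it assumes the "uname -v" string (e.g. "11.1" or "11.4.42.111.0") as the release source instead of the /etc/release text that question 126 quotes, and it only invokes ipadm on a Solaris host.

```sh
#!/bin/sh
# Added audit helper (not part of the STIG or the SCC file): evaluates the
# ipadm network-property checks from questions 125 to 128 and prints one
# verdict per check. The evaluation logic is kept in pure functions so it can
# be exercised off-box; ipadm is only invoked when it is present.

# verdict PROP PROTO ACTUAL EXPECTED MODE
#   MODE eq: ACTUAL must equal EXPECTED exactly ("1", "0", "off")
#   MODE ge: ACTUAL must be an integer >= EXPECTED (_conn_req_max_q)
# Exit status 0 means "Not a Finding", 1 means "Finding". An empty ACTUAL
# (property missing or ipadm failed) is always reported as a finding.
verdict() {
    prop=$1 proto=$2 actual=$3 expected=$4 mode=$5
    case $mode in
        eq) [ "$actual" = "$expected" ] ;;
        ge) case $actual in
                ''|*[!0-9]*) false ;;
                *) [ "$actual" -ge "$expected" ] ;;
            esac ;;
        *)  echo "verdict: unknown mode '$mode'" >&2; return 2 ;;
    esac
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "PASS $proto $prop current=$actual"
    else
        echo "FAIL $proto $prop current='$actual' expected $mode $expected"
    fi
    return "$rc"
}

# redirect_check VERSION -> prints "PROP EXPECTED" for the send_redirects
# check. Question 126: releases before 11.2 use the private property
# _send_redirects (expected "0"); 11.2 and later use send_redirects ("off").
# VERSION is assumed to be the "uname -v" string, e.g. "11.1" or "11.4.42.111.0".
redirect_check() {
    case $1 in
        11.*) minor=${1#11.}; minor=${minor%%.*} ;;
        *)    minor=0 ;;
    esac
    case $minor in ''|*[!0-9]*) minor=0 ;; esac
    if [ "$minor" -lt 2 ]; then
        echo "_send_redirects 0"
    else
        echo "send_redirects off"
    fi
}

# current_value PROTO PROP : the STIG's ipadm query, value only.
current_value() {
    ipadm show-prop -p "$2" -co current "$1" 2>/dev/null
}

# run_checks : runs every check; exit status is the number of findings.
run_checks() {
    findings=0
    set -- $(redirect_check "$(uname -v)")   # $1 = property, $2 = expected
    rprop=$1 rexp=$2
    for proto in ipv4 ipv6; do
        verdict _ignore_redirect "$proto" "$(current_value "$proto" _ignore_redirect)" 1 eq \
            || findings=$((findings + 1))
        verdict "$rprop" "$proto" "$(current_value "$proto" "$rprop")" "$rexp" eq \
            || findings=$((findings + 1))
    done
    verdict _rev_src_routes tcp "$(current_value tcp _rev_src_routes)" 0 eq \
        || findings=$((findings + 1))
    verdict _conn_req_max_q tcp "$(current_value tcp _conn_req_max_q)" 1024 ge \
        || findings=$((findings + 1))
    return "$findings"
}

# Only touch ipadm on a Solaris host; the functions above are usable anywhere.
if [ "$(uname -s)" = SunOS ] && command -v ipadm >/dev/null 2>&1; then
    run_checks
    echo "findings: $?"
fi
```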

References:
V-48211
SV-61083
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 128 *******************************

QUESTION         : 129 of 148
TITLE            : CAT III, V-216381, SV-216381r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:22901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:22901
RULE             : The system must implement TCP Wrappers.
QUESTION_TEXT    : Determine if TCP Wrappers is configured.

# inetadm -p | grep tcp_wrappers

If the output of this command is "FALSE", this is a finding.

The above command checks whether TCP Wrappers is enabled globally for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). Starting with Solaris 11.3, OpenSSH access is controlled by the sshd_config file instead. SunSSH is removed starting with Solaris 11.4.

Individual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to "FALSE". To check the status of individual inetd services, use the command:

# for svc in `inetadm | awk '/svc:\// { print $NF }'`; do
    # inetadm -l prints "tcp_wrappers=TRUE" when the per-instance property is set
    val=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE`
    if [ ${val} -eq 1 ]; then
        echo "TCP Wrappers enabled for ${svc}"
    fi
done

If the required services are not configured to use TCP Wrappers, this is a finding.

# ls /etc/hosts.deny
# ls /etc/hosts.allow

If these files are not found, this is a finding.

References:
SV-61093
V-48221
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 129 *******************************

QUESTION         : 130 of 148
TITLE            : CAT III, V-216394, SV-216394r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23301
RULE             : The system must prevent local applications from generating source-routed packets.
QUESTION_TEXT    : Determine the OS version you are currently securing.
# uname -v

Solaris 11, 11.1, 11.2, and 11.3 use IP Filter. To continue checking IP Filter, the IP Filter Management profile is required.

Check the system for an IPF rule blocking outgoing source-routed packets.

# ipfstat -o

Examine the list for rules such as: 
block out log quick from any to any with opt lsrr
block out log quick from any to any with opt ssrr

If the listed rules do not block both lsrr and ssrr options, this is a finding.

For Solaris 11.3 or newer that use Packet Filter, the Network Firewall Management rights profile is required.

Ensure that IP Options are not in use:
# pfctl -s rules | grep allow-opts

If any output is returned, this is a finding.

References:
V-48213
SV-61085
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 130 *******************************

QUESTION         : 131 of 148
TITLE            : CAT III, V-216395, SV-216395r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23501
RULE             : The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
QUESTION_TEXT    : Review the contents of these two files and check that the proper DoD banner message is configured.

# cat /etc/motd
# cat /etc/issue

If the DoD-approved banner text is not in the files, this is a finding.

References:
SV-61081
V-48209
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 131 *******************************

QUESTION         : 132 of 148
TITLE            : CAT III, V-216396, SV-216396r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23701
RULE             : The operating system must display the DoD approved system use notification message or banner for SSH connections.
QUESTION_TEXT    : Check SSH configuration for banner message:

# grep "^Banner" /etc/ssh/sshd_config

If the output is not:
Banner /etc/issue
and /etc/issue does not contain the approved banner text, this is a finding.

References:
V-48205
SV-61077
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 132 *******************************

QUESTION         : 133 of 148
TITLE            : CAT III, V-216397, SV-216397r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23901
RULE             : The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
QUESTION_TEXT    : This item does not apply if a graphical login is not configured.

Log in to the Gnome Graphical interface. If the approved banner message does not appear, this is a finding.

# cat /etc/issue

# grep zenity /etc/gdm/Init/Default

If /etc/issue does not contain the DoD-approved banner message or /etc/gdm/Init/Default does not contain the line:

/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message" --filename=/etc/issue

this is a finding.

References:
V-48203
SV-61075
CCI-000048
CCI-000050
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 133 *******************************

QUESTION         : 134 of 148
TITLE            : CAT III, V-216398, SV-216398r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24101
RULE             : The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
QUESTION_TEXT    : Determine if the FTP server package is installed:

# pkg list service/network/ftp 

If the package is not installed, this check does not apply.

# grep DisplayConnect /etc/proftpd.conf

If:

DisplayConnect /etc/issue

does not appear, this is a finding.

If /etc/issue does not contain the approved DoD text, this is a finding.

References:
V-48199
SV-61071
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 134 *******************************

QUESTION         : 135 of 148
TITLE            : CAT III, V-216413, SV-216413r958552, SRG-OS-000185
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25501
RULE             : The operating system must protect the confidentiality and integrity of information at rest.
QUESTION_TEXT    : Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list 

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem] 

If "encryption off" is listed, this is a finding.

References:
SV-61025
V-48153
CCI-001199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 135 *******************************

QUESTION         : 136 of 148
TITLE            : CAT III, V-216415, SV-216415r958576, SRG-OS-000216
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25701
RULE             : The operating system must use cryptographic mechanisms to protect the integrity of audit information.
QUESTION_TEXT    : The Audit Configuration and the Audit Control profiles are required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if audit log encryption is required by your organization. If not required, this check does not apply.

Determine where the audit logs are stored and whether the file system is encrypted.

# pfexec auditconfig -getplugin audit_binfile

The p_dir attribute lists the location of the audit log filesystem. 

The default location for Solaris 11.1 is /var/audit. /var/audit is a link to /var/share/audit which, by default, is mounted on rpool/VARSHARE.

Determine if this is encrypted:

# zfs get encryption rpool/VARSHARE

If the file system where audit logs are stored reports "encryption off", this is a finding.

References:
SV-61017
V-48145
CCI-001350
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 136 *******************************

QUESTION         : 137 of 148
TITLE            : CAT III, V-216424, SV-216424r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:27301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:27301
RULE             : All user accounts must be configured to use a home directory that exists.
QUESTION_TEXT    : The root role is required.

Check if a GUI is installed.

Determine the OS version you are currently securing:
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pkg info gdm
# pkg info coherence-26
# pkg info coherence-27

If none of these packages are installed on the system, then no GUI is present.
For Solaris 11.4 or newer:
# pkg info gdm

If gdm is not installed on the system, then no GUI is present.

# pkg info uucp

uucp is no longer installed by default starting in 11.4 and is deprecated. 

For all versions, check that all users' home directories exist.

# pwck

Accounts with no home directory will output "Login directory not found".

If no GUI is present, then the "gdm" and "upnp" accounts should generate errors. On all systems with the uucp package installed, the "uucp" and "nuucp" accounts should generate errors.

If users' home directories do not exist, this is a finding.

References:
SV-60977
V-48105
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 137 *******************************

QUESTION         : 138 of 148
TITLE            : CAT III, V-216435, SV-216435r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:29501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:29501
RULE             : All valid SUID/SGID files must be documented.
QUESTION_TEXT    : The root role is required.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -type f \( -perm -4000 -o \
-perm -2000 \) -print

Output should only be Solaris-provided files and approved customer files.

Solaris-provided SUID/SGID files can be listed using the command: 

# pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode

Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example:

# elfsign verify -e /usr/bin/su
elfsign: verification of /usr/bin/su passed.

This message indicates that the binary is properly signed.

If non-vendor provided or non-approved files are included in the list, this is a finding.
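
Comparing the find output against the vendor list and a site approval list by hand is error-prone; the POSIX sh helper below is an added example, not part of the STIG or of this SCC file. It assumes "pkg contents -o path" prints paths without a leading slash (e.g. "usr/bin/su"), that "-H" suppresses the pkg header, and it uses a hypothetical approval-list path that a site would replace.

```sh
#!/bin/sh
# Added helper for question 138 (not part of the STIG or the SCC file): reduces
# the find(1) listing of SUID/SGID files to those that are neither delivered by
# a Solaris package nor on a site-maintained approval list, which is exactly
# the set the check asks the reviewer to justify.

# normalize FILE : one path per line, leading slash stripped, blank lines
# dropped, sorted and de-duplicated so comm(1) can compare lists. The slash is
# stripped because "pkg contents -o path" prints paths relative to / (assumed,
# e.g. "usr/bin/su") while find prints absolute paths.
normalize() {
    sed -e 's#^/##' -e '/^[[:space:]]*$/d' "$1" | sort -u
}

# unexplained_suid FOUND VENDOR APPROVED : prints, with a leading slash, every
# path in FOUND that appears in neither VENDOR nor APPROVED.
#   FOUND    : output of the STIG's find command
#   VENDOR   : output of "pkg contents -H ... -o path" (vendor SUID/SGID files)
#   APPROVED : documented customer-approved files, one per line (may be empty)
unexplained_suid() {
    tmp=$(mktemp -d) || return 2
    normalize "$1" >"$tmp/found"
    { normalize "$2"; normalize "$3"; } | sort -u >"$tmp/known"
    comm -23 "$tmp/found" "$tmp/known" | sed 's#^#/#'
    rm -rf "$tmp"
}

# On a Solaris host, build the lists and print the unexplained files. The
# approval-list path is a hypothetical placeholder to be replaced locally.
if [ "$(uname -s)" = SunOS ] && command -v pkg >/dev/null 2>&1; then
    work=$(mktemp -d)
    find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs -o -fstype ctfs \
        -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune \
        -o -type f \( -perm -4000 -o -perm -2000 \) -print >"$work/found"
    pkg contents -H -a mode=4??? -a mode=2??? -t file -o path >"$work/vendor"
    approved=/etc/security/approved-suid.list   # hypothetical site file
    [ -f "$approved" ] || approved=/dev/null
    unexplained_suid "$work/found" "$work/vendor" "$approved"
    rm -rf "$work"
fi
```

Every path the helper prints is one the reviewer must either document as approved or treat as a finding; vendor files it accepts can still be checked with "elfsign verify -e" as the question describes.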

References:
V-48059
SV-60931
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 138 *******************************

QUESTION         : 139 of 148
TITLE            : CAT III, V-216437, SV-216437r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:29901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:29901
RULE             : The operating system must have no files with extended attributes.
QUESTION_TEXT    : The root role is required.

Identify all files with extended attributes.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -xattr -ls

If output is produced, this is a finding.

References:
V-48037
SV-60909
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 139 *******************************

QUESTION         : 140 of 148
TITLE            : CAT III, V-216444, SV-216444r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31101
RULE             : Address Space Layout Randomization (ASLR) must be enabled.
QUESTION_TEXT    : This check applies to the global zone only. 

Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if address space layout randomization is enabled.

Determine the OS version you are currently securing:
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# sxadm info -p | grep aslr | grep enabled

For Solaris 11.4 or newer:
# sxadm status -p -o status aslr | grep enabled 

If no output is produced, this is a finding.

References:
SV-60895
V-48023
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 140 *******************************

QUESTION         : 141 of 148
TITLE            : CAT III, V-216454, SV-216454r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33101
RULE             : The system must require passwords to change the boot device settings. (SPARC)
QUESTION_TEXT    : This check applies only to SPARC-based systems.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if the EEPROM security mode on SPARC-based systems is configured correctly.

# eeprom security-mode

If the output of this command is not "security-mode=command", this is a finding.

References:
SV-60875
V-48003
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 141 *******************************

QUESTION         : 142 of 148
TITLE            : CAT III, V-216460, SV-216460r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34101
RULE             : The system must not have any unnecessary accounts.
QUESTION_TEXT    : Check the system for unnecessary user accounts.

# getent passwd

Some examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.

References:
V-47979
SV-60851
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 142 *******************************

QUESTION         : 143 of 148
TITLE            : CAT III, V-216470, SV-216470r1099906, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35701
RULE             : All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
QUESTION_TEXT    : Ask the operators if they use vi, emacs, or gedit to make changes to system files.

If vi, emacs, or gedit are used to make changes to system files, this is a finding.

References:
SV-60809
V-47937
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 143 *******************************

QUESTION         : 144 of 148
TITLE            : CAT III, V-216474, SV-216474r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:36101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:36101
RULE             : The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check the ownership of the files and directories.

# pkg verify system/zones

The command should return no output. If output is produced, this is a finding.

References:
SV-60769
V-47897
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 144 *******************************

QUESTION         : 145 of 148
TITLE            : CAT III, V-216477, SV-216477r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:36701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:36701
RULE             : The audit system must identify in which zone an event occurred.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system.

# zoneadm list -vi | grep -v global

The Audit Configuration profile is required.

Determine whether the "zonename" auditing policy is in effect.

# pfexec auditconfig -getpolicy | grep active | grep zonename

If no output is returned, this is a finding.

References:
V-47839
SV-60713
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 145 *******************************

QUESTION         : 146 of 148
TITLE            : CAT III, V-216478, SV-216478r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:36901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:36901
RULE             : The audit system must maintain a central audit trail for all zones.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system.

# zoneadm list -vi | grep -v global

The Audit Configuration profile is required.

Determine whether the "perzone" auditing policy is in effect.

# pfexec auditconfig -getpolicy | grep active | grep perzone

If output is returned, this is a finding.

References:
V-47837
SV-60711
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 146 *******************************

QUESTION         : 147 of 148
TITLE            : CAT III, V-219982, SV-219982r958870, SRG-OS-000404
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41701
RULE             : The operating system must employ cryptographic mechanisms to protect information in storage.
QUESTION_TEXT    : Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list 

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem] 

If "encryption off" is listed, this is a finding.

References:
V-48155
SV-61027
CCI-002475
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 147 *******************************

QUESTION         : 148 of 148
TITLE            : CAT III, V-219983, SV-219983r958870, SRG-OS-000404
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41901
RULE             : The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
QUESTION_TEXT    : Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list 

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem] 

If "encryption off" is listed, this is a finding.

References:
SV-61021
V-48149
CCI-002475
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 148 *******************************

