################################################################################
DOCUMENT         : Solaris_11_SPARC_STIG
VERSION          : 003.004.016
CHECKSUM         : b224ab884a1013b85f062101a1a4ff65e6b188de599ed0057cd5e14416de4126
MANUAL QUESTIONS : 77

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 77
TITLE            : CAT I, V-216311, SV-216311r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10101
RULE             : X displays must not be exported to the world.
QUESTION_TEXT    : If X Windows is not used on the system, this is not applicable.

Check the output of the xhost command from an X terminal.

Procedure:
$ xhost
If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.

NOTE: It may be necessary to define the display if the command reports it cannot open the display. 

Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.

References:
SV-75493
V-61025
CCI-000225
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 77
TITLE            : CAT I, V-216456, SV-216456r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33501
RULE             : SNMP communities, users, and passphrases must be changed from the default.
QUESTION_TEXT    : The root role is required.

Check the SNMP configuration for default passwords.
Locate and examine the SNMP configuration.

Procedure:

Find any occurrences of the snmpd.conf file delivered with Solaris packages:

# pkg search -l -Ho path snmpd.conf | awk '{ print "/"$1 }'

# more [filename]

Identify any community names or user password configurations. If any community name or password is set to a default value, such as public, private, snmp-trap, or password, this is a finding.
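A scripted form of this check, added here as an example and not part of the STIG: it walks a Net-SNMP style snmpd.conf (the syntax assumed is Net-SNMP's rocommunity/rwcommunity/com2sec/trapsink/createUser directives) and reports every community string or USM passphrase that is still one of the well-known defaults. The sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG: scan a Net-SNMP style snmpd.conf for
# community strings and USM passphrases that still carry well-known defaults.
# Directive syntax assumed is Net-SNMP's (rocommunity, rwcommunity,
# rocommunity6, rwcommunity6, com2sec, trapcommunity, trapsink, trap2sink,
# informsink, createUser). The sample file below is constructed.

DEFAULT_STRINGS='public private snmp-trap password'

# snmp_defaults < snmpd.conf: print one line per default-valued secret,
# "DIRECTIVE VALUE" (or "createUser NAME auth:VALUE" / "priv:VALUE").
# Matching is case-insensitive; comments and blank lines are skipped.
snmp_defaults() {
    awk -v defaults="$DEFAULT_STRINGS" '
        BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) bad[tolower(d[i])] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        {
            kw = tolower($1); val = ""
            if (kw ~ /^r[ow]community6?$/ || kw == "trapcommunity") {
                val = $2                       # rocommunity COMMUNITY [SOURCE]
            } else if (kw == "com2sec") {
                val = $4                       # com2sec NAME SOURCE COMMUNITY
            } else if (kw ~ /^(trapsink|trap2sink|informsink)$/) {
                val = $3                       # trapsink HOST [COMMUNITY]
            } else if (kw == "createuser") {
                # createUser NAME MD5|SHA AUTHPASS [DES|AES PRIVPASS]
                if (tolower($3) ~ /^(md5|sha)/) {
                    if ((tolower($4) in bad)) print $1, $2, "auth:" $4
                    if (NF >= 6 && (tolower($6) in bad)) print $1, $2, "priv:" $6
                }
                next
            }
            if (val != "" && (tolower(val) in bad)) print $1, val
        }'
}

# snmp_finding < snmpd.conf: print the offending entries and return 1 if any
# default is present (a finding), 0 otherwise.
snmp_finding() {
    hits=$(snmp_defaults)
    [ -z "$hits" ] && return 0
    echo "$hits"
    return 1
}

# Constructed sample: defaults left in two community directives and a trap
# sink, plus a USM user whose auth and priv passphrases are both "password".
SAMPLE_SNMPD_CONF='# snmpd.conf (constructed sample)
rocommunity public 10.0.0.0/8
rwcommunity Xk9wQ2vLpT 127.0.0.1
com2sec notConfigUser default private
trapsink nms.example.com snmp-trap
createUser monitor SHA password AES password
createUser auditor SHA c0rrect-horse-battery AES st4ple-c0rrect'

printf '%s\n' "$SAMPLE_SNMPD_CONF" | snmp_finding || echo "FINDING: default SNMP secrets present"
```

On a real system feed it the files located by the pkg search in the procedure, e.g. `snmp_finding < /etc/net-snmp/snmp/snmpd.conf`; note that the list in DEFAULT_STRINGS is the STIG's minimum and a site will usually extend it with its own retired community names.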

References:
V-47995
SV-60867
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 77
TITLE            : CAT II, V-216277, SV-216277r958434, SRG-OS-000057
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:4301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:4301
RULE             : The operating system must protect audit information from unauthorized access.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the directory storing the audit files is owned by root and has permissions 750 or less.

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile

The output will appear in this form:

Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

The p_dir attribute defines the location of the audit directory. List that directory (by default /var/audit, which resolves to /var/share/audit):
# ls -ld /var/share/audit

Check that the audit directory is owned by root, group is root, and permissions are 750 (rwxr-x---) or less permissive. If the permissions are excessive, this is a finding.

References:
V-47869
SV-60741
CCI-000162
CCI-000163
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 77
TITLE            : CAT II, V-216297, SV-216297r958478, SRG-OS-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:7501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:7501
RULE             : The operating system must be configured to provide essential capabilities.
QUESTION_TEXT    : Identify the packages installed on the system. 

# pkg list

Any unauthorized software packages listed in the output are a finding.

References:
V-47925
SV-60797
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 77
TITLE            : CAT II, V-216304, SV-216304r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:8701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:8701
RULE             : Run control scripts must not execute world writable programs or scripts.
QUESTION_TEXT    : Check the permissions on the files or scripts executed from system startup scripts to see if they are world writable.

Create a list of all potential run command level scripts.

# ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "

Create a list of world writable files.

# find / -perm -002 -type f >> WorldWritableFileList

Determine if any of the world writeable files in "WorldWritableFileList" are called from the run command level scripts.

Note: Depending upon the number of scripts vs. world writable files, it may be easier to inspect the scripts manually.

# more `ls -l /etc/init.d/* /etc/rc* | tr '\011' ' ' | tr -s ' ' | cut -f 9,9 -d " "`

If any system startup script executes any file or script that is world writable, this is a finding.
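The cross-check between the two lists can be automated. The script below is an added example, not part of the STIG: it takes a root directory as a parameter so it can be run against a real system (ROOT=/) or against the constructed throwaway tree that make_demo_tree builds under mktemp (an assumption of the demonstration, not a real layout). It lists world-writable regular files under the root, then greps every run control script for those paths.

```shell
#!/bin/sh
# Added example, not part of the STIG: automate the cross-check above by
# listing world-writable regular files under a root and grepping each
# startup script for their paths. ROOT is a parameter so the same function
# runs on a real system (ROOT=/) or on the constructed tree built by
# make_demo_tree (assumption: a throwaway layout under mktemp). Paths
# containing whitespace are not handled (the lists are word-split).

# ww_list ROOT: world-writable regular files under ROOT, printed as the
# absolute path a script inside that tree would use (leading "." stripped).
ww_list() {
    ( cd "$1" && find . -type f -perm -002 -print 2>/dev/null ) | sed 's|^\.||'
}

# startup_scripts ROOT: the run control scripts, i.e. every regular file under
# ROOT/etc/init.d and ROOT/etc/rc* (the rcN.d directories included).
startup_scripts() {
    ( cd "$1" && find ./etc/init.d ./etc/rc* -type f -print 2>/dev/null ) | sed 's|^\.||'
}

# check_startup_ww ROOT: print "SCRIPT -> FILE" for each world-writable file
# referenced by a startup script; return 1 if any were found (a finding).
check_startup_ww() {
    root=$1
    found=0
    ww=$(ww_list "$root")
    [ -z "$ww" ] && return 0
    for script in $(startup_scripts "$root"); do
        for f in $ww; do
            if grep -qF -- "$f" "$root$script"; then
                echo "$script -> $f"
                found=1
            fi
        done
    done
    return $found
}

# make_demo_tree: constructed tree (not a real system). /etc/init.d/myapp
# executes a world-writable helper; /etc/rc2.d/S99ok executes a 755 one.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/init.d" "$t/etc/rc2.d" "$t/usr/local/bin"
    printf '#!/bin/sh\necho helper\n' > "$t/usr/local/bin/helper"
    printf '#!/bin/sh\necho safe\n'   > "$t/usr/local/bin/safe"
    chmod 0777 "$t/usr/local/bin/helper"
    chmod 0755 "$t/usr/local/bin/safe"
    printf '#!/bin/sh\n/usr/local/bin/helper start\n' > "$t/etc/init.d/myapp"
    printf '#!/bin/sh\n/usr/local/bin/safe start\n'   > "$t/etc/rc2.d/S99ok"
    echo "$t"
}

demo=$(make_demo_tree)
if check_startup_ww "$demo"; then
    echo "no world-writable programs executed from startup scripts"
else
    echo "FINDING: startup script executes a world-writable program"
fi
rm -rf "$demo"
```

On a live system `check_startup_ww /` is the whole check; the path-string match is deliberately simple (a script that builds the path from variables will not be caught), which is why the STIG still says manual inspection may be easier when the script count is small.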

References:
SV-74267
V-59837
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 77
TITLE            : CAT II, V-216307, SV-216307r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:9301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:9301
RULE             : System start-up files must only execute programs owned by a privileged UID or an application.
QUESTION_TEXT    : Determine the programs executed by system start-up files.  Determine the ownership of the executed programs. 

# cat /etc/rc* /etc/init.d/* | more

Check the ownership of every program executed by the system start-up files.

# ls -l <executed program>

If any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.

References:
V-59843
SV-74273
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 77
TITLE            : CAT II, V-216308, SV-216308r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:9501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:9501
RULE             : Any X Windows host must write .Xauthority files.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running.
Procedure:
# ps -ef | grep xdm

Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X.

Procedure:
# cd ~someuser
# ls -la .Xauthority

If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

References:
SV-75471
V-61003
CCI-000297
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 77
TITLE            : CAT II, V-216310, SV-216310r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:9901
RULE             : The .Xauthority files must not have extended ACLs.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running. 

Procedure:
# ps -ef | grep xdm

Check the file permissions for each X user's .Xauthority file (run in that user's home directory):
# ls -lL .Xauthority

If the permissions include a "+", the file has an extended ACL and this is a finding.

References:
V-61023
SV-75491
CCI-000225
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 77
TITLE            : CAT II, V-216312, SV-216312r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10301
RULE             : .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running. 

Procedure:
# ps -ef | grep xdm

Determine if xauth is being used. 

Procedure:
# xauth 
xauth> list

If the above command sequence does not show any host other than the localhost, then xauth is not being used.

Search the system for an X*.hosts files, where * is a display number that may be used to limit X window connections. 

If no files are found, X*.hosts files are not being used. 

If the X*.hosts files contain any unauthorized hosts, this is a finding.

If both xauth and X*.hosts files are not being used, this is a finding.

References:
SV-75495
V-61027
CCI-000297
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 77
TITLE            : CAT II, V-216313, SV-216313r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10501
RULE             : The .Xauthority utility must only permit access to authorized hosts.
QUESTION_TEXT    : If X Display Manager (XDM) is not used on the system, this is not applicable.

Determine if XDM is running. 

Procedure:
# ps -ef | grep xdm

Check the X Window system access is limited to authorized clients. 

Procedure:
# xauth 
xauth> list

Ask the SA if the clients listed are authorized. 

If any are not, this is a finding. 

References:
SV-75497
V-61029
CCI-000366
CCI-000225
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 77
TITLE            : CAT II, V-216314, SV-216314r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10701
RULE             : X Window System connections that are not required must be disabled.
QUESTION_TEXT    : Determine if the X Window system is running.

Procedure:
# ps -ef | grep X

Ask the SA if the X Window system is an operational requirement. If it is not, this is a finding.

References:
SV-75499
V-61031
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 77
TITLE            : CAT II, V-216315, SV-216315r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:10901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:10901
RULE             : The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode.
QUESTION_TEXT    : Determine if the X11 server system is providing remote services on the network.

# svcprop -p options/tcp_listen svc:/application/x11/x11-server

If the output of the command is "true" and network access to graphical user login is not required, this is a finding.

References:
SV-60801
V-47929
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 77
TITLE            : CAT II, V-216344, SV-216344r1016278, SRG-OS-000003
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:15901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:15901
RULE             : User accounts must be locked after 35 days of inactivity.
QUESTION_TEXT    : Determine whether the 35-day inactivity lock is configured properly.

# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'

If the command returns a result other than 35, this is a finding.

The root role is required for the "logins" command.

For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.

# logins -axo -l [username] | awk -F: '{ print $13 }'


If these commands provide output other than 35, this is a finding.
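The same evaluation in script form, added here as an example and not part of the STIG. It assumes the "logins -axo" layout the check relies on (14 colon-separated fields with the inactivity value in field 13) and that "useradd -D" prints its defaults as space-separated key=value pairs on one line; both sample outputs are constructed, not captured from a system.

```shell
#!/bin/sh
# Added example, not part of the STIG: evaluate the 35-day inactivity rule
# against "useradd -D" and "logins -axo" output. Field layout assumed for
# "logins -axo" (14 colon-separated fields, inactivity in field 13, as the
# check above uses):
#   login:uid:group:gid:comment:home:shell:pwstat:lastchg:min:max:warn:inactive:expire
# Both samples below are constructed, not captured from a system.

# useradd_default_inactive < "useradd -D" output: print the inactive= default.
# (useradd -D is assumed to print space-separated key=value pairs on one line.)
useradd_default_inactive() {
    tr ' ' '\n' | awk -F= '$1 == "inactive" { print $2 }'
}

# noncompliant_inactive DAYS < "logins -axo" output: print "login:value" for
# every account or role whose inactivity setting is not exactly DAYS.
# -1 or an empty value means inactivity locking is off for that account.
noncompliant_inactive() {
    awk -F: -v want="$1" '
        $13 != want { print $1 ":" ($13 == "" ? "unset" : $13) }'
}

# inactivity_finding DAYS USERADD_OUTPUT LOGINS_OUTPUT: print findings and
# return 1 if either the default or any account deviates from DAYS.
inactivity_finding() {
    days=$1; rc=0
    def=$(printf '%s\n' "$2" | useradd_default_inactive)
    if [ "$def" != "$days" ]; then
        echo "default inactive=${def:-unset} (expected $days)"; rc=1
    fi
    bad=$(printf '%s\n' "$3" | noncompliant_inactive "$days")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/account /'; rc=1
    fi
    return $rc
}

# Constructed "useradd -D" output: the default is still 0 (no inactivity lock).
SAMPLE_USERADD='group=staff,10  project=default,3  basedir=/export/home  skel=/etc/skel  shell=/usr/bin/bash  inactive=0  expire=  auths=  profiles=  roles=  limitpriv=  defaultpriv=  lock_after_retries='

# Constructed "logins -axo" output: two compliant entries (a user and a role),
# one with locking disabled (-1), one set to 90 days.
SAMPLE_LOGINS='root:0:root:0:Super-User:/root:/usr/bin/bash:PS:011324:7:56:7:35:
jsmith:101:staff:10:Jane Smith:/export/home/jsmith:/usr/bin/bash:PS:020124:7:56:7:-1:
svc_app:102:staff:10:App Role:/export/home/svc_app:/usr/bin/pfbash:PS:020124:7:56:7:35:
tjones:103:staff:10:Tom Jones:/export/home/tjones:/usr/bin/bash:PS:030124:7:56:7:90:'

inactivity_finding 35 "$SAMPLE_USERADD" "$SAMPLE_LOGINS" || echo "FINDING"
```

On a live system the two inputs are `useradd -D` and `logins -axo` (run as root) with no per-user loop needed, since `logins -axo` without -l lists every user and role in one pass.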

References:
V-48079
SV-60951
CCI-000017
CCI-003627
CCI-003628
CCI-000795
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 77
TITLE            : CAT II, V-216348, SV-216348r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:16301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:16301
RULE             : Access to a domain console via telnet must be restricted to the local host.
QUESTION_TEXT    : This action applies only to the control domain. 

Determine the domain that you are currently securing.

# virtinfo 
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.

If the current domain is not the control domain, this check does not apply.

Determine if vntsd is in use.

# svcs vntsd
STATE          STIME    FMRI
online         Oct_08   svc:/ldoms/vntsd:default

If the state is not "online", this is not applicable.

Determine if a role has been created for domain console access.

# grep solaris.vntsd.consoles /etc/user_attr
rolename::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role

If a role for "vntsd.consoles" is not established, this is a finding.

References:
V-71495
SV-86119
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 77
TITLE            : CAT II, V-216349, SV-216349r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:16501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:16501
RULE             : Access to a logical domain console must be restricted to authorized users.
QUESTION_TEXT    : The root role is required. This action applies only to the control domain. 

Determine the domain that you are currently securing.

# virtinfo 
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.

If the current domain is not the control domain, this check does not apply.

Determine if the vntsd service is online.

# pfexec svcs vntsd

If the service is not "online", this is not applicable.

Check the status of the vntsd authorization property.

# svcprop -p vntsd/authorization vntsd

If the state is not true, this is a finding.

References:
SV-86121
V-71497
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 77
TITLE            : CAT II, V-216360, SV-216360r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:18701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:18701
RULE             : Unauthorized use of the at or cron capabilities must not be permitted.
QUESTION_TEXT    : Check that "at" and "cron" users are configured correctly.

# ls /etc/cron.d/cron.deny

If cron.deny exists, this is a finding.

# ls /etc/cron.d/at.deny

If at.deny exists, this is a finding.

# cat /etc/cron.d/cron.allow

cron.allow must contain a single entry, "root", unless the cron.allow file has been removed because at/cron access is controlled through RBAC authorizations.

If any account other than root is listed and it is not properly documented with the IA staff, this is a finding.

# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'

at.allow must be empty (the output must be 0) unless the at.allow file has been removed because access is controlled through RBAC. If the output is non-zero, this is a finding.
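The decision rules above as a script, added here as an example and not part of the STIG. The directory is a parameter so the function runs on /etc/cron.d or on the constructed layout that make_demo_crond builds under mktemp (an assumption of the demonstration); accounts documented with the IA staff are passed as a space-separated list, and an absent allow file is treated as the RBAC case.

```shell
#!/bin/sh
# Added example, not part of the STIG: apply the at/cron access-file rules
# above to a directory laid out like /etc/cron.d. DIR is a parameter so the
# function runs on /etc/cron.d or on the constructed layout built by
# make_demo_crond (assumption: a throwaway directory under mktemp).
# Users documented with the IA staff are passed as a space-separated list.

# cron_access_findings DIR [DOCUMENTED_USERS]: print one line per finding.
# Absent cron.allow / at.allow files are accepted (RBAC-controlled access).
cron_access_findings() {
    dir=$1; documented=" ${2:-} "
    [ -e "$dir/cron.deny" ] && echo "cron.deny exists"
    [ -e "$dir/at.deny" ]   && echo "at.deny exists"
    if [ -e "$dir/cron.allow" ]; then
        while read -r u; do
            [ -z "$u" ] && continue
            [ "$u" = root ] && continue
            case "$documented" in
                *" $u "*) ;;
                *) echo "cron.allow: undocumented user $u" ;;
            esac
        done < "$dir/cron.allow"
    fi
    if [ -e "$dir/at.allow" ]; then
        n=$(wc -l < "$dir/at.allow" | tr -d ' ')
        [ "$n" -ne 0 ] && echo "at.allow has $n entries (expected 0)"
    fi
    return 0
}

# cron_access_ok DIR [DOCUMENTED_USERS]: return 0 if there are no findings.
cron_access_ok() {
    [ -z "$(cron_access_findings "$@")" ]
}

# make_demo_crond: constructed layout with three problems: an at.deny file,
# an undocumented cron.allow user, and a non-empty at.allow.
make_demo_crond() {
    t=$(mktemp -d)
    printf 'root\noracle\nbob\n' > "$t/cron.allow"
    printf 'oracle\n'            > "$t/at.allow"
    printf 'guest\n'             > "$t/at.deny"
    echo "$t"
}

demo=$(make_demo_crond)
echo "before remediation (oracle is documented):"
cron_access_findings "$demo" oracle
# Remediation: drop the deny file, restrict cron.allow to root, empty at.allow.
rm -f "$demo/at.deny"
printf 'root\n' > "$demo/cron.allow"
: > "$demo/at.allow"
echo "after remediation:"
cron_access_ok "$demo" && echo "no findings"
rm -rf "$demo"
```

Running `cron_access_findings /etc/cron.d "oracle backup"` on a live system reproduces the four manual steps in one pass and leaves the documentation question (which users are approved) where it belongs, in the argument list.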

References:
SV-60997
V-48125
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 77
TITLE            : CAT II, V-216363, SV-216363r1016279, SRG-OS-000030
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:19301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:19301
RULE             : The operating system must provide the capability for users to directly initiate session lock mechanisms.
QUESTION_TEXT    : Determine whether the lock screen function works correctly.

For Solaris 11, 11.1, 11.2, and 11.3:
In the GNOME 2 desktop System >> Lock Screen.

For Solaris 11.4 or newer:
In the GNOME 3 desktop Status Menu (top right corner) >> Lock Icon, check that the screen locks and displays the "password" prompt.

Check that "Disable Screensaver" is not selected in the GNOME Screensaver preferences. 

If the screen does not lock or the "Disable Screensaver" option is selected, this is a finding.

References:
V-48135
SV-61007
CCI-000057
CCI-000058
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 77
TITLE            : CAT II, V-216366, SV-216366r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:19901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:19901
RULE             : The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
QUESTION_TEXT    : Determine if the "RestrictOutbound" profile is configured properly:

# profiles -p RestrictOutbound info

If the output is not:
name=RestrictOutbound
desc=Restrict Outbound Connections
limitpriv=zone,!net_access

this is a finding.


For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile.

# profiles -l [username]

If the output does not include:

[username]:
RestrictOutbound

this is a finding.

References:
SV-61019
V-48147
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 77
TITLE            : CAT II, V-216400, SV-216400r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24501
RULE             : The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.
QUESTION_TEXT    : Determine the zone that you are currently securing.

# zonename

If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require inspection. If using a non-global zone, then all "phys" and "SR-IOV" interfaces assigned to that zone require inspection.

Identify if this system has physical interfaces. 

# dladm show-link -Z | grep -v vnic 
LINK                ZONE      CLASS     MTU    STATE    OVER
net0                global    phys      1500   unknown  --
e1000g0             global    phys      1500   up       --
e1000g1             global    phys      1500   up       --
zoneD/net2          zoneD     iptun     65515  up       --

If "phys" appears in the third column, then the interface is physical.   

For each physical interface, determine if the network interface is Ethernet or InfiniBand:

# dladm show-phys [interface name]
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
[name]            Ethernet             unknown    0      half      dnet0

The second column indicates either "Ethernet" or "Infiniband".

For each physical interface, determine if the host is using ip-forwarding:

# ipadm show-ifprop [interface name] | grep forwarding
[name]      forwarding      ipv4  rw   off        --         off        on,off
[name]      forwarding      ipv6  rw   off        --         off        on,off

If "on" appears in the fifth column, then the interface is using ip-forwarding.

For each interface, determine if the host is using SR-IOV’s Virtual Function (VF) driver:

# dladm show-phys [interface name] | grep vf

If the sixth column includes 'vf' in its name, it is using SR-IOV (ex: ixgbevf0).

For each physical and SR-IOV interface, determine if network link protection capabilities are enabled.

# dladm show-linkprop -p protection
LINK    PROPERTY    PERM   VALUE         DEFAULT   POSSIBLE
net0    protection  rw     mac-nospoof,  --        mac-nospoof,
                           restricted,             restricted,
                           ip-nospoof,             ip-nospoof,
                           dhcp-nospoof            dhcp-nospoof

If the interface uses Infiniband and any of restricted, ip-nospoof, or dhcp-nospoof is missing from the "VALUE" column, this is a finding.

If the interface uses ip-forwarding and any of mac-nospoof, restricted, or dhcp-nospoof is missing from the "VALUE" column, this is a finding.

If the interface uses SR-IOV and any of mac-nospoof, restricted, or dhcp-nospoof is missing from the "VALUE" column, this is a finding.

If the interface uses Ethernet without IP forwarding and any of mac-nospoof, restricted, ip-nospoof, or dhcp-nospoof is missing from the "VALUE" column, this is a finding.
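The four interface classes and their required protections, encoded as a script so the check can be run over every link at once. This is an added example, not part of the STIG. It assumes the protection values come from the parsable form of the command in the check ("dladm show-linkprop -c -o link,value -p protection", printing LINK:VALUE with a comma-separated VALUE and an empty VALUE when nothing is set) and that an inventory of link, media, forwarding and SR-IOV state has already been gathered with the earlier steps; both inputs below are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: encode the four interface classes from
# the check above and test each link's "protection" value against them.
# The protection input is assumed to be the parsable form of the command in
# the check, "dladm show-linkprop -c -o link,value -p protection", which
# prints LINK:VALUE with VALUE as a comma-separated list and an empty VALUE
# when nothing is set (assumption). "Missing" is read as: any required
# protection absent from VALUE. Both inputs below are constructed.

# required_protection MEDIA FORWARDING SRIOV: print the protections the
# check requires for this interface class, comma-separated.
#   MEDIA      Ethernet | Infiniband   (dladm show-phys MEDIA column)
#   FORWARDING on | off                (ipadm show-ifprop forwarding)
#   SRIOV      yes | no                (device name contains "vf")
required_protection() {
    case "$1:$2:$3" in
        Infiniband:*)                 echo "restricted,ip-nospoof,dhcp-nospoof" ;;
        Ethernet:on:*|Ethernet:*:yes) echo "mac-nospoof,restricted,dhcp-nospoof" ;;
        Ethernet:off:no)              echo "mac-nospoof,restricted,ip-nospoof,dhcp-nospoof" ;;
        *) echo "unknown interface class $1/$2/$3" >&2; return 2 ;;
    esac
}

# missing_protection REQUIRED VALUE: print the entries of REQUIRED (comma
# list) that do not occur in VALUE (comma list); empty output means compliant.
missing_protection() {
    have=",$2,"; missing=""
    old_ifs=$IFS; IFS=,
    for p in $1; do
        case "$have" in
            *",$p,"*) ;;
            *) missing="$missing${missing:+,}$p" ;;
        esac
    done
    IFS=$old_ifs
    echo "$missing"
}

# check_protection INVENTORY PROTECTION: INVENTORY has one "LINK MEDIA
# FORWARDING SRIOV" line per interface (collected with the dladm/ipadm steps
# of the check); PROTECTION is the LINK:VALUE list. Prints one line per
# noncompliant link.
check_protection() {
    printf '%s\n' "$1" | while read -r link media fwd sriov; do
        [ -z "$link" ] && continue
        value=$(printf '%s\n' "$2" | awk -F: -v l="$link" '$1 == l { print $2 }')
        req=$(required_protection "$media" "$fwd" "$sriov") || continue
        miss=$(missing_protection "$req" "$value")
        [ -n "$miss" ] && echo "$link: missing $miss"
    done
}

# Constructed inputs: a plain Ethernet link (compliant), a forwarding link
# missing dhcp-nospoof, a compliant InfiniBand link, and an SR-IOV VF with
# no protection set at all.
INVENTORY='net0 Ethernet off no
net1 Ethernet on no
net2 Infiniband off no
net3 Ethernet off yes'

PROTECTION='net0:mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
net1:mac-nospoof,restricted
net2:restricted,ip-nospoof,dhcp-nospoof
net3:'

findings=$(check_protection "$INVENTORY" "$PROTECTION")
if [ -n "$findings" ]; then
    echo "FINDING:"; echo "$findings"
else
    echo "all links compliant"
fi
```

The class table in required_protection is the only part that carries policy: forwarding hosts and SR-IOV VFs are exempted from ip-nospoof because they legitimately emit packets with other source addresses, and InfiniBand links are exempted from mac-nospoof because the property does not apply to that media.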

References:
V-48191
SV-61063
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 77
TITLE            : CAT II, V-216401, SV-216401r958358, SRG-OS-000481
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24701
RULE             : Wireless network adapters must be disabled.
QUESTION_TEXT    : This is N/A for systems that do not have wireless network adapters.

Verify that there are no wireless interfaces configured on the system. On Solaris 11 the MEDIA column of "dladm show-phys" identifies wireless adapters ("WiFi"); "ifconfig -a" (or "ipadm show-addr") shows which links have been plumbed and given an address. The output below is illustrative only:

# dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         1000   full      e1000g0
net1              WiFi                 down       0      unknown   iwh0

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
net0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 192.168.2.100 netmask ffffff00 broadcast 192.168.2.255
        ether b8:ac:6f:65:31:e5

Any link whose MEDIA is "WiFi", or any plumbed interface backed by a wireless driver, is a wireless interface.


If a wireless interface is configured, it must be documented and approved by the local Authorizing Official.

If a wireless interface is configured and has not been documented and approved, this is a finding.


References:
V-72827
SV-87479
CCI-002418
CCI-001443
CCI-001444
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 77
TITLE            : CAT II, V-216410, SV-216410r958408, SRG-OS-000033
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25101
RULE             : The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
QUESTION_TEXT    : Check the SSH daemon configuration for allowed ciphers.
 
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'
Ciphers  aes256-ctr,aes192-ctr,aes128-ctr 
 
If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or is commented out, this is a finding.
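The check as a script, with a weak configuration beside the corrected one. This is an added example, not part of the STIG. One caveat the grep in the procedure does not capture: sshd honours the first active occurrence of a keyword and ignores later duplicates, so a compliant "Ciphers" line placed below a non-compliant one is inert; the function therefore evaluates the first uncommented match. Match blocks are not special-cased (the assumption is that the STIG is concerned with the global setting), and both configurations are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: evaluate an sshd_config against the
# cipher list required above. sshd uses the FIRST active occurrence of a
# keyword (later duplicates are ignored), so the check reads the first
# uncommented Ciphers line, not the last; the keyword is matched
# case-insensitively. Match blocks are not special-cased (assumption: the
# STIG is concerned with the global setting). Both configs are constructed.

REQUIRED_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr'

# effective_ciphers < sshd_config: print the value of the first active
# Ciphers line, or nothing if the keyword is absent or commented out.
effective_ciphers() {
    awk 'tolower($1) == "ciphers" {
             sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
         }'
}

# ciphers_finding < sshd_config: print the verdict; return 0 only if the
# effective list is exactly REQUIRED_CIPHERS in that order.
ciphers_finding() {
    got=$(effective_ciphers)
    if [ "$got" = "$REQUIRED_CIPHERS" ]; then
        echo "not a finding: Ciphers $got"; return 0
    elif [ -z "$got" ]; then
        echo "finding: no active Ciphers keyword (sshd's built-in default list applies)"; return 1
    else
        echo "finding: effective Ciphers $got"; return 1
    fi
}

# Weak config: the commented line and the compliant line at the bottom are
# both inert; the lowercase "ciphers" line is the one sshd honours, and it
# allows CBC and 3DES.
WEAK_CONFIG='# sshd_config (constructed)
#Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Protocol 2
ciphers aes128-cbc,3des-cbc,aes256-ctr
Ciphers aes256-ctr,aes192-ctr,aes128-ctr'

# Corrected config: a single active Ciphers line with the required list.
FIXED_CONFIG='# sshd_config (constructed)
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr'

printf '%s\n' "$WEAK_CONFIG"  | ciphers_finding
printf '%s\n' "$FIXED_CONFIG" | ciphers_finding
```

On a live system run `ciphers_finding < /etc/ssh/sshd_config`; if it reports a list you did not expect, `grep -in ciphers /etc/ssh/sshd_config` will show the earlier line that is shadowing the one you edited.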

References:
V-48159
SV-61031
CCI-000068
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 77
TITLE            : CAT II, V-216411, SV-216411r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25301
RULE             : The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the logical node of all attached removable media:

# rmformat

This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0

Determine which zpool is mapped to the device:

# zpool status

Determine the file system names of the portable digital media:

# zfs list | grep [poolname]

Using the file system name, determine if the removable media is encrypted:

# zfs get encryption [filesystem] 

If "encryption off" is listed, this is a finding.

References:
V-48157
SV-61029
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 77
TITLE            : CAT II, V-216417, SV-216417r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25901
RULE             : The sticky bit must be set on all world writable directories.
QUESTION_TEXT    : The root role is required.

Identify all world-writable directories without the "sticky bit" set.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
   -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
   -o -fstype proc \) -prune -o -type d \( -perm -0002 \
   -a ! -perm -1000 \) -ls

Output of this command identifies world-writable directories without the "sticky bit" set.  If output is created, this is a finding.

References:
V-48137
SV-61009
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 77
TITLE            : CAT II, V-216419, SV-216419r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:26301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:26301
RULE             : Permissions on user . (hidden) files must be 750 or less permissive.
QUESTION_TEXT    : The root role is required.

Ensure that the permissions on user "." files are 750 or less permissive.

# for dir in \
`logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
find ${dir}/.[A-Za-z0-9]* \! -type l \
\( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 \) -ls
done

If output is produced, this is a finding.
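The find(1) predicates in questions 23 and 24 are the whole check, so it is worth seeing them produce and then clear a finding. The script below is an added example, not part of the STIG text: it builds a constructed scratch tree in a temporary directory (a world-writable directory with and without the sticky bit, and a user's dot files at several modes), runs the same predicates over it, and applies the sticky-bit remediation. It needs no root role. The real checks also prune nfs, proc and the other pseudo file systems, which this scratch tree does not contain.

```shell
#!/bin/sh
# Added example, not from the STIG: exercise the question 23 and 24 find(1)
# predicates on a constructed scratch tree.

# ww_dirs_without_sticky ROOT: print world-writable directories under ROOT
# that lack the sticky bit. Every line printed is a finding.
ww_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# fix_sticky ROOT: remediation, add the sticky bit to every such directory.
fix_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}

# lax_dotfiles HOME: print "." entries under HOME (recursing into dot
# directories, as the STIG loop does) whose mode exceeds 750: any "other"
# bit (0001/0002/0004) or group write (0020). Symbolic links are skipped.
lax_dotfiles() {
    find "$1"/.[A-Za-z0-9]* ! -type l \
        \( -perm -0001 -o -perm -0002 -o -perm -0004 -o -perm -0020 \) \
        -print 2>/dev/null
}

count_ww_findings()      { ww_dirs_without_sticky "$1" | grep -c .; }
count_dotfile_findings() { lax_dotfiles "$1" | grep -c .; }

# Constructed scratch tree. Every mode that matters is set explicitly, so the
# caller's umask does not influence the result.
scratch=$(mktemp -d)
home="$scratch/home/alice"
mkdir -p "$scratch/tmp_ok" "$scratch/drop_bad" "$home/.ssh"
chmod 1777 "$scratch/tmp_ok"          # world-writable with sticky bit: fine
chmod 0777 "$scratch/drop_bad"        # world-writable, no sticky bit: finding
touch "$home/.profile" "$home/.bashrc" "$home/.ssh/authorized_keys"
chmod 0644 "$home/.profile"           # o+r: finding
chmod 0750 "$home/.bashrc"            # exactly 750: fine
chmod 0700 "$home/.ssh"
chmod 0600 "$home/.ssh/authorized_keys"
ln -s /etc/passwd "$home/.link"       # symlink: excluded by ! -type l

echo "world-writable directories without sticky bit: $(count_ww_findings "$scratch")"
ww_dirs_without_sticky "$scratch"
echo "dot files more permissive than 750: $(count_dotfile_findings "$home")"
lax_dotfiles "$home"
```

Running fix_sticky on the scratch root clears the first finding; the dot-file finding is cleared by chmod 750 (or tighter) on the listed file.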

References:
SV-61001
V-48129
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 77
TITLE            : CAT II, V-216425, SV-216425r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:27501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:27501
RULE             : All home directories must be owned by the respective user assigned to it in /etc/passwd.
QUESTION_TEXT    : The root role is required.

Check that home directories are owned by the correct user.

# logins -uxo | while IFS=: read user uid group gid gecos home rest; do
    result=$(find "${home}" -type d -prune \! -user "${user}" -print 2>/dev/null)
    if [ -n "${result}" ]; then
        printf 'User: %s\tOwner: %s\n' "${user}" "$(ls -ld "${home}" | awk '{ print $3 }')"
    fi
done

If any output is produced, this is a finding.

References:
V-48097
SV-60969
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 77
TITLE            : CAT II, V-216441, SV-216441r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:30501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:30501
RULE             : The operator must document all file system objects that have non-standard access control list settings.
QUESTION_TEXT    : The root role is required.

Identify all file system objects that have non-standard access control lists enabled.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -acl -ls

This command should return no output. If output is created, this is a finding.

If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.

References:
V-48029
SV-60901
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 77
TITLE            : CAT II, V-216443, SV-216443r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:30901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:30901
RULE             : The system must implement non-executable program stacks.
QUESTION_TEXT    : Determine the OS version you are currently securing.

# uname -v

If the OS version is 11.3 or newer, this check applies to all zones and relies on the "sxadm" command. Determine if the system implements non-executable program stacks.

# sxadm status -p nxstack | cut -d: -f2
enabled.all

If the command output is not "enabled.all", this is a finding.

For Solaris 11, 11.1, and 11.2, this check applies to the global zone only and the "/etc/system" file is inspected. Determine the zone that you are currently securing.

# zonename

If the command output is "global", determine if the system implements non-executable program stacks. 

# grep noexec_user_stack /etc/system

If the file does not contain an active line "set noexec_user_stack=1", this is a finding. Lines beginning with "*" are comments in /etc/system, so a commented-out setting matched by the grep does not satisfy this check.
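Because the check branches on the OS version, the zone, and two different sources of truth, it is easy to apply the wrong branch. The script below is an added example, not part of the STIG text, that encodes the decision: it takes the output of "uname -v", "zonename", "sxadm status -p nxstack" and the contents of /etc/system as strings, so it can be tested against constructed samples. The sample sxadm line "nxstack:enabled.all" is constructed from the STIG's description of the second colon-separated field; only that field is examined.

```shell
#!/bin/sh
# Added example, not from the STIG: decide the question 27 (non-executable
# stack) check for a given release, zone, sxadm output and /etc/system text.

# uses_sxadm UNAME_V_OUTPUT: 0 when the release is 11.3 or newer, so the
# sxadm check applies (to every zone); 1 for 11, 11.1 and 11.2.
uses_sxadm() {
    case $1 in
        11.[3-9]*|11.[1-9][0-9]*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# nxstack_ok_sxadm SXADM_OUTPUT: 0 when field 2 of the parsable output of
# "sxadm status -p nxstack" is "enabled.all".
nxstack_ok_sxadm() {
    state=$(printf '%s\n' "$1" | cut -d: -f2)
    [ "$state" = "enabled.all" ]
}

# nxstack_ok_system ETC_SYSTEM_TEXT: 0 when an active (not "*"-commented)
# "set noexec_user_stack=1" line is present.
nxstack_ok_system() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*\*' \
        | grep -q '^[[:space:]]*set[[:space:]][[:space:]]*noexec_user_stack[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# nxstack_check UNAME_V ZONENAME SXADM_OUTPUT ETC_SYSTEM_TEXT
# Returns 0 for "not a finding" (or not applicable), 1 for a finding.
nxstack_check() {
    release=$1; zone=$2; sxadm_out=$3; etc_system=$4
    if uses_sxadm "$release"; then
        if nxstack_ok_sxadm "$sxadm_out"; then
            echo "OK: release $release, zone $zone: nxstack enabled.all"
            return 0
        fi
        echo "FINDING: release $release, zone $zone: sxadm reports nxstack '$(printf '%s\n' "$sxadm_out" | cut -d: -f2)'"
        return 1
    fi
    if [ "$zone" != global ]; then
        echo "Not applicable: release $release, /etc/system check applies to the global zone only (zone $zone)"
        return 0
    fi
    if nxstack_ok_system "$etc_system"; then
        echo "OK: release $release, global zone: active noexec_user_stack=1 in /etc/system"
        return 0
    fi
    echo "FINDING: release $release, global zone: no active 'set noexec_user_stack=1' in /etc/system"
    return 1
}

# Constructed samples for the demonstration.
nxstack_check "11.4.42.111.0" global  "nxstack:enabled.all" ""                           || true
nxstack_check "11.3"          zone1   "nxstack:disabled"    ""                           || true
nxstack_check "11.2"          global  ""                    "set noexec_user_stack=1"    || true
nxstack_check "11.2"          global  ""                    "* set noexec_user_stack=1"  || true
nxstack_check "11.1"          zone1   ""                    ""                           || true
```

On a live system feed the function "$(uname -v)", "$(zonename)", "$(sxadm status -p nxstack 2>/dev/null)" and "$(cat /etc/system)".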

References:
SV-60897
V-48025
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 77
TITLE            : CAT II, V-216447, SV-216447r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31701
RULE             : The centralized process core dump data directory must be owned by root.
QUESTION_TEXT    : Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the ownership of the directory.
# ls -lLd [core file directory]

If the directory is not owned by root, this is a finding.

References:
V-48019
SV-60891
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 77
TITLE            : CAT II, V-216448, SV-216448r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:31901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:31901
RULE             : The centralized process core dump data directory must be group-owned by root, bin, or sys.
QUESTION_TEXT    : Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the group ownership of the directory.
# ls -lLd [core file directory]

If the directory is not group-owned by root, bin, or sys, this is a finding.

References:
SV-60889
V-48017
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 77
TITLE            : CAT II, V-216449, SV-216449r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32101
RULE             : The centralized process core dump data directory must have mode 0700 or less permissive.
QUESTION_TEXT    : Check the defined directory for process core dumps.
# coreadm | grep "global core file pattern"

Check the permissions of the directory.

# ls -lLd [core file directory]

If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.

References:
SV-60887
V-48015
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 77
TITLE            : CAT II, V-216451, SV-216451r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32501
RULE             : The kernel core dump data directory must be owned by root.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the system dump directory.

# dumpadm | grep directory

Check the ownership of the kernel core dump data directory.
# ls -ld [savecore directory]

If the kernel core dump data directory is not owned by root, this is a finding. 

In Solaris 11, /var/crash is linked to /var/share/crash.

References:
V-48011
SV-60883
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 77
TITLE            : CAT II, V-216452, SV-216452r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32701
RULE             : The kernel core dump data directory must be group-owned by root.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the system dump directory.

# dumpadm | grep directory

Check ownership of the core dump data directory.

# ls -ld [savecore directory]

If the directory is not group-owned by root, this is a finding.

In Solaris 11, /var/crash is linked to /var/share/crash.

References:
V-48009
SV-60881
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 77
TITLE            : CAT II, V-216453, SV-216453r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:32901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:32901
RULE             : The kernel core dump data directory must have mode 0700 or less permissive.
QUESTION_TEXT    : The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the system dump directory.

# dumpadm | grep directory

Check the permissions of the kernel core dump data directory.

# ls -ld [savecore directory]

If the directory has a mode more permissive than 0700 (rwx --- ---), this is a finding.
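Questions 28 through 33 share one pattern: derive a directory from "coreadm" or "dumpadm" output, then read owner, group and mode off a single "ls -ld" line. The script below is an added example, not part of the STIG text, that does both steps on constructed sample output. It also flags the case the notes in questions 31 and 32 warn about: when the directory is a symbolic link (as /var/crash is to /var/share/crash), "ls -ld" reports the link rather than the target and the listing must be repeated with "ls -lLd".

```shell
#!/bin/sh
# Added example, not from the STIG: core and kernel dump directory checks
# (questions 28-33) on sample command output.

# core_dir COREADM_OUTPUT: directory part of the global core file pattern.
core_dir() {
    pattern=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*global core file pattern:[[:space:]]*//p')
    case $pattern in
        */*) printf '%s\n' "${pattern%/*}" ;;
        *)   printf '%s\n' "" ;;           # no pattern, or a bare file name
    esac
}

# savecore_dir DUMPADM_OUTPUT: the "Savecore directory" value.
savecore_dir() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Savecore directory:[[:space:]]*//p'
}

# check_dump_dir_line LS_LINE OWNER "ALLOWED GROUPS"
# LS_LINE is one line of "ls -ld" or "ls -lLd" output. Returns 0 when the
# entry is a directory owned by OWNER, group-owned by one of ALLOWED GROUPS
# and mode 0700 or less permissive; 1 on any finding; 2 when the entry is a
# symbolic link and the listing must be repeated with -L.
check_dump_dir_line() {
    line=$1; want_owner=$2; allowed_groups=$3
    set -- $line
    mode=$1; owner=$3; group=$4; path=$9
    rc=0
    case $mode in
        l*) echo "INCONCLUSIVE: $path is a symbolic link; rerun with ls -lLd to examine the target"
            return 2 ;;
        d*) ;;
        *)  echo "FINDING: $path is not a directory (mode field $mode)"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "FINDING: $path owned by $owner, not $want_owner"; rc=1; }
    case " $allowed_groups " in
        *" $group "*) ;;
        *) echo "FINDING: $path group-owned by $group, not one of: $allowed_groups"; rc=1 ;;
    esac
    # 0700 or less permissive: the group and other triplets (characters 5-10
    # of the mode field) must all be "-". A trailing "+" or "@" (ACL or
    # extended attributes) is tolerated here; question 26 covers ACLs.
    case $mode in
        ????------*) ;;
        *) echo "FINDING: $path mode $mode is more permissive than 0700"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo "OK: $path $mode $owner:$group"
    return $rc
}

# Constructed sample output for the demonstration.
SAMPLE_COREADM='     global core file pattern: /var/cores/core.%f.%p
     global core file content: default
       init core file pattern: core'
SAMPLE_DUMPADM='      Dump content: kernel pages
       Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
  Savecore enabled: yes'
SAMPLE_LS_GOOD='drwx------   2 root     root           3 Nov  3 10:00 /var/cores'
SAMPLE_LS_LAX='drwxr-x---   2 root     sys            3 Nov  3 10:00 /var/cores'
SAMPLE_LS_LINK='lrwxrwxrwx   1 root     root          16 Nov  3 10:00 /var/crash -> /var/share/crash'

echo "process core dump directory: $(core_dir "$SAMPLE_COREADM")"
echo "kernel core dump directory:  $(savecore_dir "$SAMPLE_DUMPADM")"
check_dump_dir_line "$SAMPLE_LS_GOOD" root "root bin sys" || true   # questions 28-30
check_dump_dir_line "$SAMPLE_LS_LAX"  root "root bin sys" || true
check_dump_dir_line "$SAMPLE_LS_LINK" root "root"         || true   # questions 31-33
```

For the process core dump directory pass "root bin sys" as the allowed groups (questions 28-30); for the kernel dump directory pass "root" only (questions 31-33).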

References:
SV-60879
V-48007
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 77
TITLE            : CAT II, V-216457, SV-216457r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33701
RULE             : A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.
QUESTION_TEXT    : The root role is required.

Solaris 11 includes the Basic Audit Reporting Tool (BART), which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.

A baseline BART manifest may exist in:
/var/adm/log/bartlogs/[control manifest filename]

If a BART manifest does not exist, this is a finding.

At least weekly, create a new BART baseline report.

# bart create > /var/adm/log/bartlogs/[new manifest filename]

Compare the new report to the previous report to identify any changes in the system baseline.

# bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename]

Examine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.

References:
V-47987
SV-60859
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 77
TITLE            : CAT II, V-216459, SV-216459r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:33901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:33901
RULE             : Direct logins must not be permitted to shared, default, application, or utility accounts.
QUESTION_TEXT    : The Audit Review profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Use the "auditreduce" command to check for multiple accesses to an account.

# auditreduce -c lo -u [shared_user_name] | praudit -l

If users log directly into accounts, rather than using the "su" command from their own named account to access them, this is a finding. Also, ask the SA or the IAO if shared accounts are logged into directly or if users log into an individual account and switch user to the shared account.

References:
V-47983
SV-60855
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 77
TITLE            : CAT II, V-216461, SV-216461r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34301
RULE             : The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
QUESTION_TEXT    : The operations staff shall ensure that proper backups are created, tested, and archived. 

Ask the operator for documentation on the backup procedures implemented.

If the backup procedures are not documented then this is a finding.

References:
SV-60849
V-47977
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 77
TITLE            : CAT II, V-216462, SV-216462r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34501
RULE             : The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
QUESTION_TEXT    : The operations staff shall ensure that proper backups are created, tested, and archived. 

Ask the operator for documentation on the backup procedures implemented.

If the backup procedures are not documented then this is a finding.

References:
V-47975
SV-60847
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 77
TITLE            : CAT II, V-216463, SV-216463r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34701
RULE             : The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
QUESTION_TEXT    : The operations staff shall ensure that proper backups are created, tested, and archived. 

Ask the operator for documentation on the backup procedures implemented.

If the backup procedures are not documented then this is a finding.

References:
V-47973
SV-60845
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 77
TITLE            : CAT II, V-216464, SV-216464r958544, SRG-OS-000181
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34901
RULE             : The operating system must prevent the execution of prohibited mobile code.
QUESTION_TEXT    : Determine if the Firefox package is installed:

# pkg list web/browser/firefox

If the package is not installed, this check does not apply.

If installed, ensure that it is a supported version.

# pkg info firefox | grep Version
Version: 52.5.2

If the version is not supported, this is a finding.

Ensure that Java and JavaScript access by Firefox are disabled.

Start Firefox.

In the address bar type: about:config

In search bar type: javascript.enabled

If "Value" is "true", this is a finding.

In the address bar type: about:addons

Click on "I accept the risk" button.

Click on "Plugins".

If Java is enabled, this is a finding.


References:
V-47969
SV-60841
CCI-001695
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 77
TITLE            : CAT II, V-216465, SV-216465r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35101
RULE             : The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates.
QUESTION_TEXT    : The operator will ensure that a DoD approved PKI system is installed, configured, and properly operating. Ask the operator to document the PKI software installation and configuration.

If the operator is not able to provide a documented configuration for an installed PKI system or if the PKI system is not properly configured, maintained, or used, this is a finding.

References:
SV-62549
V-49625
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 77
TITLE            : CAT II, V-216467, SV-216467r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35301
RULE             : The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
QUESTION_TEXT    : The operator will ensure that anti-virus software is installed and operating.

If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

References:
V-47959
SV-60831
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 77
TITLE            : CAT II, V-216469, SV-216469r958574, SRG-OS-000215
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35501
RULE             : The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

The operator must back up audit records at least every 7 days.

If the operator is unable to provide a documented procedure or the documented procedure is not being followed, then this is a finding.

References:
V-47941
SV-60813
CCI-001348
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 77
TITLE            : CAT II, V-216473, SV-216473r958528, SRG-OS-000142
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35901
RULE             : The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
QUESTION_TEXT    : Verify that you are on the global zone:
# zoneadm -z global list
global

Note: If the following message appears, you are not in the global zone:
"zoneadm: global: No such zone exists"

# dladm show-ether -Z | egrep "LINK|up"

LINK PTYPE STATE AUTO SPEED-DUPLEX PAUSE
net0 current up yes 1G-f bi

Determine the OS version that is being secured:

# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# dladm show-linkprop net0 | egrep "LINK|en_" | sort|uniq
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     en_1000fdx_cap  rw   1            1            1         1,0
net0     en_1000hdx_cap  r-   0            0            0         1,0
net0     en_100fdx_cap   rw   1            1            1         1,0
net0     en_100hdx_cap   rw   1            1            1         1,0
net0     en_10fdx_cap    rw   1            1            1         1,0
net0     en_10gfdx_cap   --   --           --           0         1,0
net0     en_10hdx_cap    rw   1            1            1         1,0

Do the above for all available/connected network adapters.

For Solaris 11.4.x.x.x or newer:

# dladm show-linkprop -p speed-duplex net0
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     speed-duplex    rw   1g-f,100m-f, 1g-f,100m-f, 1g-f,     1g-f,100m-f,
                              100m-h,      100m-h,      100m-f,   100m-h,10m-f,
                              10m-f,10m-h  10m-f,10m-h  100m-h,   10m-h
                                                        10m-f,
                                                        10m-h

Do the above for all available/connected network adapters.

For each link, determine if its current speed-duplex settings VALUE field is appropriate for managing any excess bandwidth capacity based on its POSSIBLE settings field; if not, this is a finding.

References:
SV-60771
V-47899
CCI-001095
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************

QUESTION         : 44 of 77
TITLE            : CAT II, V-216476, SV-216476r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:36501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:36501
RULE             : The system's physical devices must not be assigned to non-global zones.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system.

# zoneadm list -vi | grep -v global

List the configuration for each zone.

# zonecfg -z [zonename] info | grep dev

Check for device lines. If such a line exists and is not approved by security, this is a finding.

References:
SV-60715
V-47841
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 77
TITLE            : CAT II, V-219967, SV-219967r958752, SRG-OS-000341
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:38901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:38901
RULE             : The operating system must allocate audit record storage capacity.
QUESTION_TEXT    : The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Review the current audit file space limitations.

# pfexec auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)

The output of the command will appear in this form.

Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2

If p_minfree is not "2" or greater, this is a finding.

p_dir defines the current audit file system.

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

Check that zfs compression is enabled for the audit file system.

# zfs get compression [poolname/filesystemname]

If compression is off, this is a finding.

Check that a ZFS quota is enforced for the audit filesystem.

# zfs get quota [poolname/filesystemname]

If quota is set to "none", this is a finding.

Ensure that a reservation of space is enforced on /var/share so that other users do not use up audit space.

# zfs get quota,reservation [poolname/filesystemname]

If reservation is set to "none", this is a finding.
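The four conditions above (p_minfree, compression, quota, reservation) come from two commands whose output has to be parsed. The script below is an added example, not part of the STIG text, that evaluates them from the text of "auditconfig -getplugin audit_binfile" and "zfs get compression,quota,reservation [dataset]"; the same "zfs get" parser also answers the encryption question for removable media in question 22. All command output it consumes is constructed sample text; the property names and output columns (NAME PROPERTY VALUE SOURCE) are those of zfs get, and the plugin attribute line follows the form shown in this question.

```shell
#!/bin/sh
# Added example, not from the STIG: audit storage (question 45) and
# removable-media encryption (question 22) checks on sample command output.

# plugin_attr AUDITCONFIG_OUTPUT NAME: value of NAME from the
# "Attributes: p_dir=...;p_fsize=...;p_minfree=..." line.
plugin_attr() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' \
        | tr ';' '\n' \
        | sed -n "s/^$2=//p"
}

# zfs_prop ZFS_GET_OUTPUT PROPERTY: the VALUE column for PROPERTY.
zfs_prop() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == prop { print $3 }' prop="$2"
}

# audit_storage_check AUDITCONFIG_OUTPUT ZFS_GET_OUTPUT
# Returns 0 when p_minfree >= 2, compression is not off, and both quota and
# reservation are set; 1 on any finding.
audit_storage_check() {
    plugin_out=$1; zfs_out=$2; rc=0
    minfree=$(plugin_attr "$plugin_out" p_minfree)
    case $minfree in
        ''|*[!0-9]*)
            echo "FINDING: p_minfree missing or not numeric ('$minfree')"; rc=1 ;;
        *)
            if [ "$minfree" -ge 2 ]; then echo "OK: p_minfree=$minfree"
            else echo "FINDING: p_minfree=$minfree is below 2"; rc=1; fi ;;
    esac
    compression=$(zfs_prop "$zfs_out" compression)
    if [ -z "$compression" ] || [ "$compression" = off ]; then
        echo "FINDING: compression is '${compression:-unset}'"; rc=1
    else
        echo "OK: compression=$compression"
    fi
    for prop in quota reservation; do
        val=$(zfs_prop "$zfs_out" "$prop")
        if [ -z "$val" ] || [ "$val" = none ]; then
            echo "FINDING: $prop is '${val:-unset}'"; rc=1
        else
            echo "OK: $prop=$val"
        fi
    done
    return $rc
}

# removable_media_encrypted ZFS_GET_OUTPUT: 0 unless encryption is off/unset.
removable_media_encrypted() {
    enc=$(zfs_prop "$1" encryption)
    case $enc in
        ''|off) echo "FINDING: encryption is '${enc:-unset}'"; return 1 ;;
        *)      echo "OK: encryption=$enc"; return 0 ;;
    esac
}

# Constructed sample output for the demonstration.
SAMPLE_PLUGIN='Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2'
SAMPLE_ZFS_GOOD='NAME            PROPERTY     VALUE     SOURCE
rpool/VARSHARE  compression  on        local
rpool/VARSHARE  quota        10G       local
rpool/VARSHARE  reservation  10G       local'
SAMPLE_ZFS_BAD='NAME            PROPERTY     VALUE     SOURCE
rpool/VARSHARE  compression  off       default
rpool/VARSHARE  quota        none      default
rpool/VARSHARE  reservation  none      default'
SAMPLE_MEDIA='NAME          PROPERTY    VALUE   SOURCE
usbpool/data  encryption  off     default'

echo "audit directory: $(plugin_attr "$SAMPLE_PLUGIN" p_dir)"
audit_storage_check "$SAMPLE_PLUGIN" "$SAMPLE_ZFS_GOOD" || true
audit_storage_check "$SAMPLE_PLUGIN" "$SAMPLE_ZFS_BAD"  || true
removable_media_encrypted "$SAMPLE_MEDIA"               || true
```

On a live system the dataset to query is the one holding p_dir (rpool/VARSHARE for the default /var/share/audit), and the removable-media dataset comes from the zpool status / zfs list steps in question 22.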

References:
V-47857
SV-60731
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 77
TITLE            : CAT II, V-219970, SV-219970r958794, SRG-OS-000363
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:39501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:39501
RULE             : The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
QUESTION_TEXT    : The Software Installation Profile is required.

Display the installation history of packages on the system to ensure that no undesirable packages have been installed:

# pkg history -o finish,user,operation,command | grep install

If the install command is listed as "/usr/bin/packagemanager", execute the command:

# pkg history -l 

to determine which packages were installed during package manager sessions.

If undocumented or unapproved packages have been installed, this is a finding.

References:
V-47923
SV-60795
CCI-001744
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

QUESTION         : 47 of 77
TITLE            : CAT II, V-219971, SV-219971r958804, SRG-OS-000368
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:39701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:39701
RULE             : The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
QUESTION_TEXT    : Identify the packages installed on the system. 

# pkg list

Any unauthorized software packages listed in the output are a finding.

References:
V-47927
SV-60799
CCI-001764
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 47 *******************************

QUESTION         : 48 of 77
TITLE            : CAT II, V-219976, SV-219976r958908, SRG-OS-000423
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40501
RULE             : The operating system must protect the integrity of transmitted information.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Check that SSH is enabled:
# svcs svc:/network/ssh
STATE          STIME           FMRI
online         Nov_03          svc:/network/ssh:default

Ask the operator to document all configured external ports and protocols.

If any unencrypted connections are used, this is a finding.

References:
SV-61051
V-48179
CCI-001127
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 48 *******************************

QUESTION         : 49 of 77
TITLE            : CAT II, V-219977, SV-219977r1117271, SRG-OS-000424
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40701
RULE             : The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Check that SSH is enabled:
# svcs svc:/network/ssh
STATE          STIME           FMRI
online         Nov_03          svc:/network/ssh:default

Ask the operator to document all configured external ports and protocols.

If any unencrypted connections are used, this is a finding.

References:
SV-61047
V-48175
CCI-002421
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 49 *******************************

QUESTION         : 50 of 77
TITLE            : CAT II, V-219978, SV-219978r958912, SRG-OS-000425
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:40901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:40901
RULE             : The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
V-48171
SV-61043
CCI-002420
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 50 *******************************

QUESTION         : 51 of 77
TITLE            : CAT II, V-219979, SV-219979r958908, SRG-OS-000423
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41101
RULE             : The operating system must protect the confidentiality of transmitted information.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
SV-61039
V-48167
CCI-002418
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 51 *******************************

QUESTION         : 52 of 77
TITLE            : CAT II, V-219980, SV-219980r1117271, SRG-OS-000424
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41301
RULE             : The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
V-48163
SV-61035
CCI-002421
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 52 *******************************

QUESTION         : 53 of 77
TITLE            : CAT II, V-219981, SV-219981r958912, SRG-OS-000425
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41501
RULE             : The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
QUESTION_TEXT    : All remote sessions must be conducted via encrypted services and ports.

Ask the operator to document all configured external ports and protocols. If any unencrypted connections are used, this is a finding.

References:
SV-61033
V-48161
CCI-002420
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 53 *******************************

QUESTION         : 54 of 77
TITLE            : CAT II, V-219985, SV-219985r958732, SRG-OS-000327
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42301
RULE             : The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
QUESTION_TEXT    : The audit configuration profile is required. 

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the location of the local audit trail files.

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;

In this example, the audit files can be found in /var/audit. Check that the permissions on the audit files are 640 (rw-r-----) or less permissive.

# ls -al /var/audit

# ls -l /var/audit/*

If the permissions are more permissive than 640, this is a finding.

Note:  The default Solaris 11 location for /var/audit is a link to /var/share/audit.
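
The following is an added example and not part of the STIG text. It applies the "640 or less permissive" rule to a constructed "ls -l" listing of audit trail files. "Less permissive" is a subset test on the permission bits (any bit 640 grants may be present, any bit it does not grant is a finding), not a numeric comparison: 600 passes, while 444 fails even though it is numerically smaller than 640, because it grants other-read. Only regular files are evaluated; the directory entry shown by "ls -al" is not. The file names and dates in the sample are constructed.

```sh
# Added example, not from the STIG: check an "ls -l" listing of audit trail
# files against the 640 (rw-r-----) ceiling. Input is the listing on stdin.

# mode_to_decimal PERM: convert the 9-character permission field of an ls
# listing ("rw-r-----", "rwsr-xr-x", "rw-rw-r-T") to the decimal value of
# its octal mode, folding in set-uid (4000), set-gid (2000) and sticky (1000).
mode_to_decimal() {
    perm=$1
    val=0
    i=1
    bit=256                              # 0400, the owner-read bit; halves each step
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$perm" | cut -c"$i")
        case $c in
            r|w|x|s|t) val=$((val + bit)) ;;   # s and t also mean "execute set"
        esac
        case "$i$c" in
            3s|3S) val=$((val + 2048)) ;;      # set-uid shown in the owner slot
            6s|6S) val=$((val + 1024)) ;;      # set-gid shown in the group slot
            9t|9T) val=$((val + 512)) ;;       # sticky bit shown in the other slot
        esac
        i=$((i + 1))
        bit=$((bit / 2))
    done
    echo "$val"
}

# too_permissive MODE LIMIT: true when MODE grants a bit that LIMIT does not,
# i.e. (mode & ~limit) != 0. Both arguments are decimal.
too_permissive() {
    [ $(( $1 & ~$2 )) -ne 0 ]
}

# check_audit_listing: read "ls -l" output on stdin, print a FINDING line for
# every regular file more permissive than 640, and return the finding count.
check_audit_listing() {
    limit=416                            # 0640 in decimal
    bad=0
    while read -r modefield links owner group size rest; do
        case $modefield in
            -*) ;;                       # regular file
            *)  continue ;;              # "total" line, directories, links
        esac
        mode=$(mode_to_decimal "$(printf '%s' "$modefield" | cut -c2-10)")
        if too_permissive "$mode" "$limit"; then
            printf 'FINDING: %s is mode %o, more permissive than 640\n' \
                "${rest##* }" "$mode"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample standing in for "ls -al /var/audit" output.
SAMPLE_AUDIT_LS='total 24
drwxr-x---   2 root     root           6 Nov  3 10:00 .
-rw-r-----   1 root     root        4096 Nov  3 10:00 20231103100000.not_terminated.host1
-rw-r--r--   1 root     root        8192 Nov  2 10:00 20231102100000.20231103100000.host1
-rw-------   1 root     root        1024 Nov  1 10:00 20231101100000.20231102100000.host1
-r--r--r--   1 root     root        1024 Oct 31 10:00 20231031100000.20231101100000.host1
-rwxr-x---   1 root     root        2048 Oct 30 10:00 archive.sh'

printf '%s\n' "$SAMPLE_AUDIT_LS" | check_audit_listing
echo "findings: $?"
```

On a live system the listing would come from "ls -l /var/audit/*" instead of the sample variable; the three findings in the sample are the 644, 444 and 750 files.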

References:
V-48031
SV-60903
CCI-002234
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 54 *******************************

QUESTION         : 55 of 77
TITLE            : CAT II, V-219986, SV-219986r1016282, SRG-OS-000356
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42501
RULE             : The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
QUESTION_TEXT    : NTP must be used and used only in the global zone. Determine the zone to be secured.

# zonename

If the command output is not "global", then NTP must be disabled. Check the system for a running NTP daemon.

# svcs -Ho state ntp

If NTP is online, this is a finding.

If the output from "zonename" is "global", then NTP must be enabled. Check the system for a running NTP daemon.

# svcs -Ho state ntp

If NTP is not online, this is a finding.

If NTP is running, confirm the servers and peers or multicast client (as applicable) are local or an authoritative DOD source.

For the NTP daemon:

# more /etc/inet/ntp.conf

If a nonlocal/nonauthoritative (non-DOD source, non-USNO-based, or non-GPS) time server is used, this is a finding.

Determine if the time synchronization frequency is correct.

# grep "maxpoll" /etc/inet/ntp.conf

If the command returns "File not found" or any value for maxpoll, this is a finding.

Determine if the running NTP server is configured properly.

# ntpq -p | awk '($6 ~ /[0-9]+/ && $6 > 86400) { print $1" "$6 }'

This will print out the name of any time server whose current polling time is greater than 24 hours (along with the actual value). If there is any output, this is a finding.
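
The following is an added example and not part of the STIG text. It applies the maxpoll and polling-interval checks above to constructed copies of /etc/inet/ntp.conf and "ntpq -p" output. One point it adds to the plain grep: a maxpoll that only appears on a commented-out line does not count, since it is not in effect. The host names and addresses in the samples are constructed.

```sh
# Added example, not from the STIG: evaluate ntp.conf and "ntpq -p" output
# (constructed samples below) for the maxpoll and poll-interval conditions.

# ntp_conf_findings: read ntp.conf on stdin. Prints each active time-source
# line (for comparison with the approved DOD/USNO/GPS sources) and a FINDING
# for every active line carrying a maxpoll option. Comment-only lines and
# trailing "# ..." comments are ignored. Returns the finding count.
ntp_conf_findings() {
    n=0
    while IFS= read -r line; do
        line=${line%%#*}                 # drop trailing comment
        set -f; set -- $line; set +f     # split into words, no globbing
        [ "$#" -gt 0 ] || continue
        case $1 in
            server|peer|pool|multicastclient|broadcastclient)
                printf 'SOURCE: %s\n' "$*" ;;
        esac
        for word in "$@"; do
            if [ "$word" = maxpoll ]; then
                printf 'FINDING: maxpoll set: %s\n' "$*"
                n=$((n + 1))
            fi
        done
    done
    return "$n"
}

# ntpq_slow_peers: read "ntpq -p" output on stdin and print every peer whose
# poll interval (sixth column, seconds) exceeds 86400, i.e. is polled less
# than once a day. Header and separator lines have no numeric sixth field and
# are skipped, which is what the awk one-liner above relies on as well. The
# first column keeps ntpq's tally character (*, +, -, x, ...) when present.
ntpq_slow_peers() {
    n=0
    while read -r remote refid st t when poll rest; do
        case $poll in
            ''|*[!0-9]*) continue ;;     # not a number: header/separator line
        esac
        if [ "$poll" -gt 86400 ]; then
            printf 'FINDING: %s polls every %s s\n' "$remote" "$poll"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed inputs standing in for the real file and command output.
SAMPLE_NTP_CONF='server ntp1.example.mil iburst
# server 0.pool.ntp.org maxpoll 10
peer ntp2.example.mil minpoll 4 maxpoll 6
driftfile /var/ntp/ntp.drift'

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.mil 10.0.0.5         2 u   40   64  377    0.321    0.112   0.045
+ntp2.example.mil 10.0.0.6         2 u  512 1024  377    0.410   -0.201   0.060
 ntp3.example.mil 10.0.0.7         2 u 8000 131072 377   0.500    0.300   0.080'

printf '%s\n' "$SAMPLE_NTP_CONF" | ntp_conf_findings; echo "ntp.conf findings: $?"
printf '%s\n' "$SAMPLE_NTPQ" | ntpq_slow_peers;       echo "slow peers: $?"
```

On a live system the two functions read "/etc/inet/ntp.conf" and the output of "ntpq -p" respectively; the SOURCE lines still have to be compared by hand against the authoritative sources the rule allows.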

References:
V-47985
SV-60857
CCI-004926
CCI-002046
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 55 *******************************

QUESTION         : 56 of 77
TITLE            : CAT II, V-219987, SV-219987r958944, SRG-OS-000445
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42701
RULE             : The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
QUESTION_TEXT    : Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis.

If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.

References:
SV-60779
V-47907
CCI-002696
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 56 *******************************

QUESTION         : 57 of 77
TITLE            : CAT II, V-224670, SV-224670r958726, SRG-OS-000324
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:42901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:42901
RULE             : The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
QUESTION_TEXT    : The operator will ensure that anti-virus software is installed and operating.

If the operator is unable to provide a documented configuration for an installed anti-virus software system or if not properly used, this is a finding.

References:
V-47963
SV-60835
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 57 *******************************

QUESTION         : 58 of 77
TITLE            : CAT II, V-224671, SV-224671r958944, SRG-OS-000445
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:43101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:43101
RULE             : The operating system must identify potentially security-relevant error conditions.
QUESTION_TEXT    : Ask the operator if DoD-approved SCAP compliance checking software is installed and run on a periodic basis.

If DoD-approved SCAP compliance checking software is not installed and/or not run on a periodic basis, this is a finding.

References:
V-47903
SV-60775
CCI-002696
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 58 *******************************

QUESTION         : 59 of 77
TITLE            : CAT III, V-216269, SV-216269r958440, SRG-OS-000061
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:3501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:3501
RULE             : The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
QUESTION_TEXT    : Audit Configuration rights profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the syslog audit plugin is enabled.

# pfexec auditconfig -getplugin | grep audit_syslog

If "inactive" appears, this is a finding.

Determine which system-log service instance is online.

# pfexec svcs system-log

Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:

# grep audit.notice /etc/syslog.conf
or
# grep @@ /etc/rsyslog.conf

If 
audit.notice @remotesystemname , audit.notice !remotesystemname (syslog configuration)
or
*.* @@remotesystemname (rsyslog configuration)
points to an invalid remote system or is commented out, this is a finding.

If no output is produced, this is a finding.

Check the remote syslog host to ensure that audit records can be found for this host.
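
The following is an added example and not part of the STIG text. It extracts the remote host that audit records are forwarded to from a constructed syslog.conf or rsyslog.conf, treating commented-out lines as absent, which is the case the check above counts as a finding. The real syslog.conf separates the selector and the action with a tab; the splitting here accepts either tabs or spaces. The host names in the samples are constructed.

```sh
# Added example, not from the STIG: locate the active remote destination for
# audit records in syslog.conf or rsyslog.conf (constructed samples below).

# syslog_audit_remote FORMAT: read the configuration on stdin. For
# FORMAT=syslog a line qualifies when its selector list contains audit.notice
# and its action is "@host"; for FORMAT=rsyslog when the selector is "*.*" and
# the action is "@@host" (TCP), the form the check above looks for. Prints
# "remote: host" for each match and returns 0 only if at least one was found.
syslog_audit_remote() {
    fmt=$1
    found=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac   # blank or commented out
        set -f; set -- $line; set +f             # selector, action
        [ "$#" -ge 2 ] || continue
        sel=$1; act=$2
        case $fmt in
            syslog)
                case ";$sel;" in *";audit.notice;"*) ;; *) continue ;; esac
                case $act in @?*) ;; *) continue ;; esac ;;
            rsyslog)
                [ "$sel" = '*.*' ] || continue
                case $act in @@?*) ;; *) continue ;; esac ;;
            *)  echo "unknown format: $fmt" >&2; return 2 ;;
        esac
        host=${act#@}; host=${host#@}
        printf 'remote: %s\n' "$host"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Constructed samples standing in for /etc/syslog.conf and /etc/rsyslog.conf.
SAMPLE_SYSLOG_CONF='*.err;kern.notice;auth.notice  /dev/sysmsg
#audit.notice   @decommissioned-loghost.example.mil
audit.notice    @loghost.example.mil'

SAMPLE_RSYSLOG_CONF='*.info;mail.none  /var/adm/messages
# *.* @@old-loghost.example.mil
*.* @@loghost.example.mil'

printf '%s\n' "$SAMPLE_SYSLOG_CONF" | syslog_audit_remote syslog \
    || echo "FINDING: no active audit.notice forwarding in syslog.conf"
printf '%s\n' "$SAMPLE_RSYSLOG_CONF" | syslog_audit_remote rsyslog \
    || echo "FINDING: no active *.* @@ forwarding in rsyslog.conf"
```

Whether the printed host is a valid, reachable remote system still has to be confirmed on that host, as the last step of the check says.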

References:
SV-60703
V-47827
CCI-000166
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 59 *******************************

QUESTION         : 60 of 77
TITLE            : CAT III, V-216270, SV-216270r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:3701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:3701
RULE             : The auditing system must not define a different auditing level for specific users.
QUESTION_TEXT    : This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

For each user on the system (not including root), check to see if special auditing flag configurations are set.

# userattr audit_flags [username]

If any flags are returned, this is a finding.

References:
SV-60705
V-47831
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 60 *******************************

QUESTION         : 61 of 77
TITLE            : CAT III, V-216317, SV-216317r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11301
RULE             : Systems services that are not required must be disabled.
QUESTION_TEXT    : Determine all of the systems services that are enabled on the system.

# svcs -a | grep online

Document all enabled services and disable any that are not required.

References:
V-47933
SV-60805
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 61 *******************************

QUESTION         : 62 of 77
TITLE            : CAT III, V-216322, SV-216322r958364, SRG-OS-000002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:11901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:11901
RULE             : The operating system must automatically terminate temporary accounts within 72 hours.
QUESTION_TEXT    : The root role is required.

Determine if an expiration date is set for temporary accounts.

# logins -aox |awk -F: '($14 == "0") {print}'

This command produces a list of accounts with no expiration date set. If any of these accounts are temporary accounts, this is a finding.

# logins -aox |awk -F: '($14 != "0") {print}'

This command produces a list of accounts with an expiration date set as defined in the last field. If any accounts have a date that is not within 72 hours, this is a finding.

References:
V-47949
SV-60821
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 62 *******************************

QUESTION         : 63 of 77
TITLE            : CAT III, V-216343, SV-216343r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:15701
RULE             : The value mesg n must be configured as the default setting for all users.
QUESTION_TEXT    : Determine if "mesg n" is the default for users.

# grep "^mesg" /etc/.login

# grep "^mesg" /etc/profile

If either of these commands produces a line:
mesg y

this is a finding.

For each existing user on the system, enter the command:

# mesg

If the command output is:
is y

this is a finding.

References:
V-48075
SV-60947
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 63 *******************************

QUESTION         : 64 of 77
TITLE            : CAT III, V-216367, SV-216367r958398, SRG-OS-000027
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:20101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:20101
RULE             : The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions.
QUESTION_TEXT    : Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.

For each user requiring concurrent session restrictions, determine if that user is in the user.[username] project where [username] is the user's account username.

# projects [username] | grep user

If the output does not include the project user.[username], this is a finding.

Determine the project membership for the user.

# projects [username]

If the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding.

Determine whether the max-tasks resource control is enabled properly.

# projects -l user.[username] | grep attribs

If the output does not include the text:

attribs: project.max-tasks=(privileged,[MAX],deny)

where [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.
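
The following is an added example and not part of the STIG text. It evaluates constructed copies of the "projects [username]" and "projects -l user.[username]" output against the three conditions above, with the organization-defined maximum passed in as an argument. The user "bob", the group "staff" and the project details in the samples are constructed.

```sh
# Added example, not from the STIG: check project membership and the
# project.max-tasks resource control for one user (constructed samples below).

# project_membership_findings USER: read "projects USER" output (one line of
# project names) on stdin. A FINDING is printed when user.USER is absent or
# when any project other than default, group.<name> or user.USER appears.
# Returns the finding count.
project_membership_findings() {
    u=$1
    n=0
    seen=0
    read -r line || :
    for p in $line; do
        if [ "$p" = "user.$u" ]; then
            seen=1
        fi
        case $p in
            default|group.*|user.$u) ;;
            *)  printf 'FINDING: %s belongs to unexpected project %s\n' "$u" "$p"
                n=$((n + 1)) ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        printf 'FINDING: %s is not in project user.%s\n' "$u" "$u"
        n=$((n + 1))
    fi
    return "$n"
}

# max_tasks_findings MAX: read "projects -l user.USER" output on stdin and
# look for project.max-tasks=(privileged,MAX,deny) on its attribs line.
# Prints a FINDING when the control is missing or its value differs from MAX;
# returns the finding count.
max_tasks_findings() {
    want=$1
    n=0
    found=0
    while IFS= read -r line; do
        v=$(printf '%s\n' "$line" |
            sed -n 's/.*project\.max-tasks=(privileged,\([0-9][0-9]*\),deny).*/\1/p')
        [ -n "$v" ] || continue
        found=1
        if [ "$v" != "$want" ]; then
            printf 'FINDING: max-tasks is %s, organization requires %s\n' "$v" "$want"
            n=$((n + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'FINDING: no (privileged,MAX,deny) project.max-tasks control\n'
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed samples standing in for "projects bob" and "projects -l user.bob".
SAMPLE_PROJECTS='default user.bob group.staff'
SAMPLE_PROJECTS_L='user.bob
        projid : 100
        comment: "Restricted session count"
        users  : bob
        groups : (none)
        attribs: project.max-tasks=(privileged,10,deny)'

printf '%s\n' "$SAMPLE_PROJECTS" | project_membership_findings bob
echo "membership findings: $?"
printf '%s\n' "$SAMPLE_PROJECTS_L" | max_tasks_findings 10
echo "max-tasks findings: $?"
```

The MAX argument is the organization-defined session limit; the value in the attribs line must match it exactly, so a control with a different count is reported as a finding rather than silently accepted.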

References:
V-48151
SV-61023
CCI-000054
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 64 *******************************

QUESTION         : 65 of 77
TITLE            : CAT III, V-216381, SV-216381r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:22901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:22901
RULE             : The system must implement TCP Wrappers.
QUESTION_TEXT    : Determine if TCP Wrappers is configured.

# inetadm -p | grep tcp_wrappers

If the output of this command is "FALSE", this is a finding.

The above command will check whether TCP Wrappers is enabled for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. SunSSH is removed starting with Solaris 11.4.

Individual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to "FALSE". To check the status of individual inetd services, use the command:

# for svc in `inetadm | awk '/svc:\// { print $NF }'`; do
    val=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE`
    if [ ${val} -eq 1 ]; then
        echo "TCP Wrappers enabled for ${svc}"
    fi
done

If the required services are not configured to use TCP Wrappers, this is a finding.

# ls /etc/hosts.deny
# ls /etc/hosts.allow

If these files are not found, this is a finding.

References:
SV-61093
V-48221
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 65 *******************************

QUESTION         : 66 of 77
TITLE            : CAT III, V-216395, SV-216395r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23501
RULE             : The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons.
QUESTION_TEXT    : Review the contents of these two files and check that the proper DoD banner message is configured.

# cat /etc/motd
# cat /etc/issue

If the DoD-approved banner text is not in the files, this is a finding.

References:
SV-61081
V-48209
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 66 *******************************

QUESTION         : 67 of 77
TITLE            : CAT III, V-216396, SV-216396r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23701
RULE             : The operating system must display the DoD approved system use notification message or banner for SSH connections.
QUESTION_TEXT    : Check SSH configuration for banner message:

# grep "^Banner" /etc/ssh/sshd_config

If the output is not:
Banner /etc/issue
and /etc/issue does not contain the approved banner text, this is a finding.

References:
V-48205
SV-61077
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 67 *******************************

QUESTION         : 68 of 77
TITLE            : CAT III, V-216397, SV-216397r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:23901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:23901
RULE             : The GNOME service must display the DoD approved system use notification message or banner before granting access to the system.
QUESTION_TEXT    : This item does not apply if a graphic login is not configured.

Log in to the Gnome Graphical interface. If the approved banner message does not appear, this is a finding.

# cat /etc/issue

# grep zenity /etc/gdm/Init/Default

If /etc/issue does not contain that DoD-approved banner message or /etc/gdm/Init/Default does not contain the line:

/usr/bin/zenity --text-info --width=800 --height=300 \
--title="Security Message" --filename=/etc/issue

this is a finding.

References:
V-48203
SV-61075
CCI-000048
CCI-000050
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 68 *******************************

QUESTION         : 69 of 77
TITLE            : CAT III, V-216398, SV-216398r958390, SRG-OS-000023
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:24101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:24101
RULE             : The FTP service must display the DoD approved system use notification message or banner before granting access to the system.
QUESTION_TEXT    : Determine if the FTP server package is installed:

# pkg list service/network/ftp 

If the package is not installed, this check does not apply.

# grep DisplayConnect /etc/proftpd.conf

If:

DisplayConnect /etc/issue

does not appear, this is a finding.

If /etc/issue does not contain the approved DoD text, this is a finding.

References:
V-48199
SV-61071
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 69 *******************************

QUESTION         : 70 of 77
TITLE            : CAT III, V-216413, SV-216413r958552, SRG-OS-000185
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25501
RULE             : The operating system must protect the confidentiality and integrity of information at rest.
QUESTION_TEXT    : Determine if file system encryption is required by your organization. If not required, this item does not apply.

Determine if file system encryption is enabled for user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list 

Using the file system name, determine if the file system is encrypted:

# zfs get encryption [filesystem] 

If "encryption off" is listed, this is a finding.

References:
SV-61025
V-48153
CCI-001199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 70 *******************************

QUESTION         : 71 of 77
TITLE            : CAT III, V-216415, SV-216415r958576, SRG-OS-000216
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:25701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:25701
RULE             : The operating system must use cryptographic mechanisms to protect the integrity of audit information.
QUESTION_TEXT    : The Audit Configuration and the Audit Control profiles are required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if audit log encryption is required by your organization. If not required, this check does not apply.

Determine where the audit logs are stored and whether the file system is encrypted.

# pfexec auditconfig -getplugin audit_binfile

The p_dir attribute lists the location of the audit log filesystem. 

The default location for Solaris 11.1 is /var/audit. /var/audit is a link to /var/share/audit which, by default, is mounted on rpool/VARSHARE.

Determine if this is encrypted:

# zfs get encryption rpool/VARSHARE

If the file system where audit logs are stored reports "encryption off", this is a finding.

References:
SV-61017
V-48145
CCI-001350
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 71 *******************************

QUESTION         : 72 of 77
TITLE            : CAT III, V-216424, SV-216424r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:27301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:27301
RULE             : All user accounts must be configured to use a home directory that exists.
QUESTION_TEXT    : The root role is required.

Check if a GUI is installed.

Determine the OS version you are currently securing:
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:
# pkg info gdm
# pkg info coherence-26
# pkg info coherence-27

If none of these packages are installed on the system, then no GUI is present.
For Solaris 11.4 or newer:
# pkg info gdm

If gdm is not installed on the system, then no GUI is present.

# pkg info uucp

uucp is no longer installed by default starting in 11.4 and is deprecated. 

For all versions, check that all users' home directories exist.

# pwck

Accounts with no home directory will output "Login directory not found".

If no GUI is present, then "gdm" and "upnp" accounts should generate errors. On all systems, with uucp package installed, the "uucp" and "nuucp" accounts should generate errors.

If users' home directories do not exist, this is a finding.
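The steps above, as an added example that is not part of the STIG text: an sh script that pulls the flagged logins out of pwck output, removes the accounts the check expects to fail (gdm and upnp when no GUI is present, uucp and nuucp when the uucp package is installed), and also offers a direct test of each passwd entry's home-directory field that does not depend on pwck's output format. The layout assumed for pwck output (entry line followed by an indented diagnostic) is noted in the comments, and the sample pwck output is constructed.

```sh
#!/bin/sh
# Added example for the home-directory check; not part of the STIG. It reads
# pwck output and separates the system accounts the check expects to fail
# from the accounts that are actual findings.

# Print the login of every account pwck(1M) flags with "Login directory not
# found". Assumption about pwck's layout: each offending passwd entry is
# printed on its own line, followed by an indented diagnostic line.
pwck_missing_homes() {
    awk -F: '
        /^[^ \t]/                   { user = $1; next }   # passwd entry line
        /Login directory not found/ { print user }         # diagnostic for it
    '
}

# Accounts the STIG expects to lack a home directory: gdm and upnp when no
# GUI is present, uucp and nuucp when the uucp package is installed.
# Arguments: gui=yes|no, uucp=yes|no.
expected_missing_homes() {
    gui=$1; uucp=$2
    [ "$gui" = no ] && printf '%s\n' gdm upnp
    [ "$uucp" = yes ] && printf '%s\n' uucp nuucp
    return 0
}

# Read pwck output on stdin and print only the accounts that are not on the
# expected list; anything printed here is a finding.
unexpected_missing_homes() {
    expected=$(expected_missing_homes "$1" "$2" | tr '\n' ' ')
    pwck_missing_homes | awk -v skip="$expected" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)
    '
}

# Independent of pwck's output format: read passwd-format lines on stdin
# and print accounts whose home-directory field is not a directory here.
passwd_missing_homes() {
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        [ -d "$home" ] || printf '%s\n' "$user"
    done
    return 0
}

# Constructed pwck output (not captured from a real host) for a system with
# no GUI and the uucp package installed.
SAMPLE_PWCK='gdm:x:50:50:GDM Reserved UID:/var/lib/gdm:
	Login directory not found
upnp:x:52:52:UPnP Server Reserved UID:/var/coherence:
	Login directory not found
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
	Login directory not found
alice:x:1001:10:Alice:/export/home/alice:/usr/bin/bash
	Login directory not found'

echo "Findings from sample pwck output (no GUI, uucp installed):"
printf '%s\n' "$SAMPLE_PWCK" | unexpected_missing_homes no yes

# On a live host:
#   pwck 2>&1 | unexpected_missing_homes no yes
#   getent passwd | passwd_missing_homes
```

Pass the GUI and uucp answers from the pkg info results; the second command is the useful cross-check when pwck's wording on a given release differs from what the parser expects.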

References:
SV-60977
V-48105
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 72 *******************************

QUESTION         : 73 of 77
TITLE            : CAT III, V-216435, SV-216435r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:29501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:29501
RULE             : All valid SUID/SGID files must be documented.
QUESTION_TEXT    : The root role is required.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -type f \
\( -perm -4000 -o -perm -2000 \) -print

The parentheses around the two -perm tests matter: without them, -print binds only to the -perm -2000 branch, so files that are SUID but not SGID are never printed, and the -type f test does not apply to the SGID branch.

Output should only be Solaris-provided files and approved customer files.

Solaris-provided SUID/SGID files can be listed using the command: 

# pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode

Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example:

# elfsign verify -e /usr/bin/su
elfsign: verification of /usr/bin/su passed.

This message indicates that the binary is properly signed.

If non-vendor provided or non-approved files are included in the list, this is a finding.
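The reconciliation described above, as an added example that is not part of the STIG text: an sh script that takes the find output, the vendor list from pkg contents and a site-maintained approval list, and prints only the set-ID files that are neither vendor-provided nor approved. It also wraps elfsign so that a vendor path is not waved through when the binary at that path no longer verifies. The pkg contents invocation and the approval-list file are assumptions about how the inputs are produced, and the sample lists are constructed.

```sh
#!/bin/sh
# Added example for the set-ID inventory check; not part of the STIG. It
# reconciles the files found on disk against the vendor list from pkg(1) and
# a site-maintained approval list; whatever remains must be documented.

# Normalise a path list on stdin to absolute, sorted, de-duplicated paths.
# `pkg contents -H -o path` prints paths without a leading slash.
normalize_paths() {
    sed -e 's!^/*!/!' | sort -u
}

# Usage: unapproved_setid FOUND_FILE ALLOW_FILE...
# Print every path in FOUND_FILE (the find(1) output) that appears in none of
# the ALLOW_FILEs (vendor list, site approval list).
unapproved_setid() {
    found=$1; shift
    awk -v found="$found" '
        FILENAME != found { ok[$0] = 1; next }   # allow lists are read first
        !($0 in ok)                              # then the on-disk list
    ' "$@" "$found"
}

# On Solaris: read vendor set-ID paths on stdin and print those whose ELF
# signature does not verify, so a tampered vendor binary is not waved
# through just because its path is on the vendor list.
unsigned_vendor_setid() {
    while read -r f; do
        elfsign verify -e "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
    return 0
}

# Demonstration with constructed lists (not captured from a real host).
work=$(mktemp -d)
printf 'usr/bin/su\nusr/bin/passwd\n' | normalize_paths > "$work/vendor"
printf '/opt/site/bin/backup\n' | normalize_paths > "$work/approved"
printf '/usr/bin/su\n/usr/bin/passwd\n/opt/site/bin/backup\n/tmp/suspect\n' > "$work/found"
echo "Set-ID files needing documentation or removal:"
unapproved_setid "$work/found" "$work/vendor" "$work/approved"
rm -rf "$work"

# On a live host the inputs come from:
#   find ... -type f \( -perm -4000 -o -perm -2000 \) -print > found
#   pkg contents -H -a mode=4??? -a mode=2??? -t file -o path | normalize_paths > vendor
#   unapproved_setid found vendor approved
#   unsigned_vendor_setid < vendor
```

Keep the approval list under change control alongside the documentation the rule asks for; the script then turns the check into a diff against that record rather than a manual read of the find output.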

References:
V-48059
SV-60931
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 73 *******************************

QUESTION         : 74 of 77
TITLE            : CAT III, V-216460, SV-216460r959010, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:34101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:34101
RULE             : The system must not have any unnecessary accounts.
QUESTION_TEXT    : Check the system for unnecessary user accounts.

# getent passwd

Some examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.

References:
V-47979
SV-60851
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 74 *******************************

QUESTION         : 75 of 77
TITLE            : CAT III, V-216470, SV-216470r1099906, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:35701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:35701
RULE             : All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files.
QUESTION_TEXT    : Ask the operators if they use vi, emacs, or gedit to make changes to system files.

If vi, emacs, or gedit are used to make changes to system files, this is a finding.

References:
SV-60809
V-47937
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 75 *******************************

QUESTION         : 76 of 77
TITLE            : CAT III, V-219982, SV-219982r958870, SRG-OS-000404
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41701
RULE             : The operating system must employ cryptographic mechanisms to protect information in storage.
QUESTION_TEXT    : Determine whether file system encryption is required by your organization. If it is not required, this item does not apply.

Determine whether file system encryption is enabled for the user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list

Using the dataset name from that list, determine whether the dataset is encrypted:

# zfs get encryption [filesystem]

If the dataset reports "encryption off", this is a finding.

References:
V-48155
SV-61027
CCI-002475
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 76 *******************************

QUESTION         : 77 of 77
TITLE            : CAT III, V-219983, SV-219983r958870, SRG-OS-000404
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.solaris11:testaction:41901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.solaris11:question:41901
RULE             : The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
QUESTION_TEXT    : Determine whether file system encryption is required by your organization. If it is not required, this item does not apply.

Determine whether file system encryption is enabled for the user data sets. This check does not apply to the root, var, share, swap or dump datasets.

# zfs list

Using the dataset name from that list, determine whether the dataset is encrypted:

# zfs get encryption [filesystem]

If the dataset reports "encryption off", this is a finding.
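Questions 76 and 77 share one procedure, so here is a single added example covering both; it is not part of the STIG text. The sh script reads `zfs get -H -o name,value encryption` output, drops the root, var, share, swap and dump datasets, and prints the remaining datasets whose encryption property is off. The exclusion patterns assume the default Solaris 11 rpool layout and must be adjusted for other layouts, as noted in the comments; the sample zfs output is constructed.

```sh
#!/bin/sh
# Added example for the user-dataset encryption checks (questions 76 and 77,
# which share one procedure); not part of the STIG. It reads
# `zfs get -H -o name,value encryption` output and reports the user datasets
# that are not encrypted.

# True for the datasets the check excludes. Assumption: the default Solaris 11
# rpool layout (rpool/ROOT/..., rpool/VARSHARE, rpool/swap, rpool/dump) plus
# the pool's top-level dataset; adjust the patterns for other layouts.
is_system_dataset() {
    case "$1" in
        rpool|rpool/ROOT|rpool/ROOT/*|rpool/VARSHARE|rpool/VARSHARE/*|rpool/swap|rpool/dump)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Read "name value" lines on stdin; print every user dataset whose
# encryption property is "off". Anything printed is a finding.
unencrypted_user_datasets() {
    while read -r name value; do
        is_system_dataset "$name" && continue
        [ "$value" = off ] && printf '%s\n' "$name"
    done
    return 0
}

# Constructed sample (not captured from a real host): a default rpool with an
# encrypted home tree, an unencrypted rpool/export above it, and a second pool.
sample_zfs_output() {
    printf '%s\t%s\n' \
        rpool off \
        rpool/ROOT off \
        rpool/ROOT/solaris off \
        rpool/ROOT/solaris/var off \
        rpool/VARSHARE off \
        rpool/dump off \
        rpool/swap off \
        rpool/export off \
        rpool/export/home aes-256-ccm \
        rpool/export/home/alice aes-256-ccm \
        tank/data off \
        tank/archive on
}

echo "Unencrypted user datasets in the sample:"
sample_zfs_output | unencrypted_user_datasets

# On a live host:
#   zfs get -H -o name,value -t filesystem,volume encryption | unencrypted_user_datasets
```

Note that the sample deliberately shows rpool/export unencrypted while its children are encrypted: the property is reported per dataset, so an encrypted home tree does not cover data written directly into the parent.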

References:
SV-61021
V-48149
CCI-002475
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 77 *******************************

