CIS Solaris 9 v1.3

Audit Details

Name: CIS Solaris 9 v1.3

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.51

Estimated Item Count: 86

File Details

Filename: CIS_Solaris_9_v13.audit

Size: 258 kB

MD5: 1f67054556bc3997d9d7f73b18b231e7
SHA256: 370317c19cfa3d603d92b10e204c581507c00caeb5e29ec04e77344844ee7532

Audit Items

DescriptionCategories
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization.

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Configure SSH - Check if Protocol is set to 2 and not commented for client.
2.1 Disable standard services - Comment service time in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.2 Only enable telnet if absolutely necessary - Uncomment service telnet in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.3 Only enable FTP if absolutely necessary - Uncomment service ftp in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.4 Only enable rlogin/rsh/rcp if absolutely necessary - Uncomment service shell in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.5 Only enable TFTP if absolutely necessary - Uncomment service tftp in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.6 Only enable printer service if absolutely necessary - Uncomment service printer in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.7 Only enable rquotad if absolutely necessary - Uncomment service rquotad/1 in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.8 Only enable CDE-related daemons if absolutely necessary - Uncomment service 100083 in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.9 Only enable Solaris Volume Manager daemons if absolutely necessary - Uncomment service 100229 in /etc/inet/inetd.conf

CONFIGURATION MANAGEMENT

2.10 Only enable removable media daemon if absolutely necessary - Uncomment service 100155 in /etc/inet/inetd.conf (Solaris 9 or later)

CONFIGURATION MANAGEMENT

2.11 Only enable Kerberos-related daemons if absolutely necessary - Uncomment service 100134 in /etc/inet/inetd.conf (Solaris 8 or later)

CONFIGURATION MANAGEMENT

2.12 Only enable GSS daemon if absolutely necessary - Uncomment service 100234 in /etc/inet/inetd.con (Solaris 7 or later)

CONFIGURATION MANAGEMENT

3.1 Disable login: prompts on serial ports - Check if x is added to the flag field for ttyb

CONFIGURATION MANAGEMENT

3.2 Set daemon umask - Check if CMASK is set to 022 in /etc/default/init (Solaris 8 or later)

ACCESS CONTROL

3.3 Disable inetd if possible, Check if newinetsvc contains grep statement to count lines in inetd.conf

CONFIGURATION MANAGEMENT

3.5 Disable boot services if possible - Ensure file /etc/rc3.d/S16boot.server does not exist (Solaris 9)

CONFIGURATION MANAGEMENT

3.6 Disable other standard boot services - Ensure file /etc/rc2.d/S72autoinstall does not exist.

CONFIGURATION MANAGEMENT

3.7 Only enable Windows-compatibility servers if absolutely necessary - Ensure file /etc/rc3.d/S90samba does NOT exist.

CONFIGURATION MANAGEMENT

3.8 Only enable NFS server processes if absolutely necessary - Ensure file /etc/rc3.d/S15nfs.server does NOT exist.

CONFIGURATION MANAGEMENT

3.9 Only enable NFS client processes if absolutely necessary - Ensure file /etc/rc2.d/S73nfs.client does NOT exist.

CONFIGURATION MANAGEMENT

3.10 Only enable automount daemon if absolutely necessary - Ensure file /etc/rc2.d/S74autofs does NOT exist.

CONFIGURATION MANAGEMENT

3.11 Only enable other RPC-based services if absolutely necessary - Ensure file /etc/rc2.d/S71rpc does NOT exist.

CONFIGURATION MANAGEMENT

3.12 Only enable Kerberos server daemons if absolutely necessary - Ensure file /etc/rc3.d/S13kdc.master does NOT exist.

CONFIGURATION MANAGEMENT

3.13 Only enable directory server if absolutely necessary - Ensure file /etc/rc2.d/S72directory does NOT exist.

CONFIGURATION MANAGEMENT

3.14 Only enable the LDAP cache manager if absolutely necessary - Ensure file /etc/rc2.d/S71ldap.client does NOT exist.

CONFIGURATION MANAGEMENT

3.15 Only enable the printer daemons if absolutely necessary - Ensure file /etc/rc2.d/S80lp does NOT exist.

CONFIGURATION MANAGEMENT

3.16 Only enable the volume manager if absolutely necessary - Ensure file /etc/rc2.d/S92volmgt does NOT exist.

CONFIGURATION MANAGEMENT

3.17 Only enable GUI login if absolutely necessary - Ensure file /etc/rc2.d/S99dtlogin does NOT exist (Solaris 2.6 or later)

CONFIGURATION MANAGEMENT

3.18 Only enable Web server if absolutely necessary - Ensure file /etc/rc3.d/S50apache does NOT exist.

CONFIGURATION MANAGEMENT

3.19 Only enable SNMP if absolutely necessary - Ensure file /etc/rc3.d/S76snmpdx does NOT exist.

CONFIGURATION MANAGEMENT

3.20 Only enable DHCP server if absolutely necessary - Ensure file /etc/rc3.d/S34dhcp does NOT exist.

CONFIGURATION MANAGEMENT

4.1 Restrict core dumps to protected directory - Check if COREADM_GLOB_PATTERN is set to /var/core/core_%n_%f_%u_%g_%t_%p

ACCESS CONTROL

4.2 Enable stack protection - Check if 'noexec_user_stack' is set to 1 in /etc/system (Solaris 2.6 or later)

SYSTEM AND INFORMATION INTEGRITY

4.3 Restrict NFS client requests to privileged ports - Check if 'nfssrv:nfs_portmon' is set to 1 in /etc/system.

CONFIGURATION MANAGEMENT

4.4 Network Parameter Modifications - Check if 'ip_forward_src_routed' is set to 0 in /etc/init.d/netconfig.

SYSTEM AND COMMUNICATIONS PROTECTION

4.6 Use better TCP sequence numbers - Check if 'TCP_STRONG_ISS' is set to 2 in /etc/init.d/netconfig.

SYSTEM AND COMMUNICATIONS PROTECTION

5.1 Turn on inetd tracing, Check if 'ENABLE_CONNECTION_LOGGING' is set to YES in /etc/default/inetd.

AUDIT AND ACCOUNTABILITY

5.2 Turn on additional logging for FTP daemon -
5.2 Turn on additional logging for FTP daemon - Check if '-l' & '-d' flags are set for ftpd in /etc/inet/inetd.conf.

CONFIGURATION MANAGEMENT

5.2 Turn on additional logging for FTP daemon - Check if file /etc/inet/inetd.conf exists.
5.3 Capture FTP and inetd Connection Tracing Info - Check if 'daemon.debug' is set to /var/log/connlog
5.4 Capture messages sent to syslog AUTH facility - Check if 'auth.info' is set to /var/log/authlog
5.5 Create /var/adm/loginlog - Check if /var/adm/loginlog permissions are OK.
5.6 Turn on cron logging - Check if 'CRONLOG' is set to YES in /etc/default/cron.

AUDIT AND ACCOUNTABILITY

5.7 Enable system accounting - Check if system accounting '/usr/bin/su' is configured correctly.

AUDIT AND ACCOUNTABILITY

5.8 Enable kernel-level auditing

AUDIT AND ACCOUNTABILITY

5.9 Confirm permissions on system log files, should pass if /var/log/syslog permissions are OK.
6.1 Add 'logging' option to root file system - Check if 'logging' is set for root file system.