DISA STIG Solaris 10 SPARC v2r2

Audit Details

Name: DISA STIG Solaris 10 SPARC v2r2

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 773

File Details

Filename: DISA_STIG_Solaris_10_SPARC_v2r2.audit

Size: 1.22 MB

MD5: f81a2de7571fb283160005c3d32e10ab
SHA256: 288a309f237fcf2d223fa06e9fa796108588ecab6806407e7cbe86313373da0b

Audit Items

DescriptionCategories
DISA_STIG_Solaris_10_SPARC_v2r2.audit from DISA Solaris 10 SPARC v2r2 STIG
GEN000000-SOL00020 - The nosuid option must be configured in the /etc/rmmount.conf file.

CONFIGURATION MANAGEMENT

GEN000000-SOL00040 - The /etc/security/audit_user file must not define a different auditing level for specific users.

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00060 - The /etc/security/audit_user file must be owned by root.

CONFIGURATION MANAGEMENT

GEN000000-SOL00080 - The /etc/security/audit_user file must be group-owned by root, sys, or bin.

CONFIGURATION MANAGEMENT

GEN000000-SOL00100 - The /etc/security/audit_user file must have mode 0640 or less permissive.

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00110 - The /etc/security/audit_user file must not have an extended ACL.

CONFIGURATION MANAGEMENT

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.high

ACCESS CONTROL

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.low

ACCESS CONTROL

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.med

ACCESS CONTROL

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - uid_aliases

ACCESS CONTROL

GEN000000-SOL00140 - The /usr/aset/masters/uid_aliases must be empty.

ACCESS CONTROL

GEN000000-SOL00160 - If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-SOL00180 - The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct - ASET configurable parameters in the asetenv file must be correct.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-SOL00200 - The asetenv file YPCHECK variable must be set to true when NIS+ is configured.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-SOL00220 - The /usr/aset/userlist file must exist - /usr/aset/userlist

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-SOL00220 - The /usr/aset/userlist file must exist - exec with userlist

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-SOL00240 - The /usr/aset/userlist file must be owned by root.

CONFIGURATION MANAGEMENT

GEN000000-SOL00250 - The /usr/aset/userlist file must be group-owned by root.

CONFIGURATION MANAGEMENT

GEN000000-SOL00260 - The /usr/aset/userlist file must have mode 0600 or less permissive.

CONFIGURATION MANAGEMENT

GEN000000-SOL00270 - The /usr/aset/userlist file must not have an extended ACL.

CONFIGURATION MANAGEMENT

GEN000000-SOL00300 - The Solaris system EEPROM security-mode parameter must be set to full or command mode.

CONFIGURATION MANAGEMENT

GEN000000-SOL00400 - The NFS server must have logging implemented - NFS_SERVER_VERSMAX

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00400 - The NFS server must have logging implemented.

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00420 - Hidden extended file attributes must not exist on the system.

ACCESS CONTROL

GEN000000-SOL00440 - The root account must be the only account with GID of 0.

CONFIGURATION MANAGEMENT

GEN000000-SOL00540 - The /etc/zones directory, and its contents, must be owned by root - /etc/zones

CONFIGURATION MANAGEMENT

GEN000000-SOL00540 - The /etc/zones directory, and its contents, must be owned by root - /etc/zones/*

CONFIGURATION MANAGEMENT

GEN000000-SOL00560 - The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin - /etc/zones

CONFIGURATION MANAGEMENT

GEN000000-SOL00560 - The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin - /etc/zones/*

CONFIGURATION MANAGEMENT

GEN000000-SOL00580 - The /etc/zones directory, and its contents, must not be group- or world-writable - /etc/zones

CONFIGURATION MANAGEMENT

GEN000000-SOL00580 - The /etc/zones directory, and its contents, must not be group- or world-writable - /etc/zones/*

CONFIGURATION MANAGEMENT

GEN000000-SOL00600 - The /etc/zones directory, and its contents, must not have an extended ACL.

CONFIGURATION MANAGEMENT

GEN000000-SOL00620 - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.

CONFIGURATION MANAGEMENT

GEN000000-SOL00640 - The limitpriv zone option must be set to the vendor default or less permissive.

CONFIGURATION MANAGEMENT

GEN000000-SOL00660 - The physical devices must not be assigned to non-global zones.

CONFIGURATION MANAGEMENT

GEN000020 - The system must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

GEN000100 - The operating system must be a supported release.

CONFIGURATION MANAGEMENT

GEN000120 - System security patches and updates must be installed and up-to-date.

CONFIGURATION MANAGEMENT

GEN000140 - A file integrity baseline must be created and maintained.

CONFIGURATION MANAGEMENT

GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.

CONFIGURATION MANAGEMENT

GEN000240 - The system clock must be synchronized to an authoritative DoD time source.

AUDIT AND ACCOUNTABILITY

GEN000241 - The system clock must be synchronized continuously.

CONFIGURATION MANAGEMENT

GEN000242 - The system must use at least two time sources for clock synchronization - service ntp server 1

AUDIT AND ACCOUNTABILITY

GEN000242 - The system must use at least two time sources for clock synchronization - service ntp server 2

AUDIT AND ACCOUNTABILITY

GEN000244 - The system must use time sources local to the enclave.

AUDIT AND ACCOUNTABILITY

GEN000250 - The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.

CONFIGURATION MANAGEMENT

GEN000251 - The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.

CONFIGURATION MANAGEMENT

GEN000252 - The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.

ACCESS CONTROL

GEN000253 - The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.

CONFIGURATION MANAGEMENT