DISA STIG Solaris 10 X86 v2r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Solaris 10 X86 v2r1

Updated: 8/23/2021

Authority: DISA STIG

Plugin: Unix

Revision: 1.3

Estimated Item Count: 777

Audit Items

Description | Categories
DISA_STIG_Solaris_10_x86_v2r1.audit from DISA Solaris 10 X86 v2r1 STIG
GEN000000-SOL00020 - The nosuid option must be configured in the /etc/rmmount.conf file.

ACCESS CONTROL

GEN000000-SOL00040 - The /etc/security/audit_user file must not define a different auditing level for specific users.

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00060 - The /etc/security/audit_user file must be owned by root.

CONFIGURATION MANAGEMENT

GEN000000-SOL00080 - The /etc/security/audit_user file must be group-owned by root, sys, or bin.

CONFIGURATION MANAGEMENT

GEN000000-SOL00100 - The /etc/security/audit_user file must have mode 0640 or less permissive.

CONFIGURATION MANAGEMENT

GEN000000-SOL00110 - The /etc/security/audit_user file must not have an extended ACL.

ACCESS CONTROL

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.high

CONFIGURATION MANAGEMENT

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.low

CONFIGURATION MANAGEMENT

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - tune.med

CONFIGURATION MANAGEMENT

GEN000000-SOL00120 - The ASET master files must be located in the /usr/aset/masters directory - uid_aliases

CONFIGURATION MANAGEMENT

GEN000000-SOL00140 - The /usr/aset/masters/uid_aliases must be empty.

CONFIGURATION MANAGEMENT

GEN000000-SOL00160 - If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.

SYSTEM AND COMMUNICATIONS PROTECTION

GEN000000-SOL00180 - The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct - ASET configurable parameters in the asetenv file must be correct.

SYSTEM AND INFORMATION INTEGRITY

GEN000000-SOL00200 - The asetenv file YPCHECK variable must be set to true when NIS+ is configured.

CONFIGURATION MANAGEMENT

GEN000000-SOL00220 - The /usr/aset/userlist file must exist - /usr/aset/userlist

CONFIGURATION MANAGEMENT

GEN000000-SOL00220 - The /usr/aset/userlist file must exist - exec with userlist

CONFIGURATION MANAGEMENT

GEN000000-SOL00240 - The /usr/aset/userlist file must be owned by root.

CONFIGURATION MANAGEMENT

GEN000000-SOL00250 - The /usr/aset/userlist file must be group-owned by root.

CONFIGURATION MANAGEMENT

GEN000000-SOL00260 - The /usr/aset/userlist file must have mode 0600 or less permissive.

CONFIGURATION MANAGEMENT

GEN000000-SOL00270 - The /usr/aset/userlist file must not have an extended ACL.

ACCESS CONTROL

GEN000000-SOL00400 - The NFS server must have logging implemented - NFS_SERVER_VERSMAX

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00400 - The NFS server must have logging implemented.

AUDIT AND ACCOUNTABILITY

GEN000000-SOL00420 - Hidden extended file attributes must not exist on the system.

ACCESS CONTROL

GEN000000-SOL00440 - The root account must be the only account with GID of 0.

ACCESS CONTROL

GEN000000-SOL00540 - The /etc/zones directory, and its contents, must be owned by root - /etc/zones

CONFIGURATION MANAGEMENT

GEN000000-SOL00540 - The /etc/zones directory, and its contents, must be owned by root - /etc/zones/*

CONFIGURATION MANAGEMENT

GEN000000-SOL00560 - The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin - /etc/zones

CONFIGURATION MANAGEMENT

GEN000000-SOL00560 - The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin - /etc/zones/*

CONFIGURATION MANAGEMENT

GEN000000-SOL00580 - The /etc/zones directory, and its contents, must not be group- or world-writable - /etc/zones

CONFIGURATION MANAGEMENT

GEN000000-SOL00580 - The /etc/zones directory, and its contents, must not be group- or world-writable - /etc/zones/*

CONFIGURATION MANAGEMENT

GEN000000-SOL00600 - The /etc/zones directory, and its contents, must not have an extended ACL.

ACCESS CONTROL

GEN000000-SOL00620 - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.

ACCESS CONTROL

GEN000000-SOL00640 - The limitpriv zone option must be set to the vendor default or less permissive.

ACCESS CONTROL

GEN000000-SOL00660 - The physical devices must not be assigned to non-global zones.

ACCESS CONTROL

GEN000020 - The system must require authentication upon booting into single-user and maintenance modes.

SYSTEM AND INFORMATION INTEGRITY

GEN000100 - The operating system must be a supported release.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

GEN000120 - System security patches and updates must be installed and up-to-date.

CONFIGURATION MANAGEMENT

GEN000140 - A file integrity baseline must be created and maintained.
GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.

SYSTEM AND INFORMATION INTEGRITY

GEN000240 - The system clock must be synchronized to an authoritative DoD time source.
GEN000241 - The system clock must be synchronized continuously.

CONFIGURATION MANAGEMENT

GEN000242 - The system must use at least two time sources for clock synchronization - service ntp server 1

AUDIT AND ACCOUNTABILITY

GEN000242 - The system must use at least two time sources for clock synchronization - service ntp server 2

AUDIT AND ACCOUNTABILITY

GEN000244 - The system must use time sources local to the enclave.

AUDIT AND ACCOUNTABILITY

GEN000250 - The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.

CONFIGURATION MANAGEMENT

GEN000251 - The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.

CONFIGURATION MANAGEMENT

GEN000252 - The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.

CONFIGURATION MANAGEMENT

GEN000253 - The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.

ACCESS CONTROL

GEN000280 - Direct logins must not be permitted to shared, default, application, or utility accounts.

ACCESS CONTROL