Table of Contents
Table of Contents ................................................................................................................................................. 4
Overview ................................................................................................................................................................. 8
Consensus Guidance ....................................................................................................................................... 8
Intended Audience .......................................................................................................................................... 8
Acknowledgements ........................................................................................................................................ 9
Typographic Conventions .......................................................................................................................... 10
Configuration Levels ................................................................................................................................... 10
Level-I Benchmark settings/actions ................................................................................................. 10
Level-II Benchmark settings/actions................................................................................................ 10
Scoring Status ................................................................................................................................................ 10
Scorable ....................................................................................................................................................... 10
Not Scorable .............................................................................................................................................. 11
Identification Table ..................................................................................................................................... 11
Assumptions and Recommendations .................................................................................................... 11
OS Platform ................................................................................................................................................ 11
System State .............................................................................................................................................. 11
Test Actions ............................................................................................................................................... 11
Shell Environment ................................................................................................................................... 12
Order of Operations ................................................................................................................................ 12
Backup Key Files ...................................................................................................................................... 12
Create /opt/CIS Directory (optional) .......................................................................................... 12
Benchmark Items .............................................................................................................................................. 13
1. Install Updates, Patches and Additional Software ....................................................................... 13
1.1 Use the Latest OS Release .............................................................................................................. 13
1.2 Apply Latest OS Patches ................................................................................................................. 14
1.3 Install Solaris Encryption Kit ....................................................................................................... 15
2. Restrict Services ....................................................................................................................................... 17
2.1 Establish a Secure Baseline .......................................................................................................... 17
2.2 Disable Unnecessary Local Services .......................................................................................... 18
2.2.1 Disable Local CDE ToolTalk Database Server ............................................................... 19
2.2.2 Disable Local CDE Calendar Manager .............................................................................. 19
2.2.3 Disable Local Graphical Login Environment ................................................................. 20
2.2.4 Disable Local sendmail Service .......................................................................................... 21
2.2.5 Disable Local Web Console .................................................................................................. 22
2.2.6 Disable Local WBEM ............................................................................................................... 22
2.2.7 Disable Local BSD Print Protocol Adapter ..................................................................... 23
2.3 Disable Other Services .................................................................................................................... 24
2.3.1 Disable RPC Encryption Key ................................................................................................ 24
2.3.2 Disable NIS Server Daemons ............................................................................................... 25
2.3.3 Disable NIS Client Daemons................................................................................................. 26
2.3.4 Disable NIS+ Daemons ........................................................................................................... 26
2.3.5 Disable LDAP Cache Manager ............................................................................................. 27
2.3.6 Disable Kerberos TGT Expiration Warning ................................................................... 28
2.3.7 Disable Generic Security Services (GSS) Daemons ..................................................... 28
2.3.8 Disable Volume Manager ...................................................................................................... 29
2.3.9 Disable Samba Support .......................................................................................................... 30
2.3.10 Disable automount Daemon......................................................................................... 31
2.3.11 Disable Apache Services ................................................................................................... 32
2.3.12 Disable Solaris Volume Manager Services ................................................................. 33
2.3.13 Disable Solaris Volume Manager GUI .......................................................................... 34
2.3.14 Disable Local RPC Port Mapping Service ................................................................... 35
2.4 Configure TCP Wrappers ............................................................................................................... 36
3. Kernel Tuning ........................................................................................................................................... 38
3.1 Restrict Core Dumps to Protected Directory ......................................................................... 38
3.2 Enable Stack Protection ................................................................................................................. 39
3.3 Enable Strong TCP Sequence Number Generation .............................................................. 40
3.4 Modify Network Parameters ........................................................................................................ 41
3.4.1 Disable Source Packet Forwarding ................................................................................... 44
3.4.2 Disable Broadcast Packet Forwarding............................................................................. 45
3.4.3 Disable Response to ICMP Timestamp Requests ........................................................ 46
3.4.4 Disable Response to ICMP Broadcast Timestamp Requests ................................... 47
3.4.5 Disable Response to ICMP Netmask Requests ............................................................. 48
3.4.6 Disable ICMPv6 Redirect Messages .................................................................................. 50
3.4.7 Disable Response to Broadcast ICMPv4 Echo Request ............................................. 51
3.4.8 Disable Response to Multicast Echo Request ............................................................... 52
3.4.9 Set Interval for Scanning IRE_CACHE .............................................................................. 53
3.4.10 Ignore ICMP Redirect Messages .................................................................................... 55
3.4.11 Set Strict Multihoming ....................................................................................................... 56
3.4.12 Disable ICMPv4 Redirect Messages .............................................................................. 57
3.4.13 Set ARP Cleanup Interval .................................................................................................. 59
3.4.14 Disable TCP Reverse IP Source Routing ..................................................................... 60
Set Maximum Number of Half-open TCP Connections ...................................................... 61
3.4.15 ............................................................................................................................................................ 61
3.4.16 Set Maximum Number of Incoming Connections.................................................... 62
3.4.17 Lock down dtspcd(8) ................................................................................................... 64
3.5 Disable Network Routing .............................................................................................................. 65
4. Logging ........................................................................................................................................................ 66
4.1 Enable inetd Connection Logging ............................................................................................... 66
4.2 Enable FTP daemon Logging ........................................................................................................ 67
4.3 Enable Debug Level Daemon Logging ...................................................................................... 68
4.4 Capture syslog AUTH Messages.............................................................................................. 69
4.5 Enable Login Records ..................................................................................................................... 70
4.6 Capture All Failed Login Attempts ............................................................................................. 71
4.7 Enable cron Logging ........................................................................................................................ 71
4.8 Enable System Accounting ............................................................................................................ 72
4.9 Enable Kernel Level Auditing ...................................................................................................... 73
5. File/Directory Permissions/Access .................................................................................................. 76
5.1 Set daemon umask ........................................................................................................................... 76
5.2 Restrict Set-UID on User Mounted Devices ............................................................................ 77
5.3 Set Sticky Bit on World Writable Directories ........................................................................ 78
6. System Access, Authentication, and Authorization ..................................................................... 79
6.1 Disable login: Prompts on Serial Ports ............................................................................... 79
6.2 Disable "nobody" Access for RPC Encryption Key Storage Service .............................. 80
6.3 Configure SSH.................................................................................................................................... 80
6.3.1 Set SSH Protocol to 2 .............................................................................................................. 81
6.3.2 Disable SSH X11Forwarding ................................................................................................ 82
6.3.3 Set SSH MaxAuthTries to 3 ................................................................................................... 83
6.3.4 Set SSH MaxAuthTriesLog to 0 ........................................................................................... 84
6.3.5 Set SSH IgnoreRhosts to yes ................................................................................................ 85
6.3.6 Set SSH RhostsAuthentication to no ................................................................................. 86
6.3.7 Set SSH RhostsRSAAuthentication to no......................................................................... 87
6.3.8 Disable SSH root login ............................................................................................................ 87
6.3.9 Set SSH PermitEmptyPasswords to no ............................................................................ 88
6.3.10 Set SSH Banner ..................................................................................................................... 89
6.4 Disable .rhosts Support in /etc/pam.conf ............................................................................... 90
6.5 Restrict FTP Use ............................................................................................................................... 91
6.6 Set Delay between Failed Login Attempts to 4 ..................................................................... 92
6.7 Set Default Screen Lock for CDE Users ..................................................................................... 93
6.8 Set Default Screen Lock for GNOME Users ............................................................................. 94
6.9 Restrict at/cron to Authorized Users ....................................................................................... 95
6.10 Restrict root Login to System Console .............................................................................. 96
6.11 Set Retry Limit for Account Lockout ..................................................................................... 97
6.12 Set EEPROM Security Mode and Log Failed Access ........................................................ 98
6.13 Secure the GRUB Menu ............................................................................................................ 100
7. User Accounts and Environment ...................................................................................................... 101
7.1 Disable System Accounts ............................................................................................................. 101
7.2 Set Password Expiration Parameters on Active Accounts ............................................. 103
7.3 Set Strong Password Creation Policies .................................................................................. 104
7.4 Set Default Group for root Account ...................................................................................... 106
7.5 Change Home Directory for root Account ........................................................................ 107
7.6 Set Default umask for Users ....................................................................................................... 108
7.7 Set Default umask for FTP Users .............................................................................................. 109
7.8 Set "mesg n" as Default for All Users ....................................................................................... 110
7.9 Lock Inactive User Accounts ...................................................................................................... 111
8. Warning Banners ................................................................................................................................... 112
8.1 Create Warnings for Standard Login Services..................................................................... 113
8.2 Create Warning Banner for CDE Users .................................................................................. 114
8.3 Create Warning Banner for GNOME Users ........................................................................... 115
8.4 Create Warning Banner for FTP daemon .............................................................................. 116
8.5 Check Banner Setting for telnet is Null ............................................................................. 117
9. System Maintenance ............................................................................................................................. 117
9.1 Check for Remote Consoles ........................................................................................................ 118
9.2 Verify System File Permissions ................................................................................................. 118
9.3 Ensure Password Fields are Not Empty ................................................................................ 119
9.4 Verify No Legacy “+” Entries Exist in passwd, shadow, and group Files ............. 120
9.5 Verify No UID 0 Accounts Exist Other than root ................................................................ 120
9.6 Ensure root PATH Integrity ........................................................................................................ 121
9.7 Check Permissions on User Home Directories .................................................................... 122
9.8 Check User Dot File Permissions .............................................................................................. 123
9.9 Check Permissions on User .netrc Files ............................................................................ 124
9.10 Check for Presence of User .rhosts Files............................................................................ 125
9.11 Check Groups in /etc/passwd ............................................................................................... 126
9.12 Check That Users Are Assigned Home Directories ....................................................... 127
9.13 Check That Defined Home Directories Exist .................................................................... 128
9.14 Check User Home Directory Ownership ........................................................................... 130
9.15 Check for Duplicate UIDs ......................................................................................................... 131
9.16 Check for Duplicate GIDs ......................................................................................................... 132
9.17 Check That Reserved UIDs Are Assigned to System Accounts ................................. 132
9.18 Check for Duplicate User Names .......................................................................................... 133
9.19 Check for Duplicate Group Names ....................................................................................... 134
9.20 Check for Presence of User .netrc Files .............................................................................. 135
9.21 Check for Presence of User .forward Files ........................................................................ 136
9.22 Find World Writable Files ....................................................................................................... 137
9.23 Find SUID/SGID System Executables ................................................................................. 137
9.24 Find Un-owned Files and Directories ................................................................................. 138
9.25 Find Files and Directories with Extended Attributes ................................................... 139
Appendix A: File Backup Script .................................................................................................................. 141
Appendix B: Service Manifest for /lib/svc/method/cis_netconfig.sh ........................................ 142
Appendix C: Additional Security Notes .................................................................................................. 144
SN.1 Enable process accounting at boot time ............................................................................ 144
SN.2 Use full path names in /etc/dfs/dfstab file ...................................................................... 145
SN.3 Restrict access to power management functions .......................................................... 145
SN.4 Restrict access to sys-suspend feature .............................................................................. 146
SN.5 Create symlinks for dangerous files .................................................................................... 147
SN.7 Remove Support for Internet Services (inetd) ............................................................... 148
Appendix D: Application Notes ................................................................................................................... 150
AN.1 Samba: Enable SSH Port Forwarding in Web Admin Tool ......................................... 150
AN.2 Samba: Set Secure Permissions on smb.conf File...................................................... 150
AN.3 Samba: Set Group Ownership of smb.conf File .......................................................... 151
AN.4 Samba: Set Secure Permissions on smbpasswd File ................................................... 152
AN.5 Samba: Set Group Ownership of smbpasswd File ....................................................... 152
AN.6 Samba: Set Secure smb.conf File Options ......................................................................... 153
AN.7 sendmail: Set Secure Logfile Ownership to the root User ....................................... 154
AN.8 sendmail: Set Secure Permissions on Log File ................................................................ 154
Appendix E: References ................................................................................................................................ 156
Appendix F: Change History ........................................................................................................................ 159
