Host Alias Name Primary Application OS VER

ssappeai001 0 EAI P3 Solaris 8

ssappeai002 0 EAI P3 Solaris 8
ssappeai003 0 EAI P3 Solaris 8
ssappeai004 0 EAI P3 Solaris 8
ssappeai005 0 EAI P3 Solaris 8
ssappeai006 0 EAI P3 Solaris 8
ssappeai007 0 EAI P3 Solaris 8
ssappeai008 0 EAI P3 Solaris 8
ssappeai009 0 EAI P3 Solaris 8
ssappeai010 0 EAI P3 Solaris 8
ssdbeai002c01 0 EAI P3 Solaris 9
ssdbeai002c02 0 EAI P3 Solaris 9
vusno615 0 EAI P3 Solaris 8
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries OK
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files FAILED
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog OK
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files FAILED
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths FAILED
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files FAILED
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths FAILED
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files FAILED
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin OK
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths FAILED
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous FAILED
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files OK
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin OK
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths FAILED
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous FAILED
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files OK
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths FAILED
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files OK
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files FAILED
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin OK
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous FAILED
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files OK
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin OK
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous FAILED
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files OK
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
3.8 Only enable Windows-compatibility servers if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
7.11 Restrict root logins to system console
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users
Config Result
disable_std_serv FAILED
disable_telnet OK
disable_ftp FAILED
disable_rlogin OK
disable_tftp OK
disable_printer OK
disable_rquotad OK
disable_CDE_daemon OK
disable_vol_man FAILED
disable_kerb_daemon OK
minimize_inet FAILED
disable_serial_login FAILED
set_daemon_umask_58 FAILED
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_win_compat OK
disable_kerb_serv FAILED
disable_dir_serv OK
disable_print_daemon OK
disable_vol_manager OK
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK
disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss OK
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED
fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
remove_rhost_pam FAILED
symlink_dangerous OK
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
restrict_root_login FAILED
block_sys_accounts FAILED
check_empty_pw FAILED
legacy_entries FAILED
verify_path OK
user_home_access OK
default_umask_user OK
set_mesg_n FAILED
Comment
Standard Services not Disabled
Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised
login prompts not disabled on serial port
Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Not Applicable to this Version
Kerberos Server Daemons Disabled
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version
Core Dumps not disabled
Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly
File Systems are not all mounted as either 'ro' or 'nosuid'
Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
.rhosts support not removed from pam.conf
Dangerous Files are symlinked
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Already restricted
System Accounts are not blocked.
No Users with empty password
No Legacy Entries exist in passwd, shadow or group
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet OK
disable_ftp FAILED
disable_rlogin OK
disable_tftp OK
disable_printer OK
disable_rquotad OK
disable_CDE_daemon OK
disable_vol_man FAILED
disable_kerb_daemon OK
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 FAILED
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv OK
disable_nfs_client OK
disable_rpc_serv FAILED
disable_kerb_serv FAILED
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon OK
disable_vol_manager OK
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss OK
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms FAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login FAILED
limit_login OK
eeprom_security FAILED
FAILED
block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries OK
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files OK
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating
Description
1 Patches and Additional Software
1.1 Apply latest OS patches
#1.2 Install TCP Wrappers
1.3 Install SSH
2 Minimize inetd network services
2.1 Disable standard services
2.2 Only enable telnet if absolutely necessary
2.3 Only enable FTP if absolutely necessary
2.4 Only enable rlogin/rsh/rcp if absolutely necessary
2.5 Only enable TFTP if absolutely necessary
2.6 Only enable printer service if absolutely necessary
2.7 Only enable rquotad if absolutely necessary
2.8 Only enable CDE-related daemons if absolutely necessary
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
2.10 Only enable Kerberos-related daemons if absolutely necessary
2.11 Minimize inetd.conf file
3 Minimize boot services
3.1 Disable login: prompts on serial ports
3.2 Set daemon umask
3.3 Turn on inetd tracing, disable inetd if possible
3.4 Prevent Syslog from accepting messages from network
3.5 Disable email server, if possible
3.6 Disable boot services if possible
#3.7 Disable other standard boot services
3.8 Only enable Windows-compatibility servers if absolutely necessary
#3.9 Only enable NFS server processes if absolutely necessary
#3.10 Only enable NFS client processes if absolutely necessary
#3.11 Only enable other RPC-based services if absolutely necessary
3.12 Only enable Kerberos server daemons if absolutely necessary
3.13 Only enable directory server if absolutely necessary
#3.14 Only enable the LDAP cache manager if absolutely necessary
3.15 Only enable the printer daemons if absolutely necessary
3.16 Only enable the volume manager if absolutely necessary
3.17 Only enable GUI login if absolutely necessary
3.18 Only enable Web server if absolutely necessary
3.19 Only enable SNMP if absolutely necessary
3.20 Only enable DHCP server if absolutely necessary
4 Kernel Tuning
4.1 Disable core dumps
4.2 Enable stack protection
4.3 Restrict NFS client requests to privileged ports
4.4 Network Parameter Modifications
4.5 Additional network parameter modifications
4.6 Use better TCP sequence numbers
5 Logging
5.1 Capture messages sent to syslog AUTH facility
5.2 Capture FTP and inetd Connection Tracing Info
5.3 Create /var/adm/loginlog
5.4 Turn on cron logging
5.5 Enable system accounting
5.6 Enable kernel-level auditing
5.7 Confirm permissions on system log files
6 File/Directory Permissions/Access
6.1 File systems are mounted either 'ro' or 'nosuid'
6.2 Add 'logging' option to root file system
6.3 Add 'nosuid' option to /etc/rmmount.conf
6.4 Use full path names in /etc/dfs/dfstab file
6.5 Verify passwd, shadow, and group file permissions
6.6 World-writable directories should have their sticky bit set
6.7 Find unauthorized world-writable files
6.8 Find unauthorized SUID/SGID system executables
#6.9 Run fix-modes
7 System Access
7.1 Remove .rhosts support in /etc/pam.conf
7.2 Create symlinks for dangerous files
#7.4 Create /etc/shells
7.5 Prevent remote XDMCP access
7.6 Prevent X server from listening on port 6000/tcp
7.7 Set default locking screensaver timeout
7.8 Restrict at/cron to authorized users
7.9 Remove empty crontab files and restrict file permissions
#7.10 Create appropriate warning banners
7.11 Restrict root logins to system console
#7.12 Limit number of failed login attempts
#7.13 Set EEPROM security-mode and log failed access
8 User Accounts and Environment
8.1 Block system accounts
8.2 Verify that there are no accounts with empty password fields
#8.3 Set account expiration parameters on active accounts
8.4 Verify no legacy '+' entries exist in passwd, shadow, and group files
8.5 Verify that no UID 0 accounts exist other than root
8.6 No '.' or group/world-writable directory in root $PATH
8.7 User home directories should be mode 750 or more restrictive
8.8 No user dot-files should be group/world writable
8.9 Remove user .netrc files
8.10 Set default umask for users
8.11 Set "mesg n" as default for all users

Done: Pass=23, Count=80, Pass Rate=28.8%

Config Result

os_level29 WARNING
install_tcp_29 WARNING
install_ssh_29 WARNING

disable_std_serv FAILED
disable_telnet FAILED
disable_ftp FAILED
disable_rlogin FAILED
disable_tftp OK
disable_printer FAILED
disable_rquotad FAILED
disable_CDE_daemon OK
disable_vol_man OK
disable_kerb_daemon FAILED
minimize_inet FAILED

disable_serial_login FAILED
set_daemon_umask_58 OK
enable_inetd_trace FAILED
disable_syslog_8 OK
disable_email_server FAILED
disable_boot FAILED
disable_other_boot FAILED
disable_win_compat OK
disable_nfs_serv FAILED
disable_nfs_client FAILED
disable_rpc_serv FAILED
disable_kerb_serv OK
disable_dir_serv OK
disable_ldap_cache OK
disable_print_daemon FAILED
disable_vol_manager FAILED
disable_gui_login FAILED
disable_web_server OK
disable_SNMP FAILED
disable_DHCP OK

disable_core_dumps FAILED
enable_stack_pro FAILED
restrict_nfs_clients FAILED
network_params_58 FAILED
network_params_extra_58 FAILED
network_tcp_strong_iss FAILED
log_time WARNING
log_syslog FAILED
log_conn FAILED
log_login OK
log_cron OK
log_sys FAILED
log_kernel FAILED
log_check_perms FAILED

fs_mount FAILED
root_logging FAILED
nosuid_rmmount FAILED
dfstab_paths OK
users_group_perms fAILED
world_writable_dirs FAILED
unauth_world_writable FAILED
unauth_sys_exec FAILED
fix_modes OK

remove_rhost_pam FAILED
symlink_dangerous OK
create_shells_file FAILED
prevent_xdmcp FAILED
prevent_port_6000 OK
default_locking FAILED
restrict_cron_auth FAILED
remove_empty_cron FAILED
create_warn_ban FAILED
restrict_root_login OK
limit_login FAILED
eeprom_security FAILED

block_sys_accounts FAILED
check_empty_pw OK
account_expiry FAILED
legacy_entries FAILED
no_0_uid OK
verify_path OK
user_home_access FAILED
verify_dot_files FAILED
remove_netrc OK
default_umask_user FAILED
set_mesg_n FAILED
Comment

Install the latest OS software for: 5.8

Install TCP wrappers
Install open SSH

Standard Services not Disabled

Telnet not Disabled
ftp not Disabled
rlogin not Disabled
tftp Disabled
printer not Disabled
rquotad not Disabled
CDE Daemon Disabled
Solaris 9 systems only
Kerberos Daemons not Disabled
inetd.conf not minimised

login prompts not disabled on serial port

Daemon Umask set correctly
Not enabled
Not Applicable to this Version
Email Server not disabled
Boot Services not disabled
Other Boot Services not disabled
Not Applicable to this Version
NFS Server Processes not disabled
NFS Client Services not disabled
RPC Services not disabled
Kerberos Server Daemons Disabled
Not Applicable to this Version
Not Applicable to this Version
Print Daemons not disabled
Volume Manager not disabled
GUI Login not disabled
Not Applicable to this Version
SNMP not disabled
Not Applicable to this Version

Core Dumps not disabled

Not enabled
Not enabled
Not enabled
Not enabled
Not enabled
Ensure time synchronization is in place
Not enabled
Not enabled
Already enabled
Already enabled
System Accounting not enabled
Kernel Logging Not Enabled
System Log File Permissions not set correctly

File Systems are not all mounted as either 'ro' or 'nosuid'

Root File System Logging not enabled
'nosuid' not set in rmmount.conf
Full Path Names used in dfstab
passwd shadow and group file permission are not set correctly
See log for World Writable Directories without sticky bit set
See log for Unauthorised World Writable Files
See log for Unauthorised SUID/SGID System Executables
Fix Modes must be run manually

.rhosts support not removed from pam.conf

Dangerous Files are symlinked
/etc/shells file does not match recommended
Not enabled
Solaris 9 systems only
Default screensaver locking not set
Cron/At not restricted to authorised users
Failed to remove empty crontabs and restrict cron file permissions
Warning Banners not set correctly
Already restricted
Not enabled
Not enabled

System Accounts are not blocked.

No Users with empty password
Account Expiration not set correctly on Active Accounts
No Legacy Entries exist in passwd, shadow or group
Only root has uid 0
Root Path Integrity is OK
See log for Group Writable or Other Read/Writable Home Dirs
See log for user Group/World writable . files
No user .netrc directories
Default umask not set for users
mesg n not set as default for users
Remediating/Reporting Final TPO Comments
heading
Reporting
Not remediating due to high risk
Reporting
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
Not remediating due to high risk
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
Remediating
heading
Remediating
Remediating
Remediating
Remediating
Remediating
Reporting
Reporting
Reporting
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Remediating
Remediating
Remediating
Remediating
Not remediating due to high risk
Remediating
Not remediating due to high risk
Not remediating due to high risk
heading
Remediating
Remediating
Not remediating due to high risk
Remediating
Reporting
Remediating
Remediating
Reporting
Reporting
Remediating
Remediating