#
# (C) 2013-2014 Tenable Network Security, Inc.
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_5_SLA_and_Subscription_Agreement.pdf
# http://static.tenable.com/prod_docs/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# 
# $Revision: 1.4 $
# $Date: 2014/09/16 12:33:39 $
# 
# Description: This .audit is designed against the CIS Benchmark 
#	       for Solaris 10 v5.1.0 based on: https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.1.0.pdf	
#
#<ui_metadata>
#<display_name>Safeguards Solaris 10 Audit ob体育 v1.0</display_name>
#</ui_metadata>

<check_type : "Unix">


<if>
 <condition type: "AND">

  <custom_item>
   system                 : "SunOS"
   type                   : FILE_CONTENT_CHECK
   description            : "Solaris 10 is installed"
   file                   : "/etc/release"
   regex		     : ".*Solaris[\\s]+10"
   expect                 : ".*Solaris[\\s]+10"
  </custom_item>
	
 </condition>
 <then>

<custom_item>
 system        	: "SunOS"
 type		: PKG_CHECK
 description	: "1.3 Install Solaris Encryption Kit - Check if Package SUNWcry is installed"
 info		: "Level: 1\n"
 info           : "The Solaris 10 Encryption Kit contains kernel modules that implement various encryption algorithms for IPsec and Kerberos, utilities that encrypt and decrypt files from the command line, and libraries with functions that application programs call to perform encryption.\n\n The Encryption Kit enables larger key sizes (> 128) of the following algorithms -
AES (128, 192, and 256-bit key sizes) Blowfish (32 to 448-bit key sizes in 8-bit increments) RCFOUR/RC4 (8 to 2048-bit key sizes)
\nPlease see the documentation included with the package for more information. Regulations on the export of encryption software are subject to change. This action is not needed for systems running Solaris 10 08/07 and newer as the Solaris 10 Encryption Kit is installed by default. Do not use this software download on systems running Solaris 10 08/07 or newer versions of the operating system.
\n\nNote - If you are installing the Encryption Kit on Solaris 10 11/06 or older versions of the Solaris OS, the package will also install SUNWcryman. On newer versions, the manual pages are included in the system manual pages by default."
 solution       : "For Solaris 10 11/06 or older versions of the Solaris OS, obtain the Solaris 10 Encryption Kit from https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMISite/ en_US/-/USD/ViewProductDetail-Start?ProductRef=Sol10-GA-Encryption-G-F@CDSCDS_ SMI
After downloading the software, to implement this action, execute the following commands -
\n unzip -qq sol-10-encrypt-GA-iso.zip
\n lofiadm -a `pwd`/sol-10-encrypt-GA.iso /dev/lofi/1
\n mount -F hsfs -o ro /dev/lofi/1 /mnt
\nNote that the device returned in the step above is the one to be used in the next step.
\nmount -F hsfs -o ro /dev/lofi/1 /mnt
\ncd /mnt/Encryption_10/`uname -p`/Packages
\npkgadd -d . all [respond to pkgadd questions]
\ncd
\numount /mnt
\nlofiadm -d /dev/lofi/1"
 pkg		: "SUNWcry"
 required	: YES
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: PKG_CHECK
 description	: "1.3 Install Solaris Encryption Kit - Check if Package SUNWcryr is installed"
 info		: "Level: 1\n"
 info           : "The Solaris 10 Encryption Kit contains kernel modules that implement various encryption algorithms for IPsec and Kerberos, utilities that encrypt and decrypt files from the command line, and libraries with functions that application programs call to perform encryption.\n\n The Encryption Kit enables larger key sizes (> 128) of the following algorithms -
AES (128, 192, and 256-bit key sizes) Blowfish (32 to 448-bit key sizes in 8-bit increments) RCFOUR/RC4 (8 to 2048-bit key sizes)
\nPlease see the documentation included with the package for more information. Regulations on the export of encryption software are subject to change. This action is not needed for systems running Solaris 10 08/07 and newer as the Solaris 10 Encryption Kit is installed by default. Do not use this software download on systems running Solaris 10 08/07 or newer versions of the operating system.
\n\nNote - If you are installing the Encryption Kit on Solaris 10 11/06 or older versions of the Solaris OS, the package will also install SUNWcryman. On newer versions, the manual pages are included in the system manual pages by default."
 solution       : "For Solaris 10 11/06 or older versions of the Solaris OS, obtain the Solaris 10 Encryption Kit from https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMISite/ en_US/-/USD/ViewProductDetail-Start?ProductRef=Sol10-GA-Encryption-G-F@CDSCDS_ SMI
After downloading the software, to implement this action, execute the following commands -
\n unzip -qq sol-10-encrypt-GA-iso.zip
\n lofiadm -a `pwd`/sol-10-encrypt-GA.iso /dev/lofi/1
\n mount -F hsfs -o ro /dev/lofi/1 /mnt
\nNote that the device returned in the step above is the one to be used in the next step.
\nmount -F hsfs -o ro /dev/lofi/1 /mnt
\ncd /mnt/Encryption_10/`uname -p`/Packages
\npkgadd -d . all [respond to pkgadd questions]
\ncd
\numount /mnt
\nlofiadm -d /dev/lofi/1"
 pkg		: "SUNWcryr"
 required	: YES
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
## 2.Restrict Services
##
#

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.1 Disable Local CDE ToolTalk Database Server  - Make sure that /network/rpc/cde-ttdbserver:tcp is disabled"
 info		: "Level: 1\n"
 info           : "The ToolTalk service enables independent CDE applications to communicate with each other without having direct knowledge of each other. Applications create and send ToolTalk messages to communicate with each other. The ToolTalk service receives these messages, determines the recipients, and then delivers the messages to the appropriate applications."
 solution       : "To disable the ToolTalk service, run the following command-
 svcadm disable svc:/network/rpc/cde-ttdbserver:tcp"
 service	: "network/rpc/cde-ttdbserver:tcp"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.2 Disable Local CDE Calendar Manager  - Make sure that /network/rpc/cde-calendar-manager is disabled"
 info		: "Level: 1\n"
 info           : "CDE Calendar Manager is an appointment and resource scheduling tool. CDE Calendar Manager can help you schedule and keep track of your daily appointments. Upon request, Calendar Manager can send you reminders in advance of your appointments. If you place the CDE Calendar Manager in local only mode, users on other computers will not be able to attach to the system calendar manager and look at the local users calendar."
 solution       : "To disable the CDE Calendar Manager service, run the following command-
svcadm disable svc:/network/rpc/cde-calendar-manager:default"
 service	: "network/rpc/cde-calendar-manager:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.3 Disable Local Graphical Login Environment  - Make sure that /application/graphical-login/cde-login is disabled"
 info		: "Level: 1\n"
 info           : "The CDE login service provides the capability of logging into the system using an Xwindows type interface from the console. If XDMCP remote session access to a machine is not required at all, but graphical login access for the console is required, leave the service in local-only mode. If there is no requirement for graphical services on the console, disable this service. Run this command from the command-line interface as disabling it will kill any active graphical sessions.
CDE login manager is just one of two available in the Solaris OS, the other being the GNOME Display Manager which is not enabled by default in Solaris."
 solution       : "To disable graphical login access from the console, run the following command-
 svcadm disable svc:/application/graphical-login/cde-login"
 service	: "application/graphical-login/cde-login:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.3 Disable Local Graphical Login Environment  - Make sure that /application/graphical-login/gdm2-login is disabled"
 info		: "Level: 1\n"
 info           : "The CDE login service provides the capability of logging into the system using an Xwindows type interface from the console. If XDMCP remote session access to a machine is not required at all, but graphical login access for the console is required, leave the service in local-only mode. If there is no requirement for graphical services on the console, disable this service. Run this command from the command-line interface as disabling it will kill any active graphical sessions.
CDE login manager is just one of two available in the Solaris OS, the other being the GNOME Display Manager which is not enabled by default in Solaris."
 solution       : "To disable graphical login access from the console, run the following command-
 svcadm disable svc:/application/graphical-login/cde-login"
 service	: "gdm2-login:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.4 Disable Local sendmail Service  - Make sure that /network/smtp:sendmail is disabled"
 info		: "Level: 1\n"
 info           : "If sendmail is set to local only mode, users on remote systems cannot connect to the sendmail daemon. This eliminates the possibility of a remote exploit attack against sendmail. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, disable the sendmail service. If you disable sendmail for local use, messages sent to the root account, such as for cron job output or audit daemon warnings, will fail to be delivered properly. Another solution often used is to disable sendmail's local-only mode and to have a cron job process all mail that is queued on the local system and send it to a relay host that is defined in the sendmail.cf file. It is recommended that sendmail be left in localonly mode unless there is a specific requirement to disable it."
 solution       : "To disable sendmail for local use, run the following command-
 svcadm disable svc:/network/smtp:sendmail"
 service	: "network/smtp:sendmail"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.5 Disable Local Web Console  - Make sure that /system/webconsole:console is disabled"
 info		: "Level: 1\n"
 info           : "The Java Web Console (smcwebserver(1M)) provides a common location for users to access web-based system management applications."
 solution       : "Perform the following to disable the Java Web Console-
 svcadm disable svc:/system/webconsole:console"
 service	: "system/webconsole:console"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.6 Disable Local WBEM  - Make sure that application/management/wbem is disabled"
 info		: "Level: 1\n"
 info           : "Web-Based Enterprise Management (WBEM) is a set of management and Internet technologies. Solaris WBEM Services software provides WBEM services in the Solaris OS, including secure access and manipulation of management data. The software includes a Solaris platform provider that enables management applications to access information about managed resources such as devices and software in the Solaris OS. WBEM is used by the Solaris Management Console (SMC)."
 solution       : "To disable Web-Based Enterprise Management, run the following command-
 svcadm disable svc:/application/management/wbem"
 service	: "application/management/wbem:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.1.7 Disable Local BSD Print Protocol Adapter  - Make sure that /application/print/rfc1179 is disabled"
 info		: "Level: 1\n"
 info           : "RFC 1179 describes the Berkeley system based line printer protocol. The service is used to control local Berkeley system based print spooling. It listens on port 515 for incoming print jobs. Secure by default limits access to the line printers by only allowing print jobs to be initiated from the local system. If the machine does not have locally attached printers, disable this service. Note that this service is not required for printing to a network printer.
\nNote - In Solaris 10, Update 8, this service is disabled by netservices limited if the service /application/print/server is disabled."
 solution       : "To disable local Berkeley system based print spooling, run the following command-
 svcadm disable svc:/application/print/rfc1179"
 service	: "application/print/rfc1179:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.1 Disable RPC Encryption Key  - Make sure that /network/rpc/keyserv is disabled"
 info		: "Level: 1\n"
 info           : "The keyserv process is only required for sites that are using Oracle's Secure RPC mechanism. The most common uses for Secure RPC on Solaris machines are NIS+ and 'secure NFS', which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. Do not confuse 'secure NFS' with sites that use Kerberos authentication as a mechanism for providing higher levels of NFS security. 'Kerberized' NFS does not require the keyserv process to be running."
 solution       : "To disable the keyserv process, run the following command-
 svcadm disable svc:/network/rpc/keyserv"
 service	: "network/rpc/keyserv:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.2 Disable NIS Server Daemons  - Make sure that /network/nis/server is disabled"
 info		: "Level: 1\n"
 info           : "These daemons are only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
 solution       : "No action is necessary to disable NIS server daemons unless they have been specifically enabled by the administrator. If so, they may be disabled using the following commands -
 \nsvcadm disable svc:/network/nis/server
 \nsvcadm disable svc:/network/nis/passwd
 \nsvcadm disable svc:/network/nis/update
 \nsvcadm disable svc:/network/nis/xfr"
 service	: "network/nis/server:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.2 Disable NIS Server Daemons  - Make sure that /network/nis/passwd is disabled"
 info		: "Level: 1\n"
 info           : "These daemons are only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
 solution       : "No action is necessary to disable NIS server daemons unless they have been specifically enabled by the administrator. If so, they may be disabled using the following commands -
 \nsvcadm disable svc:/network/nis/server
 \nsvcadm disable svc:/network/nis/passwd
 \nsvcadm disable svc:/network/nis/update
 \nsvcadm disable svc:/network/nis/xfr"
 service	: "network/nis/passwd:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.2 Disable NIS Server Daemons  - Make sure that /network/nis/update is disabled"
 info		: "Level: 1\n"
 info           : "These daemons are only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
 solution       : "No action is necessary to disable NIS server daemons unless they have been specifically enabled by the administrator. If so, they may be disabled using the following commands -
 \nsvcadm disable svc:/network/nis/server
 \nsvcadm disable svc:/network/nis/passwd
 \nsvcadm disable svc:/network/nis/update
 \nsvcadm disable svc:/network/nis/xfr"
 service	: "network/nis/update:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.2 Disable NIS Server Daemons  - Make sure that /network/nis/xfr is disabled"
 info		: "Level: 1\n"
 info           : "These daemons are only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
 solution       : "No action is necessary to disable NIS server daemons unless they have been specifically enabled by the administrator. If so, they may be disabled using the following commands -
 \nsvcadm disable svc:/network/nis/server
 \nsvcadm disable svc:/network/nis/passwd
 \nsvcadm disable svc:/network/nis/update
 \nsvcadm disable svc:/network/nis/xfr"
 service	: "network/nis/xfr:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.3 Disable NIS Client Daemons  - Make sure that /network/nis/client is disabled"
 info		: "Level: 1\n"
 info           : "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been configured on the system."
 solution       : "No action is necessary to disable NIS client daemons unless they have been specifically enabled by the administrator. If so, they may be disabled using the following command -
 \nsvcadm disable svc:/network/nis/client"
 service	: "network/nis/client:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.4 Disable NIS+ daemons - Make sure that /network/rpc/nisplus is disabled"
 info		: "Level: 1\n"
 info           : "NIS+ was designed to be a more secure version of NIS. However, the use of NIS+ has been deprecated by Oracle and customers are encouraged to use LDAP as an alternative naming service. This service is disabled by default unless the NIS+ service has been configured on the system."
 solution       : "No action is necessary to disable NIS+ daemons unless they have been specifically enabled by the administrator. If so, they may be disabled using the following command-
 \nsvcadm disable svc:/network/rpc/nisplus"
 service	: "network/rpc/nisplus:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system  	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.5 Disable LDAP Cache Manager - Make sure that /network/ldap/client is disabled"
 info		: "Level: 1\n"
 info           : "If the local site is not currently using LDAP as a naming service, there is no need to keep LDAP-related daemons running on the local machine. This service is disabled by default unless LDAP client services have been configured on the system. If a naming service is required, users are encouraged to use LDAP instead of NIS/NIS+."
 solution       : "No action is necessary to disable the LDAP cache manager unless it has been specifically enabled by the administrator. To disable the LDAP cache manager, run the following command-
 \nsvcadm disable svc:/network/ldap/client"
 service	: "network/ldap/client:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.6 Disable Kerberos TGT Expiration Warning - Make sure that /network/security/ktkt_warn is disabled"
 info		: "Level: 1\n"
 info           : "While Kerberos can be a security enhancement, if the local site is not currently using Kerberos then there is no need to have the Kerberos TGT expiration warning enabled."
 solution       : "To disable the Kerberos TGT expiration warning, run the following command-
 \nsvcadm disable svc:/network/security/ktkt_warn"
 service	: "network/security/ktkt_warn:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.7 Disable Generic Security Services (GSS) daemons - Make sure that /network/rpc/gss is disabled"
 info		: "Level: 1\n"
 info           : "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes.
\nNote - Since this service uses Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. This daemon will be taken offline if rpcbind is disabled. For more information see Item 2.3.14."
 solution       : "To disable the GSS API, run the following command-
 \nsvcadm disable svc:/network/rpc/gss"
 service	: "network/rpc/gss:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.8 Disable Volume Manager - Make sure that system/filesystem/volfs is disabled"
 info		: "Level: 1\n"
 info           : "The volume manager automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the vold (1M) manual page for more details.
\nNote - Since this service uses Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 2.3.14 Disable Local RPC Port Mapping Service"
 solution       : "To disable vold, run the following command-
\n svcadm disable svc:/system/filesystem/volfs
\n svcadm disable svc:/network/rpc/smserver"
 service	: "system/filesystem/volfs:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.8 Disable Volume Manager - Make sure that network/rpc/smserver is disabled"
 info		: "Level: 1\n"
 info           : "The volume manager automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the vold (1M) manual page for more details.
\nNote - Since this service uses Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 2.3.14 Disable Local RPC Port Mapping Service"
 solution       : "To disable vold, run the following command-
\n svcadm disable svc:/system/filesystem/volfs
\n svcadm disable svc:/network/rpc/smserver"
 service	: "network/rpc/smserver:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<if>
 <condition type : "and">
  <custom_item>
   system               : "SunOS"
   type                 : FILE_CONTENT_CHECK
   description          : "Silent check to determine if it is Solaris 10 >= 08/07"
   file                 : "/etc/release"
   regex                : "Solaris 10 [0-9]+/(0[7-9]|[1-9][0-9])+"
   expect               : "Solaris 10 [0-9]+/(0[7-9]|[1-9][0-9])+"
  </custom_item>
 </condition>
 <then>
  <custom_item>
   system               : "SunOS"
   type                 : SVC_PROP
   description          : "2.2.9 Disable Samba Support - Make sure that /network/samba is disabled. Note this check is only applicable for Solaris 10 >= 8/07"
   info			: "Level: 1\n"
   info                 : "Solaris includes the popular open source Samba server for providing file and print services to Windows-based systems. This allows a Solaris system to act as a file or print server on a Windows network, and even act as a Domain Controller (authentication server) to older Windows operating systems. Note that on Solaris releases prior to 11/06 the file /etc/sfw/smb.conf does not exist and the service will not be started by default even on newer releases."
   solution             : "To disable Samba, run the appropriate command for your Solaris OS level -
Solaris 10 <= 11/06
/etc/init.d/samba stop
mv /etc/sfw/smb.conf /etc/sfw/smb.conf.CIS"
   service              : "network/samba:default"
   property             : "restarter/state"
   regex                : "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </then>
</if>

<if>
 <condition type : "and">
  <custom_item>
   system               : "SunOS"
   type                 : FILE_CONTENT_CHECK
   description          : "Silent check to determine if it is Solaris 10 <= 11/06"
   file                 : "/etc/release"
   regex                : "Solaris 10 [0-9]+/(0[0-6])"
   expect               : "Solaris 10 [0-9]+/(0[0-6])"
  </custom_item>
 </condition>
 <then>
  <custom_item>
   system               : "SunOS"
   type                 : FILE_CHECK_NOT
   description          : "2.2.9 Disable Samba Support - Make sure that /etc/sfw/smb.conf does not exist. Note this check is only applicable for Solaris 10 >= 11/06"
   info			: "Level: 1\n"
   info                 : "Solaris includes the popular open source Samba server for providing file and print services to Windows-based systems. This allows a Solaris system to act as a file or print server on a Windows network, and even act as a Domain Controller (authentication server) to older Windows operating systems. Note that on Solaris releases prior to 11/06 the file /etc/sfw/smb.conf does not exist and the service will not be started by default even on newer releases."
   solution             : "To disable Samba, run the appropriate command for your Solaris OS level -
\nSolaris 10 <= 11/06
\n/etc/init.d/samba stop
\nmv /etc/sfw/smb.conf /etc/sfw/smb.conf.CIS"
   file                 : "/etc/sfw/smb.conf"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </then>
</if>


<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.10 Disable automount daemon - Make sure that /system/filesystem/autofs is disabled."
 info		: "Level: 1\n"
 info           : "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration.\n Sites that have local home directories configured via the automount daemon in this fashion will need to ensure that this daemon is running for Oracle's Solaris Management Console administrative interface to function properly. If the automount daemon is not running, the mount points created by SMC will not be mounted.
\nNote - Since this service uses Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 2.3.14 Disable Local RPC Portmapping Service."
 solution       : "To disable the automount daemon, run the following command-
 svcadm disable svc:/system/filesystem/autofs"
 service	: "system/filesystem/autofs:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type   	: FILE_CHECK_NOT
 description    : "2.2.11 Disable Apache services - Make sure that /etc/apache/httpd.conf does not exist. Note this check is only applicable for Apache 1.x"
 info		: "Level: 1\n"
 info           : "The action in this section describes disabling the Apache 1.x and 2.x web servers provided with Solaris 10. Both services are disabled by default. Run control scripts for Apache 1 and the NCA web servers still exist, but the services will only be started if the respective configuration files have been set up appropriately, and these configuration files do not exist by default.
Even if the system is a Web server, the local site may choose not to use the Web server provided with Solaris in favor of a locally developed and supported Web environment. If the machine is a Web server, the administrator is encouraged to search the Web for additional documentation on Web server security."
 solution       : "To disable Apache, run the appropriate command for the version installed-
\nApache 1.x-
\n/etc/init.d/apache stop # mv /etc/apache/httpd.conf /etc/apache/httpd.conf.CIS
\nApache 2.x-
\nsvcadm disable svc:/network/http:apache2"
 file	       	: "/etc/apache/httpd.conf"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.11 Disable Apache services - Make sure that network/http:apache2 is disabled."
 info		: "Level: 1\n"
 info           : "The action in this section describes disabling the Apache 1.x and 2.x web servers provided with Solaris 10. Both services are disabled by default. Run control scripts for Apache 1 and the NCA web servers still exist, but the services will only be started if the respective configuration files have been set up appropriately, and these configuration files do not exist by default.
Even if the system is a Web server, the local site may choose not to use the Web server provided with Solaris in favor of a locally developed and supported Web environment. If the machine is a Web server, the administrator is encouraged to search the Web for additional documentation on Web server security."
 solution       : "To disable Apache, run the appropriate command for the version installed-
\nApache 1.x-
\n/etc/init.d/apache stop # mv /etc/apache/httpd.conf /etc/apache/httpd.conf.CIS
\nApache 2.x-
\nsvcadm disable svc:/network/http:apache2"
 service	: "network/http:apache2"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<if>
 <condition type : "and">
  <custom_item>
   system               : "SunOS"
   type                 : FILE_CONTENT_CHECK
   description          : "Silent check to check if its a Solaris 10 <= 11/06"
   file                 : "/etc/release"
   regex                : "Solaris 10 [0-9]+/(0[0-6])"
   expect               : "Solaris 10 [0-9]+/(0[0-6])"
  </custom_item>
 </condition>
 <then>
  <custom_item>
   system        	: "SunOS"
   type			: SVC_PROP
   description		: "2.2.12 Disable Solaris Volume Manager Services - Make sure that /system/metainit is disabled. Note this check is only applicable for Solaris 10 <= 11/06"
   info			: "Level: 1\n"
   info                 : "The Solaris Volume Manager, formerly known as Solstice DiskSuite, provides functionality for managing disk storage, disk arrays, etc. However, many systems without large storage arrays do not require that these services be enabled or may be using an alternate volume manager rather than the bundled SVM functionality. This service is disabled by default in the OS."
   solution             : "To disable the Solaris Volume Manager, run the following commands-
 \nsvcadm disable svc:/system/metainit
 \nsvcadm disable svc:/system/mdmonitor
\nIn addition, run the appropriate command for the Solaris 10 level that you are running-
\nSolaris 10 <= 11/06
\nsvcadm disable svc:/platform/sun4u/mpxio-upgrade
\nSolaris 10 >= 8/07
\nsvcadm disable svc:/system/device/mpxio-upgrade"
   service		: "system/metainit:default"
   property		: "restarter/state"
   regex		: "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
  <custom_item>
   system        	: "SunOS"
   type			: SVC_PROP
   description		: "2.2.12 Disable Solaris Volume Manager Services - Make sure that /platform/sun4u/mpxio-upgrade is disabled. Note this check is only applicable for Solaris 10 <= 11/06"
   info			: "Level: 1\n"
   info                 : "The Solaris Volume Manager, formerly known as Solstice DiskSuite, provides functionality for managing disk storage, disk arrays, etc. However, many systems without large storage arrays do not require that these services be enabled or may be using an alternate volume manager rather than the bundled SVM functionality. This service is disabled by default in the OS."
   solution             : "To disable the Solaris Volume Manager, run the following commands-
 \nsvcadm disable svc:/system/metainit
 \nsvcadm disable svc:/system/mdmonitor
\nIn addition, run the appropriate command for the Solaris 10 level that you are running-
\nSolaris 10 <= 11/06
\nsvcadm disable svc:/platform/sun4u/mpxio-upgrade
\nSolaris 10 >= 8/07
\nsvcadm disable svc:/system/device/mpxio-upgrade"
   service		: "platform/sun4u/mpxio-upgrade:default"
   property		: "restarter/state"
   regex		: "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
  <custom_item>
   system		: "SunOS"
   type			: SVC_PROP
   description		: "2.2.12 Disable Solaris Volume Manager Services - Make sure that system/mdmonitor is disabled. Note this check is only applicable for Solaris 10 <= 11/06"
   info			: "Level: 1\n"
   info                 : "The Solaris Volume Manager, formerly known as Solstice DiskSuite, provides functionality for managing disk storage, disk arrays, etc. However, many systems without large storage arrays do not require that these services be enabled or may be using an alternate volume manager rather than the bundled SVM functionality. This service is disabled by default in the OS."
   solution             : "To disable the Solaris Volume Manager, run the following commands-
 \nsvcadm disable svc:/system/metainit
 \nsvcadm disable svc:/system/mdmonitor
\nIn addition, run the appropriate command for the Solaris 10 level that you are running-
\nSolaris 10 <= 11/06
\nsvcadm disable svc:/platform/sun4u/mpxio-upgrade
\nSolaris 10 >= 8/07
\nsvcadm disable svc:/system/device/mpxio-upgrade"
   service		: "system/mdmonitor:default"
   property		: "restarter/state"
   regex		: "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </then>
</if>

<if>
 <condition type : "and">
  <custom_item>
   system               : "SunOS"
   type                 : FILE_CONTENT_CHECK
   description          : "Silent check to determine if it is Solaris 10 >= 08/07"
   file                 : "/etc/release"
   regex                : "Solaris 10 [0-9]+/(0[7-9]|[1-9][0-9])+"
   expect               : "Solaris 10 [0-9]+/(0[7-9]|[1-9][0-9])+"
  </custom_item>
 </condition>
 <then>
  <custom_item>
   system        	: "SunOS"
   type			: SVC_PROP
   description		: "2.2.12 Disable Solaris Volume Manager Services - Make sure that /system/metainit is disabled. Note this check is only applicable for Solaris 10 >= 8/07"
   info			: "Level: 1\n"
   info                 : "The Solaris Volume Manager, formerly known as Solstice DiskSuite, provides functionality for managing disk storage, disk arrays, etc. However, many systems without large storage arrays do not require that these services be enabled or may be using an alternate volume manager rather than the bundled SVM functionality. This service is disabled by default in the OS."
   solution             : "To disable the Solaris Volume Manager, run the following commands-
 \nsvcadm disable svc:/system/metainit
 \nsvcadm disable svc:/system/mdmonitor
\nIn addition, run the appropriate command for the Solaris 10 level that you are running-
\nSolaris 10 <= 11/06
\nsvcadm disable svc:/platform/sun4u/mpxio-upgrade
\nSolaris 10 >= 8/07
\nsvcadm disable svc:/system/device/mpxio-upgrade"
   service		: "system/metainit:default"
   property		: "restarter/state"
   regex		: "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
  <custom_item>
   system        	: "SunOS"
   type			: SVC_PROP
   description		: "2.2.12 Disable Solaris Volume Manager Services - Make sure that /system/device/mpxio-upgrade is disabled. Note this check is only applicable for Solaris 10 >= 8/07"
   info			: "Level: 1\n"
   info                 : "The Solaris Volume Manager, formerly known as Solstice DiskSuite, provides functionality for managing disk storage, disk arrays, etc. However, many systems without large storage arrays do not require that these services be enabled or may be using an alternate volume manager rather than the bundled SVM functionality. This service is disabled by default in the OS."
   solution             : "To disable the Solaris Volume Manager, run the following commands-
 \nsvcadm disable svc:/system/metainit
 \nsvcadm disable svc:/system/mdmonitor
\nIn addition, run the appropriate command for the Solaris 10 level that you are running-
\nSolaris 10 <= 11/06
\nsvcadm disable svc:/platform/sun4u/mpxio-upgrade
\nSolaris 10 >= 8/07
\nsvcadm disable svc:/system/device/mpxio-upgrade"
   service		: "system/device/mpxio-upgrade:default"
   property		: "restarter/state"
   regex		: "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
  <custom_item>
   system		: "SunOS"
   type			: SVC_PROP
   description		: "2.2.12 Disable Solaris Volume Manager Services - Make sure that system/mdmonitor is disabled. Note this check is only applicable for Solaris 10 >= 8/07"
   info			: "Level: 1\n"
   info                 : "The Solaris Volume Manager, formerly known as Solstice DiskSuite, provides functionality for managing disk storage, disk arrays, etc. However, many systems without large storage arrays do not require that these services be enabled or may be using an alternate volume manager rather than the bundled SVM functionality. This service is disabled by default in the OS."
   solution             : "To disable the Solaris Volume Manager, run the following commands-
 \nsvcadm disable svc:/system/metainit
 \nsvcadm disable svc:/system/mdmonitor
\nIn addition, run the appropriate command for the Solaris 10 level that you are running-
\nSolaris 10 <= 11/06
\nsvcadm disable svc:/platform/sun4u/mpxio-upgrade
\nSolaris 10 >= 8/07
\nsvcadm disable svc:/system/device/mpxio-upgrade"
   service		: "system/mdmonitor:default"
   property		: "restarter/state"
   regex		: "disabled"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </then>
</if>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.13 Disable Solaris Volume Manager GUI - Make sure that /network/rpc/mdcomm is disabled." 
 info		: "Level: 1\n"
 info           : "The Solaris Volume Manager, formerly Solstice DiskSuite, provides software RAID capability for Solaris systems. \nThis functionality can either be controlled via the GUI administration tools provided with the operating system, or via the command line. However, the GUI tools cannot function without several daemons listed in Item 2.3.12 Disable Solaris Volume Manager Services enabled. \nIf you have disabled Solaris Volume Manager Services, also disable the Solaris Volume Manager GUI.
\nNote - Since these services use Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when these services are turned on. For more information see Item 2.3.14 Disable Local RPC Port Mapping Service."
 solution       : "To disable the GUI administration tools for the Solaris Volume Manager, run the following commands-
\n svcadm disable svc:/network/rpc/mdcomm
\n svcadm disable svc:/network/rpc/meta
\n svcadm disable svc:/network/rpc/metamed
\n svcadm disable svc:/network/rpc/metamh"
 service	: "network/rpc/mdcomm:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.13 Disable Solaris Volume Manager GUI - Make sure that network/rpc/meta is disabled." 
 info		: "Level: 1\n"
 info           : "The Solaris Volume Manager, formerly Solstice DiskSuite, provides software RAID capability for Solaris systems. \nThis functionality can either be controlled via the GUI administration tools provided with the operating system, or via the command line. However, the GUI tools cannot function without several daemons listed in Item 2.3.12 Disable Solaris Volume Manager Services enabled. \nIf you have disabled Solaris Volume Manager Services, also disable the Solaris Volume Manager GUI.
\nNote - Since these services use Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when these services are turned on. For more information see Item 2.3.14 Disable Local RPC Port Mapping Service."
 solution       : "To disable the GUI administration tools for the Solaris Volume Manager, run the following commands-
\n svcadm disable svc:/network/rpc/mdcomm
\n svcadm disable svc:/network/rpc/meta
\n svcadm disable svc:/network/rpc/metamed
\n svcadm disable svc:/network/rpc/metamh"
 service	: "network/rpc/meta:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.13 Disable Solaris Volume Manager GUI - Make sure that network/rpc/metamed is disabled." 
 info		: "Level: 1\n"
 info           : "The Solaris Volume Manager, formerly Solstice DiskSuite, provides software RAID capability for Solaris systems. \nThis functionality can either be controlled via the GUI administration tools provided with the operating system, or via the command line. However, the GUI tools cannot function without several daemons listed in Item 2.3.12 Disable Solaris Volume Manager Services enabled. \nIf you have disabled Solaris Volume Manager Services, also disable the Solaris Volume Manager GUI.
\nNote - Since these services use Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when these services are turned on. For more information see Item 2.3.14 Disable Local RPC Port Mapping Service."
 solution       : "To disable the GUI administration tools for the Solaris Volume Manager, run the following commands-
\n svcadm disable svc:/network/rpc/mdcomm
\n svcadm disable svc:/network/rpc/meta
\n svcadm disable svc:/network/rpc/metamed
\n svcadm disable svc:/network/rpc/metamh"
 service	: "network/rpc/metamed:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.13 Disable Solaris Volume Manager GUI - Make sure that network/rpc/metamh is disabled." 
 info		: "Level: 1\n"
 info           : "The Solaris Volume Manager, formerly Solstice DiskSuite, provides software RAID capability for Solaris systems. \nThis functionality can either be controlled via the GUI administration tools provided with the operating system, or via the command line. However, the GUI tools cannot function without several daemons listed in Item 2.3.12 Disable Solaris Volume Manager Services enabled. \nIf you have disabled Solaris Volume Manager Services, also disable the Solaris Volume Manager GUI.
\nNote - Since these services use Oracle's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when these services are turned on. For more information see Item 2.3.14 Disable Local RPC Port Mapping Service."
 solution       : "To disable the GUI administration tools for the Solaris Volume Manager, run the following commands-
\n svcadm disable svc:/network/rpc/mdcomm
\n svcadm disable svc:/network/rpc/meta
\n svcadm disable svc:/network/rpc/metamed
\n svcadm disable svc:/network/rpc/metamh"
 service	: "network/rpc/metamh:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.2.14 Disable Local RPC Port Mapping Service - Make sure that network/rpc/bind is disabled." 
 info		: "Level: 1\n"
 info           : "RPC-based services are typically deployed to use very weak or non-existent authentication and yet may share very sensitive information. Unless one of the services is required on this machine, it is best to disable RPC-based tools completely. If you are unsure whether or not a particular third-party application requires RPC services, consult with the application vendor."
 solution       : "To disable local RPC port mapping service, run the following command-
\n svcadm disable svc:/network/rpc/bind
\nIf you want to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this daemon. Alternatively, TCP Wrappers support can be enabled in the daemon with the commands-
\n svccfg -s svc:/network/rpc/bind setprop \ config/enable_tcpwrappers = true
\n svcadm refresh rpc/bind"
 service	: "network/rpc/bind:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/cde-printinfo:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/cde-printinfo:default"
 property	: "restarter/state"
 value 		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
# See also :
#
# http://opensolaris.org/os/community/security/projects/sbd/sbd_design/
# http://opensolaris.org/os/community/security/projects/sbd/sbd_toi.pdf
# According to the above document, cde-printinfo:default should be disabled, but "netservices limited"
# does not disable it. You may disable it manually by running: "svcadm disable application/cde-printinfo:default"
# which will cause the check directly below to pass.
#

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/cde-spc:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/cde-spc:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/management/dmi:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/management/dmi:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/management/sma:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/management/sma:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/management/snmpdx:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/management/snmpdx:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/management/seaport:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/management/seaport:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/graphical-login/cde-login is only limited to local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/graphical-login/cde-login"
 property	: "dtlogin/args"
 value		: "\\ -udpPort\\ 0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/cde-ttdbserver:tcp is only limited to local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/cde-ttdbserver:tcp"
 property	: "inetd/proto"
 regex		: "ticotsord"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/cde-calendar-manager is only limited to local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/cde-calendar-manager"
 property	: "inetd/proto"
 regex		: "(ticlts|datagram_v)"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 # See also : http://uw714doc.sco.com/en/man/html.7sock/ticlts.7sock.html
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/print/rfc1179:default is only limited to local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/print/rfc1179:default"
 property	: "inetd/bind_addr"
 regex		: "localhost"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 info		: "To set this item you will need to utilize inetadm, otherwise it does not exist by default on a Solaris system. Example: \"inetadm -m svc:/application/print/rfc1179:default bind_addr=localhost\""
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that /network/rpc/bind only allows local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "/network/rpc/bind"
 property	: "config/local_only"
 value		: "true"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that system/system-log only allows local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "/system/system-log"
 property	: "config/log_from_remote"
 value		: "false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that /network/smtp:sendmail only allows local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "/network/smtp:sendmail"
 property	: "config/local_only"
 value		: "true"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that system/webconsole:console only allows local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "/system/webconsole:console"
 property	: "options/tcp_listen"
 value		: "false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/management/wbem only allows local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "/application/management/wbem"
 property	: "options/tcp_listen"
 value		: "false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/x11/x11-server only allows local connections (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/x11/x11-server"
 property	: "options/tcp_listen"
 value		: "false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/x11/xfs:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/x11/xfs:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that application/print/ipp-listener:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "application/print/ipp-listener:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/meta is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/meta:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 #  http://www.sun.com/bigadmin/content/selfheal/smf-quickstart.jsp
 #  As per the above link following can be interchangeably used
 #  network/rpc/meta or network/rpc/meta:default
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/metamed:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/metamed:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/metamh:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/metamh:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/mdcomm:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/mdcomm:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/rstat:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/rstat:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/telnet:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/telnet:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/status:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/status:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/rpc/rusers:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/rpc/rusers:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/nlockmgr:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/nlockmgr:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/client:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/client:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/server:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/server:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/rquota:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/rquota:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/cbd:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/cbd:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/nfs/mapid:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/nfs/mapid:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/ftp:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/ftp:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/finger:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/finger:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/login:rlogin is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/login:rlogin"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item> 
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/shell:default is disabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/shell:default"
 property	: "restarter/state"
 regex		: "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: SVC_PROP
 description	: "2.3 Establish a Secure Baseline - Make sure that network/ssh:default is enabled (netservices limited)"
 info		: "Level: 1\n"
 info           : "Starting with Solaris 10 11/06, Oracle has provided an option for new installations to install the system as 'Secure By Default (SBD).' \nUse of this installation option provides a secure system base in which the only network service that is enabled for remote access is Secure Shell (ssh). Some services, such as sendmail(1M) and syslogd(1M), are enabled for local connections only.\n Users who are upgrading to this release or who wish to establish a secure baseline may invoke the SBD settings by running the netservices(1M) command. SBD settings will not be reversed by applying patches."
 solution       : "To establish a hardened OS baseline as recommended by Oracle, run the netservices (1M) command as follows-
\n netservices limited
\n\nNote - At present, there is a known bug that prevents webconsole from refreshing after 'netservices limited' is run-
\n6555726 svc:/system/webconsole SMF service doesn't have a refresh method
\nUntil a patch is available, this bug requires that an extra step be performed to restart the webconsole as follows-
\nsvcadm restart svc:/system/webconsole:console"
 service	: "network/ssh:default"
 property	: "restarter/state"
 regex		: "online"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
## 3.Kernel Tuning
##
#

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.2 Disable Source Packet Forwarding - Check ip_forward_src_routed value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_forward_src_routed and ip6_forward_src_routed parameters control whether IPv4/IPv6 forwards packets with source IPv4/IPv6 routing options
\n\nNote - These settings will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\n ndd -set /dev/ip ip_forward_src_routed 0
\nIPv6-
\n ndd -set /dev/ip ip6_forward_src_routed 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_forward_src_routed"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.2 Disable Source Packet Forwarding - Check ip6_forward_src_routed value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_forward_src_routed and ip6_forward_src_routed parameters control whether IPv4/IPv6 forwards packets with source IPv4/IPv6 routing options
\n\nNote - These settings will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\n ndd -set /dev/ip ip_forward_src_routed 0
\nIPv6-
\n ndd -set /dev/ip ip6_forward_src_routed 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip6_forward_src_routed"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.3 Disable Broadcast Packet Forwarding - Check ip_forward_directed_broadcasts value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_forward_directed_broadcasts parameter controls whether or not Solaris forwards broadcast packets for a specific network if it is directly connected to the machine.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip_forward_directed_broadcasts 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_forward_directed_broadcasts"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.4 Disable Response to ICMP Timestamp Requests - Check ip_respond_to_timestamp value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_respond_to_timestamp parameter controls whether or not to respond to ICMP timestamp requests.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip_respond_to_timestamp 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_respond_to_timestamp"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type		: CMD_EXEC
 description	: "3.1.5 Disable Response to ICMP Broadcast Timestamp Requests - Check ip_respond_to_timestamp_broadcast value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_respond_to_timestamp_broadcast parameter controls whether or not to respond to ICMP broadcast timestamp requests.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_respond_to_timestamp_broadcast"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type		: CMD_EXEC
 description	: "3.1.6 Disable Response to ICMP Netmask Requests - Check ip_respond_to_address_mask_broadcast value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_respond_to_address_mask_broadcast parameter controls whether or not to respond to ICMP netmask requests, typically sent by diskless clients when booting.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_respond_to_address_mask_broadcast"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.7 Disable ICMPv6 Redirect Messages - Check ip6_send_redirects value. Expected value: 1."
 info		: "Level: 1\n"
 info           : "The ip6_send_redirects parameter controls whether or not IPv6 sends out ICMPv6 redirect messages.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip6_send_redirects 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip6_send_redirects"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.8 Disable Response to Broadcast ICMPv4 Echo Request - Check ip_respond_to_echo_broadcast value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_respond_to_echo_broadcast parameter controls whether or not IPv4 responds to a broadcast ICMPv4 echo request.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
s\nvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip_respond_to_echo_broadcast 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_respond_to_echo_broadcast"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.9 Disable Response to Multicast Echo Request - Check ip_respond_to_echo_multicast value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip6_respond_to_echo_multicast and ip_respond_to_echo_multicast parameters control whether or not IPv6 or IPv4 responds to a multicast IPv6 or IPv4 echo request.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\nndd -set /dev/ip ip_respond_to_echo_multicast 0
\nIPv6-
\nndd -set /dev/ip ip6_respond_to_echo_multicast 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_respond_to_echo_multicast"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.9 Disable Response to Multicast Echo Request - Check ip6_respond_to_echo_multicast value. Expected value: 0."
 info		: "3.1 Modify Network Parameters"
 info		: "Level: 1\n"
 info           : "The ip6_respond_to_echo_multicast and ip_respond_to_echo_multicast parameters control whether or not IPv6 or IPv4 responds to a multicast IPv6 or IPv4 echo request.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\nndd -set /dev/ip ip_respond_to_echo_multicast 0
\nIPv6-
\nndd -set /dev/ip ip6_respond_to_echo_multicast 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip6_respond_to_echo_multicast"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.10 Set Interval for Scanning IRE_CACHE - Check ip_ire_arp_interval value. Expected value: 60000."
 info		: "Level: 1\n"
 info           : "The ip_ire_arp_interval parameter determines the intervals in which Solaris scans the IRE_CACHE (IP Resolved Entries) and deletes entries that are more than one scan old. This interval is used for solicited arp entries, not un-solicited which are handled by arp_cleanup_interval.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nndd -set /dev/ip ip_ire_arp_interval 60000"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_ire_arp_interval"
 expect		: "60000"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.11 Ignore ICMP Redirect Messages - Check ip_ignore_redirect value. Expected value: 1."
 info		: "Level: 1\n"
 info           : "The ip_ignore_redirect and ip6_ignore_redirect parameters determine if redirect messages will be ignored. ICMP redirect messages cause a host to re-route packets and could be used in a DoS attack. The default value for this is 0. Setting this parameter to 1 causes redirect messages to be ignored.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\n cp cis_netconfig.sh /lib/svc/method
\n chmod 750 /lib/svc/method/cis_netconfig.sh
\n svccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\nndd -set /dev/ip ip_ignore_redirect 1
\nIPv6-
\n ndd -set /dev/ip ip6_ignore_redirect 1"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_ignore_redirect"
 expect		: "1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.11 Ignore ICMP Redirect Messages - Check ip6_ignore_redirect value. Expected value: 1."
 info		: "Level: 1\n"
 info           : "The ip_ignore_redirect and ip6_ignore_redirect parameters determine if redirect messages will be ignored. ICMP redirect messages cause a host to re-route packets and could be used in a DoS attack. The default value for this is 0. Setting this parameter to 1 causes redirect messages to be ignored.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\n cp cis_netconfig.sh /lib/svc/method
\n chmod 750 /lib/svc/method/cis_netconfig.sh
\n svccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\nndd -set /dev/ip ip_ignore_redirect 1
\nIPv6-
\n ndd -set /dev/ip ip6_ignore_redirect 1"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip6_ignore_redirect"
 expect		: "1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.12 Set Strict Multihoming - Check ip_strict_dst_multihoming value. Expected value: 1."
 info		: "Level: 1\n"
 info           : "The ip_strict_dst_multihoming and ip6_strict_dst_multihoming parameters determines whether a packet arriving on a non -forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. If ip_forwarding is enabled, or xxx:ip_forwarding (where xxx is the interface name) for the appropriate interfaces is enabled, then this parameter is ignored because the packet is actually forwarded.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\nndd -set /dev/ip ip_strict_dst_multihoming 1
\nIPv6-
\nndd -set /dev/ip ip6_strict_dst_multihoming 1"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_strict_dst_multihoming"
 expect		: "1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.12 Set Strict Multihoming - Check ip6_strict_dst_multihoming value. Expected value: 1."
 info		: "Level: 1\n"
 info           : "The ip_strict_dst_multihoming and ip6_strict_dst_multihoming parameters determines whether a packet arriving on a non -forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. If ip_forwarding is enabled, or xxx:ip_forwarding (where xxx is the interface name) for the appropriate interfaces is enabled, then this parameter is ignored because the packet is actually forwarded.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nIPv4-
\nndd -set /dev/ip ip_strict_dst_multihoming 1
\nIPv6-
\nndd -set /dev/ip ip6_strict_dst_multihoming 1"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip6_strict_dst_multihoming"
 expect		: "1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.13 Disable ICMPv4 Redirect Messages - Check ip_send_redirects value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The ip_send_redirects parameter controls whether or not IPv4 sends out ICMPv4 redirect messages.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/ip ip_send_redirects 0"
 cmd		: "/usr/sbin/ndd -get /dev/ip ip_send_redirects"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.14 Set ARP Cleanup Interval - Check arp_cleanup_interval value. Expected value: 60000."
 info		: "Level: 1\n"
 info           : "The arp_cleanup_interval parameter controls the length of time, in milliseconds, that an unsolicited Address Resolution Protocal (ARP) request remains in the ARP cache.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/arp arp_cleanup_interval 60000"
 cmd		: "/usr/sbin/ndd -get /dev/arp arp_cleanup_interval"
 expect		: "60000"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.15 Disable TCP Reverse IP Source Routing - Check tcp_rev_src_routes value. Expected value: 0."
 info		: "Level: 1\n"
 info           : "The tcp_rev_src_routes parameter determines if TCP reverses the IP source routing option for incoming connections. If set to 0, TCP does not reverse IP source. If set to 1, TCP does the normal reverse source routing. The default setting is 0.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/tcp tcp_rev_src_routes 0"
 cmd		: "/usr/sbin/ndd -get /dev/tcp tcp_rev_src_routes"
 expect		: "0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.16 Set Maximum Number of Half-open TCP Connections - Check tcp_conn_req_max_q0 value. Expected value: 4096."
 info		: "Level: 1\n"
 info           : "The tcp_conn_req_max_q0 parameter determines how many half-open TCP connections can exist for a port. This setting is closely related with tcp_conn_req_max_q.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set
\nthe network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\nndd -set /dev/tcp tcp_conn_req_max_q0 4096"
 cmd		: "/usr/sbin/ndd -get /dev/tcp tcp_conn_req_max_q0"
 expect		: "4096"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.17 Set Maximum Number of Incoming Connections - Check tcp_conn_req_max_q value. Expected value: 1024."
 info		: "Level: 1\n"
 info           : "The tcp_conn_req_max_q parameter determines the maximum number of incoming connections that can be accepted on a port. This setting is closely related with tcp_conn_req_max_q0.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/tcp tcp_conn_req_max_q 1024"
 cmd		: "/usr/sbin/ndd -get /dev/tcp tcp_conn_req_max_q"
 expect		: "1024"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "3.1.18 Lock down dtspcd(8) - Check tcp_extra_priv_ports_add value. Expected value: 6112."
 info		: "Level: 1\n"
 info           : "The tcp_extra_priv_ports_add parameter adds a non-privileged port to the privileged port list.
\n\nNote - This setting will NOT persist between reboots.
\nAppendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
\ncp cis_netconfig.sh /lib/svc/method
\nchmod 750 /lib/svc/method/cis_netconfig.sh
\nsvccfg import cis_netconfig.xml
\nWhen the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date."
 solution       : "See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
\n ndd -set /dev/tcp tcp_extra_priv_ports_add 6112"
 cmd		: "/usr/sbin/ndd -get /dev/tcp tcp_extra_priv_ports"
 expect		: "6112"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_GLOB_PATTERN is set to /var/cores/core_%n_%f_%u_%g_%t_%p"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_GLOB_PATTERN\\s*=\\s*.*"
 expect         : "COREADM_GLOB_PATTERN\\s*=\\s*/var/cores/core_%n_%f_%u_%g_%t_%p"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_GLOB_CONTENT is set to default"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_GLOB_CONTENT\\s*=\\s*.*"
 expect         : "COREADM_GLOB_CONTENT\\s*=\\s*[Dd][Ee][Ff][Aa][Uu][Ll][Tt]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_INIT_PATTERN is set to core"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_INIT_PATTERN\\s*=\\s*.*"
 expect         : "COREADM_INIT_PATTERN\\s*=\\s*[Cc][Oo][Rr][Ee]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_INIT_CONTENT is set to default"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_INIT_CONTENT\\s*=\\s*.*"
 expect         : "COREADM_INIT_CONTENT\\s*=\\s*[Dd][Ee][Ff][Aa][Uu][Ll][Tt]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_GLOB_ENABLED is set to yes"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_GLOB_ENABLED\\s*=\\s*.*"
 expect         : "COREADM_GLOB_ENABLED\\s*=\\s*[Yy][Ee][Ss]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_PROC_ENABLED is set to no"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_PROC_ENABLED\\s*=\\s*.*"
 expect         : "COREADM_PROC_ENABLED\\s*=\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_GLOB_SETID_ENABLED is set to yes"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_GLOB_SETID_ENABLED\\s*=\\s*.*"
 expect         : "COREADM_GLOB_SETID_ENABLED\\s*=\\s*[Yy][Ee][Ss]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_PROC_SETID_ENABLED is set to no"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_PROC_SETID_ENABLED\\s*=\\s*.*"
 expect         : "COREADM_PROC_SETID_ENABLED\\s*=\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "3.2 Restrict Core Dumps to Protected Directory - Check if COREADM_GLOB_LOG_ENABLED is set to yes"
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file           : "/etc/coreadm.conf"
 regex          : "COREADM_GLOB_LOG_ENABLED\\s*=\\s*.*"
 expect         : "COREADM_GLOB_LOG_ENABLED\\s*=\\s*[Yy][Ee][Ss]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: FILE_CHECK
 description	: "3.2 Restrict Core Dumps to Protected Directory - Check if permissions for /var/cores are OK."
 info		: "Level: 1\n"
 info           : "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
 solution       : "To restrict core files to a protected directory, run the following commands-
\n mkdir -p /var/cores
\n chown root:root /var/cores
\n chmod 700 /var/cores
\n coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid
\nIf the local site chooses, dumping of core files can be completely disabled with the following command-
\ncoreadm -d global -d global-setid -d process \ -d proc-setid"
 file		: "/var/cores"
 owner		: "root"
 group		: "root"
 mode		: "700"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "3.3 Enable Stack Protection - Makes sure 'noexec_user_stack' is set to 1 in /etc/system. Note: Only applicable if NX bit is set."
 info		: "Level: 1\n"
 info           : "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor-supplied and third-party software."
 solution       : "Please refer to the remediation steps on page 62 of the CIS document."
 file		: "/etc/system"
 regex		: "^ *[^#]*set\\s*noexec_user_stack\\s*=.*"
 expect		: "set\\s*noexec_user_stack\\s*=\\s*1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 # Check if NX bit is set, by running following command, dmesg | grep features.
 # un 28 11:00:05 sec1 unix: [ID 126719 kern.info] features: 1176fdf<cpuid,cmp,sse3,nx,asysc,sse2,sse,pat,cx8,pae,mca,mmx,cmov,pge,mtrr,msr,tsc,lgpg>
 # See also : http://blogs.sun.com/gbrunett/entry/solaris_non_executable_stack_overview
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "3.3 Enable Stack Protection - Makes sure 'noexec_user_stack_log' is set to 1 in /etc/system. Note: Only applicable if NX bit is set."
 info		: "Level: 1\n"
 info           : "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor-supplied and third-party software."
 solution       : "Please refer to the remediation steps on page 62 of the CIS document."
 file		: "/etc/system"
 regex		: "^ *[^#]*set\\s*noexec_user_stack_log\\s*=.*"
 expect		: "set\\s*noexec_user_stack_log\\s*=\\s*1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 # Check if NX bit is set, by running following command, dmesg | grep features.
 # jun 28 11:00:05 sec1 unix: [ID 126719 kern.info] features: 1176fdf<cpuid,cmp,sse3,nx,asysc,sse2,sse,pat,cx8,pae,mca,mmx,cmov,pge,mtrr,msr,tsc,lgpg>
 # See also : http://blogs.sun.com/gbrunett/entry/solaris_non_executable_stack_overview
</custom_item>

<custom_item>
 system		: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "3.4 Enable Strong TCP Sequence Number Generation - Enforce Strong TCP Sequence Number Generation setting (TCP_STRONG_ISS = 2)."
 info		: "Level: 1\n"
 info           : "The variable TCP_STRONG_ISS sets the mechanism for generating the order of TCP packets. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session. Solaris supports three sequence number methods-
\n0 = Old-fashioned sequential initial sequence number generation.
\n1 = Improved sequential generation, with random variance in increment.
\n2 = RFC 1948 sequence number generation, unique-per-connection-ID."
 solution       : "Run the following commands to set TCP_STRONG_ISS to use RFC 1948 sequence number generation-
\n cd /etc/default
\n awk '/TCP_STRONG_ISS=/ { $1 = 'TCP_STRONG_ISS=2' }; \ { print }' inetinit > inetinit.new
\n mv inetinit.new inetinit
\n pkgchk -f -n -p /etc/default/inetinit
\n ndd -set /dev/tcp tcp_strong_iss 2"
 file		: "/etc/default/inetinit"
 regex		: "^ *[^#]*TCP_STRONG_ISS\\s*=.*"
 expect		: "TCP_STRONG_ISS\\s*=\\s*2"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 # Based upon RFC 1948 sequence number generation, unique-per-connection-ID.
</custom_item>

# For a more complete discussion of these parameters and their effect on the security of the system, 
# see: http://blogs.sun.com/security/entry/reference_security_blueprints and http://www.sun.com/blueprints/0603/816-5240.pdf.


<custom_item>
 system         : "SunOS"
 type           : SVC_PROP
 description    : "3.5 Disable Network Routing - Make sure that ipv4-forwarding is disabled"
 info           : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts."
 solution       : "Run the following commands to disable routing. This action is unnecessary unless it was manually enabled by the administrator or the system was previously used as a network gateway.
\n routeadm -d ipv4-forwarding -d ipv6-forwarding
\n routeadm -d ipv4-routing -d ipv6-routing
\n routeadm -u"
 service        : "svc:/network/ipv4-forwarding:default"
 property       : "restarter/state"
 value          : "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : SVC_PROP
 description    : "3.5 Disable Network Routing - Make sure that ipv6-forwarding is disabled"
 info		: "Level: 1\n"
 info           : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts."
 solution       : "Run the following commands to disable routing. This action is unnecessary unless it was manually enabled by the administrator or the system was previously used as a network gateway.
\n routeadm -d ipv4-forwarding -d ipv6-forwarding
\n routeadm -d ipv4-routing -d ipv6-routing
\n routeadm -u"
 service        : "svc:/network/ipv6-forwarding:default"
 property       : "restarter/state"
 value          : "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : SVC_PROP
 description    : "3.5 Disable Network Routing - Make sure that ipv4-routing is disabled"
 info		: "Level: 1\n"
 info           : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts."
 solution       : "Run the following commands to disable routing. This action is unnecessary unless it was manually enabled by the administrator or the system was previously used as a network gateway.
\n routeadm -d ipv4-forwarding -d ipv6-forwarding
\n routeadm -d ipv4-routing -d ipv6-routing
\n routeadm -u"
 service        : "network/routing/route:default"
 property       : "restarter/state"
 value          : "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : SVC_PROP
 description    : "3.5 Disable Network Routing - Make sure that ipv6-routing is disabled"
 info		: "Level: 1\n"
 info           : "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts."
 solution       : "Run the following commands to disable routing. This action is unnecessary unless it was manually enabled by the administrator or the system was previously used as a network gateway.
\n routeadm -d ipv4-forwarding -d ipv6-forwarding
\n routeadm -d ipv4-routing -d ipv6-routing
\n routeadm -u"
 service        : "network/routing/ripng:default"
 property       : "restarter/state"
 value          : "disabled"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
## 4.Logging
##
#

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "4.1 Enable inetd Connection Logging - Make sure that tcp_trace is set to true"
 info		: "Level: 1\n"
 info           : "The inetd process starts Internet standard services and the 'tracing' feature can be used to log information about the source of any network connections seen by the daemon."
 solution       : "Run the following commands to enable inetd connection logging-
\n inetadm -M tcp_trace=true
\nsvcadm refresh svc:/network/inetd"
 cmd		: "/usr/sbin/inetadm -p"
 regex		: "tcp_trace\\s*=.*"
 expect 	: "tcp_trace\\s*=\\s*(TRUE|true)"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 # Using CMD_EXEC instead of SVC_PROP as svcprop returns incorrect results for tcp_trace on Solaris 10
 # http://mail.opensolaris.org/pipermail/smf-discuss/2007-January/003292.html 
</custom_item>

<custom_item>
 system   	: "SunOS"
 type		: SVC_PROP
 description	: "4.2 Enable FTP daemon Logging - Make sure that exec is set to /usr/sbin/in.ftpd -a -l -d"
 info		: "Level: 1\n"
 info           : "Information about FTP sessions will be logged via syslogd (1M), but the system must be configured to capture these messages."
 solution       : "Run the following command to enable FTP daemon logging-
\n inetadm -m svc:/network/ftp \ exec='/usr/sbin/in.ftpd -a -l -d'"
 service	: "network/ftp:default"
 property	: "inetd_start/exec"
 regex          : "/usr/sbin/in.ftpd.+-a.+ -l.+-d"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : SVC_PROP
 description    : "4.3 Enable Debug Level Daemon Logging/4.4 Capture syslog AUTH Messages - Check if svc:/system/system-log is online"
 info		: "Level: 1\n"
 info           : "If the FTP service is installed and enabled on the system, Item 4.2 Enable FTP daemon Logging enables the 'debugging' (-d) and connection logging (-l) flags to track FTP activity on the system. Similarly, the tracing (-t) option to inetd was enabled in Item 4.1 Enable inetd Connection Logging."
 solution       : "Please refer to the remediation steps on page 67 of the CIS document."
 service        : "system/system-log:default"
 property       : "restarter/state"
 value          : "online"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>


<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "4.3 Enable Debug Level Daemon Logging - Check if daemon.debug is set to /var/log/connlog"
 info		: "Level: 1\n"
 info           : "If the FTP service is installed and enabled on the system, Item 4.2 Enable FTP daemon Logging enables the 'debugging' (-d) and connection logging (-l) flags to track FTP activity on the system. Similarly, the tracing (-t) option to inetd was enabled in Item 4.1 Enable inetd Connection Logging."
 solution       : "Please refer to the remediation steps on page 67 of the CIS document."
 file           : "/etc/syslog.conf"
 regex          : "^ *[^#]*daemon\.debug.*"
 expect         : "daemon\.debug\\s*/var/log/connlog"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK
 description    : "4.3 Enable Debug Level Daemon Logging - Check if permissions for /var/log/connlog are OK."
 info		: "Level: 1\n"
 info           : "If the FTP service is installed and enabled on the system, Item 4.2 Enable FTP daemon Logging enables the 'debugging' (-d) and connection logging (-l) flags to track FTP activity on the system. Similarly, the tracing (-t) option to inetd was enabled in Item 4.1 Enable inetd Connection Logging."
 solution       : "Please refer to the remediation steps on page 67 of the CIS document."
 file           : "/var/log/connlog"
 owner          : "root"
 group          : "root"
 mask           : "177"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "4.4 Capture syslog AUTH Messages - Check if auth.info is set to var/log/authlog"
 info		: "Level: 1\n"
 info           : "By default, Solaris systems do not capture logging information that is sent to the LOG_AUTH facility."
 solution       : "Please refer to the remediation steps on page 69 of the CIS document."
 file           : "/etc/syslog.conf"
 regex          : "^ *[^#]*auth\.info.*"
 expect         : "auth\.info\\s*/var/log/authlog"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "4.4 Capture syslog AUTH Messages - Check if authlog in /etc/logadm.conf is appropiately set"
 info		: "Level: 1\n"
 info           : "By default, Solaris systems do not capture logging information that is sent to the LOG_AUTH facility."
 solution       : "Please refer to the remediation steps on page 69 of the CIS document."
 file           : "/etc/logadm.conf"
 regex          : "^ *[^#]*authlog.*"
 expect         : "authlog -C 13 -a 'pkill -HUP syslogd' /var/log/authlog"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /var/log/authlog
#

<custom_item>
 system		: "SunOS"
 type		: FILE_CHECK
 description	: "4.5 Enable Login Records - Check if permissions for /var/adm/loginlog are OK."
 info		: "Level: 1\n"
 info           : "If the file /var/adm/loginlog exists, it will capture failed login attempt messages with the login name, tty specification, and time. This file does not exist by default and must be manually created."
 solution       : "Perform the following to implement the recommended state-
\n touch /var/adm/loginlog
\n chown root:sys /var/adm/loginlog
\n chmod 600 /var/adm/loginlog
\n logadm -w loginlog -C 13 /var/adm/loginlog"
 file		: "/var/adm/loginlog"
 owner		: "root"
 group		: "sys"
 mask		: "177"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system		: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "4.5 Enable Login Records - Check if loginlog in /etc/logadm.conf is appropiately set"
 info		: "Level: 1\n"
 info           : "If the file /var/adm/loginlog exists, it will capture failed login attempt messages with the login name, tty specification, and time. This file does not exist by default and must be manually created."
 solution       : "Perform the following to implement the recommended state-
\n touch /var/adm/loginlog
\n chown root:sys /var/adm/loginlog
\n chmod 600 /var/adm/loginlog
\n logadm -w loginlog -C 13 /var/adm/loginlog"
 file		: "/etc/logadm.conf"
 regex		: "^ *[^#]*loginlog.*"
 expect		: "loginlog -C 13 /var/adm/loginlog"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/login
#

<custom_item>
 system		: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "4.6 Capture All Failed Login Attempts - Check if SYSLOG_FAILED_LOGINS is set to 0 in /etc/default/login."
 info		: "Level: 1\n"
 info           : "The SYS_FAILED_LOGINS variable is used to determine how many failed login attempts occur before a failed login message is logged. Setting the value to 0 will cause a failed login message on every failed login attempt."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/SYSLOG_FAILED_LOGINS=/ \ { $1 = 'SYSLOG_FAILED_LOGINS=0' }; \ { print }' login >login.new
\n mv login.new login # pkgchk -f -n -p /etc/default/login"
 file		: "/etc/default/login"
 regex		: "^ *[^#]*SYSLOG_FAILED_LOGINS.*"
 expect		: "SYSLOG_FAILED_LOGINS\\s*=\\s*0"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/cron
#

<custom_item>
 system		: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "4.7 Enable cron Logging - Check if CRONLOG is set to yes in /etc/default/cron."
 info		: "Level: 1\n"
 info           : "Setting the CRONLOG parameter to YES in the /etc/default/cron file causes information to be logged for every cron job that gets executed on the system. This setting is the default for Solaris."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/CRONLOG=/ { $1 = 'CRONLOG=YES' }; \ { print }' cron > cron.new
\n mv cron.new cron
\n pkgchk -f -n -p /etc/default/cron
\n chown root:root /var/cron/log
\n chmod go-rwx /var/cron/log"
 file		: "/etc/default/cron"
 regex		: "^ *[^#]*CRONLOG.*"
 expect		: "CRONLOG\\s*=\\s*(YES|yes|Yes)"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system		: "SunOS"
 type		: FILE_CHECK
 description	: "4.7 Enable cron Logging - Check if permissions for /var/cron/log are OK."
 info		: "Level: 1\n"
 info           : "Setting the CRONLOG parameter to YES in the /etc/default/cron file causes information to be logged for every cron job that gets executed on the system. This setting is the default for Solaris."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/CRONLOG=/ { $1 = 'CRONLOG=YES' }; \ { print }' cron > cron.new
\n mv cron.new cron
\n pkgchk -f -n -p /etc/default/cron
\n chown root:root /var/cron/log
\n chmod go-rwx /var/cron/log"
 file		: "/var/cron/log"
 owner		: "root"
 group		: "root"
 mask		: "077"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : SVC_PROP
 description    : "4.8 Enable System Accounting - Check if svc:/system/sar is online"
 info		: "Level: 1\n"
 info           : "System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command, or by reviewing the nightly report files named /var/adm/sa/sar*.
\n\nNote - The sys id must be added to /etc/cron.allow to run the system accounting commands."
 solution       : "Perform the following to implement the recommended state-
\n svcadm enable -r svc:/system/sar
\n EDITOR=ed crontab -e sys << END_ENTRIES \$a 0,20,40 * * * * /usr/lib/sa/sa1 45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A . w q END_ENTRIES
\n chown sys:sys /var/adm/sa/*
\n chmod go-wx /var/adm/sa/*
\n\nNote - This data is only archived for one week before being automatically removed by the regular nightly cron job. Administrators may wish to archive the /var/adm/sa directory on a regular basis to preserve this data for longer periods.
\nThe sys account must be permitted to use the cron(1M) facility for system accounting to function properly. See Item 6.9 Restrict at/cron to Authorized Users."
 service        : "system/sar:default"
 property       : "restarter/state"
 value          : "online"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK
 description    : "4.8 Enable System Accounting - Check for files in /var/adm/sa"
 info		: "Level: 1\n"
 info           : "System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command, or by reviewing the nightly report files named /var/adm/sa/sar*.
\n\nNote - The sys id must be added to /etc/cron.allow to run the system accounting commands."
 solution       : "Perform the following to implement the recommended state-
\n svcadm enable -r svc:/system/sar
\n EDITOR=ed crontab -e sys << END_ENTRIES \$a 0,20,40 * * * * /usr/lib/sa/sa1 45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A . w q END_ENTRIES
\n chown sys:sys /var/adm/sa/*
\n chmod go-wx /var/adm/sa/*
\n\nNote - This data is only archived for one week before being automatically removed by the regular nightly cron job. Administrators may wish to archive the /var/adm/sa directory on a regular basis to preserve this data for longer periods.
\nThe sys account must be permitted to use the cron(1M) facility for system accounting to function properly. See Item 6.9 Restrict at/cron to Authorized Users."
 file           : "/var/adm/sa/*"
 expect         : "sar.*"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "4.8 Enable System Accounting - Check if contents of /var/spool/cron/crontabs/sys (/usr/lib/sa/sa1)are OK."
 info		: "Level: 1\n"
 info           : "System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command, or by reviewing the nightly report files named /var/adm/sa/sar*.
\n\nNote - The sys id must be added to /etc/cron.allow to run the system accounting commands."
 solution       : "Perform the following to implement the recommended state-
\n svcadm enable -r svc:/system/sar
\n EDITOR=ed crontab -e sys << END_ENTRIES \$a 0,20,40 * * * * /usr/lib/sa/sa1 45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A . w q END_ENTRIES
\n chown sys:sys /var/adm/sa/*
\n chmod go-wx /var/adm/sa/*
\n\nNote - This data is only archived for one week before being automatically removed by the regular nightly cron job. Administrators may wish to archive the /var/adm/sa directory on a regular basis to preserve this data for longer periods.
\nThe sys account must be permitted to use the cron(1M) facility for system accounting to function properly. See Item 6.9 Restrict at/cron to Authorized Users."
 file           : "/var/spool/cron/crontabs/sys"
 # Look at the crontab regex pattern for user 'sys'
 regex          : "^ *[^#].*/usr/lib/sa/sa1"
 expect         : "0,20,40.*/usr/lib/sa/sa1"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
 # System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "4.8 Enable System Accounting - Check if contents of /var/spool/cron/crontabs/sys (/usr/lib/sa/sa2) are OK."
 info		: "Level: 1\n"
 info           : "System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command, or by reviewing the nightly report files named /var/adm/sa/sar*.
\n\nNote - The sys id must be added to /etc/cron.allow to run the system accounting commands."
 solution       : "Perform the following to implement the recommended state-
\n svcadm enable -r svc:/system/sar
\n EDITOR=ed crontab -e sys << END_ENTRIES \$a 0,20,40 * * * * /usr/lib/sa/sa1 45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A . w q END_ENTRIES
\n chown sys:sys /var/adm/sa/*
\n chmod go-wx /var/adm/sa/*
\n\nNote - This data is only archived for one week before being automatically removed by the regular nightly cron job. Administrators may wish to archive the /var/adm/sa directory on a regular basis to preserve this data for longer periods.
\nThe sys account must be permitted to use the cron(1M) facility for system accounting to function properly. See Item 6.9 Restrict at/cron to Authorized Users."
file           : "/var/spool/cron/crontabs/sys"
 # Look at the crontab regex pattern for user 'sys'
 regex          : "^ *[^#]*/usr/lib/sa/sa2"
 expect         : "45 23.*/usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A"
</custom_item>

# 
# Note that DoD installations have much more stringent auditing requirements than those
# listed here. DoD guidelines require "flags:lo,ad,cc,fw,-fc,-fd,-fr" to be
# set in the audit_control file. Note that "-fr" in particular can cause extremely
# large audit trails to be generated.

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description 	: "4.9 Enable Kernel Level Auditing - Check audit condition is set to auditing"
 info		: "Level: 1\n"
 info           : "Kernel-level auditing provides information on commands and system calls that are executed on the local system. The audit trail may be reviewed with the praudit command. Note that enabling kernel-level auditing on Solaris disables the automatic mounting of external devices via the Solaris volume manager daemon (vold)."
 solution       : "Please refer to the CIS document, page 74 for the remediation steps for this check"
 cmd		: "/usr/sbin/auditconfig -getcond"
 expect		: "^audit\\s*condition\\s*=\\s*auditing"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "4.9 Enable Kernel Level Auditing - Check audit policies is set to arge,argv,cnt"
 info		: "Level: 1\n"
 info           : "Kernel-level auditing provides information on commands and system calls that are executed on the local system. The audit trail may be reviewed with the praudit command. Note that enabling kernel-level auditing on Solaris disables the automatic mounting of external devices via the Solaris volume manager daemon (vold)."
 solution       : "Please refer to the CIS document, page 74 for the remediation steps for this check"
 cmd		: "/usr/sbin/auditconfig -getpolicy"
 expect		: "^audit\\s*policies\\s*=\\s*arge,argv,cnt"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system      	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "4.9 Enable Kernel Level Auditing, Check if 'flags:lo,ad,cc' is set in /etc/security/audit_control."
 info		: "Level: 1\n"
 info           : "Kernel-level auditing provides information on commands and system calls that are executed on the local system. The audit trail may be reviewed with the praudit command. Note that enabling kernel-level auditing on Solaris disables the automatic mounting of external devices via the Solaris volume manager daemon (vold)."
 solution       : "Please refer to the CIS document, page 74 for the remediation steps for this check"
 file         	: "/etc/security/audit_control"
 regex        	: "^ *[^#]*flags:lo,ad,cc"
 expect       	: "flags:lo,ad,cc"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system      	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "4.9 Enable Kernel Level Auditing, Check if 'naflags:lo,ad,ex' is set in /etc/security/audit_control."
 info		: "Level: 1\n"
 info           : "Kernel-level auditing provides information on commands and system calls that are executed on the local system. The audit trail may be reviewed with the praudit command. Note that enabling kernel-level auditing on Solaris disables the automatic mounting of external devices via the Solaris volume manager daemon (vold)."
 solution       : "Please refer to the CIS document, page 74 for the remediation steps for this check"
 file         	: "/etc/security/audit_control"
 regex        	: "^ *[^#]*naflags:lo,ad,ex"
 expect       	: "naflags:lo,ad,ex"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system      	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "4.9 Enable Kernel Level Auditing, Check if 'minfree:20' is set in /etc/security/audit_control."
 info		: "Level: 1\n"
 info           : "Kernel-level auditing provides information on commands and system calls that are executed on the local system. The audit trail may be reviewed with the praudit command. Note that enabling kernel-level auditing on Solaris disables the automatic mounting of external devices via the Solaris volume manager daemon (vold)."
 solution       : "Please refer to the CIS document, page 74 for the remediation steps for this check"
 file         	: "/etc/security/audit_control"
 regex        	: "^ *[^#]*minfree:20"
 expect       	: "minfree:20"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system      	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "4.9 Enable Kernel Level Auditing, Check if 'root:lo,ad:no' is set in /etc/security/audit_user."
 info		: "Level: 1\n"
 info           : "Kernel-level auditing provides information on commands and system calls that are executed on the local system. The audit trail may be reviewed with the praudit command. Note that enabling kernel-level auditing on Solaris disables the automatic mounting of external devices via the Solaris volume manager daemon (vold)."
 solution       : "Please refer to the CIS document, page 74 for the remediation steps for this check"
 file         	: "/etc/security/audit_user"
 regex        	: "^ *[^#]*root:lo,ad:no"
 expect       	: "root:lo,ad:no"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
## 5.ob体育/Directory Permissions/Access
##
#

<custom_item>
 system      	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "5.1 Set daemon umask - Check if CMASK is set to 022 in /etc/default/init."
 info		: "Level: 1\n"
 info           : "The umask (1) utility overrides the file mode creation mask as specified by the CMASK value in the /etc/default/init file. The most permissive file permission is mode 666 (777 for executable files). The CMASK value subtracts from this value. For example, if CMASK is set to a value of 022, files created will have a default permission of 644 (755 for executables). See the umask (1) manual page for a more detailed description.
\n\nNote - There are some known bugs in the following daemons that are impacted by changing the CMASK parameter from its default setting: (Note: Current or future patches may have resolved these issues. Consult with your Oracle Support representative)
\n6299083 picld i initialise picld_door file with wrong permissions after JASS
\n4791006 ldap_cachemgr initialise i ldap_cache_door file with wrong permissions
\n6299080 nscd i initialise name_service_door file with wrong permissions after JASS
\nThe ldap_cachemgr issue has been fixed but the others are still unresolved. While not directly related to this, there is another issue related to 077 umask settings-
\n2125481 in.lpd failed to print files when the umask is set 077"
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/^CMASK=/ { $1 = 'CMASK=022' } { print }' init >init.new
\n mv init.new init
\n pkgchk -f -n -p /etc/default/init"
 file         	: "/etc/default/init"
 regex        	: "^ *[^#]*CMASK\\s*=.*"
 expect       	: "CMASK\\s*=\\s*022"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/init
#

<custom_item>
 system		: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "5.2 Restrict Set-UID on User Mounted Devices - Check if nosuid option is set in /etc/rmmount.conf."
 info		: "Level: 1\n"
 info           : "If the volume manager (vold) is enabled to permit users to mount external devices, the administrator can force these file systems to be mounted with the nosuid option to prevent users from bringing set-UID programs onto the system via CD-ROMs, floppy disks, USB drives or other removable media."
 solution       : "Perform the following to implement the recommended state-
\n if [ ! '`grep -v '^#' /etc/rmmount.conf |\ grep -- '-o nosuid'`' ]; then fs=`awk '($1 == 'ident') && ($2 != 'pcfs') \ { print $2 }' /etc/rmmount.conf` echo mount \* $fs -o nosuid >>/etc/rmmount.conf fi"
 file		: "/etc/rmmount.conf"
 regex		: "^ *[^#]*mount\\s*.*"
 expect		: "mount\\s*.*nosuid"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<item>
 name		: "find_world_writeable_directories"
 description	: "5.3 Set Sticky Bit on World Writable Directories"
 info		: "Level: 1\n"
 info           : "When the so-called sticky bit (set with chmod +t) is set on a directory, then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file)."
 solution       : "To set the sticky bit on a directory, run the following command-
 chmod +t [directory name]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

#
## 6.System Access, Authentication, and Authorization
##
#

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.2 Set SSH Protocol to 2 - Check if Protocol is set to 2 and not commented for client."
 info		: "Level: 1\n"
 info           : "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^Protocol/ { $2 = '2' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/ssh_config"
 regex          : "^ *[^#]*Protocol\\s*.*"
 expect         : "Protocol\\s*2$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.3 Disable SSH X11 Forwarding - Check if X11Forwarding is set to no and not commented for the server."
 info		: "Level: 1\n"
 info           : "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^ X11Forwarding / { $2 = 'no' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*X11Forwarding\\s*.*"
 expect         : "X11Forwarding\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.4 Set SSH MaxAuth Tries to 3 - Check if MaxAuthTries is set to 3 or lower and not commented for the server."
 info		: "Level: 1\n"
 info           : "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. The default value is 6.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^ MaxAuthTries/ { $2 = '3' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*MaxAuthTries\\s*[0-9]+$"
 expect         : "MaxAuthTries\\s*[0-3]$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.5 Set SSH MaxAuthTriesLog to 0 - Check if MaxAuthTriesLog is set to 0 and not commented for the server."
 info		: "Level: 1\n"
 info           : "The MaxAuthTriesLog parameter specifies the maximum number of failed authorization attempts before a syslog error message is generated. The default value is 3.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^ MaxAuthTriesLog/ { $2 = '0' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*MaxAuthTriesLog\\s*.*"
 expect         : "MaxAuthTriesLog\\s*0$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.6 Set SSH IgnoreRhosts to yes - Check if IgnoreRhosts is set to yes and not commented for the server."
 info		: "Level: 1\n"
 info           : "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^ IgnoreRhosts/ { $2 = 'yes' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config 
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*IgnoreRhosts\\s*.*"
 expect         : "IgnoreRhosts\\s*[Yy][Ee][Ss]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.7 Set SSH RhostsAuthentication to no - Check if RhostsAuthentication is set to no and not commented for the server."
 info		: "Level: 1\n"
 info           : "The RhostsAuthentication parameter specifies if authentication using rhosts or /etc/hosts.equiv is permitted. The default is no.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^RhostsAuthentication/ { $2 = 'no' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config 
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*RhostsAuthentication\\s*.*"
 expect         : "RhostsAuthentication\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.8 Set SSH RhostsRSAAuthentication to no - Check if RhostsRSAAuthentication is set to no and not commented for the server."
 info		: "Level: 1\n"
 info           : "The RhostsRSAAuthentication parameter specifies if rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is permitted. The default is no.
\nNote that this parameter only applies to SSH protocol version 1.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^ RhostsRSAAuthentication/ { $2 = 'no' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*RhostsRSAAuthentication\\s*.*"
 expect         : "RhostsRSAAuthentication\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.9 Disable SSH root Login - Check if PermitRootLogin is set to no and not commented for the server."
 info		: "Level: 1\n"
 info           : "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^PermitRootLogin/ { $2 = 'no' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*PermitRootLogin\\s*.*"
 expect         : "PermitRootLogin\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.1.10 Set SSH PermitEmptyPasswords to no - Check if PermitEmptyPasswords is set to no and not commented for the server"
 info		: "Level: 1\n"
 info           : "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings.
\n\nNote - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH."
 solution       : "Edit the /etc/ssh/sshd_config file to set the parameter as follows-
\n awk '/^PermitEmptyPasswords/ { $2 = 'no' } \ { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
\n /usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
\n /usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
\n /usr/sbin/svcadm restart svc:/network/ssh"
 file           : "/etc/ssh/sshd_config"
 regex          : "^ *[^#]*PermitEmptyPasswords\\s*.*"
 expect         : "PermitEmptyPasswords\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/ssh/sshd_config
# 

<custom_item>
 system        	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "6.2 Disable login: Prompts on Serial Ports - Check if x is added to the flag field for ttyb"
 info		: "Level: 1\n"
 info           : "The pmadm command provides service administration for the lower level of the Service Access Facility hierarchy and can be used to disable the ability to login on a particular port."
 solution       : "Perform the following to implement the recommended state-
\n pmadm -d -p zsmon -s ttya
\n pmadm -d -p zsmon -s ttyb"
 file         	: "/etc/saf/zsmon/_pmtab"
 regex        	: "^ *[^#]*ttyb:u[x]*:root:.+"
 expect       	: "ttyb:ux:root:.+"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "6.2 Disable login: Prompts on Serial Ports - Check if x is added to the flag field for ttya"
 info		: "Level: 1\n"
 info           : "The pmadm command provides service administration for the lower level of the Service Access Facility hierarchy and can be used to disable the ability to login on a particular port."
 solution       : "Perform the following to implement the recommended state-
\n pmadm -d -p zsmon -s ttya
\n pmadm -d -p zsmon -s ttyb"
 file         	: "/etc/saf/zsmon/_pmtab"
 regex        	: "^ *[^#]*ttya:u[x]*:root:.+"
 expect       	: "ttya:ux:root:.+"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type         	: FILE_CONTENT_CHECK
 description  	: "6.3 Disable 'nobody' Access for RPC Encryption Key Storage Service - Check if 'ENABLE_NOBODY_KEYS' is set to NO."
 info		: "Level: 1\n"
 info           : "The keyserv process, if enabled, stores user keys that are utilized with Sun's Secure RPC mechanism."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/ENABLE_NOBODY_KEYS=/ \ { $1 = 'ENABLE_NOBODY_KEYS=NO' } { print }' keyserv >keyserv.new
\n mv keyserv.new keyserv
\n pkgchk -f -n -p /etc/default/keyserv"
 file         	: "/etc/default/keyserv"
 regex        	: "^ *[^#]*ENABLE_NOBODY_KEYS.*"
 expect       	: "ENABLE_NOBODY_KEYS\\s*=\\s*[Nn][Oo]"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/keyserv
#



<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK_NOT
 description    : "6.4 Disable .rhosts Support in /etc/pam.conf"
 info		: "Level: 1\n"
 info           : "Used in conjunction with the BSD-style 'r-commands' (rlogin, rsh, rcp), .rhosts files implement a weak form of authentication based on the network address or host name of the remote computer (which can be spoofed by a potential attacker to exploit the local system)."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc
\n sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.new
\n mv pam.conf.new pam.conf
\n pkgchk -f -n -p /etc/pam.conf"
 file           : "/etc/pam.conf"
 regex          : "^ *[^#]*rhosts_auth.*"
 expect         : "pam_rhosts_auth"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/pam.conf
#

<if>
 <condition type: "and">
  <custom_item>
   system        	: "SunOS"
   type           	: FILE_CHECK
   description  	: "6.5 Restrict FTP Use - Check if file /etc/ftpd/ftpusers exists."
   info			: "Level: 1\n"
   info                 : "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP."
   solution             : "Add the system accounts to the /etc/ftpd/ftpusers file as shown below -
  \n cd /etc/ftpd
  \nfor user in adm bin daemon gdm listen lp noaccess \ nobody nobody4 nuucp postgres root smmsp svctag \ sys uucp webservd do echo $user >> ftpusers done
  \nsort -u ftpusers > ftpusers.new
  \n mv ftpusers.new ftpusers
  \n pkgchk -f -n -p /etc/ftpd/ftpusers"
   file 	        : "/etc/ftpd/ftpusers"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </condition>
 <then>
  <custom_item>
   system        	: "SunOS"
   type	        	: GRAMMAR_CHECK
   description  	: "6.5 Restrict FTP Use - Audit the list of users in /etc/ftpd/ftpusers."
   info			: "Level: 1\n"
   info                 : "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP."
   solution             : "Add the system accounts to the /etc/ftpd/ftpusers file as shown below -
   \ncd /etc/ftpd
   \nfor user in adm bin daemon gdm listen lp noaccess \ nobody nobody4 nuucp postgres root smmsp svctag \ sys uucp webservd do echo $user >> ftpusers done
   \nsort -u ftpusers > ftpusers.new
   \nmv ftpusers.new ftpusers
   \npkgchk -f -n -p /etc/ftpd/ftpusers"
   file         	: "/etc/ftpd/ftpusers"
   regex	     	: "root"
   regex	     	: "daemon"
   regex	     	: "bin"
   regex	     	: "sys"
   regex	     	: "adm"
   regex	     	: "lp"
   regex	     	: "uucp"
   regex	     	: "nuucp"
   regex	     	: "smmsp"
   regex	     	: "listen"
   regex	     	: "gdm"
   regex	     	: "webservd"
   regex	     	: "nobody"
   regex	     	: "noaccess"
   regex	     	: "nobody4"
   regex		: "postgres"
   regex		: "svctag"
   regex	     	: "^[#]+"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </then>
</if>

#
# pkgchk -f -n -p /etc/ftpd/ftpusers
#

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.6 Set Delay between Failed Login Attempts to 4."
 info		: "Level: 1\n"
 info           : "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the 'login incorrect' message when a bad password is provided."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/SLEEPTIME=/ { $1 = 'SLEEPTIME=4' } { print }' login >login.new
\n mv login.new login
\n pkgchk -f -n -p /etc/default/login"
 file           : "/etc/default/login"
 regex          : "^ *[^#]*SLEEPTIME.*"
 expect         : "SLEEPTIME\\s*=\\s*([4-9][0-9]*|[0-9][0-9]+)"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/login
# 

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.7 Set Default Screen Lock for CDE Users - Check if 'dtsession*saverTimeout' is set to 15."
 info		: "Level: 1\n"
 info           : "The default timeout for keyboard/mouse inactivity is 30 minutes before a password-protected screen saver is invoked by the CDE session manager."
 solution       : "Run the following commands to set the default inactivity timeout to a value appropriate for your environment.
\n for file in /usr/dt/config/*/sys.resources; do dir=`dirname $file | sed s/usr/etc/` mkdir -m 755 -p $dir echo 'dtsession*saverTimeout: 15' >>$dir/sys.resources echo 'dtsession*lockTimeout: 15' >>$dir/sys.resources chown root:sys $dir/sys.resources chmod 444 $dir/sys.resources done"
 file           : "/usr/dt/config/*/sys.resources"
 regex          : "^ *[^#]*dtsession\\*saverTimeout:.*"
 expect         : "dtsession\\*saverTimeout:\\s+15"
 file_required	: NO
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.7 Set Default Screen Lock for CDE Users - Check if 'dtsession*lockTimeout:' is set to 15."
 info		: "Level: 1\n"
 info           : "The default timeout for keyboard/mouse inactivity is 30 minutes before a password-protected screen saver is invoked by the CDE session manager."
 solution       : "Run the following commands to set the default inactivity timeout to a value appropriate for your environment.
\n for file in /usr/dt/config/*/sys.resources; do dir=`dirname $file | sed s/usr/etc/` mkdir -m 755 -p $dir echo 'dtsession*saverTimeout: 15' >>$dir/sys.resources echo 'dtsession*lockTimeout: 15' >>$dir/sys.resources chown root:sys $dir/sys.resources chmod 444 $dir/sys.resources done"
 file           : "/usr/dt/config/*/sys.resources"
 regex          : "^ *[^#]*dtsession\\*lockTimeout:.*"
 expect         : "dtsession\\*lockTimeout:\\s+15"
 file_required	: NO
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CHECK
 description    : "6.7 Set Default Screen Lock for CDE Users - Check if file permissions for files under /etc/dt/config/*/sys.resources are OK."
 info		: "Level: 1\n"
 info           : "The default timeout for keyboard/mouse inactivity is 30 minutes before a password-protected screen saver is invoked by the CDE session manager."
 solution       : "Run the following commands to set the default inactivity timeout to a value appropriate for your environment.
\n for file in /usr/dt/config/*/sys.resources; do dir=`dirname $file | sed s/usr/etc/` mkdir -m 755 -p $dir echo 'dtsession*saverTimeout: 15' >>$dir/sys.resources echo 'dtsession*lockTimeout: 15' >>$dir/sys.resources chown root:sys $dir/sys.resources chmod 444 $dir/sys.resources done"
 file           : "/usr/dt/config/*/sys.resources"
 owner          : "root"
 group          : "sys"
 mask           : "333"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.8 Set Default Screen Lock for GNOME Users - Check if timeout is set to 0:15:00 in /usr/openwin/lib/app-defaults/XScreenSaver."
 info		: "Level: 1\n"
 info           : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password-protected screen saver is invoked by the Xscreensaver application used in the GNOME windowing environment.
\n\nNote - Presently, the file /usr/openwin/lib/app-defaults/XScreenSaver is not marked volatile, so the pkgchk command produces an error for this item. The following bug has been filed in relation to this-
\n6255740 XScreenSaver global property file should be marked as volatile"
 solution       : "Perform the following to implement the recommended state-
\n cd /usr/openwin/lib/app-defaults
\n awk '/^\*timeout:/ { $2 = '0:15:00' } /^\*lockTimeout:/ { $2 = '0:15:00' } /^\*lock:/ { $2 = 'True' } { print }' XScreenSaver >XScreenSaver.new
\n mv XScreenSaver.new XScreenSaver
\n pkgchk -f -n -p /usr/openwin/lib/app-defaults/XScreenSaver"
 file           : "/usr/openwin/lib/app-defaults/XScreenSaver"
 regex          : "^\\*timeout:\\s*.*"
 expect         : "^\\*timeout:\\s*0:15:00$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.8 Set Default Screen Lock for GNOME Users - Check if lockTimeout is set to 0:15:00 in /usr/openwin/lib/app-defaults/XScreenSaver."
 info		: "Level: 1\n"
 info           : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password-protected screen saver is invoked by the Xscreensaver application used in the GNOME windowing environment.
\n\nNote - Presently, the file /usr/openwin/lib/app-defaults/XScreenSaver is not marked volatile, so the pkgchk command produces an error for this item. The following bug has been filed in relation to this-
\n6255740 XScreenSaver global property file should be marked as volatile"
 solution       : "Perform the following to implement the recommended state-
\n cd /usr/openwin/lib/app-defaults
\n awk '/^\*timeout:/ { $2 = '0:15:00' } /^\*lockTimeout:/ { $2 = '0:15:00' } /^\*lock:/ { $2 = 'True' } { print }' XScreenSaver >XScreenSaver.new
\n mv XScreenSaver.new XScreenSaver
\n pkgchk -f -n -p /usr/openwin/lib/app-defaults/XScreenSaver"
 file           : "/usr/openwin/lib/app-defaults/XScreenSaver"
 regex          : "^\\*lockTimeout:\\s*.*"
 expect         : "^\\*lockTimeout:\\s*0:15:00"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.8 Set Default Screen Lock for GNOME Users - Check if lock is set to true in /usr/openwin/lib/app-defaults/XScreenSaver."
 info		: "Level: 1\n"
 info           : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password-protected screen saver is invoked by the Xscreensaver application used in the GNOME windowing environment.
\n\nNote - Presently, the file /usr/openwin/lib/app-defaults/XScreenSaver is not marked volatile, so the pkgchk command produces an error for this item. The following bug has been filed in relation to this-
\n6255740 XScreenSaver global property file should be marked as volatile"
 solution       : "Perform the following to implement the recommended state-
\n cd /usr/openwin/lib/app-defaults
\n awk '/^\*timeout:/ { $2 = '0:15:00' } /^\*lockTimeout:/ { $2 = '0:15:00' } /^\*lock:/ { $2 = 'True' } { print }' XScreenSaver >XScreenSaver.new
\n mv XScreenSaver.new XScreenSaver
\n pkgchk -f -n -p /usr/openwin/lib/app-defaults/XScreenSaver"
 file           : "/usr/openwin/lib/app-defaults/XScreenSaver"
 regex          : "^\\*lock:\\s*"
 expect         : "^\\*lock:\\s*([Tt][Rr][Uu][Ee])"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.10 Restrict root Login to System Console - Check if 'CONSOLE' in /etc/default/login is set to /dev/console."
 info		: "Level: 1\n"
 info           : "Privileged access to the system via the root account must be accountable to a particular user. The system console is supposed to be protected from unauthorized access and is the only location where it is considered acceptable to permit the root account to login directly, in the case of system emergencies. This is the default configuration for Solaris."
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/CONSOLE=/ { print 'CONSOLE=/dev/console'; next }; \ { print }' login >login.new
\n mv login.new login
\n pkgchk -f -n -p /etc/default/login"
 file           : "/etc/default/login"
 regex          : "^ *[^#]*CONSOLE\\s*=.*"
 expect         : "CONSOLE\\s*=\\s*/dev/console"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/login
#

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.11 Set Retry Limit for Account Lockout - Check if 'RETRIES' in /etc/default/login is set to 3."
 info		: "Level: 1\n"
 info           : "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command:passwd -u <username>"
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/RETRIES=/ { $1 = 'RETRIES=3' } { print }' login >login.new
\n mv login.new login
\n pkgchk -f -n -p /etc/default/login
\n cd /etc/security
\n awk '/LOCK_AFTER_RETRIES=/ \ { $1 = 'LOCK_AFTER_RETRIES=YES' } { print }' policy.conf >policy.conf.new
\n mv policy.conf.new policy.conf
\n pkgchk -f -n -p /etc/security/policy.conf
\nBe careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account-
\nusermod -K lock_after_retries=no oracle
\nBy default the root account is exempt from account lockout."
 file           : "/etc/default/login"
 regex          : "^ *[^#]*RETRIES\\s*=.*"
 expect         : "RETRIES\\s*=\\s*3"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/default/login
#

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "6.11 Set Retry Limit for Account Lockout, Check if 'LOCK_AFTER_RETRIES' in /etc/default/login is set to YES"
 info		: "Level: 1\n"
 info           : "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command:passwd -u <username>"
 solution       : "Perform the following to implement the recommended state-
\n cd /etc/default
\n awk '/RETRIES=/ { $1 = 'RETRIES=3' } { print }' login >login.new
\n mv login.new login
\n pkgchk -f -n -p /etc/default/login
\n cd /etc/security
\n awk '/LOCK_AFTER_RETRIES=/ \ { $1 = 'LOCK_AFTER_RETRIES=YES' } { print }' policy.conf >policy.conf.new
\n mv policy.conf.new policy.conf
\n pkgchk -f -n -p /etc/security/policy.conf
\nBe careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account-
\nusermod -K lock_after_retries=no oracle
\nBy default the root account is exempt from account lockout."
 file           : "/etc/security/policy.conf"
 regex          : "^ *[^#]*LOCK_AFTER_RETRIES\\s*=.*"
 expect         : "LOCK_AFTER_RETRIES\\s*=\\s*([Yy][Ee][Ss])" 
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# pkgchk -f -n -p /etc/security/policy.conf
# 

<if>
<condition type : "or">
<custom_item>
 system        	: "SunOS"
 type           : CMD_EXEC
 description    : "6.12 Set EEPROM Security Mode and Log Failed Access - Check if system is SPARC Note: This check is for SPARC only"
 info		: "Level: 1\n"
 info           : "Oracle SPARC systems support the use of a EEPROM password for the console."
 solution       : "See page 97 of the CIS document for remediation instructions."
 cmd            : "/usr/bin/uname -a"
 regex          : "([Ss][Pp][Aa][Rr][Cc])"
 expect         : "([Ss][Pp][Aa][Rr][Cc])"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
</condition>
<then>
<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "6.12 Set EEPROM Security Mode and Log Failed Access - SPARC only. Should *not* be 'security-mode=none'."
 info		: "Level: 1\n"
 info           : "Oracle SPARC systems support the use of a EEPROM password for the console."
 solution       : "See page 97 of the CIS document for remediation instructions."
 cmd		: "eeprom security-mode"
 expect 	: "^security-mode\\s*=\\s*(command|full)"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
</then>
</if>


#
# NOTE: By default the UFS file system is referenced, if you are running ZFS please change '/boot/' to '/rpool/boot/'.
<if>
 <condition type:"or">
  <custom_item>
   system        	: "SunOS"
   type           	: CMD_EXEC
   description    	: "6.13 Secure the GRUB Menu - Check if system is x86/x86_64 Note: This check is for x86/x86_64 only"
   info			: "Level: 1\n"
   info                 : "GRUB is a boot loader for x86/x64 based systems that permits loading an OS image from any location. Oracle x86 systems support the use of a GRUB Menu password for the console."
   solution             : "Perform the following to implement the recommended state-
\n   /boot/grub/bin/grub grub> md5crypt Password- [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)]
\nThe actual menu.lst file to be used varies depending upon whether ZFS or UFS is used as the root file system. If a ZFS filesystem is being used, then edit the file /rpool/boot/grub/menu.lst. Otherwise edit the file /boot/grub/menu.lst. Add the following line to the menu.lst file above the entries added by bootadm-
\npassword -md5 [enter md5 password string generated above]
\nNext, add the keyword lock to the Solaris failsafe boot entry as in the following example: title Solaris failsafe lock
\nLast, ensure the menu.lst file can only be read by the root user:
\n(UFS)
\nchmod 600 /boot/grub/menu.lst (ZFS)
\nchmod 600 /rpool/boot/grub/menu.lst"
   cmd            	: "/usr/bin/uname -a"
   regex          	: "i386"
   expect         	: "i386"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </condition>
 <then>
  <custom_item>
   system		: "SunOS"
   type           	: FILE_CONTENT_CHECK
   description    	: "6.13 Secure the GRUB Menu - Check if 'password' is set in /boot/grub/menu.lst. Note: This check only checks if password is set"
   info			: "Level: 1\n"
   info                 : "GRUB is a boot loader for x86/x64 based systems that permits loading an OS image from any location. Oracle x86 systems support the use of a GRUB Menu password for the console."
   solution             : "Perform the following to implement the recommended state-
\n   /boot/grub/bin/grub grub> md5crypt Password- [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)]
\nThe actual menu.lst file to be used varies depending upon whether ZFS or UFS is used as the root file system. If a ZFS filesystem is being used, then edit the file /rpool/boot/grub/menu.lst. Otherwise edit the file /boot/grub/menu.lst. Add the following line to the menu.lst file above the entries added by bootadm-
\npassword -md5 [enter md5 password string generated above]
\nNext, add the keyword lock to the Solaris failsafe boot entry as in the following example: title Solaris failsafe lock
\nLast, ensure the menu.lst file can only be read by the root user:
\n(UFS)
\nchmod 600 /boot/grub/menu.lst (ZFS)
\nchmod 600 /rpool/boot/grub/menu.lst"
   file           	: "/boot/grub/menu.lst"
   regex          	: "^ *[^#]*password -md5.*"
   expect         	: "password -md5 .+"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
  <custom_item>
   system       	: "SunOS"
   type           	: FILE_CONTENT_CHECK
   description    	: "6.13 Secure the GRUB Menu - Check if 'lock' command is set after failsafe section. Note: Please ensure 'lock' command is located after 'title Solaris failsafe' in file  /boot/grub/menu.lst. Nessus can only verify existence/non-existence of 'lock' command."
   info			: "Level: 1\n"
   info                 : "GRUB is a boot loader for x86/x64 based systems that permits loading an OS image from any location. Oracle x86 systems support the use of a GRUB Menu password for the console."
   solution             : "Perform the following to implement the recommended state-
\n   /boot/grub/bin/grub grub> md5crypt Password- [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)]
\nThe actual menu.lst file to be used varies depending upon whether ZFS or UFS is used as the root file system. If a ZFS filesystem is being used, then edit the file /rpool/boot/grub/menu.lst. Otherwise edit the file /boot/grub/menu.lst. Add the following line to the menu.lst file above the entries added by bootadm-
\npassword -md5 [enter md5 password string generated above]
\nNext, add the keyword lock to the Solaris failsafe boot entry as in the following example: title Solaris failsafe lock
\nLast, ensure the menu.lst file can only be read by the root user:
\n(UFS)
\nchmod 600 /boot/grub/menu.lst (ZFS)
\nchmod 600 /rpool/boot/grub/menu.lst"
   file           	: "/boot/grub/menu.lst"
   regex          	: "^ *[^#]*lock"
   expect         	: "lock$"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
  <custom_item>
   system       	: "SunOS"
   type           	: FILE_CHECK
   description    	: "6.13 Secure the GRUB Menu - should pass if /boot/grub/menu.lst permissions are OK."
   info			: "Level: 1\n"
   info                 : "GRUB is a boot loader for x86/x64 based systems that permits loading an OS image from any location. Oracle x86 systems support the use of a GRUB Menu password for the console."
   solution             : "Perform the following to implement the recommended state-
\n   /boot/grub/bin/grub grub> md5crypt Password- [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)]
\nThe actual menu.lst file to be used varies depending upon whether ZFS or UFS is used as the root file system. If a ZFS filesystem is being used, then edit the file /rpool/boot/grub/menu.lst. Otherwise edit the file /boot/grub/menu.lst. Add the following line to the menu.lst file above the entries added by bootadm-
\npassword -md5 [enter md5 password string generated above]
\nNext, add the keyword lock to the Solaris failsafe boot entry as in the following example: title Solaris failsafe lock
\nLast, ensure the menu.lst file can only be read by the root user:
\n(UFS)
\nchmod 600 /boot/grub/menu.lst (ZFS)
\nchmod 600 /rpool/boot/grub/menu.lst"
   file           	: "/boot/grub/menu.lst"
   mode           	: "600"
   see_also		: "https://www.cisecurity.org/tools2/solaris/CIS_Solaris_10_Benchmark_v5.0.0.pdf"
  </custom_item>
 </then>
</if>

#
## 7.User Accounts and Environments
##
#

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'daemon' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*daemon:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "daemon:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'bin' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*bin:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "bin:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'bin' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*bin:x:.*"
 expect         : "bin:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'nuucp' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*nuucp:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "nuucp:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>  
     
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'nuucp' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*nuucp:x:.*"
 expect         : "nuucp:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>           
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'smmsp' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*smmsp:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "smmsp:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>           
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'smmsp' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*smmsp:x:.*"
 expect         : "smmsp:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'gdm' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*gdm:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "gdm:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'gdm' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*gdm:x:.*"
 expect         : "gdm:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'listen' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*listen:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "listen:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>  
        
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'listen' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*listen:x:.*"
 expect         : "listen:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'webservd' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*webservd:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "webservd:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'webservd' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*webservd:x:.*"
 expect         : "webservd:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'nobody' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*nobody:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "nobody:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'nobody' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*nobody:x:.*"
 expect         : "nobody:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'noaccess' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*noaccess:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "noaccess:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'noaccess' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*noaccess:x:.*"
 expect         : "noaccess:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'nobody4' is locked."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*nobody4:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "nobody4:.*[LK].*[NP]*:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>  
        
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'nobody4' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*nobody4:x:.*"
 expect         : "nobody4:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>      

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'sys' disallows password login"
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*sys:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "sys:NP:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'adm' disallows password login"
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*adm:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "adm:NP:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type		: FILE_CONTENT_CHECK
 description	: "7.1 Disable System Accounts - should pass if the default shell for 'adm' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file		: "/etc/passwd"
 regex		: "^[\\s\\t]*adm:x:.*"
 expect		: "adm:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>            
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'lp' disallows password login."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
\n passwd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*lp:.*:.*:.*:.*:.*:.*:.*:"
 expect         : "lp:NP:.*:.*:.*:.*:.*:.*:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'lp' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
 \npasswd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*lp:x:.*"
 expect         : "lp:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - Ensure account 'uucp' disallows password login."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
 \npasswd -l [username]"
 file           : "/etc/shadow"
 regex          : "^[\\s\\t]*uucp:.*"
 expect         : "uucp:NP:.*"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>  
   
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.1 Disable System Accounts - should pass if the default shell for 'uucp' is set to /usr/bin/false."
 info		: "Level: 1\n"
 info           : "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell."
 solution       : "Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor are they able to use scheduled execution facilities such as cron. To lock an account, use the command-
 \npasswd -l [username]"
 file           : "/etc/passwd"
 regex          : "^[\\s\\t]*uucp:x:.*"
 expect         : "uucp:x:.+:/usr/bin/false"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>          

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check PASSLENGTH is set to 8"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*PASSLENGTH\\s*=.*"
 expect         : "PASSLENGTH\\s*=\\s*8$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check NAMECHECK is set to YES"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*NAMECHECK\\s*=.*"
 expect         : "NAMECHECK\\s*=\\s*(YES|Yes|yes)"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check HISTORY is set to 24"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*HISTORY\\s*=.*"
 expect         : "HISTORY\\s*=\\s*24$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system       	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check MINDIFF is set to 3"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*MINDIFF\\s*=.*"
 expect         : "MINDIFF\\s*=\\s*3$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - MINALPHA is set to 2"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*MINALPHA\\s*=.*"
 expect         : "MINALPHA\\s*=\\s*2$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check MINUPPER is set to 1"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*MINUPPER\\s*=.*"
 expect         : "MINUPPER\\s*=\\s*1$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check MINLOWER is set to 1"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*MINLOWER\\s*=.*"
 expect         : "MINLOWER\\s*=\\s*1$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - MINNONALPHA is set to 1"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*MINNONALPHA\\s*=.*"
 expect         : "MINNONALPHA\\s*=\\s*1$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check MAXREPEATS is set to 0"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*MAXREPEATS\\s*=.+"
 expect         : "MAXREPEATS\\s*=\\s*0$"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - WHITESPACE is set to YES"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*WHITESPACE\\s*=.*"
 expect         : "WHITESPACE\\s*=\\s*([Yy][Ee][Ss])"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check DICTIONDBDIR is set to /var/passwd"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*DICTIONDBDIR\\s*=.*"
 expect         : "DICTIONDBDIR\\s*=\\s*/var/passwd"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.3 Set Strong Password Creation Policies - Check DICTIONLIST is set to /usr/share/lib/dict/words"
 info		: "Level: 1\n"
 info           : "Password policies are designed to force users to make better password choices when selecting their passwords."
 solution       : "Please refer to the remediation steps on page 104 of the CIS document."
 file           : "/etc/default/passwd"
 regex          : "^ *[^#]*DICTIONLIST\\s*=.*"
 expect         : "DICTIONLIST\\s*=\\s*/usr/share/lib/dict/words"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.4 Set Default Group for root Account"
 info		: "Level: 1\n"
 info           : "For Solaris 9 and earlier, the default group for the root account is the 'other' group, which may be shared by many other accounts on the system. Solaris 10 has adopted GID 0 (group 'root') as default group for the root account."
 solution       : "Perform the following to implement the recommended state-
\n passmgmt -m -g 0 root"
 file           : "/etc/passwd"
 regex          : "root:x:0:.*"
 expect         : "root:x:0:0:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.5 Change Home Directory for root Account"
 info		: "Level: 1\n"
 info           : "By default, the Solaris OS root user's home directory is '/'.
\n\nNote - If the user logs into GNOME, the directories 'Desktop' and 'Documents' will also be created under /. Move these directories into /root, if they exist."
 solution       : "Perform the following to implement the recommended state-
\n mkdir -m 700 /root
\n mv -i /.?* /root/
\n passmgmt -m -h /root root"
 file           : "/etc/passwd"
 regex          : "root:x:0:0:Super-User:.*:.*"
 expect         : "root:x:0:0:Super-User:/root:.*"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CHECK
 description    : "7.5 Change Home Directory for root Account - Check /root permissions."
 info		: "Level: 1\n"
 info           : "By default, the Solaris OS root user's home directory is '/'.
\n\nNote - If the user logs into GNOME, the directories 'Desktop' and 'Documents' will also be created under /. Move these directories into /root, if they exist."
 solution       : "Perform the following to implement the recommended state-
\n mkdir -m 700 /root
\n mv -i /.?* /root/
\n passmgmt -m -h /root root"
 file           : "/root"
 mask		: "077"	
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.6 Set Default umask for Users, Check if 'UMASK' is set to 077."
 info		: "Level: 1\n"
 info           : "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
 solution       : "Please refer to the remediation steps on page 106 of the CIS document."
 file           : "/etc/default/login"
 regex          : "^ *[^#]*UMASK\\s*=.*"
 expect         : "UMASK\\s*=\\s*077"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.6 Set Default umask for Users - Check if 'umask' is set to 077 - Check /etc/profile."
 info		: "Level: 1\n"
 info           : "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
 solution       : "Please refer to the remediation steps on page 106 of the CIS document."
 file           : "/etc/profile"
 regex          : "^ *[^#]*umask.*"
 expect         : "umask 077"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.6 Set Default umask for Users - Check if 'umask' is set to 077 - Check /etc/.login."
 info		: "Level: 1\n"
 info           : "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
 solution       : "Please refer to the remediation steps on page 106 of the CIS document."
 file           : "/etc/.login"
 regex          : "^ *[^#]*umask"
 expect         : "umask 077"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.7 Set Default umask for FTP Users - Check if 'defumask' is set to 077."
 info		: "Level: 1\n"
 info           : "If FTP is permitted, set the umask value to apply to files created by the FTP server."
 solution       : "Please refer to the remediation steps on page 107 of the CIS document."
 file           : "/etc/ftpd/ftpaccess"
 regex          : "^ *[^#]*defumask.*"
 expect         : "defumask 077"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.8 Set 'mesg n' as Default for All Users in /etc/profile"
 info		: "Level: 1\n"
 info           : "The 'mesg n' command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device.
\n\nNote - Setting mesg n for all users may cause 'mesg- cannot change mode' to be displayed when using su - <user>."
 solution       : "Please refer to the remediation steps on page 108 of the CIS document."
 file           : "/etc/profile"
 regex          : "^ *[^#]*mesg.*"
 expect         : "mesg n"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK
 description    : "7.8 Set 'mesg n' as Default for All Users in /etc/.login"
 info		: "Level: 1\n"
 info           : "The 'mesg n' command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device.
\n\nNote - Setting mesg n for all users may cause 'mesg- cannot change mode' to be displayed when using su - <user>."
 solution       : "Please refer to the remediation steps on page 108 of the CIS document."
 file           : "/etc/.login"
 regex          : "^ *[^#]*mesg.*"
 expect         : "mesg n"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

#
# 9. System Maintenance
#

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "9.1 Check for Remote Consoles using 'consadm' command line utility"
 info		: "Level: 1\n"
 info           : "The consadm command can be used to select or display alternate console devices."
 solution       : "Perform the following to implement the recommended state-
\n /usr/sbin/consadm [-d device...]"
 cmd		: "/usr/sbin/consadm -p"
 expect		: ""
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK
 description    : "9.2 Verify System ob体育 Permissions - /etc/shadow ob体育 Permissions."
 info		: "Level: 1\n"
 info           : "The pkgchk command checks the accuracy of installed files as well as the integrity of directory structures and files."
 solution       : "To force the default setting, use the -f option as follows-
\n pkgchk -f -n -p /etc/shadow"
 file           : "/etc/shadow"
 owner          : "root"
 group          : "sys"
 mode           : "400"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK
 description    : "9.2 Verify System ob体育 Permissions - /etc/passwd ob体育 Permissions."
 info		: "Level: 1\n"
 info           : "The pkgchk command checks the accuracy of installed files as well as the integrity of directory structures and files."
 solution       : "To force the default setting, use the -f option as follows-
 \npkgchk -f -n -p /etc/shadow"
 file           : "/etc/passwd"
 owner          : "root"
 group          : "sys"
 mode           : "644"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : CMD_EXEC
 description    : "9.3 Ensure Password Fields are Not Empty - Verify no accounts are returned by 'logins -p'"
 info		: "Level: 1\n"
 info           : "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that PASSREQ=NO in /etc/default/login)."
 solution       : "Use the passwd -l command to lock accounts that are not permitted to execute commands (shown by *LK* in the password field). Use the passwd -N command for accounts that do not use a password to login but must execute commands (shown by NP in the password field)."
 cmd            : "/usr/bin/logins -p"
 expect         : ""
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK_NOT
 description    : "9.4 Verify No Legacy '+' Entries Exist in passwd, shadow, and group ob体育s - Check for passwd"
 info		: "Level: 1\n"
 info           : "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on Solaris systems, but may exist in files that have been imported from other platforms."
 solution       : "Delete these entries if they exist."
 file           : "/etc/passwd"
 regex          : "^[+]:"
 expect         : "^[+]:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK_NOT
 description    : "9.4 Verify No Legacy '+' Entries Exist in passwd, shadow, and group ob体育s - Check for shadow."
 info		: "Level: 1\n"
 info           : "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on Solaris systems, but may exist in files that have been imported from other platforms."
 solution       : "Delete these entries if they exist."
 file           : "/etc/shadow"
 regex          : "^[+]:"
 expect         : "^[+]:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>
 
<custom_item>
 system        	: "SunOS"
 type           : FILE_CONTENT_CHECK_NOT
 description    : "9.4 Verify No Legacy '+' Entries Exist in passwd, shadow, and group ob体育s - Check for group"
 info		: "Level: 1\n"
 info           : "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on Solaris systems, but may exist in files that have been imported from other platforms."
 solution       : "Delete these entries if they exist."
 file           : "/etc/group"
 regex          : "^[+]:"
 expect         : "^[+]:"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<item>
 name           : "passwd_zero_uid"
 description    : "9.5 Verify that no UID 0 accounts exist other than root"
 info		: "Level: 1\n"
 info           : "Any account with UID 0 has superuser privileges on the system."
 solution       : "Delete any other entries that are displayed.
\nFiner granularity access control for administrative access can be obtained by using Oracle's Role-Based Access Control (RBAC) system.
\nRBAC configurations can be monitored via the /etc/user_attr file to make sure that privileges are managed appropriately."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name           : "dot_in_root_path_variable"
 description    : "9.6 Ensure root PATH Integrity, No '.' In root's $PATH"
 info		: "Level: 1\n"
 info           : "The root user can execute any command on the system and could be fooled into executing programs unemotionally if the PATH is not set correctly."
 solution       : "Correct or justify any items discovered in the Audit step."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name    	: "writeable_dirs_in_root_path_variable"
 description    : "9.6 Ensure root PATH Integrity, No Group/World-Writable Directory In root's $PATH"
 info		: "Level: 1\n"
 info           : "The root user can execute any command on the system and could be fooled into executing programs unemotionally if the PATH is not set correctly."
 solution       : "Correct or justify any items discovered in the Audit step."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name           : "accounts_bad_home_permissions"
 description    : "9.7 Check Permissions on User Home Directories - Should Be Mode 750 or More Restrictive. Please audit the results of this check and take action in accordance with corporate policy."
 info	 	: "Level: 1\n"
 info           : "While the system administrator can establish secure permissions for users' home directories, the users can easily override these."
 solution       : "Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy."
 mask           : "027"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK
 description    : "9.8 Check User Dot ob体育 Permissions. Please audit the results of this check and take action in accordance with corporate policy."
 info		: "Level: 1\n"
 info           : "While the system administrator can establish secure permissions for users' 'dot' files, the users can easily override these."
 solution       : "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy."
 file           : "~/.*"
 mask           : "0022"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK
 description    : "9.9 Check Permissions on User .netrc ob体育s. Please audit the results of this check and take action in accordance with corporate policy."
 info		: "Level: 1\n"
 info           : "While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these."
 solution       : "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc file permissions and determine the action to be taken in accordance with site policy."
 file           : "~/.netrc"
 mask           : "0077"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system        	: "SunOS"
 type           : FILE_CHECK_NOT
 description    : "9.10 Check for Presence of User .rhosts ob体育s"
 info		: "Level: 1\n"
 info           : "While no .rhosts files are shipped with Solaris, users can easily create them."
 solution       : "It may be useful to run this audit check and, if any users have .rhosts files, determine why they have them."
 file           : "~/.rhosts"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<item>
 name		: "passwd_invalid_gid"
 description	: "9.11 Check Groups in /etc/passwd"
 info		: "Level: 1\n"
 info           : "Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group."
 solution       : "Analyze the output of the Audit step above and perform the appropriate action to correct any discrepancies found."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "accounts_without_home_dir"
 description	: "9.12 Check That Users Are Assigned Home Directories"
 info		: "Level: 1\n"
 info           : "The /etc/passwd file defines a home directory that the user is placed in upon login. If there is no defined home directory, the user will be placed in '/' and will not be able to write any files or have local environment variables set."
 solution       : "Based on the results of the Audit script, perform the appropriate action for your environment (e.g. delete unneeded users or assign them a home directory)."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "passwd_duplicate_home"
 description	: "9.13 Check That Defined Home Directories Exist"
 info		: "Level: 1\n"
 info           : "Users can be defined to have a home directory in /etc/passwd, even if the directory does not actually exist."
 solution       : "If any users' home directories do not exist, create them and make sure the respective user owns the directory."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "accounts_bad_home_permissions"
 description	: "9.14 Check User Home Directory Ownership"
 info		: "Level: 1\n"
 info           : "The user home directory is space defined for the particular user to set local environment variables and to store personal files."
 solution       : "Change the ownership any home directories that are not owned by the defined user to the correct user."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "passwd_duplicate_uid"
 description	: "9.15 Check for Duplicate UIDs"
 info		: "Level: 1\n"
 info           : "Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field."
 solution       : "Based on the results of the script, establish unique UIDs and review all files owned by the shared UID to determine which UID they are supposed to belong to."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "group_duplicate_gid"
 description	: "9.16 Check for Duplicate GIDs"
 info		: "Level: 1\n"
 info           : "Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field."
 solution       : "Based on the results of the script, establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

# 9.17 Check That Reserved UIDs are Assigned to System Accounts - Unable to write audit check to verify this item; please refer
# to p130 in CIS Solaris 10 v5.1.0 benchmark for shell script to audit this item for compliance.
#

<item>
 name		: "passwd_duplicate_username"
 description	: "9.18 Check for Duplicate User Names"
 info		: "Level: 1\n"
 info           : "Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name."
 solution       : "Based on the results of the script, establish unique user names for the users. ob体育 ownerships will automatically reflect the change as long as the users have unique UIDs."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "group_duplicate_name"
 description	: "9.19 Check for Duplicate Group Names"
 info		: "Level: 1\n"
 info           : "Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name."
 solution       : "Based on the results of the script, establish unique names for the user groups. ob体育 group ownerships will automatically reflect the change as long as the groups have unique GIDs."
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK_NOT
 description    : "9.20 Check for presence of user .netrc files - Checks for the presence of .netrc files in home directories."
 info		: "Level: 1\n"
 info           : "The .netrc file contains data for logging into a remote host for file transfers via FTP."
 solution       : "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy."
 file           : "~/.netrc"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<custom_item>
 system         : "SunOS"
 type           : FILE_CHECK_NOT
 description    : "9.21 Check for presence of user .forward files - Checks for the presence of .forward files in home directories."
 info		: "Level: 1\n"
 info           : "The .forward file specifies an email address to forward the user's mail to."
 solution       : "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy."
 file           : "~/.forward"
 see_also       :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

<item>
 name		: "find_world_writeable_files"
 description	: "9.22 Find World Writable ob体育s"
 info		: "Level: 1\n"
 info          : "Unix-based systems support variable settings to control access to files. World writable files are the least secure. See the chmod(2) man page for more information."
 solution      : "Removing write access for the 'other' category (chmod o-w <filename>) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file."
 basedir	: "/"
 see_also      :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "find_suid_sgid_files"
 description	: "9.23 Find SUID/SGID System Executables"
 info		: "Level: 1\n"
 info          : "The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID/SGID program is to enable users to perform functions (such as changing their password) that require root privileges."
 solution      : "Ensure that no rogue set-UID programs have been introduced into the system. Digital signatures on Solaris set-UID binaries can be verified with the elfsign utility-
 elfsign verify -e /usr/bin/su"
 basedir	: "/"
 see_also      :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<item>
 name		: "find_orphan_files"
 description	: "9.24 Find Un-owned ob体育s and Directories"
 info		: "Level: 1\n"
 info          : "Sometimes when administrators delete users from the passwd file they neglect to remove all files owned by those users from the system."
 solution      : "Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. Note that the Solaris OS distribution is shipped with all files appropriately owned."
 basedir	: "/"
 see_also      :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</item>

<custom_item>
 system        	: "SunOS"
 type		: CMD_EXEC
 description	: "9.25 Find ob体育s and Directories with Extended Attributes. ob体育s will be displayed with an INFO tag if found"
 info		: "Level: 1\n"
 info          : "Extended attributes are implemented as files in a 'shadow' file system that is not generally visible via normal administration commands without special arguments."
 solution      : "Investigate any files found. Note that Solaris does not ship with files that have extended attributes."
 cmd		: "/usr/bin/find / \\( -fstype nfs -o -fstype cachefs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \\) -prune -o -xattr -print 2>&1"
 expect        : ""
 see_also      :"https://benchmarks.cisecurity.org/tools2/solaris/CIS_Oracle_Solaris_10_Benchmark_v5.1.0.pdf"
</custom_item>

</then>
<else>
<report type	: "WARNING" >
 description	:"Solaris 10 is not installed on target"
 info			:"Solaris 10 is not installed on target"
</report>
</else>
</if>

</check_type>