# OSSEC Linux Audit - (C) 2017 OSSEC Project # # Released under the same license as OSSEC. # More details at the LICENSE file included with OSSEC or online # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE # # [Application name] [any or all] [reference] # type:; # # Type can be: # - f (for file or directory) # - p (process running) # - d (any file inside the directory) # # Additional values: # For the registry , use "->" to look for a specific entry and another # "->" to look for the value. # For files, use "->" to look for a specific value in the file. # # Values can be preceeded by: =: (for equal) - default # r: (for ossec regexes) # >: (for strcmp greater) # <: (for strcmp lower) # Multiple patterns can be specified by using " && " between them. # (All of them must match for it to return true). # CIS Checks for Solaris 11 # Based on Center for Internet Security Benchmark for Solaris 11 Benchmark v1.1.0 https://workbench.cisecurity.org/benchmarks/410 # $home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; # # #2.1 Disable Local-only Graphical Login Environment [CIS - Solaris 11 Configuration - 2.1 Disable Local-only Graphical Login Environment] [any] [https://workbench.cisecurity.org/benchmarks/410] p:gdm; p:cde; # # #2.2 Configure sendmail Service for Local-Only Mode [CIS - Solaris 11 Configuration - 2.2 Configure sendmail Service for Local-Only Mode] [any] [https://workbench.cisecurity.org/benchmarks/410] p:!/etc/mail/local.cf; # # #2.3 Disable RPC Encryption Key [CIS - Solaris 11 Configuration - 2.3 Disable RPC Encryption Key] [any] [https://workbench.cisecurity.org/benchmarks/410] p:keyserv; # # #2.4 Disable NIS Server Services [CIS - Solaris 11 Configuration - 2.4 Disable NIS Server Services] [any] [https://workbench.cisecurity.org/benchmarks/410] p:ypserv; p:ypbind; p:ypxfr; p:rpc.yppasswdd; p:rpc.ypupdated; f:/etc/init.d/nis; # # #2.5 Disable NIS Client Services [CIS - Solaris 11 Configuration - 2.5 Disable NIS Client Services] [any] [https://workbench.cisecurity.org/benchmarks/410] p:ypserv; p:ypbind; p:ypxfr; p:rpc.yppasswdd; p:rpc.ypupdated; f:/etc/init.d/nis; # # #2.6 Disable Kerberos TGT Expiration Warning [CIS - Solaris 11 Configuration - 2.6 Disable Kerberos TGT Expiration Warning] [any] [https://workbench.cisecurity.org/benchmarks/410] p:ktkt_warnd; # # #2.7 Disable Generic Security Services (GSS) [CIS - Solaris 11 Configuration - 2.7 Disable Generic Security Services (GSS)] [any] [https://workbench.cisecurity.org/benchmarks/410] p:gssd; # # #2.8 Disable Removable Volume Manager [CIS - Solaris 11 Configuration - 2.8 Disable Removable Volume Manager] [any] [https://workbench.cisecurity.org/benchmarks/410] p:smserverd; # # #2.9 Disable automount Service [CIS - Solaris 11 Configuration - 2.9 Disable automount Service] [any] [https://workbench.cisecurity.org/benchmarks/410] p:automountd; # # #2.10 Disable Apache Service [CIS - Solaris 11 Configuration - 2.10 Disable Apache Service] [any] [https://workbench.cisecurity.org/benchmarks/410] p:apache; p:httpd; # # #2.11 Disable Local-only RPC Port Mapping Service [CIS - Solaris 11 Configuration - 2.11 Disable Local-only RPC Port Mapping Service] [any] [https://workbench.cisecurity.org/benchmarks/410] p:rpcbind; # # #2.12 Configure TCP Wrappers [CIS - Solaris 11 Configuration - 2.12 Configure TCP Wrappers] [any] [https://workbench.cisecurity.org/benchmarks/410] f:!/etc/hosts.allow; f:!/etc/hosts.deny; # # #2.13 Disable Telnet Service [CIS - Solaris 11 Configuration - 2.13 Disable Telnet Service] [any] [https://workbench.cisecurity.org/benchmarks/410] p:telnetd; # # #3.1 Restrict Core Dumps to Protected Directory [CIS - Solaris 11 Configuration - 3.1 Restrict Core Dumps to Protected Directory] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/coreadm.conf -> !r:^COREADM_GLOB_PATTERN\p\.+; f:/etc/coreadm.conf -> !r:^COREADM_GLOB_CONTENT\pdefault; f:/etc/coreadm.conf -> !r:^COREADM_INIT_PATTERN\pcore; f:/etc/coreadm.conf -> !r:^COREADM_INIT_CONTENT\pdefault; f:/etc/coreadm.conf -> !r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno; f:/etc/coreadm.conf -> !r:^COREADM_PROC_ENABLED\pno; f:/etc/coreadm.conf -> !r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno; f:/etc/coreadm.conf -> !r:^COREADM_PROC_SETID_ENABLED\pno; f:/etc/coreadm.conf -> !r:^COREADM_GLOB_LOG_ENABLED\pyes; # # #3.2 Enable Stack Protection [CIS - Solaris 11 Configuration - 3.2 Enable Stack Protection] [any] [https://workbench.cisecurity.org/benchmarks/410] f:!/etc/system; f:/etc/system -> !r:^\s*\t*noexec_user_stack\p1; f:/etc/system -> !r:^# && r:\s*\t*noexec_user_stack\p0; f:/etc/system -> !r:^\s*\t*noexec_user_stack_log\p1; f:/etc/system -> !r:^# && r:\s*\t*noexec_user_stack_log\p0; # # #3.3 Enable Strong TCP Sequence Number Generation [CIS - Solaris 11 Configuration - 3.3 Enable Strong TCP Sequence Number Generation] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/inetinit -> !r:^TCP_STRONG_ISS\p2; f:/etc/default/inetinit -> !r:^# && r:TCP_STRONG_ISS\p1; # # #4.1 Create CIS Audit Class [CIS - Solaris 11 Configuration - 4.1 Create CIS Audit Class] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/security/audit_class -> !r:0x\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d:cis:\.+; # # #4.2 Enable Auditing of Incoming Network Connections [CIS - Solaris 11 Configuration - 4.2 Enable Auditing of Incoming Network Connections] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/security/audit_event -> !r:^\d+:AUE_ACCEPT:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_CONNECT:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKACCEPT:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKCONNECT:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_inetd_connect:\.+cis\.*; # # #4.3 Enable Auditing of File Metadata Modification Events [CIS - Solaris 11 Configuration - 4.3 Enable Auditing of File Metadata Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/security/audit_event -> !r:^\d+:AUE_CHMOD:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_CHOWN:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_FCHOWN:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_FCHMOD:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_LCHOWN:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_ACLSET:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_FACLSET:\.+cis\.*; # # #4.4 Enable Auditing of Process and Privilege Events [CIS - Solaris 11 Configuration - 4.4 Enable Auditing of Process and Privilege Events] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/security/audit_event -> !r:^\d+:AUE_CHROOT:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETREUID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETREGID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_FCHROOT:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_PFEXEC:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETUID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_NICE:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETGID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETEGID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETEUID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETPRIV:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETSID:\.+cis\.*; f:/etc/security/audit_event -> !r:^\d+:AUE_SETPGID:\.+cis\.*; # # #4.5 Configure Solaris Auditing [CIS - Solaris 11 Configuration - 4.5 Configure Solaris Auditing] [any] [https://workbench.cisecurity.org/benchmarks/410] d:/var/spool/cron/crontabs -> !r:/usr/sbin/audit -n; # # #5.1 Default Service File Creation Mask [CIS - Solaris 11 Configuration - 5.1 Default Service File Creation Mask] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/profile -> !r:^umask\s*\d\d\d; # # #6.2 Disable "nobody" Access for RPC Encryption Key Storage Service [CIS - Solaris 11 Configuration - 6.2 Disable "nobody" Access for RPC Encryption Key Storage Service] [any] [https://workbench.cisecurity.org/benchmarks/410] f!:/etc/default/keyserv; f:/etc/default/keyserv -> !r:^ENABLE\.NOBODY\.KEYS\pNO; f:/etc/default/keyserv -> !r:^# && r:ENABLE\.NOBODY\.KEYS\pYES; # # #6.3 Disable X11 Forwarding for SSH [CIS - Solaris 11 Configuration - 6.3 Disable X11 Forwarding for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s*no; f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s*yes; # # #6.4 Limit Consecutive Login Attempts for SSH [CIS - Solaris 11 Configuration - 6.4 Limit Consecutive Login Attempts for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s*3; f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries\s*3\d+; # # #6.5 Disable Rhost-based Authentication for SSH [CIS - Solaris 11 Configuration - 6.5 Disable Rhost-based Authentication for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s*yes; f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s*no; # # #6.6 Disable root login for SSH [CIS - Solaris 11 Configuration - 6.6 Disable root login for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s*no; f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s*yes; # # #6.7 Blocking Authentication Using Empty/Null Passwords for SSH [CIS - Solaris 11 Configuration - 6.7 Blocking Authentication Using Empty/Null Passwords for SSH] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s*no; f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s*yes; # # #6.8 Disable Host-based Authentication for Login-based Services [CIS - Solaris 11 Configuration - 6.8 Disable Host-based Authentication for Login-based Services] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/pam.conf -> !r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1; f:/etc/pam.conf -> !r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1; # # #6.9 Restrict FTP Use [CIS - Solaris 11 Configuration - 6.9 Restrict FTP Use] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ftpd/ftpusers -> !r:^root; f:/etc/ftpd/ftpusers -> !r:^daemon; f:/etc/ftpd/ftpusers -> !r:^bin; f:/etc/ftpd/ftpusers -> !r:^sys; f:/etc/ftpd/ftpusers -> !r:^adm; f:/etc/ftpd/ftpusers -> !r:^uucp; f:/etc/ftpd/ftpusers -> !r:^nuucp; f:/etc/ftpd/ftpusers -> !r:^smmsp; f:/etc/ftpd/ftpusers -> !r:^listen; f:/etc/ftpd/ftpusers -> !r:^gdm; f:/etc/ftpd/ftpusers -> !r:^lp; f:/etc/ftpd/ftpusers -> !r:^webservd; f:/etc/ftpd/ftpusers -> !r:^postgres; f:/etc/ftpd/ftpusers -> !r:^svctag; f:/etc/ftpd/ftpusers -> !r:^openldap; f:/etc/ftpd/ftpusers -> !r:^unknown; f:/etc/ftpd/ftpusers -> !r:^aiuser; f:/etc/ftpd/ftpusers -> !r:^nobody; f:/etc/ftpd/ftpusers -> !r:^nobody4; f:/etc/ftpd/ftpusers -> !r:^noaccess; # # #6.10 Set Delay between Failed Login Attempts to 4 [CIS - Solaris 11 Configuration - 6.10 Set Delay between Failed Login Attempts to 4] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/login -> !r:^SLEEPTIME\p4; f:/etc/default/login -> !r:^# && r:SLEEPTIME\p4\d; # # #6.11 Remove Autologin Capabilities from the GNOME desktop [CIS - Solaris 11 Configuration - 6.11 Remove Autologin Capabilities from the GNOME desktop] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/pam.conf -> !r:^# && r:gdm-autologin; # # #6.12 Set Default Screen Lock for GNOME Users [CIS - Solaris 11 Configuration - 6.12 Set Default Screen Lock for GNOME Users] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*timeout:\s*\t*0:10:00; f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*locktimeout:\s*\t*0:00:00; f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*lock:\s*\t*true; # # #6.13 Restrict at/cron to Authorized Users [CIS - Solaris 11 Configuration - 6.13 Restrict at/cron to Authorized Users] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/cron.d/cron.deny; f:/etc/cron.d/at.deny; f:!/etc/cron.d/cron.allow; f:/etc/cron.d/cron.allow -> !r:^root$; f:!/etc/cron.d/at.allow; f:/etc/cron.d/at.allow -> !r:^# && r:\w; # # #6.14 Restrict root Login to System Console [CIS - Solaris 11 Configuration - 6.14 Restrict root Login to System Console] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/login -> !r:^CONSOLE\p/dev/console; # # #6.15 Set Retry Limit for Account Lockout [CIS - Solaris 11 Configuration - 6.14 Restrict root Login to System Console] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/login -> !r:^RETRIES\p3; f:/etc/default/login -> !r:^# && r:RETRIES\p3\d; f:/etc/security/policy.conf -> !r:^LOCK_AFTER_RETRIES\pyes; f:/etc/security/policy.conf -> !r:^# && r:LOCK_AFTER_RETRIES\pno; # # #6.17 Secure the GRUB Menu (Intel) [CIS - Solaris 11 Configuration - 6.17 Secure the GRUB Menu (Intel)] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/rpool/boot/grub/menu.lst -> !r:^password\s*--md5; # # #7.1 Set Password Expiration Parameters on Active Accounts [CIS - Solaris 11 Configuration - 7.1 Set Password Expiration Parameters on Active Accounts] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/passwd -> !r:^maxweeks\p13; f:/etc/default/passwd -> !r:^# &&r:maxweeks\p13\d; f:/etc/default/passwd -> !r:^minweeks\p1; f:/etc/default/passwd -> !r:^# &&r:minweeks\p1\d; f:/etc/default/passwd -> !r:^warnweeks\p4; f:/etc/default/passwd -> !r:^# &&r:warnweeks\p4\d; # # #7.2 Set Strong Password Creation Policies [CIS - Solaris 11 Configuration - 7.2 Set Strong Password Creation Policies] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/passwd -> !r:^passlength\p8; f:/etc/default/passwd -> !r:^# && r:passlength\p8\d; f:/etc/default/passwd -> !r:^namecheck\pyes; f:/etc/default/passwd -> !r:^# && r:namecheck\pno; f:/etc/default/passwd -> !r:^history\p10; f:/etc/default/passwd -> !r:^# && r:history\p10\d; f:/etc/default/passwd -> !r:^mindiff\p3; f:/etc/default/passwd -> !r:^# && r:mindiff\p3\d; f:/etc/default/passwd -> !r:^minalpha\p2; f:/etc/default/passwd -> !r:^# && r:minalpha\p2\d; f:/etc/default/passwd -> !r:^minupper\p1; f:/etc/default/passwd -> !r:^# && r:minupper\p1\d; f:/etc/default/passwd -> !r:^minlower\p1; f:/etc/default/passwd -> !r:^# && r:minlower\p1\d; f:/etc/default/passwd -> !r:^minnonalpha\p1; f:/etc/default/passwd -> !r:^# && r:minnonalpha\p1\d; f:/etc/default/passwd -> !r:^maxrepeats\p0; f:/etc/default/passwd -> !r:^# && r:maxrepeats\p0\d; f:/etc/default/passwd -> !r:^whitespace\pyes; f:/etc/default/passwd -> !r:^# && r:whitespace\pno; f:/etc/default/passwd -> !r:^dictiondbdir\p/var/passwd; f:/etc/default/passwd -> !r:^dictionlist\p/usr/share/lib/dict/words; # # #7.3 Set Default umask for users [CIS - Solaris 11 Configuration - 7.3 Set Default umask for users] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/login -> !r:^umask\p027|^umask\p077; f:/etc/default/login -> !r:^# && r:umask\p026; f:/etc/default/login -> !r:^# && r:umask\p022; # # #7.4 Set Default File Creation Mask for FTP Users [CIS - Solaris 11 Configuration - 7.4 Set Default File Creation Mask for FTP Users] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/proftpd.conf -> !r:^umask\s*027; f:/etc/proftpd.conf -> !r:^# && r:umask\s*026; f:/etc/proftpd.conf -> !r:^# && r:umask\s*022; # # #7.5 Set "mesg n" as Default for All Users [CIS - Solaris 11 Configuration - 7.5 Set "mesg n" as Default for All Users] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/.login -> !r:^mesg\s*n; f:/etc/profile -> !r:^mesg\s*n; # # #8.1 Create Warnings for Standard Login Services [CIS - Solaris 11 Configuration - 8.1 Create Warnings for Standard Login Services] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/issue -> r:SunOS; f:/etc/issue -> r:Oracle; f:/etc/issue -> r:solaris; f:/etc/issue -> !r:Authorized users only. All activity may be monitored and reported; f:/etc/motd -> r:SunOS; f:/etc/motd -> r:Oracle; f:/etc/motd -> r:solaris; f:/etc/motd -> !r:Authorized users only. All activity may be monitored and reported; # # #8.2 Enable a Warning Banner for the SSH Service [CIS - Solaris 11 Configuration - 8.2 Enable a Warning Banner for the SSH Service] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/ssh/sshd_config -> !r:^Banner\s*/etc/issue; # # #8.3 Enable a Warning Banner for the GNOME Service [CIS - Solaris 11 Configuration - 8.3 Enable a Warning Banner for the GNOME Service] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/gdm/Init/Default -> !r:^/usr/bin/zenity\s\.; # # #8.4 Enable a Warning Banner for the FTP service [CIS - Solaris 11 Configuration - 8.4 Enable a Warning Banner for the FTP service] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/proftpd.conf -> !r:^DisplayConnect\s+/etc/issue; # # #8.5 Check that the Banner Setting for telnet is Null [CIS - Solaris 11 Configuration - 8.5 Check that the Banner Setting for telnet is Null] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/default/telnetd -> !r:^# && r:BANNER=\.; f:/etc/default/telnetd -> !r:BANNER=$; # # #9.3 Verify System Account Default Passwords [CIS - Solaris 11 Configuration - 9.3 Verify System Account Default Passwords] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/shadow -> r:daemon && !r::NL:|:NP:; f:/etc/shadow -> r:lp && !r::NL:|:NP:; f:/etc/shadow -> r:adm && !r::NL:|:NP:; f:/etc/shadow -> r:bin && !r::NL:|:NP:; f:/etc/shadow -> r:gdm && !r::\p*LK\p*:; f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:; f:/etc/shadow -> r:nobody && !r::\p*LK\p*:; f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:; f:/etc/shadow -> r:openldap && !r::\p*LK\p*:; f:/etc/shadow -> r:unknown && !r::\p*LK\p*:; f:/etc/shadow -> r:webservd && !r::\p*LK\p*:; f:/etc/shadow -> r:mysql && !r::NL:|:NP:; f:/etc/shadow -> r:nuuc && !r::NL:|:NP:; f:/etc/shadow -> r:postgres && !r::NL:|:NP:; f:/etc/shadow -> r:smmsp && !r::NL:|:NP:; f:/etc/shadow -> r:sys && !r::NL:|:NP:; f:/etc/shadow -> r:uucp && !r::NL:|:NP:; f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:; f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:; f:/etc/shadow -> r:dladm && !r::\p*LK\p*:; f:/etc/shadow -> r:ftp && !r::\p*LK\p*:; f:/etc/shadow -> r:netadm && !r::\p*LK\p*:; f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:; f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:; f:/etc/shadow -> r:svctag && !r::\p*LK\p*:; f:/etc/shadow -> r:xvm && !r::\p*LK\p*:; f:/etc/shadow -> r:upnp && !r::NL:|:NP:; f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:; # # #9.4 Ensure Password Fields are Not Empty [CIS - Solaris 11 Configuration - 9.4 Ensure Password Fields are Not Empty] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/shadow -> r:\.+::\.+\w+\.*$; # # #9.5 Verify No UID 0 Accounts Exist Other than root [CIS - Solaris 11 Configuration - 9.5 Verify No UID 0 Accounts Exist Other than root] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/passwd -> !r:^root && r::\.:0:\.*; # # #9.6 Ensure root PATH Integrity [CIS - Solaris 11 Configuration - Ensure root PATH Integrity] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/profile -> r:.; f:/etc/environment -> r:.; f:/.profile -> r:.; f:/.bash_profile -> r:.; f:/.bashrc -> r:.; f:/etc/profile -> r:::; f:/etc/environment -> r:::; f:/.profile -> r:::; f:/.bash_profile -> r:::; f:/.bashrc -> r:::; f:/etc/profile -> r::$; f:/etc/environment -> r::$; f:/.profile -> r::$; f:/.bash_profile -> r::$; f:/.bashrc -> r::$; # # #9.10 Check for Presence of User .rhosts Files [CIS - Solaris 11 Configuration - 9.10 Check for Presence of User .rhosts Files] [any] [https://workbench.cisecurity.org/benchmarks/410] d:$home_dirs -> ^.rhosts$; # # #9.12 Check That Users Are Assigned Home Directories [CIS - Solaris 11 Configuration - 9.12 Check That Users Are Assigned Home Directories] [any] [https://workbench.cisecurity.org/benchmarks/410] f:/etc/passwd -> \w+:\.*:\d*:\d*:\.*:\S+:\.*; # # #9.20 Check for Presence of User .netrc Files [CIS - Solaris 11 Configuration - 9.20 Check for Presence of User .netrc Files] [any] [https://workbench.cisecurity.org/benchmarks/410] d:$home_dirs -> ^.netrc$; # # #9.21 Check for Presence of User .forward Files [CIS - Solaris 11 Configuration - 9.21 Check for Presence of User .forward Files] [any] [https://workbench.cisecurity.org/benchmarks/410] d:$home_dirs -> ^.forward$; # # #