%NAMED001w
A 'named' startup script was found on your system.  This indicates 
your system may be running a Domain Name Service (DNS).  If the
system should not be acting as a DNS server, the startup script
should be disabled, whether the service is actually starting or
not, to prevent it from starting in the future due to a 
configuration change.

%NAMED002f
A 'named' daemon was found running on your system.  This indicates
your system is running a Domain Name Service (DNS).  If your system
should be acting as a DNS server, this is acceptable as long as the service
has been checked for security and is up-to-date on patches.  If your
system is not acting as a DNS server, then this service can be a vulnerability
and should be removed from the system.

%RPC001w
The indicated RPC service was found running on the system.
This RPC service has been prone to attack and should only
be run if necessary.  If you need to run this service, make sure 
the system is up-to-date on patches.  If you do not need to
be running this service, remove it.

%CORE001i
Core dump size is not set to zero in /etc/system. When a program 
terminates due to the receipt of a signal (crashes), the core image 
is written to a file called 'core' in the process's working
directory.  If the core file is written into the root partition, the 
root partition could fill up preventing the system from continuing
to operate.  Unless you plan to review core files to determine
why a program failed, the 'coredumpsize' in /etc/system should
be set to zero to prevent the root partition from running out of 
space due to the creation of a core file.

%CORE002i
Core dump size is not set to zero in the PAM configuration. 
When a program terminates due to the receipt of a signal (crashes),
the core image is written to a file called 'core' in the process's
working directory.  If the core file is written into the root 
partition, the root partition could fill up preventing the system 
from continuing to operate. 

%CRON001i
CRONLOG entry not found or misconfigured in /etc/default/cron.
The 'CRONLOG=YES' entry in /etc/default/cron enables the logging 
by the cron process to the /var/cron/log file.  Without this entry 
logging will not occur preventing the use of the logs for 
diagnostic purposes when cron fails.

%CRON002w
The permissions for /var/cron are not secure.
The cron log directory /var/cron should have permissions 700 
(drwx------) to allow reading and writing only by root.

%CRON003i
The LIMIT parameter in /etc/cron.d/logchecker is not set to a reasonable
level. The cron log is rotated according to the parameters in the 
/etc/cron.d/logchecker file.  The 'LIMIT' parameter determines the maximum 
size the log file is allowed to get before it is rotated.  This should be 
kept less than 2MB.  Without a limit, the log will continue to grow and
could eventually become so big that it fills up the partition.  Setting 
the LIMIT parameter to a low value will prevent this.  

%CRON004w
The cron.allow and cron.deny files are used as access controls for
'crontab'.  Access is allowed for a user if the user's name is in 
cron.allow.  If a cron.allow file does not exist, but a cron.deny does,
all users are allowed access except for those listed in the cron.deny file.
If neither cron.allow nor cron.deny exists, access is restricted to the
superuser.

%CRON005w
The at.allow and at.deny files are used as access controls for the 'at' 
and 'batch' utilities.  Access is allowed for a user if the user's name 
is in at.allow.  If an at.allow file does not exist but an at.deny file does,
all users are allowed access except for those listed in the at.deny file.
If neither at.allow nor at.deny exists, access is restricted to the superuser.

%CRON006w
The at.allow and at.deny files are used as access controls for the 'at' 
and 'batch' facilities.  Similarly, the cron.allow and cron.deny files are
used as access controls for the crontab facility.  Beginning with 
Solaris 8 (version 1/01), Solaris has Role-based Access Control (RBAC) 
which allows non-root users to be granted privileges without becoming root.
The default RBAC configuration gives privilege to all users for access to
these commands if neither the respective 'allow' nor 'deny' file exists.
Before the inclusion of RBAC, only root would have had access.  
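
The following POSIX shell script is an added illustration, not part of this message catalog or of the tool it belongs to.  It implements the allow/deny decision that CRON004w and CRON005w describe for crontab, at and batch, and models the CRON006w RBAC-era default through an optional fourth argument that is this example's own switch, not a system setting.  All files it reads are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original catalog): the crontab/at access decision
# derived from CRON004w, CRON005w and CRON006w.
#
# Usage: access_decision USER ALLOWFILE DENYFILE [rbac]
# Prints "allowed" or "denied" and always exits 0.  The optional fourth
# argument is this example's own switch: "yes" models the Solaris 8 1/01 RBAC
# default in which everyone gets access when neither file exists.
access_decision() {
    user=$1; allowfile=$2; denyfile=$3; rbac=${4:-no}
    if [ -f "$allowfile" ]; then
        # An allow file takes precedence: only listed users get access.
        if grep -qxF "$user" "$allowfile"; then echo allowed; else echo denied; fi
    elif [ -f "$denyfile" ]; then
        # Deny file only: everyone except the listed users gets access.
        if grep -qxF "$user" "$denyfile"; then echo denied; else echo allowed; fi
    elif [ "$user" = root ] || [ "$rbac" = yes ]; then
        # Neither file: superuser only before RBAC, everybody with RBAC defaults.
        echo allowed
    else
        echo denied
    fi
}

# Usage: allow_deny_state ALLOWFILE DENYFILE
# Summarises which rule is in force, the condition the catalog entries test.
allow_deny_state() {
    if [ -f "$1" ]; then echo "allow-list in force"
    elif [ -f "$2" ]; then echo "deny-list only: all unlisted users have access"
    else echo "no allow/deny files: access depends on RBAC defaults"
    fi
}

# Demo on constructed files in a scratch directory, never on /etc/cron.d.
demo=$(mktemp -d)
printf 'alice\n' > "$demo/cron.allow"
printf 'mallory\n' > "$demo/cron.deny"
for u in alice mallory bob root; do
    echo "$u: $(access_decision "$u" "$demo/cron.allow" "$demo/cron.deny")"
done
rm -f "$demo/cron.allow"
allow_deny_state "$demo/cron.allow" "$demo/cron.deny"
rm -rf "$demo"
```

The same function serves the 'at' case by passing at.allow and at.deny instead of cron.allow and cron.deny; the third branch is the one CRON006w is about, since with RBAC defaults the absence of both files widens access from root alone to every user.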

%APACHE001i
One or more Apache web server scripts were FOUND in rc*.d directories 
but not configured to start. Solaris 8 and newer systems include the 
Apache web server as a service. Unless you intend for this service to 
run it should be disabled.  

%APACHE002f
One or more Apache web server scripts were found in the rc*.d directories 
and are configured to start.  Solaris 8 and newer systems include the 
Apache web server as a service.  If you do not need a web service running 
this should be disabled.

%APACHE003f
An httpd daemon was found running!  Solaris 8 and newer systems include
the Apache web server as a service.  An httpd daemon is a likely target 
for hackers and is likely to be exploitable now or in the future.  

%APACHE004w
One or more Apache web server startup scripts was FOUND enabled in the 
/etc/rc.d/rc*.d startup script directory.  If you do not need a web 
service these scripts should be disabled to prevent the web server from 
starting now or in the future.  You should also check to see if a web 
server is running and if it is, reboot the system after the startup scripts
have been disabled.

%APACHE005f
The Apache Web Service daemon (httpd) was found running on the system.
An httpd daemon is a likely target for hackers and is likely to be 
exploited in the future.  If you do not need a web service running, it
should be disabled by renaming the Apache startup scripts and rebooting the
system.

%DHCP001i
A DHCP server startup script (S34dhcp) was found in the /etc/rc3.d directory.
A DHCP daemon was not found to be running, however, unless this UNIX system 
is to provide DHCP service it is recommended the service be disabled.  The 
startup script can be disabled by renaming the script, for example, 
to 'disable_S34dhcp'.

%DHCP002f
A DHCP server was found running on this system.  The server is
'in.dhcpd' and should not be running unless this system is acting
as a DHCP server.  The startup script can be disabled by renaming 
the script, for example, to 'disable_S34dhcp'.  After renaming the script,
reboot the system.

%LOGIN001w
The file /var/log/loginlog does NOT exist.  Without the 
/var/adm/loginlog file in place, no logging of failed login attempts 
will be done.

%LOGIN002i
The value of 'RETRIES' in /etc/default/login should have a value of 3 
or less to discourage attempts to guess an account and password 
multiple times to gain entry to the system.  The default number of 
retries is 5. To set a value of 3 or less, add the line 'RETRIES=n', 
where n is 3 or less, in the file /etc/default/login.

%NFS001f
The NFS daemons 'nfsd' and/or 'mountd' were found running on this 
system.  Unless this system is acting as an NFS server these should
be disabled.  To disable these daemons, disable the NFS startup
script for the NFS server daemons.

%NFS002w
The PORTMON value is either not set or not set to '1' in /etc/system.
If the NFS_PORTMON variable is set, then clients are required
to use privileged ports (ports < IPPORT_RESERVED) in order to get NFS
services.  This variable is equal to zero by default.  This variable
has been moved from the "nfs" module to the "nfssrv" module.

%NFS003w
A NFS server startup script was found enabled on the system.  Unless
this system is to be a NFS server, the startup script should be
disabled to prevent it from starting.  If a NFS server daemon is not
running, the startup script should still be disabled to prevent a
future configuration change from allowing it to start the NFS server
daemons.

%NFS004f
The NFS daemons 'lockd' and/or 'statd' were found running on this 
system.  Unless this system is acting as an NFS client these should
be disabled.  To disable these daemons, disable the NFS startup
script for the NFS client daemons.

%NFS005w
A NFS client startup script was found enabled on the system.  Unless
this system is to be a NFS client, the startup script should be
disabled to prevent it from starting.  If NFS client daemons are not
running, the startup script should still be disabled to prevent a
future configuration change from allowing it to start the NFS client
daemons.

%RHOSTS001w
The rlogin, rsh or rexec authentication via rhosts is ENABLED in
/etc/pam.conf.  The Pluggable Authentication Module (PAM) provides
authentication functionality for various services.  The 'rlogin'
and 'rsh' services should not be used since they are not secure
services.  The PAM module 'pam_rhosts_auth' allows authentication
based on an rhosts entry.  To disable rlogin, rsh or rexec
authentication via rhosts, comment out the 'rlogin', 'rsh' or 'rexec'
entries in the file /etc/pam.conf that use the 'pam_rhosts_auth'
module.

%SENDMAIL001f
The sendmail daemon has been found running on your system in a mode
designed to act as a mail server.  This means the service is available 
to accept mail sent from other systems.  The sendmail service has been
a target of network attacks and should only be run if the system is acting
as a mail server.  

%SENDMAIL002f
The sendmail daemon has been found running on your system in a mode
designed to act as a mail server.  This means the service is available 
to accept mail sent from other systems.  The sendmail service has been
a target of network attacks and should only be run if the system is acting
as a mail server.  The startup script for the sendmail service is 
/etc/rc2.d/S88sendmail.  Unless this system is a mail server, this service
should be disabled.  

%SENDMAIL003i
The startup script for sendmail was found in the '/etc/rc.d' directories.
Unless this system is to provide Sendmail service it is recommended the 
service be disabled.  Even if the Sendmail service is not starting due
to other configurations, it is recommended the script be disabled to
prevent a future configuration change from allowing this script to start
the Sendmail service.

%SNMP001f
A SNMP daemon was found running on this system.  Unless this system 
is to provide SNMP service it is recommended the service be disabled.

%SNMP002w
Unless this UNIX system is to provide SNMP service it is recommended 
the service be disabled.  One or more SNMP service startup scripts were
found and may be starting the service.  To ensure the service is not
started, the SNMP service startup script should be disabled.

%DMI001f
A DMI daemon, either 'dmispd' or 'snmpXdmid', was found running on this
system.  These are the Solstice Enterprise Agent Desktop Management
Interface daemons.  Unless you need to be running this package it is 
recommended that you not run these.

%DMI002w
The DMI service startup script was found (/etc/rc3.d/S77dmi) but no
daemons appear to be running.  This is the Solstice Enterprise Agent
Desktop Management Interface package.  It maps the SNMP requests
forwarded by the Master Agent (snmpdx(1M)) into one or more
equivalent DMI requests.  This service should not be running unless
necessary.  Even though its daemons are not running, the startup
script should be disabled to prevent its starting in the future.

%SULOG001i
The '/var/adm/sulog' file was not found. The sulog file is a record of 
all attempts by users on the system to  execute the 'su' command.  
Without the log file 'su' cannot log attempted usage.  This is 
important to review should a security compromise be suspected.

%WBEM001w
The Web-based Enterprise Management's (wbem) startup script (S90wbem)
was found in the /etc/rc2.d directory.  Unless this service is 
intended to run on this system it should be disabled.

%FTPD001w
The in.ftpd is NOT being started with either the '-l' option, the '-d' option,
or both.  The 'in.ftpd' service allows other systems to connect to this 
system via ftp.  This is due to 'in.ftpd' existing in the 
'/etc/inet/inetd.conf' file.  Without the '-l' option, in.ftpd will not 
log connections.  Without the '-d' option, 'in.ftpd' will not log debugging 
information.  To enable logging of ftp connections and debugging information,
add the '-l' and '-d' options to 'in.ftpd' in the /etc/inet/inetd.conf file.
Also, check the /etc/syslog.conf file to make sure it is set up to log the 
debug information via the daemon.debug selector.  For more information, see 
the syslog.conf man page.
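
As an added example that is not part of the original catalog, the POSIX shell script below reads a file in inetd.conf format and reports whether the ftp entry starts in.ftpd with the '-l' and '-d' options that FTPD001w asks for.  The field layout assumed is the standard one (service, socket type, protocol, wait status, user, server path, then argv starting with the program name); the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original catalog): reads a file in inetd.conf
# format and reports whether the ftp entry starts in.ftpd with the '-l' and
# '-d' options that FTPD001w asks for.  Sample contents are constructed.
# inetd.conf fields: service socket-type protocol wait-status user server-path [argv...]
# Field 7 is argv[0] (in.ftpd); the options follow it.

# Usage: ftpd_logging_status FILE -> "ok", "absent", or "missing: -l -d"
ftpd_logging_status() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }     # comments, blanks, junk
        $1 == "ftp" {
            found = 1; l = 0; d = 0
            for (i = 8; i <= NF; i++)            # options after argv[0]
                if ($i ~ /^-[A-Za-z]+$/) {       # single or bundled flags (-l, -ld)
                    if (index($i, "l")) l = 1
                    if (index($i, "d")) d = 1
                }
            if (l && d) print "ok"
            else {
                out = "missing:"
                if (!l) out = out " -l"
                if (!d) out = out " -d"
                print out
            }
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# Constructed sample; the ftp line is the shape FTPD001w warns about.
write_sample_inetd_conf() {
    printf '%s\n' \
        '# constructed inetd.conf' \
        'ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd' \
        'telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd' > "$1"
}

f=$(mktemp)
write_sample_inetd_conf "$f"
echo "in.ftpd logging options: $(ftpd_logging_status "$f")"
rm -f "$f"
```

A commented-out ftp line is reported as absent, which is the right answer for this check since inetd ignores it.  The corrected entry the catalog describes is the same line with 'in.ftpd -l -d' at the end, together with a daemon.debug selector in /etc/syslog.conf so the debug output is actually recorded.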

%FTPD002i
The file /etc/ftpd/ftpaccess contains the specifications for the 
Internet File Transfer Protocol (ftpd) and should contain a
specification for the value of the umask which it uses to create
files during PUT operations.  The umask should be 022.

%FTPD003i
The file /etc/default/ftpd contains the specifications for the 
Internet File Transfer Protocol (ftpd) and should contain a
specification for the value of the umask which it uses to create
files during PUT operations.  The umask should be 022.

%ISSUE001w
The files /etc/issue and /etc/motd are used to display a banner at login.
The absence of /etc/issue or /etc/motd indicates this machine may not
display a banner at login.  All government computers must display a banner
at login. 

%ISSUE002w
The files /etc/issue and /etc/motd are used to display a banner at login.  
The indicated file is less than 250 bytes indicating the file may simply 
contain system information and not a warning.  System information should 
not be included in a banner since it could give hackers valuable 
information to use in an attack. 

%ISSUE003f
The files /etc/issue and /etc/motd are used to display a banner at login.
The indicated file was found to contain key system specific words which 
might mean the banner contains system information.  System information 
should not be included in a banner since it could give hackers valuable 
information to use in an attack.

%ISSUE004w
The file /etc/issue.net was not found.  This file is used by Linux to
display a banner when a connection via telnet occurs.  All government 
computers must display a banner at login.  Even if telnetd is disabled, 
a /etc/issue.net file should exist with an appropriate banner in the 
event that telnetd is enabled in the future.

%ISSUE005f
The file /etc/issue.net is used to display a banner when a telnet
connection is made.  The file was found to contain key system specific 
words which might mean the banner contains system information.  System 
information should not be included in a banner since it could give hackers 
valuable information to use in an attack.  Even if telnetd is disabled, 
a /etc/issue.net file should not contain system information in the 
event that telnetd is enabled in the future.

%ISSUE006w
The files /etc/default/telnetd and /etc/default/ftpd can contain banner 
information to be displayed when they allow a connection. The absence of
/etc/default/telnetd or /etc/default/ftpd, or the absence of a 'BANNER='
line in either file, indicates this machine may not display a banner when 
a connection is made. 

%ISSUE007f
The files /etc/default/telnetd and /etc/default/ftpd can contain banner 
information to be displayed when they allow a connection. The indicated 
file's banner information was found to contain key system specific words 
which might mean the banner contains system information.  System 
information should not be included in a banner since it could give hackers
valuable information to use in an attack. 

%LP001f
The LP daemon was found running on this system.  The daemon is a print 
service started by a script. Unless the system is acting as a print 
server, this should be disabled.

%LP002w
One or more scripts to start the LP service were found.
Unless this system is a print server the LP service should not be 
started.

%LP004w
The account 'lp' should not be used to run cron jobs, which are 
typically run by root or individual users.  If the 'lp' cron job is 
legitimate, consider using root or an individual account instead.  

%LP005f
The "in.lpd" service was found in /etc/inetd.conf.  Unless the system
is acting as a print server, this should be disabled.

%ROUTED001w
in.routed is invoked at boot time to manage the network routing
tables.  When invoked with the '-q' option, in.routed will listen 
for, but not supply, routing information.

%ROUTED002w
The in.routed process is running but not in quiet mode.  This means 
your system is acting as a router by passing routing information 
to other systems.

%ROUTED003w
The 'routed' service has a startup script in the '/etc/rc.d' directory.
You should determine whether it is set up to start the routed daemon in
quiet mode.

%SHADOW001w
A /etc/shadow file was not found.  The /etc/shadow file is an 
access-restricted ASCII system file that stores users' encrypted 
passwords and related information.  This provides security for 
the /etc/passwd file. 

%SHADOW002w
The /etc/shadow file should only be owned by 'root'.

%SHADOW003w
The /etc/shadow file should have group ownership of 'sys'.  

%SHADOW004w
The /etc/shadow file should have mode 600 to protect it against 
viewing by non-root users.

%SHADOW005w
The 'inactivity field' of the /etc/shadow file shows the indicated
accounts have inactivity duration times either not set or greater than 
180 days. The seventh field in the /etc/shadow file indicates the 
number of days of inactivity for that account before it is automatically 
locked.  If the field is blank, then the account can remain inactive 
forever without being automatically locked.  All user accounts should
have inactivity fields set to prevent a user account which is no longer
in use from continuing to remain active after a period of inactivity.

%SHADOW006w
An active account was found with a local password that has not been 
changed for over six months.  This was determined by examining the 3rd 
field in the /etc/shadow file.  Passwords should be changed regularly.  
The older a password becomes, the more prone it is to being discovered.
It is a best practice to not allow a password to go unchanged for more
than six months.

%TCP001w
The file /etc/default/inetinit contains a setting named 'TCP_STRONG_ISS'.
This setting defines the TCP initial sequence number generation 
parameters.  There are three possible settings:
0 = Old-fashioned sequential initial sequence number generation.
1 = Improved sequential generation, with random variance in increment.
2 = RFC 1948 sequence number generation, unique-per-connection-ID.
The /etc/default/inetinit file was either not found or the 
TCP_STRONG_ISS value was not set or set to something other than '2'.
A value of '2' for TCP_STRONG_ISS causes the system to use a better
algorithm for randomizing the initial TCP sequence numbers making 
it difficult for hackers to predict TCP sequence number information
which could be used in an attack.

%TMP001w
The /tmp directory is used by both users and system programs for the
creation of temporary files used by the programs.  Without the 
'sticky bit' set, any user can delete or modify a file in /tmp.  
This can be used by hackers to manipulate running programs.

%SYSLOG001i
The absence of an entry for 'auth.notice' in /etc/syslog.conf means
that authentication notices from the authorization system 
(login, su, and others) will not be logged or sent to the console.

%HOSTS001i
The loghost allows the system to send logs to another system, 
identified as 'loghost' in the /etc/inet/hosts file,  thereby
increasing the security of the system by preventing the removal
of log files.  

%SUSPEND001w
The PERM setting in '/etc/default/sys-suspend' should be set to '-' 
which restricts the execution of /usr/openwin/bin/sys-suspend to 
the super-user.  Allowing non-super-user access to this command
would allow non-super-users to shut down the system.

%NSCD001w
The Name Service Caching Daemon (nscd) was found running on this system.
'nscd' is a process that provides a cache for the 'passwd', 'group', 
'hosts', and on Solaris 8 and newer, 'ipnodes' files.  To increase 
security, it is recommended that the nscd daemon be stopped and prevented
from running.

%NSCD002w
The Name Service Caching Daemon (nscd) is a process that provides a 
cache for the 'passwd', 'group', 'hosts', and for Solaris 8 and newer,
'ipnodes' files.  To increase security, it is recommended that
caching be disabled for these files in the nscd configuration file
(/etc/nscd.conf).  If the 'nscd' process is not running then there is
no security vulnerability but it is still worth disabling caching in
/etc/nscd.conf in case the 'nscd' process is started in the future.

%PRESERVE001w
Expreserve is a utility that preserves the state of a file being edited
by vi(1) or ex(1) when an edit session terminates abnormally or when 
the system crashes. Expreserve has a vulnerability that allows users 
to overwrite any file on the system. By exploiting this vulnerability, 
users with access to an account on the system can readily gain root 
privileges.

%STACK001w
The 'noexec_user_stack' is a useful kernel module that restricts
execution of code on the stack and can provide protection against
buffer overflows to the stack.  This makes buffer overflow attacks,
a common form of hacking, more difficult to achieve. 

%KEYSERV001w
Keyserv is a daemon used for storing the private encryption keys
of each user logged into the system.  If the user has not properly 
authenticated to Secure RPC, then their private key is not available.
If the 'ENABLE_NOBODY_KEYS' parameter in the /etc/default/keyserv 
file is set to 'YES', or not set at all, secure protocols will attempt to 
use the 'nobody' user's private key instead to compute a magic phrase 
which can be easily recovered by an attacker. 

%KEYSERV002w
Keyserv is a daemon used for storing the private encryption keys
of each user logged into the system.  If the user has not properly 
authenticated to Secure RPC, then their private key is not available.
If keyserv is not started with the '-d' option, secure protocols
will attempt to use the 'nobody' user's private key instead
to compute a magic phrase which can be easily recovered by an attacker.

%PASSWD001i
The file '/etc/default/passwd' for Solaris systems and '/etc/login.defs'
for Linux systems defines how passwords are managed on the system.  The
variable setting the maximum time a password is valid (MAXWEEKS
in /etc/default/passwd on Solaris, and PASS_MAX_DAYS in /etc/login.defs
on Linux) is either not set or is greater than the recommended 23 weeks
(180 days).  Having the system disable passwords after a given time
ensures that old accounts eventually become disabled and thus do not become
an avenue for hacker attack.

%PASSWD002w
The value for the variable for the minimum length of a password
allowed by the system ('PASSLENGTH' in /etc/default/passwd on Solaris, 
and 'PASS_MIN_LEN' in /etc/login.defs on Linux) is not set or is less 
than the recommended value of '6'.
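
Several entries in this catalog (LOGIN002i, TCP001w, PASSWD001i, PASSWD002w) come down to reading one KEY=VALUE line from a file under /etc/default and comparing it with a threshold.  The POSIX shell script below is an added example, not part of the original catalog: one reader for that file format, which skips comments, takes the last uncommented assignment as the shell would, and strips quotes, followed by the four threshold checks as the catalog states them.  The sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original catalog): reader for /etc/default-style
# KEY=VALUE files plus the thresholds from LOGIN002i (RETRIES <= 3),
# TCP001w (TCP_STRONG_ISS = 2), PASSWD001i (MAXWEEKS <= 23) and
# PASSWD002w (PASSLENGTH >= 6).  Sample file contents are constructed.

# Usage: default_value FILE KEY -> prints the effective value, or nothing.
# Assumption: like the shell that sources these files, the last uncommented
# assignment wins, trailing comments are ignored and surrounding quotes drop.
default_value() {
    [ -f "$1" ] || return 0
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # comment line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[[:space:]]*(#.*)?$/, "", val)      # trailing comment/space
                gsub(/^["'\'']|["'\'']$/, "", val)        # strip quotes
                last = val
            }
        }
        END { if (last != "") print last }
    ' "$1"
}

is_num() { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# Each check prints PASS or FAIL with the value seen and always returns 0.
check_retries() {                # LOGIN002i: RETRIES must be 3 or less
    v=$(default_value "$1" RETRIES)
    if is_num "$v" && [ "$v" -le 3 ]; then echo "PASS RETRIES=$v"
    else echo "FAIL RETRIES=${v:-unset} (want 3 or less)"; fi
}
check_tcp_strong_iss() {         # TCP001w: must be exactly 2 (RFC 1948)
    v=$(default_value "$1" TCP_STRONG_ISS)
    if [ "$v" = 2 ]; then echo "PASS TCP_STRONG_ISS=2"
    else echo "FAIL TCP_STRONG_ISS=${v:-unset} (want 2)"; fi
}
check_maxweeks() {               # PASSWD001i: set and no more than 23 weeks
    v=$(default_value "$1" MAXWEEKS)
    if is_num "$v" && [ "$v" -le 23 ]; then echo "PASS MAXWEEKS=$v"
    else echo "FAIL MAXWEEKS=${v:-unset} (want 23 or less)"; fi
}
check_passlength() {             # PASSWD002w: at least 6
    v=$(default_value "$1" PASSLENGTH)
    if is_num "$v" && [ "$v" -ge 6 ]; then echo "PASS PASSLENGTH=$v"
    else echo "FAIL PASSLENGTH=${v:-unset} (want 6 or more)"; fi
}

# Constructed stand-ins for /etc/default/login, inetinit and passwd.
write_samples() {
    printf '# constructed /etc/default/login\nRETRIES=5\n' > "$1/login"
    printf 'TCP_STRONG_ISS=1\nTCP_STRONG_ISS="2"   # hardened later in the file\n' > "$1/inetinit"
    printf 'MAXWEEKS=\nMINWEEKS=1\nPASSLENGTH=8\n' > "$1/passwd"
}

d=$(mktemp -d)
write_samples "$d"
check_retries "$d/login"
check_tcp_strong_iss "$d/inetinit"
check_maxweeks "$d/passwd"
check_passlength "$d/passwd"
rm -rf "$d"
```

On a real host the checks take /etc/default/login, /etc/default/inetinit and /etc/default/passwd as their arguments; a missing file reads as every key unset, which is the FAIL case TCP001w describes.  The Linux equivalents PASS_MAX_DAYS and PASS_MIN_LEN in /etc/login.defs use whitespace rather than '=' and would need a separate reader.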

%PASSWD003w
The PAM facility is not configured to use the 'pam_cracklib.so' module.
This module provides for checking password updates from various services.
By having the 'pam_cracklib' module, newly changed passwords will be
assessed for their strength.  This check was done specifically for the
'passwd' service.

%ADMIN001w
Certain administrative accounts typically do not require the ability 
to login to the system and so to enhance security these accounts should 
not have valid login shells.  If the 'shell' field (field number 7) 
in /etc/passwd is blank, the system will default to /usr/bin/sh.  In 
other words, a blank shell field means the account has the valid 
/usr/bin/sh login shell. 

%FTPUSERS001w
The file /etc/ftpusers is missing.  This file is an ascii file,
which is read by in.ftpd and lists users for whom ftp login 
privileges are disallowed.  Unless ftp is completely disabled
on this system, the /etc/ftpusers file should be present and 
contain administrative account names (one account per line) to 
disallow administrative users access via ftp.

%FTPUSERS002w
The indicated administrative accounts are not in the /etc/ftpusers
file.  All administrative accounts should be in this file (one
account name per line) to disallow ftp access by these 
administrative accounts.  If ftp service is not set up on this 
system then this is not a problem.  

%SSH001w
An 'sshd' daemon was found running on your system but the 'ssh' 
program was not found to determine the version of ssh running.  
Find the 'ssh' executable and execute 'ssh -V' which will return 
the version of the ssh you are running.  If the version is OpenSSH 
version 3.3 or earlier, or SSH Secure Shell from 'SSH Communication 
Security' version 3.00 or earlier, it is considered vulnerable to 
various exploits which are dependent upon which version you are
running. 

%SSH002w
Some versions of SSH have been found to contain vulnerabilities.
These include:
   -OpenSSH versions 3.3 and earlier.
   -SSH Communications Security, Inc. (non-commercial) version 3.0.0 
    and earlier.

%SHELLS001w
The file /etc/shells contains a list of the shells on the system.
It should be owned by root and not user or group writable (mode 644).  
Applications use this file to determine whether a shell is valid.  
Without /etc/shells, any program can be used in the /etc/passwd file 
to represent a user shell.  It is best practice to register user shells 
in the /etc/shells file.
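
The POSIX shell script below is an added example, not part of the original catalog.  It performs the cross-checks behind ADMIN001w (administrative accounts whose effective shell is valid, with a blank seventh field counting as /usr/bin/sh), SHELLS001w (/etc/shells as the list of valid shells) and FTPUSERS002w (administrative accounts missing from /etc/ftpusers).  The list of administrative account names is an assumption of the example, since the catalog does not enumerate one, and all files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original catalog): the cross-checks described in
# ADMIN001w (administrative accounts with a usable login shell, a blank field
# meaning /usr/bin/sh), SHELLS001w (/etc/shells as the list of valid shells)
# and FTPUSERS002w (administrative accounts missing from /etc/ftpusers).
# The administrative account list is an assumption of this example.

# Usage: admin_accounts_with_login_shell PASSWD SHELLS "ADMIN ACCOUNTS"
# Prints "account: shell" for each listed account whose effective shell is valid.
admin_accounts_with_login_shell() {
    awk -F: -v shells="$2" -v admins="$3" '
        BEGIN {
            while ((getline line < shells) > 0)
                if (line !~ /^[[:space:]]*(#|$)/) valid[line] = 1
            n = split(admins, a, " ")
            for (i = 1; i <= n; i++) admin[a[i]] = 1
        }
        NF >= 7 && ($1 in admin) {
            shell = ($7 == "") ? "/usr/bin/sh" : $7    # blank field defaults to sh
            if (shell in valid) print $1 ": " shell
        }
    ' "$1"
}

# Usage: admins_missing_from_ftpusers FTPUSERS "ADMIN ACCOUNTS"
# Prints each listed account that is not in FTPUSERS (all of them if the file
# is missing, which is the FTPUSERS001w case).
admins_missing_from_ftpusers() {
    for u in $2; do
        if [ -f "$1" ] && grep -qxF "$u" "$1"; then :; else echo "$u"; fi
    done
}

# Constructed sample files (not real system files).
write_account_samples() {
    printf '%s\n' '# constructed /etc/shells' /bin/sh /usr/bin/sh /usr/bin/ksh /bin/ksh > "$1/shells"
    printf '%s\n' \
        'root:x:0:0:Super-User:/:/usr/bin/ksh' \
        'daemon:x:1:1::/:' \
        'bin:x:2:2::/usr/bin:/usr/bin/false' \
        'sys:x:3:3::/:/bin/sh' \
        'alice:x:1001:10::/home/alice:/usr/bin/ksh' > "$1/passwd"
    printf '%s\n' root daemon bin > "$1/ftpusers"
}

admins="daemon bin sys adm lp"      # assumed list for the demo
d=$(mktemp -d)
write_account_samples "$d"
echo "administrative accounts with a valid login shell:"
admin_accounts_with_login_shell "$d/passwd" "$d/shells" "$admins"
echo "administrative accounts missing from ftpusers:"
admins_missing_from_ftpusers "$d/ftpusers" "$admins"
rm -rf "$d"
```

In the sample, 'daemon' is reported because its blank shell field resolves to /usr/bin/sh, which SHELLS001w lists as valid, while 'bin' is not reported because /usr/bin/false is absent from the shells file; that is exactly the distinction ADMIN001w draws.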

%INETD001w
The inetd service is running without the '-t' option.  The '-t'
option for inetd instructs inetd to trace the incoming connections
for all of its TCP services.  It does this by logging the client's
IP address and TCP port number, along with the name of the service,
using the syslog facility.  UDP services can not be traced.  When
tracing is enabled, inetd uses the syslog facility code 'daemon'
and 'notice' priority level.  If you use the '-t' option you should
check that 'daemon.notice' logging is enabled in /etc/syslog.conf.

