%NAMED001w
To disable the 'named' startup script, look for a script named
S*named, where '*' is a number, in the /etc/rc[123].d directories
on Solaris, or in the /etc/rc.d/rc[12345].d directories on Linux.
Rename the script so it no longer begins with the letter 'S'
(e.g., mv /etc/rc3.d/S72named /etc/rc3.d/disable_S72named)

%NAMED002f
To shut off the 'named' process, determine the startup script
that is starting the process (see %NAMED001w) and run it with
the "stop" option (e.g., /etc/rc3.d/S72named stop).  Or, determine 
the 'named' process ID using 'ps -ef' and then kill the process.
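The stop-then-rename procedure above (and the same one repeated for the
Apache, DHCP, NFS, sendmail, SNMP, DMI, wbem, LP and nscd entries below)
as an added shell example; this is not part of the original message text.
It assumes a System V style rc directory passed as an argument and a
script that accepts the "stop" argument.

```shell
#!/bin/sh
# disable_rc_script: stop a System V style startup script and rename it so
# it no longer begins with 'S', as the %NAMED001w/%NAMED002f procedure
# describes.  Usage: disable_rc_script /etc/rc3.d/S72named
# Prints the new path on success; non-zero exit on any problem.
disable_rc_script() {
    script=$1
    dir=$(dirname "$script")
    name=$(basename "$script")
    # Refuse anything that is not an rc start script (S followed by digits),
    # so a kill script (K*) or an already disabled one is never touched.
    case $name in
        S[0-9]*) ;;
        *) echo "not an S-script: $script" >&2; return 1 ;;
    esac
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    # Stop the running service first, while the script still has its
    # original name; some scripts look at their own name to decide what to do.
    if [ -x "$script" ]; then
        "$script" stop || { echo "stop failed: $script" >&2; return 1; }
    fi
    target="$dir/disable_$name"
    [ -e "$target" ] && { echo "already exists: $target" >&2; return 1; }
    mv "$script" "$target" || return 1
    echo "$target"
}

# is_rc_enabled: report (exit 0) whether any S-script for a service is still
# present in the given rc directories, so the change can be verified.
# Usage: is_rc_enabled named /etc/rc2.d /etc/rc3.d
is_rc_enabled() {
    svc=$1; shift
    for d in "$@"; do
        for f in "$d"/S[0-9]*"$svc"; do
            [ -f "$f" ] && return 0
        done
    done
    return 1
}
```

After renaming, confirm nothing else starts the daemon (ps -ef | grep named), as the
Apache and DHCP entries below also advise.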

%RPC001w
To remove any of the following services from /etc/inetd.conf, place a
comment (#) at the beginning of the line containing the service.
Then either reboot the system or kill the running service's process.
Services: "rpc.ttdbserverd", "rpc.cmsd", "rpc.statd", "sadmind",
"rpc.mountd", "cachefsd", and "snmpXdmid".

%CORE001i
Unless you plan to review core files to determine why a program 
failed, the 'coredumpsize' in /etc/system should be set to zero 
to prevent the root partition from running out of space due to 
the creation of a core file.  To set this feature, add the line:
"set sys:coredumpsize=0" to the /etc/system file.

%CORE002i
Unless you plan to review core files to determine why a program 
failed, you should set a limit on the size of a core file using 
the PAM facility.  See the /etc/security/limits.conf file for more
information.

%CRON001i
Review the /etc/default/cron file and consider adding the 
'CRONLOG=YES' entry to enable the logging by the cron process 
to the /var/cron/log file.  See the 'cron' manpage for more
information.

%CRON002w
Set the /var/cron directory permission to 700 (e.g., become root
and execute: chmod 700 /var/cron).

%CRON003i
Setting the LIMIT parameter to a low value will prevent the cron log
from filling up its partition.  To keep the log at the recommended
size of 2MB or less, review /etc/cron.d/logchecker, see whether it
sets a value for 'LIMIT', and modify or add that setting so the limit
is 2MB (e.g., LIMIT=2048).

%CRON004w
Since only root should have access to 'crontab', the access controls
should be set with only root in cron.allow and no cron.deny file
at all, or no cron.allow and no cron.deny files.  The use of both 
cron.allow and cron.deny is not recommended since these controls 
were not designed to be used together.  See the 'crontab' man page
for more information.

%CRON005w
Since only root should have access to 'at' or 'batch', the access 
controls should be set with only root in at.allow and no at.deny 
file at all, or no at.allow and no at.deny files.  The use of both 
at.allow and at.deny is not recommended since these controls were 
not designed to be used together. See the 'crontab' man page for 
more information.

%CRON006w
To ensure that only root has access to the cron facility on your 
system, a cron.allow file needs to exist with only one entry, 'root',
and no cron.deny file should exist.  Similarly, for the 'at' and 
'batch' facilities, an at.allow file needs to exist with only one 
entry, 'root', and no at.deny file should exist.  For more information 
on RBAC, see the 'auth_attr' man page.  To test whether a user has 
the ability to access 'cron' or 'at' without the corresponding 
'allow' and 'deny' files, execute '/usr/bin/auths username' where 
'username' is the name of a user.  If one of the privileges returned 
is 'solaris.jobs.user', then that user has access to 'at', 'batch' 
and 'cron' facilities when no corresponding 'allow' or 'deny' files 
exist.
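An added shell check for the allow/deny rule in %CRON004w, %CRON005w and
%CRON006w (not part of the original message text).  It assumes the
directory holding the allow/deny files is passed as an argument, since
the location differs between systems (the Solaris files live under
/etc/cron.d; this is an assumption of the example, not stated above).

```shell
#!/bin/sh
# job_access_state: classify the <facility>.allow / <facility>.deny pair in
# a directory against the rule "only 'root' in the allow file, no deny file".
# Prints one of:
#   ok           allow file holds exactly 'root' and no deny file exists
#   open         neither file exists (acceptable per %CRON004w, but
#                %CRON006w wants an allow file; see the auths check above)
#   both         allow and deny both exist (not designed to be used together)
#   deny-only    only a deny file exists
#   extra-users  allow file exists but lists accounts other than root
# Exit status is 0 only for 'ok'.
# Usage: job_access_state cron /etc/cron.d ; job_access_state at /etc/cron.d
job_access_state() {
    facility=$1 dir=$2
    allow="$dir/$facility.allow" deny="$dir/$facility.deny"
    if [ -f "$allow" ] && [ -f "$deny" ]; then echo both; return 1; fi
    if [ ! -f "$allow" ] && [ ! -f "$deny" ]; then echo open; return 1; fi
    if [ -f "$deny" ]; then echo deny-only; return 1; fi
    # Only the allow file exists: it must hold exactly one entry, 'root'.
    # awk drops blank lines and surrounding whitespace before comparing.
    entries=$(awk 'NF { print $1 }' "$allow")
    root_n=$(printf '%s\n' "$entries" | grep -c -x root || true)
    other_n=$(printf '%s\n' "$entries" | grep -v -x root | grep -c . || true)
    if [ "$root_n" -ge 1 ] && [ "$other_n" -eq 0 ]; then
        echo ok; return 0
    fi
    echo extra-users; return 1
}
```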

%APACHE001i
The startup script for the Apache web service is /etc/rc3.d/S50apache.
It can be disabled by renaming it, for example, to 'disable_S50apache'.
The startup script requires the apache configuration file 
/etc/apache/httpd.conf to exist.  If it does not, as in this case, the
apache server (httpd) will not start.  To be safe, disable the startup
script if you do not plan to run the apache web server.

%APACHE002f
To prevent the Apache startup script from starting the web service, 
rename the script 
(e.g., mv /etc/rc3.d/S50apache /etc/rc3.d/disable_S50apache).  
Then reboot your system and check to see if the httpd daemon is 
running (e.g., ps -ef | grep httpd).  If it is, it may have been 
started in another way.  Have a system administrator check the system 
to see how the httpd service is being started.  

%APACHE003f
To prevent the Apache startup script from ever starting the web service, 
rename the script 
(e.g., mv /etc/rc3.d/S50apache /etc/rc3.d/disable_S50apache). 

%APACHE004w
To prevent the Apache startup script from ever starting the web service, 
rename the script 
(e.g., mv /etc/rc.d/rc3.d/S50apache /etc/rc.d/rc3.d/disable_S50apache).

%APACHE005f
To prevent the Apache startup script from starting the web service, 
rename the script 
(e.g., mv /etc/rc.d/rc3.d/S50apache /etc/rc.d/rc3.d/disable_S50apache).  
Then reboot your system and check to see if the httpd daemon is 
running (e.g., ps -ef | grep httpd).  If it is, it may have been 
started in another way.  Have a system administrator check the system 
to see how the httpd service is being started. 

%DHCP001i
The DHCP startup script can be disabled by renaming the script: 
(e.g., mv /etc/rc3.d/S34dhcp /etc/rc3.d/disable_S34dhcp).

%DHCP002f
The DHCP startup script can be disabled by renaming the script 
(e.g., mv /etc/rc3.d/S34dhcp /etc/rc3.d/disable_S34dhcp).  After 
renaming the script, reboot the system and verify the 'in.dhcp'
service is no longer running (e.g., ps -ef | grep "in.dhcp").

%FTPD001w
To enable logging of ftp session connections and debug information,
make sure that 'in.ftpd' in the /etc/inet/inetd.conf file has the
'-l' and '-d' options.  Refer to the 'in.ftpd' man page for the
proper format for adding these options.  After adding these options,
check the /etc/syslog.conf file to make sure it is set up to log the 
debug information via the daemon.debug selector.  For more information,
see the syslog.conf man page.

%LOGIN001w
To enable logging of failed login attempts, create the file 
/var/adm/loginlog with owner=root, group=sys, and mode=600.

%LOGIN002i
To set a value of 3 or less, add the line 'RETRIES=n', where n is 3 or 
less, in the file /etc/default/login.

%NFS001f
To disable these daemons, first, as root, execute the startup script
with the "stop" option (e.g., /etc/rc3.d/S15nfs.server stop).
Then disable the NFS server daemon startup script so it no longer 
begins with an "S":
(e.g., mv /etc/rc3.d/S15nfs.server /etc/rc3.d/disable_S15nfs.server).

%NFS002w
To set the NFS_PORTMON variable, edit the /etc/system file and add 
this entry: 'set  nfssrv:nfs_portmon = 1'.

%NFS003w
The startup script for the NFS server service should be disabled 
so it never starts the NFS server daemons.  
(e.g., mv /etc/rc3.d/S15nfs.server /etc/rc3.d/disable_S15nfs.server).

%NFS004f
To disable these daemons, first, as root, execute the startup script
with the "stop" option (e.g., /etc/rc2.d/S73nfs.client stop).
Then disable the NFS client daemon startup script so it no longer 
begins with an "S":
(e.g., mv /etc/rc2.d/S73nfs.client /etc/rc2.d/disable_S73nfs.client).

%NFS005w
The startup script for the NFS client service should be disabled 
so it never starts the NFS client daemons.  
(e.g., mv /etc/rc2.d/S73nfs.client /etc/rc2.d/disable_S73nfs.client).

%RHOSTS001w
To disable rlogin, rsh or rexec authentication via rhosts, comment out 
the 'rlogin', 'rsh' or 'rexec' entries in the file /etc/pam.conf that use 
the 'pam_rhosts_auth' module.

%SENDMAIL001f  
In Solaris 8 and higher, sendmail is configured with the 
/etc/default/sendmail file.  In that file, the value of the variable 
'MODE' will determine how the sendmail daemon runs.  If 'MODE' equals 
'-bd', then it will start up as a mail server.  By setting the value
of 'MODE' to "", the sendmail daemon will run in 'queue' mode, meaning
it will handle mail being sent from your system but not act as a mail
server.  After making this change, reboot your system and check to 
see that sendmail is not running with the '-bd' option
(e.g., ps -ef | grep sendmail).  Also, check that sendmail is running
in "queue runner" mode.  If this is running, a process like
"sendmail -Ac -q15m" will be running.  It is possible this will not
send email from the system but instead queue it only.  To test this,
send an email from the system (use mailx or another mailer) and check
the queue directory /var/spool/clientmqueue.  If it is holding emails
then you will need to set up sendmail to run the server but in a 
secure way.  Refer to the following Sun administration document
http://docs.sun.com/db/doc/806/4076/6jd6amqt4?a=view and follow
the instructions under "How to Manage Mail Delivery by Using an
Alternative Configuration of sendmail.cf".  This is a task best
left to a system administrator.

%SENDMAIL002f  
To disable the sendmail service rename the startup script
(e.g., mv /etc/rc2.d/S88sendmail /etc/rc2.d/disable_S88sendmail)
and reboot your system and check to see that sendmail is not running 
with the '-bd' option (e.g., ps -ef | grep sendmail).
NOTE: Once the sendmail service is disabled the system will not be 
able to process email for sending.  If the crontab is not set up to
run sendmail occasionally using the '-q' option, this system will 
not be able to send email.  This is accomplished by placing sendmail 
with the '-q' option in root's crontab (/var/spool/cron/crontabs/root). 
This allows sendmail to run occasionally, in queue mode, to process 
any email that is spooled.

%SENDMAIL003i
To disable the sendmail service rename the startup script
(e.g., mv /etc/rc2.d/S88sendmail /etc/rc2.d/disable_S88sendmail).

%SNMP001f 
To disable this service, rename the SNMP service startup script
(e.g., mv /etc/rc3.d/S76snmpdx /etc/rc3.d/disable_S76snmpdx), then 
reboot the system and check to see that the 'snmpdx' process is no
longer running (e.g. ps -ef | grep snmpdx).  If you do not want
to reboot the system, you can kill the daemon and any associated
processes by executing the startup script with the "stop" option
(e.g., /etc/rc3.d/disable_S76snmpdx stop).

%SNMP002w
The startup script for this service is /etc/rc3.d/S76snmpdx, 
and can be disabled by renaming the script
(e.g., mv  /etc/rc3.d/S76snmpdx  /etc/rc3.d/disable_S76snmpdx).

%DMI001f
To prevent these from starting, rename the /etc/rc3.d/S77dmi startup 
script 
(e.g., mv /etc/rc3.d/S77dmi /etc/rc3.d/disable_S77dmi) then reboot your 
system and verify the daemons are no longer running
(e.g., ps -ef | grep dmispd, and, ps -ef | grep snmpXdmid).

%DMI002w
The startup script can be disabled by renaming it
(e.g., mv /etc/rc3.d/S77dmi /etc/rc3.d/disable_S77dmi).

%SULOG001i  
To enable 'su' to log 'su' attempts, create the file /var/adm/sulog 
with permission 600.

%WBEM001w
The wbem daemon may be running.  To ensure it is disabled,
become root and execute the startup script with the "stop" option
(e.g., /etc/rc2.d/S90wbem stop).  Then disable the 'wbem' startup
script by renaming it so it no longer begins with the letter "S"
(e.g., mv /etc/rc2.d/S90wbem /etc/rc2.d/disable_S90wbem).

%FTPD002i
To add the '022' umask specification, add the line 
'defumask 022' to the /etc/ftpd/ftpaccess file.

%FTPD003i
To add the '022' umask specification, add the line 
'UMASK=022' to the /etc/default/ftpd file.

%ISSUE001w
See the web site http://irm.cit.nih.gov/policy/warnbanners.html 
for information on banners for NIH computers.  Also, see the
man page for 'issue'.  Then create the /etc/motd and /etc/issue
files with owner 'root' and mode 644.

%ISSUE002w
Check the /etc/issue and /etc/motd files to determine why they
are so small.  Check for system information and remove any if found.
See the web site http://irm.cit.nih.gov/policy/warnbanners.html for 
information on banners for NIH computers.

%ISSUE003f
Check the /etc/issue and /etc/motd files and remove any system 
information they may contain.  See the web site 
http://irm.cit.nih.gov/policy/warnbanners.html for information 
on banners for NIH computers.

%ISSUE004w
Create the file /etc/issue.net with root owner and group permissions
and mode 644.  Edit the file and add an appropriate banner. See the 
web site http://irm.cit.nih.gov/policy/warnbanners.html for information 
on banners for NIH computers. 

%ISSUE005f
Check the /etc/issue.net file and remove all system information in 
the file.  See the web site 
http://irm.cit.nih.gov/policy/warnbanners.html for information on 
banners for NIH computers. 

%ISSUE006w
See the telnetd or ftpd 'man' page for more information on setting up 
a banner for each of these services.  See the web site 
http://irm.cit.nih.gov/policy/warnbanners.html for information on
banners for NIH computers.

%ISSUE007f
Check the files and remove any system information.  See the telnetd 
and ftpd 'man' pages for more information.  See the web site 
http://irm.cit.nih.gov/policy/warnbanners.html for information on
banners for NIH computers.

%LP001f 
To disable the LP service, rename the startup script
(e.g., mv /etc/rc2.d/S80lp /etc/rc2.d/disable_S80lp) and reboot the 
system or kill the 'lpsched' daemon running on the system.

%LP002w
To prevent the LP service from starting, rename the startup script
(e.g., mv /etc/rc2.d/S80lp /etc/rc2.d/disable_S80lp).

%LP004w
If the 'lp' cron job is legitimate, consider using root or an individual 
account instead.  If the cron job is not legitimate, the system may have 
been compromised since using the 'lp' account to gain access and run cron 
jobs is a known hacking method.

%LP005f
The "in.lpd" service can be disabled by commenting out the "in.lpd" line 
in /etc/inet/inetd.conf and rebooting the system.

%ROUTED001w
To prevent in.routed from supplying routing information, modify the 
file /etc/rc2.d/S69inet to execute in.routed with the '-q' option.

%ROUTED002w
To prevent the in.routed process from acting as a router, determine what 
is starting the in.routed process and either disable it or have it start 
in quiet mode (e.g., 'in.routed -q').

%ROUTED003w
Search the indicated startup scripts and determine whether 'routed' is being
executed and if so, whether it is being executed with the '-q' option,
which starts 'routed' in quiet mode.

%SHADOW001w
To implement shadow passwords, see the man page for the 'pwconv' command.

%SHADOW002w
Change the ownership of /etc/shadow to 'root' 
(e.g., chown root /etc/shadow).

%SHADOW003w  
Change the group ownership to 'sys' (e.g., chgrp sys /etc/shadow).

%SHADOW004w
Change the mode of /etc/shadow to '600' (e.g., chmod 600 /etc/shadow).

%SHADOW005w
It is a good practice to set the 'inactivity' value to a reasonable 
length of time for your system.  Recommendations are anywhere from 
30 days to 90 days depending on the activity of the users on this 
system.  This feature prevents old accounts from remaining active
and becoming a source of entry for previous users or hackers.
To set the 'inactivity' value for an account, see the '-f' option
of the 'usermod' command.  This is not recommended for the root
account.

%SHADOW006w
Change the indicated passwords and continue to change them at least
every six months.

%TCP001w
To set the value of TCP_STRONG_ISS edit the file /etc/default/inetinit.
If 'TCP_STRONG_ISS' is already defined, change the value to '2'.
If 'TCP_STRONG_ISS' is not defined, add the line: 'TCP_STRONG_ISS=2'.

%TMP001w
To set the sticky bit, use 'chmod' to set the mode of /tmp to 1777
(e.g., chmod 1777 /tmp).

%SYSLOG001i
To improve security all notices of attempted authorization should 
be either logged, sent to the console for immediate review, or both.
Consider adding 'auth.notice' to /etc/syslog.conf.  Read the 'syslog.conf'
man page for more information.

%HOSTS001i
For better security, consider using a loghost for important system logs.
For more information, read the man page for 'syslog.conf'.

%SUSPEND001w
Setting the value of 'PERMS' in '/etc/default/sys-suspend' to '-' restricts 
this ability to the super-user only.  For more information see the openwin
man page for 'sys-suspend'.

%NSCD001w
The 'nscd' daemon can be stopped by executing the nscd startup script
with the stop option (e.g., /etc/rc2.d/S76nscd stop). The 'nscd' startup
script can be disabled by renaming it to a name that does not begin with 
the letter 'S' (e.g., mv /etc/rc2.d/S76nscd /etc/rc2.d/disable_S76nscd). 
If 'nscd' functionality is needed, typically due to running NIS or NIS+, 
then instead of stopping the nscd process and disabling the startup script,
the /etc/nscd.conf file should be configured to disable caching for the
'passwd', 'group', 'hosts', and in the case of Solaris 8 or higher, 
'ipnodes' files.  Caching can be disabled for each file by setting the 
'enable-cache' entry for each file in '/etc/nscd.conf' with a 'no' value.
For more information, see the 'nscd.conf' man page.

%NSCD002w
Caching can be disabled for each file by setting the 'enable-cache' entry 
for each file in '/etc/nscd.conf' with a 'no' value.  For more information, 
see the 'nscd.conf' man page.

%PRESERVE001w
To prevent this exploit, either disable the /etc/rc2.d/S80PRESERVE
and /etc/rc2.d/S89PRESERVE scripts to prevent the expreserve utility 
from starting, 
(e.g., mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/disable_S80PRESERVE),
or remove the ability of /usr/lib/expreserve to execute by removing its
execute mode bits (e.g., /usr/bin/chmod a-x /usr/lib/expreserve).  Once 
expreserve is disabled, files being edited by vi(1) or ex(1) will be lost 
if the session terminates abnormally.  It is recommended that files be 
saved often.

%STACK001w
Add the line 'set noexec_user_stack=1' to the /etc/system 
file.  Also, to enable logging of attempts to execute code on 
the stack, add the line 'set noexec_user_stack_log=1' to the 
/etc/system file.  The machine will then need to be rebooted 
to effect the change.
NOTE: Setting 'set noexec_user_stack=1' in /etc/system may 
prevent some programs from running.  Consider removing this
line if any programs are affected.

%KEYSERV001w
Disabling the 'nobody' UID access to secure RPC on a Solaris 9 system 
is done by setting the 'ENABLE_NOBODY_KEYS' parameter in the 
/etc/default/keyserv file to 'NO'.  This can also be disabled by starting 
the 'keyserv' command with the '-d' option.  See '%KEYSERV002w' for
more information on starting 'keyserv' with the '-d' option.  It is 
recommended that both the ENABLE_NOBODY_KEYS parameter be set to 'NO'
AND 'keyserv' be started with the -d option to prevent secure protocols
from using 'nobody' keys.

%KEYSERV002w
Disabling the nobody UID access ensures no private keys are generated
for 'nobody'. Prior to Solaris 9 this is done by adding the '-d' option 
to the 'keyserv' command in the /etc/init.d/rpc file.

%PASSWD001i
The recommended value for the maximum time a password is valid
is 23 weeks (or 180 days).  
For Solaris:
  Set the value of 'MAXWEEKS' in /etc/default/passwd to at most '23'
  (e.g., MAXWEEKS=23).  See the 'passwd' man page for more information.
For Linux:
  Set the value of 'PASS_MAX_DAYS' in /etc/login.defs to at most '180'
  (e.g., PASS_MAX_DAYS    180).  NOTE: a tab character should be 
  used between 'PASS_MAX_DAYS' and the value.  See the '/etc/login.defs'
  file for more information.

%PASSWD002w
The recommended value for the minimum length of a password is '6'.
For Solaris:
  Set the value of 'PASSLENGTH' in /etc/default/passwd to '6'
  (e.g., PASSLENGTH=6).  See the 'passwd' man page for more information.
For Linux:
  Set the value of 'PASS_MIN_LEN' in /etc/login.defs to '6'
  (e.g., PASS_MIN_LEN    6).  NOTE: a tab character should be 
  used between 'PASS_MIN_LEN' and the value.  See the '/etc/login.defs'
  file for more information.

%PASSWD003w
Review the system's PAM configuration (the files in the /etc/pam.d 
directory or, if /etc/pam.d does not exist, the /etc/pam.conf file).
Check for the 'passwd' service and refer to the 'pam.conf' man page
for instructions on how to apply the 'pam_cracklib.so' module.  Make
sure that the module exists on your system by looking for the 
'pam_cracklib.so' file in /lib/security.

%ADMIN001w
Review the administrative account(s) found to have a blank or valid 
login shell and consider changing each shell to an invalid shell such 
as /bin/false.

%FTPUSERS001w
Create the /etc/ftpusers file (owner=root, group=sys, mode=644)
and add the following account names to the file, one account name 
per line: root daemon bin sys adm lp uucp nuucp listen nobody 
noaccess nobody4 news smtp hpdb guest.

%FTPUSERS002w
Add the indicated administrative accounts to the /etc/ftpusers
file, one account name per line.

%SSH001w
If the ssh version is a vulnerable version, update your ssh 
installation to the latest release.

%SSH002w
If you are running a vulnerable version, update your ssh installation 
to the latest release.

%SHELLS001w
Create the file /etc/shells with owner 'root', group owner 'sys',
and mode 644.  Then review your /etc/passwd file for the shells
being used by the listed users (field 7 of each line in the 
/etc/passwd file).  Enter these shell file names into the /etc/shells
file, one shell per line.  Below is an example of a /etc/shells file:
/bin/csh
/usr/bin/ksh
/bin/ksh
/bin/tcsh
/sbin/sh
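An added shell example (not part of the original message text) that does
the review step above: it collects the distinct field 7 values of a
passwd file in /etc/shells format and flags the entries that should be
looked at by hand instead of copied.  The passwd and shells file paths
are arguments so it can be run against a copy.

```shell
#!/bin/sh
# shells_in_use: list the distinct login shells (field 7) of a passwd file,
# sorted, one per line, ready for /etc/shells.  Accounts with an empty
# field 7 (which means the default shell) and accounts whose shell is not
# an absolute path are reported on stderr for manual review rather than
# being emitted, since /etc/shells must list full path names.
# Usage: shells_in_use [/etc/passwd]
shells_in_use() {
    passwd=${1:-/etc/passwd}
    awk -F: '
        NF < 7 { next }                          # skip malformed lines
        $7 == "" { blank = blank " " $1; next }  # empty shell field
        $7 !~ /^\// { odd = odd " " $1 ":" $7; next }
        !seen[$7]++ { print $7 }                 # first occurrence only
        END {
            if (blank != "") print "accounts with empty shell:" blank > "/dev/stderr"
            if (odd != "")   print "non-absolute shells:" odd > "/dev/stderr"
        }' "$passwd" | sort
}

# missing_from_shells: shells in use that the given shells file does not
# list yet (exact, whole-line matches).  Usage: missing_from_shells passwd shells
missing_from_shells() {
    shells_in_use "$1" 2>/dev/null | while read -r shell; do
        grep -q -F -x "$shell" "$2" 2>/dev/null || echo "$shell"
    done
}
```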

%INETD001w
First determine where /usr/sbin/inetd is being started.  For Solaris
this will be in the startup script area, such as /etc/rc2.d/S72inetsvc.
Search the /etc/rc*.d directories for '/usr/sbin/inetd' being executed.
Once you have found the startup script, add the '-t' option for 
'/usr/sbin/inetd'.  Refer to the 'inetd' man page for the proper way to
implement the '-t' option.  Reboot the system and verify the inetd process
is now running with the -t option (e.g., ps -ef | grep inetd).  Also
check that 'daemon.notice' logging is enabled in /etc/syslog.conf.  If
it is not, add it.  See the syslog.conf man page for more information
on adding 'daemon.notice' logging.