On Fri, Jul 28, 2017 at 3:46 PM, Joshua M. Clulow <[email protected]> wrote:
> On 27 July 2017 at 23:23, Joven Sabanal <[email protected]> wrote:
> > We are doing vulnerability scan on our Zone virtual machine and we found
> > vulnerabilities that need to resolve in order to pass the security scan. We
> > are using Nexpose Community vulnerability scanner and the following are the
> > vulnerabilities detected:
> >
> > 1. Oracle Solaris 11 Unsupported Point Release
> >
> > For item 1, its recommendation is to download latest Solaris 11.
>
> This is SmartOS, an illumos distribution which is unrelated to Oracle
> Solaris 11. The scanner appears to be incorrectly identifying the
> operating system, which is not a good start for a tool like this.
>

Yes, the scanner is detecting the kernel as Solaris.

> > 2. Solaris Loginlog Undefined
> > 3. Solaris Core Files Unprotected
> > 4. Solaris Unrestricted crontab Access
> > 5. User home directory mode unsafe
> >
> > For items 2 - 5, I apply what's indicated on the vulnerabilities
> > recommendation but even applying it and rebooted the VM, it's still not
> > resolved.
>
> This list is extremely vague so it's hard to make any concrete
> recommendations. What is the exact check that's being done for each
> item in the list?
>

Please see below:

*Solaris Loginlog Undefined*

- Enable Login Logging
  - Configuration remediation steps
    - Create /var/adm/loginlog:

        touch /var/adm/loginlog
        chown root:sys /var/adm/loginlog
        chmod 0600 /var/adm/loginlog

    - Next, set SYSLOG_FAILED_LOGINS in /etc/default/login to 0, and run:

        logadm -w connlog -C 13 /var/adm/loginlog

*Solaris Core Files Unprotected*

- Set Dedicated Directory For Core Files
  - Configuration remediation steps
    - It is recommended that you designate a protected directory to store
      all core files:

        mkdir -p /var/core
        chown root:root /var/core
        chmod 0700 /var/core
        coreadm -g /var/core/core_%n_%f_%u_%g_%t_%p \
            -e log -e global -e global-setid \
            -d process -d proc-setid
        coreadm -u

*Solaris Unrestricted crontab*

- Restrict access to crontab
  - Configuration remediation steps
    - It is recommended that you switch to a white-list of approved crontab
      users. In most circumstances, only the administrator requires this
      access. Note that restricting crontab access will still allow existing
      cron jobs from all users to execute.

        cd /etc/cron.d
        rm -f cron.deny at.deny
        echo root > cron.allow
        echo root > at.allow
        chown root:sys cron.allow at.allow

*User home directory mode unsafe*

- Restrict User's home directory mode
  - Configuration remediation steps
    - Restrict the user home directory mode to at most 750 using the command:

        chmod 750 userDir

Thanks and regards
Joven D.
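
To confirm inside the zone that the four remediations quoted above actually took effect before re-running the scan, the following audit script checks the file state they are meant to leave behind. It is an added example, not part of the original message and not Nexpose's own check logic. The function names and the ROOT prefix are assumptions of this sketch, and ownership and the coreadm settings are not covered.

```shell
# Added example, not from the thread. ROOT is this sketch's own knob: a path
# prefix so the checks can run against a test tree; empty means the live system.
ROOT=${ROOT:-}
GRP_OTH="040 020 010 004 002 001"   # every group/other permission bit

# Succeeds if path $1 has at least one of the octal permission bits that follow.
has_any_bit() {
    p=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$p" -prune -perm "-$bit" -print 2>/dev/null)" ] && return 0
    done
    return 1
}

check_loginlog() {   # file present, mode no wider than 0600, login default is 0
    f=$ROOT/var/adm/loginlog
    [ -f "$f" ] || { echo "FAIL loginlog: $f missing"; return 1; }
    if has_any_bit "$f" 100 $GRP_OTH; then echo "FAIL loginlog: mode wider than 0600"; return 1; fi
    grep -q '^SYSLOG_FAILED_LOGINS=0$' "$ROOT/etc/default/login" 2>/dev/null ||
        { echo "FAIL loginlog: SYSLOG_FAILED_LOGINS is not 0"; return 1; }
}

check_coredir() {    # directory present, mode no wider than 0700
    d=$ROOT/var/core
    [ -d "$d" ] || { echo "FAIL core: $d missing"; return 1; }
    if has_any_bit "$d" $GRP_OTH; then echo "FAIL core: mode wider than 0700"; return 1; fi
}

check_cron() {       # deny files removed, allow files contain only "root"
    c=$ROOT/etc/cron.d
    for f in cron.deny at.deny; do
        if [ -e "$c/$f" ]; then echo "FAIL cron: $f still present"; return 1; fi
    done
    for f in cron.allow at.allow; do
        [ "$(cat "$c/$f" 2>/dev/null)" = root ] || { echo "FAIL cron: $f is not just root"; return 1; }
    done
}

check_home() {       # $1 = a user's home directory; mode no wider than 0750
    [ -d "$1" ] || { echo "FAIL home: $1 missing"; return 1; }
    if has_any_bit "$1" 020 004 002 001; then echo "FAIL home: $1 wider than 750"; return 1; fi
}
# Usage: sh audit.sh run /home/alice /home/bob   (script name is illustrative)
if [ "${1:-}" = run ]; then
    shift; rc=0
    check_loginlog || rc=1; check_coredir || rc=1; check_cron || rc=1
    for h in "$@"; do check_home "$h" || rc=1; done
    exit "$rc"
fi
```

A clean run here combined with a scanner that still reports the findings points at how the scanner performs its check rather than at the zone's configuration.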
