Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22607 | GEN000000-SOL00620 | SV-27022r1_rule | ECLP-1 | Medium |
Description |
---|
Solaris zones have the capability to inherit elements of the global zone's filesystem, which reduces the amount storage required for a zone, but also limits the flexibility of the zone. The inherit-pkg-dir option defines which paths are shared between the zones. If set incorrectly, private information from the global zone could be made available to the non-global zone. This option must be set to none (for a whole-root non-global zone), the vendor-specified list of paths for sparse-root non-global zones, or a list specified by the SA for operational reasons which has been justified and documented with the IAO. |
STIG | Date |
---|---|
Solaris 10 SPARC Security Technical Implementation Guide | 2013-01-10 |
Check Text ( C-27953r1_chk ) |
---|
If the system is not a global zone, this vulnerability is not applicable. List the non-global zones on the system. # zoneadm list -vi List the configuration for each zone. # zonecfg -z Check the inherit-pkg-dir lines. If no such lines exist, this is not a finding. If the lines contain only those defined for sparse root zones (/lib, /platform, /sbin, /usr), this is not a finding. Otherwise, this is a finding. |
Fix Text (F-24289r1_fix) |
---|
Remove the inherit-pkg-dir lines or the directories not defined for sparse root zones. # zonecfg -z |