UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22607 GEN000000-SOL00620 SV-27022r1_rule ECLP-1 Medium
Description
Solaris zones have the capability to inherit elements of the global zone's filesystem, which reduces the amount storage required for a zone, but also limits the flexibility of the zone. The inherit-pkg-dir option defines which paths are shared between the zones. If set incorrectly, private information from the global zone could be made available to the non-global zone. This option must be set to none (for a whole-root non-global zone), the vendor-specified list of paths for sparse-root non-global zones, or a list specified by the SA for operational reasons which has been justified and documented with the IAO.
STIG Date
SOLARIS 10 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE 2017-12-18

Details

Check Text ( C-27953r1_chk )
If the system is not a global zone, this vulnerability is not applicable.
List the non-global zones on the system.
# zoneadm list -vi
List the configuration for each zone.
# zonecfg -z info
Check the inherit-pkg-dir lines. If no such lines exist, this is not a finding. If the lines contain only those defined for sparse root zones (/lib, /platform, /sbin, /usr), this is not a finding. Otherwise, this is a finding.
Fix Text (F-24289r1_fix)
Remove the inherit-pkg-dir lines or the directories not defined for sparse root zones.
# zonecfg -z remove inherit-pkg-dir=