UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system's boot loader configuration file(s) must not have extended ACLs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22585 GEN008740 SV-26985r2_rule Medium
Description
File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. If extended ACLs are present on the system's boot loader configuration file(s), these files may be vulnerable to unauthorized access or modification, which could compromise the system's boot process.
STIG Date
Solaris 10 x86 Security Technical Implementation Guide 2018-06-29

Details

Check Text ( C-27927r2_chk )
This check applies to the global zone only. Determine the type zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

On systems that have a ZFS root, the active menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset.

On systems that have a UFS root, the active menu.lst file is typically located at /boot/grub/menu.lst. To locate the active GRUB menu, use the bootadm command with the list-menu option:

# bootadm list-menu

Check the permissions of the menu.lst file.

Procedure:
# ls -lL /pool-name/boot/grub/menu.lst
or
# ls -lL /boot/grub/menu.lst

If the permissions of the menu.lst file contain "+", an extended ACL is present, and this is a finding.
Fix Text (F-24249r2_fix)
If the file with the extended ACL resides on a UFS filesystem:
# getfacl /boot/grub/menu.lst

Remove each ACE from the file.
# setfacl -r [ACE] /boot/grub/menu.lst

If the file with the extended ACL resides on a ZFS filesystem:
# chmod A- /pool-name/boot/grub/menu.lst