
The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.


Overview

Finding ID: V-227553
Version: GEN000000-SOL00620
Rule ID: SV-227553r603266_rule
IA Controls:
Severity: Medium
Description
Solaris zones have the capability to inherit elements of the global zone's filesystem, which reduces the amount of storage required for a zone but also limits the flexibility of the zone. The inherit-pkg-dir option defines which paths are shared between the zones. If set incorrectly, private information from the global zone could be made available to the non-global zone. This option must be set to none (for a whole-root non-global zone), the vendor-specified list of paths for sparse-root non-global zones, or a list specified by the SA for operational reasons that has been justified and documented with the IAO.
STIG: Solaris 10 X86 Security Technical Implementation Guide
Date: 2022-09-07

Details

Check Text (C-29715r488192_chk)
If the system is not a global zone, this vulnerability is not applicable.
List the non-global zones on the system.
# zoneadm list -vi
List the configuration for each zone (replace <zonename> with the zone's name from the listing above).
# zonecfg -z <zonename> info
Check the inherit-pkg-dir lines. If no such lines exist, this is not a finding. If the lines contain only those defined for sparse root zones (/lib, /platform, /sbin, /usr), this is not a finding. Otherwise, this is a finding.
Fix Text (F-29703r488193_fix)
Remove the inherit-pkg-dir lines or the directories not defined for sparse root zones (replace <zonename> and <directory> with the zone's name and the inherited directory to remove).
# zonecfg -z <zonename> remove inherit-pkg-dir dir=<directory>
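The check above, automated as a script. This is an added example, not part of the STIG text; it assumes it runs as root in the Solaris 10 global zone and that `zonecfg ... info inherit-pkg-dir` prints each resource as an `inherit-pkg-dir:` line followed by a `dir: /path` line.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit the inherit-pkg-dir
# entries of each non-global zone against the sparse-root default list
# given in the check text (/lib, /platform, /sbin, /usr).

SPARSE_ROOT_DIRS="/lib /platform /sbin /usr"

# Read "zonecfg -z <zone> info inherit-pkg-dir" output on stdin and print
# every inherited directory that is not in the sparse-root default list.
# Returns 0 when the zone is clean (no entries, or only default entries)
# and 1 when at least one unexpected directory is inherited (a finding).
check_inherit_dirs() {
    rc=0
    # zonecfg prints each resource as "inherit-pkg-dir:" followed by a
    # tab-indented "dir: /path" line; only the dir lines are examined.
    while read -r key value; do
        [ "$key" = "dir:" ] || continue
        allowed=0
        for d in $SPARSE_ROOT_DIRS; do
            [ "$value" = "$d" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$value"
            rc=1
        fi
    done
    return "$rc"
}

# Walk every installed non-global zone from the global zone and report
# findings. zoneadm -p prints colon-separated fields (field 2 is the
# zone name), which parses more reliably than the -v listing. Assumes
# it runs as root in the Solaris 10 global zone (hypothetical usage).
audit_all_zones() {
    status=0
    for zone in $(zoneadm list -pi | awk -F: '$2 != "global" { print $2 }'); do
        if bad=$(zonecfg -z "$zone" info inherit-pkg-dir | check_inherit_dirs); then
            echo "$zone: not a finding"
        else
            echo "$zone: FINDING, non-default inherit-pkg-dir: $(echo "$bad" | tr '\n' ' ')"
            status=1
        fi
    done
    return "$status"
}

# Only attempt the live audit where the Solaris zone tools exist.
if command -v zonecfg >/dev/null 2>&1; then
    audit_all_zones
fi
```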