UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The limitpriv zone option must be set to the vendor default or less permissive.


Overview

Finding ID Version Rule ID IA Controls Severity
V-47895 SOL-11.1-100020 SV-60767r3_rule Low
Description
Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the ability for a non-global zone to compromise the global zone.
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2017-03-02

Details

Check Text ( C-50331r3_chk )
This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system.

# zoneadm list -vi | grep -v global

From the output list of non-global zones found, determine if any are Kernel zones.

# zoneadm list -cv | grep [zonename] | grep solaris-kz

Exclude any Kernel zones found from the list of local zones.

List the configuration for each zone.

# zonecfg -z [zonename] info |grep limitpriv

If the output of this command has a setting for limitpriv and it is not:
limitpriv: default

this is a finding.
Fix Text (F-51507r1_fix)
This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

The Zone Security profile is required:

Change the "limitpriv" setting to default.

# pfexec zonecfg -z [zone] set limitpriv=default