Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216441 | SOL-11.1-070260 | SV-216441r603267_rule | Medium |
Description |
---|
Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files. |
STIG | Date |
---|---|
Solaris 11 SPARC Security Technical Implementation Guide | 2021-05-28 |
Check Text ( C-17677r371411_chk ) |
---|
The root role is required. Identify all file system objects that have non-standard access control lists enabled. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -acl -ls This command should return no output. If output is created, this is a finding. If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required. |
Fix Text (F-17675r371412_fix) |
---|
The root role is required. Remove ACLs that are not approved in the security policy. For ZFS file systems, remove all extended ACLs with the following command: # chmod A- [filename] For UFS file systems Determine the ACLs that are set on a file: # getfacl [filename] Remove any ACL configurations that are set: # setfacl -d [ACL] [filename] |