The systems physical devices must not be assigned to non-global zones.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216476	SOL-11.1-100030	SV-216476r603267_rule		Medium

Description
Solaris non-global zones can be assigned physical hardware devices. This increases the risk of such a non-global zone having the capability to compromise the global zone.

STIG	Date
Solaris 11 SPARC Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-17712r371510_chk )
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi \| grep -v global List the configuration for each zone. # zonecfg -z [zonename] info \| grep dev Check for device lines. If such a line exists and is not approved by security, this is a finding.

Check Text ( C-17712r371510_chk )

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

List the non-global zones on the system.

# zoneadm list -vi | grep -v global

List the configuration for each zone.

# zonecfg -z [zonename] info | grep dev

Check for device lines. If such a line exists and is not approved by security, this is a finding.

Fix Text (F-17710r371511_fix)
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Zone Security profile is required: Remove all device assignments from the non-global zone. # pfexec zonecfg -z [zone] delete device [device]