The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216129	SOL-11.1-040490	SV-216129r603268_rule		Medium

Description
This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of the system and to communicate with local resources, such as a printer or file server. The remote device, when connected by a non-remote connection, becomes an extension of the information system allowing dual communications paths, such as split-tunneling, in effect allowing unauthorized external connections into the system. This is a split-tunneling requirement that can be controlled via the operating system by disabling interfaces.

Description

This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of the system and to communicate with local resources, such as a printer or file server. The remote device, when connected by a non-remote connection, becomes an extension of the information system allowing dual communications paths, such as split-tunneling, in effect allowing unauthorized external connections into the system. This is a split-tunneling requirement that can be controlled via the operating system by disabling interfaces.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-17367r372769_chk )
Determine if the "RestrictOutbound" profile is configured properly: # profiles -p RestrictOutbound info If the output is not: name=RestrictOutbound desc=Restrict Outbound Connections limitpriv=zone,!net_access this is a finding. For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile. # profiles -l [username] If the output does not include: [username]: RestrictOutbound this is a finding.

Check Text ( C-17367r372769_chk )

Determine if the "RestrictOutbound" profile is configured properly:

# profiles -p RestrictOutbound info

If the output is not:
name=RestrictOutbound
desc=Restrict Outbound Connections
limitpriv=zone,!net_access

this is a finding.

For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile.

# profiles -l [username]

If the output does not include:

[username]:
RestrictOutbound

this is a finding.

Fix Text (F-17365r372770_fix)
The root Role is required. Remove net_access privilege from users who may be accessing the systems externally. 1. Create an RBAC Profile with net_access restriction # profiles -p RestrictOutbound profiles:RestrictOutbound> set desc="Restrict Outbound Connections" profiles:RestrictOutbound> set limitpriv=zone,!net_access profiles:RestrictOutbound> exit 2. Assign the RBAC Profile to a user # usermod -P +RestrictOutbound [username] This prevents the user from initiating any outbound network connections.

Fix Text (F-17365r372770_fix)

The root Role is required.

Remove net_access privilege from users who may be accessing the systems externally.

1. Create an RBAC Profile with net_access restriction

# profiles -p RestrictOutbound
profiles:RestrictOutbound> set desc="Restrict Outbound Connections"
profiles:RestrictOutbound> set limitpriv=zone,!net_access
profiles:RestrictOutbound> exit

2. Assign the RBAC Profile to a user

# usermod -P +RestrictOutbound [username]

This prevents the user from initiating any outbound network connections.