The operator must document all file system objects that have non-standard access control list settings.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216204	SOL-11.1-070260	SV-216204r603268_rule		Medium

Description
Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-17442r372994_chk )
The root role is required. Identify all file system objects that have non-standard access control lists enabled. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -acl -ls This command should return no output. If output is created, this is a finding. If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.

Check Text ( C-17442r372994_chk )

The root role is required.

Identify all file system objects that have non-standard access control lists enabled.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -acl -ls

This command should return no output. If output is created, this is a finding.

If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.

Fix Text (F-17440r372995_fix)
The root role is required. Remove ACLs that are not approved in the security policy. For ZFS file systems, remove all extended ACLs with the following command: # chmod A- [filename] For UFS file systems Determine the ACLs that are set on a file: # getfacl [filename] Remove any ACL configurations that are set: # setfacl -d [ACL] [filename]