UCF STIG Viewer Logo

All network services daemon files must not have extended ACLs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22313 GEN001190 SV-26360r1_rule ECLP-1 Medium
Description
Restricting permission on daemons will protect them from unauthorized modification and possible system compromise.
STIG Date
SOLARIS 9 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE 2015-10-01

Details

Check Text ( C-27463r1_chk )
Verify network services daemon files have no extended ACLs.
# ls -la /usr/sbin
# ls -la /usr/bin
If the permissions include a "+", the file has an extended ACL and this is a finding.
NOTE: Network daemons not residing in these directories (such as httpd or sshd) must also be checked for the correct permissions.

A way to locate network daemons, such as httpd and sshd, is with the ps command.
# ps -ef | egrep '(sshd|httpd)'
Fix Text (F-23543r1_fix)
Remove the extended ACL from the file.
# getfacl [file with extended ACL]
Remove each ACE returned.
# setfacl -d [ACE] [file with extended ACL]