
There is no documented baseline of the default setuid and setgid files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16379 SUN0330 SV-17372r1_rule ECSC-1 Medium
Description
There are programs that have setuid and setgid flags set within the Sun Ray server. Setuid is a flag that allows an application to temporarily change the permissions of the user running the application by setting the effective user ID to the program owner’s user ID. Setgid is a flag that allows an application to temporarily change the permissions of the group running the application by setting the effective group ID to the program owner’s group ID. Several programs on the Sun Ray server have setuid and setgid flags installed by default. Disabling any of the setgid or setuid applications will result in problems with the Sun Ray system. Furthermore, having a documented baseline of these applications will ensure that any unauthorized modifications to these files will be detected.
STIG Date
Sun Ray 4 STIG 2015-04-02

Details

Check Text ( C-17267r1_chk )
On the Sun Ray server perform the following:
# find /opt -perm -4000

If the result does not return the following output only, this is a finding.

/opt/SUNWut/lib/utrcmd
/opt/SUNWut/lib/utguiauth
/opt/SUNWut/lib/utprefs-helper
/opt/SUNWut/lib/utdomount
/opt/SUNWut/bin/utaudio
/opt/SUNWut/bin/utxconfig

# find /opt -perm -2000

If the result does not return the following output only, this is a finding.

/opt/SUNuttsc/lib/uttsc-bin

Ensure the documented setuid and setgid files match the output above. If not, this is a finding.

Fix Text (F-16415r1_fix)
Document the setuid and setgid files on the Sun Ray system.
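
The check above as a script, added here as an example and not part of the STIG: it runs the same find searches and reports every path that differs from the baseline lists in the check text. The check_baseline function, its SYSROOT argument and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the STIG): compare setuid/setgid files under /opt
# with the baseline lists given in the check text.

# Baselines copied from the check text on this page.
SETUID_BASELINE='/opt/SUNWut/lib/utrcmd
/opt/SUNWut/lib/utguiauth
/opt/SUNWut/lib/utprefs-helper
/opt/SUNWut/lib/utdomount
/opt/SUNWut/bin/utaudio
/opt/SUNWut/bin/utxconfig'
SETGID_BASELINE='/opt/SUNuttsc/lib/uttsc-bin'

# check_baseline PERM BASELINE [SYSROOT]
# PERM is 4000 (setuid) or 2000 (setgid). SYSROOT is an assumption of this
# example: an alternate root (mounted image, test tree); default is "/".
# Prints "UNEXPECTED <path>" for files on disk but not in the baseline and
# "MISSING <path>" for baseline entries not found. Returns 0 only on an
# exact match, 1 on any difference (a finding), 2 on setup failure.
check_baseline() {
    perm=$1
    baseline=$2
    sysroot=${3:-/}
    work=$(mktemp -d) || return 2
    # Same search as the check text, run relative to SYSROOT so reported
    # paths always start with /opt.
    (cd "$sysroot" && find opt -perm "-$perm" 2>/dev/null) |
        sed 's|^|/|' | LC_ALL=C sort > "$work/actual"
    printf '%s\n' "$baseline" | LC_ALL=C sort > "$work/expected"
    LC_ALL=C comm -23 "$work/actual" "$work/expected" | sed 's/^/UNEXPECTED /'
    LC_ALL=C comm -13 "$work/actual" "$work/expected" | sed 's/^/MISSING /'
    rc=0
    cmp -s "$work/actual" "$work/expected" || rc=1
    rm -rf "$work"
    return "$rc"
}

# Run both checks when invoked as: sh script.sh run [SYSROOT]
if [ "${1:-}" = "run" ]; then
    status=0
    check_baseline 4000 "$SETUID_BASELINE" "${2:-/}" || status=1
    check_baseline 2000 "$SETGID_BASELINE" "${2:-/}" || status=1
    exit "$status"
fi
```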