The setuid and setgid flags have been disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15835	ESX0390	SV-16774r1_rule	IAAC-1 IAIA-1 IAIA-2	Medium

Description
During the ESX Server installation, several applications have the setuid and setgid flags set by default. These applications are initiated by or through the service console. Some of them provide facilities required for correct operation of the ESX Server host. Others are optional, but can make maintaining and troubleshooting the ESX Server and network easier. Disabling any of the required setgid or setuid applications will result in problems with ESX Server authentication and virtual machine operation; however optional setgid or setuid applications may be disabled.

Description

During the ESX Server installation, several applications have the setuid and setgid flags set by default. These applications are initiated by or through the service console. Some of them provide facilities required for correct operation of the ESX Server host. Others are optional, but can make maintaining and troubleshooting the ESX Server and network easier. Disabling any of the required setgid or setuid applications will result in problems with ESX Server authentication and virtual machine operation; however optional setgid or setuid applications may be disabled.

STIG	Date
VMware ESX 3 Server	2016-05-13

Details

Check Text ( C-16182r1_chk )
All the following setuid applications should have the setuid bit configured so that normal users may run the application with raised privileges. To verify the setuid bit is set (s), perform the following on the ESX Server service console: # find /sbin /usr/bin /bin /usr/lib/vmware/bin \ /usr/lib/vmware/bin-debug/ /usr/sbin –perm -4000 pam_timestamp_check pwdb_chkpwd unix_chkpwd crontab passwd su vmkload_app vmware-vmx vmkload_app vmware-vmx vmware-authd If the setuid bit is not set on these applications, this is a finding. OR # find /sbin –perm -4000 pam_timestamp_check pwdb_chkpwd unix_chkpwd # find /usr/bin –perm -4000 crontab passwd # find /bin –perm -4000 su # find /usr/lib/vmware/bin/ -perm -4000 vmkload_app vmware-vmx # find /usr/lib/vmware/bin-debug/ -perm -4000 vmkload_app vmware-vmx # find /usr/sbin/ -perm -4000 vmware-authd If the setuid bit is not set on these applications, this is a finding.

Check Text ( C-16182r1_chk )

All the following setuid applications should have the setuid bit configured so that normal users may run the application with raised privileges.

To verify the setuid bit is set (s), perform the following on the ESX Server service console:

# find /sbin /usr/bin /bin /usr/lib/vmware/bin \ /usr/lib/vmware/bin-debug/ /usr/sbin –perm -4000
pam_timestamp_check
pwdb_chkpwd
unix_chkpwd
crontab
passwd
su
vmkload_app
vmware-vmx
vmkload_app
vmware-vmx
vmware-authd

If the setuid bit is not set on these applications, this is a finding.

OR

# find /sbin –perm -4000
pam_timestamp_check
pwdb_chkpwd
unix_chkpwd

# find /usr/bin –perm -4000
crontab
passwd

# find /bin –perm -4000
su

# find /usr/lib/vmware/bin/ -perm -4000
vmkload_app
vmware-vmx

# find /usr/lib/vmware/bin-debug/ -perm -4000
vmkload_app
vmware-vmx

# find /usr/sbin/ -perm -4000
vmware-authd

If the setuid bit is not set on these applications, this is a finding.

Fix Text (F-15785r1_fix)
Configure the setuid and setgid applications with the appropriate permissions.