Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15835 | ESX0390 | SV-16774r1_rule | IAAC-1 IAIA-1 IAIA-2 | Medium |
Description |
---|
During the ESX Server installation, several applications have the setuid and setgid flags set by default. These applications are initiated by or through the service console. Some of them provide facilities required for correct operation of the ESX Server host. Others are optional, but can make maintaining and troubleshooting the ESX Server and network easier. Disabling any of the required setgid or setuid applications will result in problems with ESX Server authentication and virtual machine operation; however optional setgid or setuid applications may be disabled. |
STIG | Date |
---|---|
VMware ESX 3 Server | 2016-05-13 |
Check Text ( C-16182r1_chk ) |
---|
All the following setuid applications should have the setuid bit configured so that normal users may run the application with raised privileges. To verify the setuid bit is set (s), perform the following on the ESX Server service console: # find /sbin /usr/bin /bin /usr/lib/vmware/bin \ /usr/lib/vmware/bin-debug/ /usr/sbin –perm -4000 pam_timestamp_check pwdb_chkpwd unix_chkpwd crontab passwd su vmkload_app vmware-vmx vmkload_app vmware-vmx vmware-authd If the setuid bit is not set on these applications, this is a finding. OR # find /sbin –perm -4000 pam_timestamp_check pwdb_chkpwd unix_chkpwd # find /usr/bin –perm -4000 crontab passwd # find /bin –perm -4000 su # find /usr/lib/vmware/bin/ -perm -4000 vmkload_app vmware-vmx # find /usr/lib/vmware/bin-debug/ -perm -4000 vmkload_app vmware-vmx # find /usr/sbin/ -perm -4000 vmware-authd If the setuid bit is not set on these applications, this is a finding. |
Fix Text (F-15785r1_fix) |
---|
Configure the setuid and setgid applications with the appropriate permissions. |