Check: GEN000000-SOL00620
Solaris 10 SPARC STIG:
GEN000000-SOL00620
(in versions v2 r4 through v1 r19)
Title
The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones. (Cat II impact)
Discussion
Solaris zones have the capability to inherit elements of the global zone's filesystem. This reduces the amount of storage required for a zone, but it also limits the flexibility of the zone. The inherit-pkg-dir option defines which global-zone paths are shared read-only into the non-global zone. If set incorrectly, private information from the global zone could be made available to the non-global zone. This option must be set to none (for a whole-root non-global zone), the vendor-specified list of paths for sparse-root non-global zones (/lib, /platform, /sbin, /usr), or a list specified by the SA for operational reasons that has been justified and documented with the IAO.
Check Content
If the system is not a global zone, this vulnerability is not applicable.

List the non-global zones on the system:
# zoneadm list -vi

List the configuration for each zone:
# zonecfg -z <zone> info

Check the inherit-pkg-dir lines. If no such lines exist (a whole-root zone), this is not a finding. If the lines contain only the directories defined for sparse root zones (/lib, /platform, /sbin, /usr), this is not a finding. Otherwise, this is a finding.
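The following is an added example, not part of the STIG text: a small POSIX sh audit that parses the output of zonecfg -z <zone> info and flags any inherit-pkg-dir resource whose dir is outside the sparse-root default set. The function names (check_inherit_dirs, audit_live) and the embedded sample configurations are constructed for illustration; only the zoneadm/zonecfg commands and their output layout are taken from the check above.

```shell
#!/bin/sh
# Added example (not STIG text): audit inherit-pkg-dir resources for
# GEN000000-SOL00620. Allowed set is the sparse-root default list.

# check_inherit_dirs ZONE
#   Reads "zonecfg -z ZONE info" output on stdin. Prints one FINDING line
#   per inherited directory that is not /lib, /platform, /sbin or /usr.
#   Returns 0 when the zone is compliant, 1 when it is a finding.
check_inherit_dirs() {
    zone=$1
    rc=0
    # zonecfg prints each resource as a header line followed by its
    # properties, e.g.
    #   inherit-pkg-dir:
    #           dir: /lib
    # so take the "dir:" property that follows an inherit-pkg-dir header.
    dirs=$(awk '/^inherit-pkg-dir:/ { want = 1; next }
                want && /^[ \t]*dir:/ { print $2; want = 0 }')
    for d in $dirs; do
        case "$d" in
            /lib|/platform|/sbin|/usr) ;;   # vendor sparse-root list
            *) echo "FINDING: zone $zone inherits $d from the global zone"
               rc=1 ;;
        esac
    done
    return $rc
}

# audit_live: run the check against every non-global zone on a real
# Solaris 10 global zone (hypothetical wrapper, needs zoneadm/zonecfg).
# "zoneadm list -vi" prints a header row, then ID NAME STATUS PATH ...
audit_live() {
    zoneadm list -vi | awk 'NR > 1 && $2 != "global" { print $2 }' |
    while read -r z; do
        zonecfg -z "$z" info | check_inherit_dirs "$z"
    done
}

# Constructed sample configurations in zonecfg info layout (not captured
# from a real system). The first is a standard sparse-root zone; the
# second additionally inherits /etc, which would expose global-zone
# configuration files and is a finding.
SAMPLE_SPARSE='zonename: app1
zonepath: /zones/app1
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr'

SAMPLE_BAD='zonename: app2
zonepath: /zones/app2
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /etc
inherit-pkg-dir:
        dir: /usr'

# Run the two samples through the check when executed directly.
printf '%s\n' "$SAMPLE_SPARSE" | check_inherit_dirs app1 && echo "app1: not a finding"
printf '%s\n' "$SAMPLE_BAD" | check_inherit_dirs app2 || echo "app2: finding"
```

The parser keys on the resource header rather than on the word dir alone, because other resources (fs, for example) also carry a dir property and must not be counted. Directories outside the default set are only acceptable when the SA has documented the justification with the IAO, which the script cannot verify, so it reports them as findings for review.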
Fix Text
Remove the inherit-pkg-dir resources, or only those whose directory is not in the sparse root default list. In zonecfg the resource is selected by its dir property:
# zonecfg -z <zone> remove inherit-pkg-dir dir=<somedir>
Additional Identifiers
Rule ID: SV-226427r603265_rule
Vulnerability ID: V-226427
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings