Check: GEN002420
Solaris 10 SPARC STIG:
GEN002420
(in versions v2 r4 through v1 r19)
Title
Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option. (Cat II impact)
Discussion
The "nosuid" mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system that does not contain approved setuid files. Executing setuid files from untrusted file systems, or file systems that do not contain approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check Content
Check /etc/vfstab and verify the "nosuid" mount option is used on any user filesystem (such as /export/home) or filesystems mounted from removable media or network shares. # cat /etc/vfstab Check zfs filesystems for setuid mounts. #zfs get setuid
Fix Text
Use the following procedure for UFS filesystems. Edit /etc/vfstab and add the "nosuid" mount option to any user filesystem (such as /export/home) or filesystems mounted from removable media or network shares. Use the following procedure for ZFS filesystems. # zfs setuid = off < file system >
Additional Identifiers
Rule ID: SV-220036r854394_rule
Vulnerability ID: V-220036
Group Title: SRG-OS-000368
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001764 |
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
Controls
Number | Title |
---|---|
CM-7 (2) |
Prevent Program Execution |