Check: SOL-11.1-100030
Solaris 11 SPARC STIG:
SOL-11.1-100030
(in versions v3 r2 through v1 r10)
Title
The system's physical devices must not be assigned to non-global zones. (Cat II impact)
Discussion
Solaris non-global zones can be assigned physical hardware devices. This increases the risk of such a non-global zone having the capability to compromise the global zone.
Check Content
This check applies to the global zone only. Determine the zone that you are currently securing:
# zonename
If the command output is "global", this check applies.
List the non-global zones on the system:
# zoneadm list -vi | grep -v global
List the configuration for each zone:
# zonecfg -z [zonename] info | grep dev
Check for device lines. If such a line exists and is not approved by security, this is a finding.
Fix Text
This check applies to the global zone only. Determine the zone that you are currently securing:
# zonename
If the command output is "global", this check applies.
The Zone Security profile is required. Remove all device assignments from the non-global zone:
# pfexec zonecfg -z [zone] delete device [device]
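The check above is a manual procedure. The script below is an added example (not part of the STIG text and not Oracle's or DISA's code) that automates the audit half of it: it walks every non-global zone from the global zone and reports each "device" resource. It assumes the Solaris 11 zonecfg "info" output format, where a device assignment appears as a top-level "device:" line followed by an indented "match: <path>" line; the sample zone configuration embedded in it is constructed, not captured from a real host. Parsing the device resource explicitly is tighter than the check's "grep dev", which also matches unrelated lines such as an fs resource whose "special:" path lives under /dev.

```shell
#!/bin/sh
# Audit helper for SOL-11.1-100030 (added example; assumes zonecfg "info" output
# uses "device:" resources with indented "match:" lines).

# Constructed sample of `zonecfg -z webzone info` for a zone that violates the check.
# Note the fs "special:" line under /dev, which a plain `grep dev` would also flag.
sample_zone_info() {
    printf 'zonename: webzone\nzonepath: /zones/webzone\nbrand: solaris\n'
    printf 'anet:\n\tlinkname: net0\n\tlower-link: auto\n'
    printf 'device:\n\tmatch: /dev/dsk/c0t1d0s0\n'
    printf 'fs:\n\tdir: /export/data\n\tspecial: /dev/dsk/c0t2d0s0\n\ttype: ufs\n'
}

# Constructed sample of a compliant zone: same layout, no device resource.
clean_zone_info() {
    printf 'zonename: appzone\nzonepath: /zones/appzone\nbrand: solaris\n'
    printf 'anet:\n\tlinkname: net0\n\tlower-link: auto\n'
    printf 'fs:\n\tdir: /export/data\n\tspecial: /dev/dsk/c0t2d0s0\n\ttype: ufs\n'
}

# Read zonecfg "info" text on stdin; print the match path of every device resource.
# Only "match:" lines that sit inside a "device:" block are reported.
device_matches() {
    awk '
        /^device:/        { in_dev = 1; next }   # start of a device resource
        /^[^ \t]/         { in_dev = 0 }         # any other top-level resource ends it
        in_dev && /match:/ { sub(/^[ \t]*match:[ \t]*/, ""); print }
    '
}

# Report findings for one zone (info text on stdin). Exit 1 if any device is assigned,
# so callers can accumulate an overall pass/fail.
report_devices() {
    zone=$1
    found=$(device_matches)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r m; do
        printf 'FINDING: zone %s has device assignment %s (verify approval)\n' "$zone" "$m"
    done
    return 1
}

# Live audit using the commands from the STIG check; meaningful only on a Solaris global zone.
audit_live() {
    if [ "$(zonename 2>/dev/null)" != global ]; then
        echo "not the global zone; check does not apply"
        return 0
    fi
    rc=0
    # `zoneadm list -vi` prints a header row; column 2 is the zone name.
    for z in $(zoneadm list -vi | awk 'NR > 1 && $2 != "global" { print $2 }'); do
        zonecfg -z "$z" info | report_devices "$z" || rc=1
    done
    return $rc
}

# Run the live audit when the zone tools exist; otherwise demonstrate on the constructed sample.
if command -v zonecfg >/dev/null 2>&1; then
    audit_live || true
else
    sample_zone_info | report_devices webzone || true
fi
```

On a real host run it from the global zone with a profile that can read zone configurations; any FINDING line then has to be compared against the security-approved device list before it is recorded as a failure.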
Additional Identifiers
Rule ID: SV-216476r959010_rule
Vulnerability ID: V-216476
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings