Title

Access to a domain console via telnet must be restricted to the local host. (Cat II impact)

Discussion

Telnet is an insecure protocol.

Check Content

This action applies only to the control domain. Determine the domain that you are currently securing. # virtinfo Domain role: LDoms control I/O service root The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this check does not apply. Determine if vnsd is in use. # svcs vntsd STATE STIME FMRI online Oct_08 svc:/ldoms/vntsd:default If the state is not "online", this is not applicable. Determine if a role has been created for domain console access. # cat /etc/user_attr | grep solaris.vntsd.consoles rolename::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role If a role for "vntsd.consoles" is not established, this is a finding.

Fix Text

The root role is required. This action applies only to the control domain. Determine the domain that you are currently securing. # virtinfo Domain role: LDoms control I/O service root The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this action does not apply. Create a password-controlled role that has the solaris.vntsd.consoles authorization, which permits access to all domain consoles. # roleadd -A solaris.vntsd.consoles [role-name] # passwd [role-name] Assign the new role to a user. # usermod -R [role-name] [username]

Additional Identifiers

Rule ID: SV-216348r603267_rule

Vulnerability ID: V-216348

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.