Title

Access to a logical domain console must be restricted to authorized users. (Cat II impact)

Discussion

A logical domain is a discrete, logical grouping with its own operating system, resources, and identity within a single computer system. Access to the logical domain console provides system-level access to the OBP of the domain.

Check Content

The root role is required. This action applies only to the control domain. Determine the domain that you are currently securing. # virtinfo Domain role: LDoms control I/O service root The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this check does not apply. Determine if the vntsd service is online. # pfexec svcs vntsd If the service is not "online", this is not applicable. Check the status of the vntsd authorization property. # svcprop -p vntsd/authorization vntsd If the state is not true, this is a finding.

Fix Text

The root role is required. This action applies only to the control domain. Determine the domain that you are currently securing. # virtinfo Domain role: LDoms control I/O service root The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain. If the current domain is not the control domain, this action does not apply. Configure the vntsd service to require authorization. # svccfg -s vntsd setprop vntsd/authorization = true The vntsd service must be restarted for the changes to take effect. # svcadm restart vntsd

Additional Identifiers

Rule ID: SV-216349r603267_rule

Vulnerability ID: V-216349

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.