Title

All valid SUID/SGID files must be documented. (Cat III impact)

Discussion

There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate.

Check Content

The root role is required. # find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \ -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \ -o -fstype proc \) -prune -o -type f -perm -4000 -o \ -perm -2000 -print Output should only be Solaris-provided files and approved customer files. Solaris-provided SUID/SGID files can be listed using the command: # pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example: # elfsign verify -e /usr/bin/su elfsign: verification of /usr/bin/su passed. This message indicates that the binary is properly signed. If non-vendor provided or non-approved files are included in the list, this is a finding.

Fix Text

The root role is required. Determine the existence of any set-UID programs that do not belong on the system, and work with the owners (or system administrator) to determine the best course of action in accordance with site policy.

Additional Identifiers

Rule ID: SV-216198r603268_rule

Vulnerability ID: V-216198

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.