Check: ESX0390
VMware ESX 3 Server:
ESX0390
(in version v1 r2)
Title
The setuid and setgid flags have been disabled. (Cat II impact)
Discussion
During the ESX Server installation, several applications have the setuid and setgid flags set by default. These applications are initiated by or through the service console. Some of them provide facilities required for correct operation of the ESX Server host. Others are optional, but can make maintaining and troubleshooting the ESX Server and network easier. Disabling any of the required setgid or setuid applications will result in problems with ESX Server authentication and virtual machine operation; however, optional setgid or setuid applications may be disabled.
Check Content
All the following setuid applications should have the setuid bit configured so that normal users may run the application with raised privileges. To verify the setuid bit is set (s), perform the following on the ESX Server service console:

    # find /sbin /usr/bin /bin /usr/lib/vmware/bin \
      /usr/lib/vmware/bin-debug/ /usr/sbin -perm -4000
    pam_timestamp_check
    pwdb_chkpwd
    unix_chkpwd
    crontab
    passwd
    su
    vmkload_app
    vmware-vmx
    vmkload_app
    vmware-vmx
    vmware-authd

If the setuid bit is not set on these applications, this is a finding.

OR

    # find /sbin -perm -4000
    pam_timestamp_check
    pwdb_chkpwd
    unix_chkpwd

    # find /usr/bin -perm -4000
    crontab
    passwd

    # find /bin -perm -4000
    su

    # find /usr/lib/vmware/bin/ -perm -4000
    vmkload_app
    vmware-vmx

    # find /usr/lib/vmware/bin-debug/ -perm -4000
    vmkload_app
    vmware-vmx

    # find /usr/sbin/ -perm -4000
    vmware-authd

If the setuid bit is not set on these applications, this is a finding.
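The check above can be scripted. The following is an added example, not part of the STIG text: check_setuid reports each required application that is missing or lacks the setuid bit, and list_optional_setuid prints any other setuid files in the same directories so they can be reviewed against the optional applications mentioned in the Discussion. The function names and the ROOT prefix argument are assumptions, added so the functions can be run against a constructed directory tree as well as the live service console.

```shell
#!/bin/sh
# Required setuid applications, taken from the check content above.
REQUIRED_SETUID="
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/passwd
/bin/su
/usr/lib/vmware/bin/vmkload_app
/usr/lib/vmware/bin/vmware-vmx
/usr/lib/vmware/bin-debug/vmkload_app
/usr/lib/vmware/bin-debug/vmware-vmx
/usr/sbin/vmware-authd
"

# check_setuid [ROOT]: ROOT is a hypothetical prefix (empty = live filesystem).
# Prints one line per finding and returns 0 only when there are none.
check_setuid() {
    root="${1:-}"
    findings=0
    for app in $REQUIRED_SETUID; do
        if [ ! -e "$root$app" ]; then
            echo "FINDING: $app is missing"
            findings=$((findings + 1))
        elif [ ! -u "$root$app" ]; then   # -u is true when the setuid bit is set
            echo "FINDING: $app does not have the setuid bit set"
            findings=$((findings + 1))
        fi
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# list_optional_setuid [ROOT]: setuid files in the checked directories that
# are not on the required list, printed as paths relative to ROOT.
list_optional_setuid() {
    root="${1:-}"
    for dir in /sbin /usr/bin /bin /usr/lib/vmware/bin \
               /usr/lib/vmware/bin-debug /usr/sbin; do
        find "$root$dir" -type f -perm -4000 2>/dev/null || true
    done | while read -r file; do
        rel="${file#"$root"}"
        echo "$REQUIRED_SETUID" | grep -qxF "$rel" || echo "$rel"
    done
}
```

On the service console, run check_setuid and list_optional_setuid with no argument; a non-zero return from check_setuid corresponds to a finding for this check.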
Fix Text
Configure the setuid and setgid applications with the appropriate permissions.
Additional Identifiers
Rule ID: SV-16774r1_rule
Vulnerability ID: V-15835
Group Title: The setuid and setgid flags have been disabled.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |