Access to a domain console via telnet must be restricted to the local host.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-216348 | SOL-11.1-040315 | SV-216348r959010_rule | CCI-000366 | medium |
Description: Telnet is an insecure protocol.
| STIG | Date |
| Solaris 11 SPARC Security Technical Implementation Guide | 2025-05-05 |
Details
Check Text (C-216348r959010_chk)
This action applies only to the control domain.
Determine the domain that you are currently securing.
# virtinfo
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.
If the current domain is not the control domain, this check does not apply.
Determine if vntsd is in use.
# svcs vntsd
STATE STIME FMRI
online Oct_08 svc:/ldoms/vntsd:default
If the state is not "online", this is not applicable.
Determine if a role has been created for domain console access.
# cat /etc/user_attr | grep solaris.vntsd.consoles
rolename::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role
If a role for "vntsd.consoles" is not established, this is a finding.
Fix Text (F-17582r371133_fix)
The root role is required. This action applies only to the control domain.
Determine the domain that you are currently securing.
# virtinfo
Domain role: LDoms control I/O service root
The current domain is the control domain, which is also an I/O domain, the service domain, and a root I/O domain.
If the current domain is not the control domain, this action does not apply.
Create a password-controlled role that has the solaris.vntsd.consoles authorization, which permits access to all domain consoles.
# roleadd -A solaris.vntsd.consoles [role-name]
# passwd [role-name]
Assign the new role to a user.
# usermod -R [role-name] [username]
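A field-aware version of the user_attr check above, as an added example that is not part of the STIG text. A plain grep also matches comment lines and normal users who hold the authorization directly, so this parses the attribute field and reports only role entries, plus the users assigned to them. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and sample entries are constructed.
AUTH="solaris.vntsd.consoles"

# Print entries that are roles (type=role) and list $AUTH in auths=.
# Exact names only: wildcards and profile-granted auths are not resolved.
console_roles() {
    awk -F: -v auth="$AUTH" '
        /^[ \t]*#/ || NF < 5 { next }
        {
            isrole = 0; hasauth = 0
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] == "type=role") isrole = 1
                if (index(kv[i], "auths=") == 1) {
                    m = split(substr(kv[i], 7), a, ",")
                    for (j = 1; j <= m; j++) if (a[j] == auth) hasauth = 1
                }
            }
            if (isrole && hasauth) print $1
        }' "$1"
}

# Print users whose roles= list contains the role named in $2.
role_members() {
    awk -F: -v role="$2" '
        /^[ \t]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (index(kv[i], "roles=") == 1) {
                m = split(substr(kv[i], 7), r, ",")
                for (j = 1; j <= m; j++) if (r[j] == role) print $1
            }
        }' "$1"
}

# Constructed sample in user_attr format (not taken from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# solaris.vntsd.consoles is only mentioned in this comment
ldmcons::::type=role;auths=solaris.vntsd.consoles;profiles=All;roleauth=role
alice::::type=normal;roles=ldmcons
bob::::type=normal;auths=solaris.vntsd.consoles
EOF

for r in $(console_roles "$SAMPLE"); do
    echo "role $r: members $(role_members "$SAMPLE" "$r" | tr '\n' ' ')"
done
```

On the control domain, pass /etc/user_attr instead of the sample file; empty output from console_roles corresponds to the finding condition in the check text.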