OpenControls Logo

STIG Viewer

The nobody access for RPC encryption key storage service must be disabled.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-216350SOL-11.1-040320SV-216350r959010_ruleCCI-000366medium
Description
If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user.
STIGDate
Solaris 11 SPARC Security Technical Implementation Guide2025-05-05

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
CM-6
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
  • DISA · 3 · disa_xccdf · related

Details

Check Text (C-216350r959010_chk)

Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. Determine if "nobody" access for keyserv is enabled. # grep "^ENABLE_NOBODY_KEYS=" /etc/default/keyserv If the output of the command is not: ENABLE_NOBODY_KEYS=NO this is a finding.

Fix Text (F-17584r462488_fix)

Determine if the rpc-authdes package is installed: # pkg list solaris/legacy/security/rpc-authdes If the output of this command is: pkg list: no packages matching 'solaris/legacy/security/rpc-authdes' installed no further action is required. The root role is required. Modify the /etc/default/keyserv file. # pfedit /etc/default/keyserv Locate the line: #ENABLE_NOBODY_KEYS=YES Change it to: ENABLE_NOBODY_KEYS=NO