The operator must document all file system objects that have non-standard access control list settings.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-216204 | SOL-11.1-070260 | SV-216204r959010_rule | CCI-000366 | medium |

Description: Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files.

| STIG | Date |
|---|---|
| Solaris 11 X86 Security Technical Implementation Guide | 2025-05-05 |
Details
Check Text (C-216204r959010_chk)
The root role is required.
Identify all file system objects that have non-standard access control lists enabled.
# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -acl -ls
This command should return no output. The -acl primary selects only objects whose ACL is non-trivial (one that cannot be expressed by the mode bits alone), and the -prune clause skips virtual, network and cache file systems so that only local persistent storage is examined. If any object is listed that is not documented as approved to carry an ACL by organizational security policy, this is a finding.
If files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required, and keep that list current so future checks can be reconciled against it.
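The check above produces raw find output, and any listed object has to be reconciled against the documented exceptions before it is called a finding. The following script is an added example, not part of the STIG or of Solaris, that wraps the check's find command and reports only those paths that do not appear in a locally maintained approved list. The approved-list path /etc/security/approved-acls.txt, the function names, and the sample paths used by the demo are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reconcile ACL'd file system objects against a documented
# approved list. Not part of the STIG. Requires the root role on Solaris 11.

# Hypothetical location of the organization's documented ACL exceptions:
# one absolute path per line (assumption, not defined by the STIG).
APPROVED_LIST=${APPROVED_LIST:-/etc/security/approved-acls.txt}

# The STIG check's find expression, with -print instead of -ls so the
# output is one path per line and can be compared exactly. The -acl
# primary is Solaris-specific; this function is not portable to Linux.
acl_objects() {
    find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
        -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
        -o -fstype proc \) -prune -o -acl -print 2>/dev/null
}

# Reads candidate paths on stdin and prints those that are not listed in
# the approved-list file given as $1. Matching is exact and whole-line
# (grep -x -F), so /etc/motd does not approve /etc/motd.bak.
# An empty or missing approved list means every candidate is unapproved.
unapproved_acls() {
    approved_file="$1"
    if [ -s "$approved_file" ]; then
        grep -v -x -F -f "$approved_file"
    else
        cat
    fi
}

# Full check: exit 1 (finding) if any undocumented ACL'd object exists.
run_check() {
    findings=$(acl_objects | unapproved_acls "$APPROVED_LIST")
    if [ -n "$findings" ]; then
        printf 'Undocumented ACLs (finding):\n%s\n' "$findings"
        return 1
    fi
    echo "No undocumented ACLs found."
    return 0
}

# Offline demo with constructed data: the paths below are made up and do
# not come from a real system or from the STIG.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' /export/home/app/shared /etc/motd > "$tmp"
    printf '%s\n' /export/home/app/shared /etc/passwd /etc/motd /usr/local/bin/deploy \
        | unapproved_acls "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    run)  run_check ;;
    demo) demo ;;
esac
```

Invoke as `sh acl-check.sh run` on the target host to perform the check, or `sh acl-check.sh demo` to see the reconciliation logic on the constructed sample, which reports /etc/passwd and /usr/local/bin/deploy as undocumented. The script deliberately does not remove anything; remediation is a separate step so that a stale approved list cannot cause a legitimately required ACL to be stripped.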
Fix Text (F-17440r372995_fix)
The root role is required.
Remove ACLs that are not approved in the security policy.
For ZFS file systems, remove all extended ACL entries with the following command (this strips the non-trivial entries and leaves the trivial owner/group/everyone entries derived from the mode bits):
# chmod A- [filename]
For UFS file systems:
Determine the ACLs that are set on a file:
# getfacl [filename]
Remove any ACL configurations that are set, giving the entry as reported by getfacl (for example user:jdoe:rwx or group:staff:r-x):
# setfacl -d [ACL] [filename]
Re-run the check command after remediation to confirm that only documented objects remain.