STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-216130r603268_rule
V-216130
SRG-OS-000027
SOL-11.1-040500
CAT III
10
Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.
The Project Management profile is required.
For each user requiring concurrent session restrictions, add the user to the special user.[username] project where [username] is the user's account username where [MAX] is equal to the organizational requirement.
# pfexec projadd -K 'project.max-tasks=(privileged,[MAX],deny)' user.[username]
Determine the project membership for the user.
# projects [username]
If the user is a member of any projects other than default, group.[groupname], or user.[username], remove that project from the user's account.
The root role is required.
# pfedit /etc/user_attr
Locate the line containing the user's username. Remove any project=[projectname] entries from the fifth field.
# pfedit /etc/project
Locate the line containing the user's username in a project other than default, group.[groupname], or user.[username], and remove the user from the project's entry or entries from the fourth field.
Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.
For each user requiring concurrent session restrictions, determine if that user is in the user.[username] project where [username] is the user's account username.
# projects [username] | grep user
If the output does not include the project user.[username], this is a finding.
Determine the project membership for the user.
# projects [username]
If the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding.
Determine whether the max-tasks resource control is enabled properly.
# projects -l user.[username] | grep attribs
If the output does not include the text:
attribs: project.max-tasks=(privileged,[MAX],deny)
where [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.
V-216130
False
SOL-11.1-040500
Identify the organizational requirements for maximum number of sessions and which users must be restricted. If there are no requirements to limit concurrent sessions, this item does not apply.
For each user requiring concurrent session restrictions, determine if that user is in the user.[username] project where [username] is the user's account username.
# projects [username] | grep user
If the output does not include the project user.[username], this is a finding.
Determine the project membership for the user.
# projects [username]
If the user is a member of any project other than default, group.[groupname], or user.[username], this is a finding.
Determine whether the max-tasks resource control is enabled properly.
# projects -l user.[username] | grep attribs
If the output does not include the text:
attribs: project.max-tasks=(privileged,[MAX],deny)
where [MAX] is the organization-defined maximum number of concurrent sessions, this is a finding.
M
4021