STIGQter STIGQter: STIG Summary: Solaris 11 SPARC Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.

DISA Rule

SV-216366r603267_rule

Vulnerability Number

V-216366

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-040490

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root Role is required.

Remove net_access privilege from users who may be accessing the systems externally.

1. Create an RBAC Profile with net_access restriction

# profiles -p RestrictOutbound
profiles:RestrictOutbound> set desc="Restrict Outbound Connections"
profiles:RestrictOutbound> set limitpriv=zone,!net_access
profiles:RestrictOutbound> exit


2. Assign the RBAC Profile to a user

# usermod -P +RestrictOutbound [username]

This prevents the user from initiating any outbound network connections.

Check Contents

Determine if the "RestrictOutbound" profile is configured properly:

# profiles -p RestrictOutbound info

If the output is not:
name=RestrictOutbound
desc=Restrict Outbound Connections
limitpriv=zone,!net_access

this is a finding.


For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile.

# profiles -l [username]

If the output does not include:

[username]:
RestrictOutbound

this is a finding.

Vulnerability Number

V-216366

Documentable

False

Rule Version

SOL-11.1-040490

Severity Override Guidance

Determine if the "RestrictOutbound" profile is configured properly:

# profiles -p RestrictOutbound info

If the output is not:
name=RestrictOutbound
desc=Restrict Outbound Connections
limitpriv=zone,!net_access

this is a finding.


For users who are not allowed external network access, determine if a user is configured with the "RestrictOutbound" profile.

# profiles -l [username]

If the output does not include:

[username]:
RestrictOutbound

this is a finding.

Check Content Reference

M

Target Key

4022

Comments