STIGQter: STIG Summary: Solaris 10 X86 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The system's boot loader configuration file(s) must not have extended ACLs.

DISA Rule

SV-220127r603266_rule

Vulnerability Number

V-220127

Group Title

SRG-OS-000480

Rule Version

GEN008740

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

If the file with the extended ACL resides on a UFS filesystem:
# getfacl /boot/grub/menu.lst

Remove each ACE from the file.
# setfacl -r [ACE] /boot/grub/menu.lst

If the file with the extended ACL resides on a ZFS filesystem:
# chmod A- /pool-name/boot/grub/menu.lst

Check Contents

This check applies to the global zone only. Determine the type zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

On systems that have a ZFS root, the active menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset.

On systems that have a UFS root, the active menu.lst file is typically located at /boot/grub/menu.lst. To locate the active GRUB menu, use the bootadm command with the list-menu option:

# bootadm list-menu

Check the permissions of the menu.lst file.

Procedure:
# ls -lL /pool-name/boot/grub/menu.lst
or
# ls -lL /boot/grub/menu.lst

If the permissions of the menu.lst file contain "+", an extended ACL is present, and this is a finding.

The system's boot loader configuration file(s) must not have extended ACLs.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments