STIGQter: STIG Summary: Solaris 10 X86 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct.

DISA Rule

SV-227540r603266_rule

Vulnerability Number

V-227540

Group Title

SRG-OS-000016

Rule Version

GEN000000-SOL00180

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-000032 - The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Weight

10

Fix Recommendation

Restore the ASET configuration to vendor default and only modify the portions of the configuration designated as customizable.

Check Contents

Determine if ASET is being used.
# crontab -l | grep aset

Check the configuration of ASET.
# more /usr/aset/asetenv

OR

Check that asetenv has not been modified since installation.
# pkgchk SUNWast

If there are any changes below the following two lines that are not comments, this is a finding.

# Don't change from here on down ... #
# there shouldn't be any reason to. #

In addition, if any of the following lines do not match, this is a finding.

TASKS="firewall env sysconf usrgrp tune cklist eeprom"
CKLISTPATH_LOW=${ASETDIR}/tasks:#${ASETDIR} \
/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin: \
/usr/sbin:/usr/ucblib
YPCHECK=false
PERIODIC_SCHEDULE="0 0 * * *"
UID_ALIASES=${ASETDIR}/masters/uid_aliases

(The default asetenv file can be found on the Solaris installation media.)

Vulnerability Number

V-227540

Documentable

False

Rule Version

GEN000000-SOL00180

Severity Override Guidance

Determine if ASET is being used.
# crontab -l | grep aset

Check the configuration of ASET.
# more /usr/aset/asetenv

OR

Check that asetenv has not been modified since installation.
# pkgchk SUNWast

If there are any changes below the following two lines that are not comments, this is a finding.

# Don't change from here on down ... #
# there shouldn't be any reason to. #

In addition, if any of the following lines do not match, this is a finding.

TASKS="firewall env sysconf usrgrp tune cklist eeprom"
CKLISTPATH_LOW=${ASETDIR}/tasks:#${ASETDIR} \
/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin: \
/usr/sbin:/usr/ucblib
YPCHECK=false
PERIODIC_SCHEDULE="0 0 * * *"
UID_ALIASES=${ASETDIR}/masters/uid_aliases

(The default asetenv file can be found on the Solaris installation media.)

Check Content Reference

M

Target Key

4061

Comments