DISA STIGS Viewer

The operator must document all file system objects that have non-standard access control list settings.

Overview

Finding ID: V-216204
Version: SOL-11.1-070260
Rule ID: SV-216204r959010_rule
IA Controls: (none listed)
Severity: Medium
Description
Access Control Lists allow an object owner to expand permissions on an object to specific users and groups in addition to the standard permission model. Non-standard Access Control List settings can allow unauthorized users to modify critical files.
STIG: Solaris 11 X86 Security Technical Implementation Guide
Date: 2025-05-05

Details

Check Text (C-17442r372994_chk)
The root role is required.

Identify all file system objects that have non-standard access control lists enabled.

# find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
-o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
-o -fstype proc \) -prune -o -acl -ls

This command should return no output. If output is created, this is a finding.

If the files are approved to have ACLs by organizational security policy, document the files and the reason that ACLs are required.
Fix Text (F-17440r372995_fix)
The root role is required.

Remove ACLs that are not approved in the security policy.

For ZFS file systems, remove all extended ACLs with the following command:

# chmod A- [filename]

For UFS file systems:

Determine the ACLs that are set on a file:

# getfacl [filename]

Remove any ACL configurations that are set:

# setfacl -d [ACL] [filename]
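The check text above asks for every ACL-bearing object to be either removed or documented, but it leaves the comparison against the organization's approval list as a manual step. The following script is an added example, not part of the STIG or of DISA's tooling: it runs the STIG's own find command with -print instead of -ls (so the output is one path per line), compares the result against an assumed approval file in "path<TAB>reason" format, reports anything undocumented as a finding, and offers a ZFS remediation helper built on the chmod A- command from the fix text. The approval-file format, the function names and the sample paths are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of the STIG text): mechanize the V-216204 check.
# Compares objects that carry non-standard ACLs against an organization-
# maintained approval list and reports undocumented ones as findings.
#
# Assumed approval-list format: one "path<TAB>reason" per line, '#' comments.

# The STIG's find command, with -print in place of -ls so that the output is
# one path per line and can be compared mechanically. Solaris only; needs root.
acl_objects() {
    find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs \
        -o -fstype ctfs -o -fstype mntfs -o -fstype objfs \
        -o -fstype proc \) -prune -o -acl -print
}

# unapproved_acls FOUND_FILE APPROVED_FILE
# Prints every path in FOUND_FILE that has no entry in APPROVED_FILE.
# Returns 0 when everything is documented, 1 when there is a finding.
unapproved_acls() {
    found=$1
    approved=$2
    awk -F '\t' '
        BEGIN { bad = 0 }
        # First file: remember each approved path (column 1), skip comments.
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) ok[$1] = 1; next }
        # Second file: any path not in the approval list is a finding.
        !($0 in ok) { print; bad = 1 }
        END { exit bad }
    ' "$approved" "$found"
}

# check_host APPROVED_FILE
# Full check on a live Solaris host: collect ACL objects, then compare.
check_host() {
    tmp=${TMPDIR:-/tmp}/acl-check.$$
    acl_objects > "$tmp"
    unapproved_acls "$tmp" "$1"
    status=$?
    rm -f "$tmp"
    return $status
}

# remove_unapproved_zfs_acls FOUND_FILE APPROVED_FILE
# Remediation for ZFS objects using the fix text's "chmod A- [filename]":
# strips all extended ACLs from every undocumented path. Solaris only;
# review the list printed by unapproved_acls before running this.
remove_unapproved_zfs_acls() {
    unapproved_acls "$1" "$2" | while IFS= read -r path; do
        chmod A- "$path"
    done
}

# Constructed sample data so the comparison can be exercised stand-alone;
# the paths and the ticket reference are placeholders, not real findings.
demo() {
    tmp=${TMPDIR:-/tmp}/acl-demo.$$
    mkdir -p "$tmp"
    printf '%s\n' /export/home/app/shared /var/app/spool > "$tmp/found"
    printf '/export/home/app/shared\tshared build tree, approval ticket PLACEHOLDER-ID\n' \
        > "$tmp/approved"
    unapproved_acls "$tmp/found" "$tmp/approved"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || echo "FINDING: the objects above carry ACLs not recorded in the approval list"
```

On a real host, run check_host with the path to the approval file; an exit status of 1 together with the printed paths is the finding the STIG describes, and a clean run produces no output, matching the "should return no output" expectation of the check text. The UFS remediation (getfacl followed by setfacl -d) is left manual because the entries to delete depend on what getfacl reports for each file.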