The root user must not own the logon session for an application requiring a continuous display.

From SOLARIS 10 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE

Part of GEN000520

Associated with IA controls: PESL-1

Associated with: CCI-000225

SV-769r2_rule The root user must not own the logon session for an application requiring a continuous display.

Vulnerability discussion

If an application is providing a continuous display and is running with root privileges, unauthorized users could interrupt the process and gain root access to the system.

Check content

If there is an application running on the system continuously in use (such as a network monitoring application), ask the SA what the name of the application is. Execute the following to determine which user owns the process(es) associated with the application. If the owner is root, this is a finding. # ps -ef | more

Fix text

Configure the system so the owner of a session requiring a continuous screen display, such as a network management display, is not root. Ensure the display is also located in a secure, controlled access area. Document and justify this requirement. Ensure the terminal and keyboard for the display (or workstation) are secure from all but authorized personnel by maintaining them in a secure area, in a locked cabinet where a swipe card, or other positive forms of identification, must be used to gain entry.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer