Title

All system command files must have mode 0755 or less permissive. (Cat II impact)

Discussion

Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.

Check Content

Open a terminal session and enter the following command to verify command file permissions. find /bin /sbin /usr/bin /usr/sbin -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all group or world-writable files. If any file listed is world or group-writable (either or both of the two lowest order digits contain a "2", "3", "6", or "7"), this is a finding.

Fix Text

Open a terminal session and enter the following command to change the mode for system command files to remove group and world write permissions. # chmod go-w <path/filename>

Additional Identifiers

Rule ID: SV-37987r2_rule

Vulnerability ID: V-794

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.