Check: GEN001190
Solaris 10 SPARC STIG:
GEN001190
(in versions v2 r4 through v1 r19)
Title
All network services daemon files must not have extended ACLs. (Cat II impact)
Discussion
Restricting permission on daemons will protect them from unauthorized modification and possible system compromise.
Check Content
Verify network services daemon files have no extended ACLs.
# ls -la /usr/sbin
# ls -la /usr/bin
If the permissions include a "+", the file has an extended ACL and this is a finding.
NOTE: Network daemons not residing in these directories (such as httpd or sshd) must also be checked for the correct permissions. A way to locate network daemons, such as httpd and sshd, is with the ps command.
# ps -ef | egrep '(sshd|httpd)'
Fix Text
Remove the extended ACL from the file.
# chmod A- [file with extended ACL]
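The manual inspection in Check Content can be scripted by filtering `ls -la` output for a mode field that ends in "+". The following is an added example, not part of the STIG; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag entries in `ls -la` output whose mode field ends in "+".

# Reads `ls -la` output on stdin and prints the name of every entry that
# carries an extended ACL (a finding under GEN001190).
acl_findings() {
    awk '
        $1 == "total" { next }                      # skip the block-count header
        NF >= 9 && substr($1, length($1)) == "+" {  # last character of the mode field
            name = $9
            # Re-join names containing spaces (runs of spaces collapse to one).
            for (i = 10; i <= NF; i++) name = name " " $i
            print name
        }'
}

# Number of findings in a listing read from stdin; non-zero means the check fails.
count_findings() {
    acl_findings | wc -l | tr -d ' '
}

# Constructed sample listing (not real system output).
sample_listing() {
    cat <<'EOF'
total 4096
drwxr-xr-x   4 root     bin         8192 Jan 10  2020 .
-r-xr-xr-x   1 root     bin        52216 Jan 10  2020 in.ftpd
-r-xr-xr-x+  1 root     bin        88120 Jan 10  2020 in.telnetd
-rwxr-xr-x+  1 root     sys        41000 Mar  3 09:15 example daemon
-r-xr-xr-x   1 root     bin        30500 Jan 10  2020 inetd
EOF
}

sample_listing | acl_findings
```

On a live system, pipe the real listings in instead of the sample, for example `ls -la /usr/sbin | acl_findings`, and repeat for `/usr/bin` and any other directory holding the daemons located with `ps`.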
Additional Identifiers
Rule ID: SV-226488r603265_rule
Vulnerability ID: V-226488
Group Title: SRG-OS-000480
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |