Title

The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures. (Cat II impact)

Discussion

All files with the setgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation, security problems can result if setgid is assigned to programs that allow reading and writing of files, or shell escapes.

Check Content

Locate all setgid files on the system. Procedure: # find / -perm -2000 If the ownership, permissions, location, and ACLs of all files with the setgid bit set are not documented, this is a finding.

Fix Text

All files with the setgid bit set will be documented in the system baseline and authorized by the Information Systems Security Officer. Locate all setgid files with the following command. find / -perm -2000 -exec ls -lLd {} \; Ensure setgid files are part of the operating system software, documented application software, documented utility software, or documented locally developed software. Ensure none are text files or shell programs.

Additional Identifiers

Rule ID: SV-226581r603265_rule

Vulnerability ID: V-226581

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.