Title

System start-up files must only execute programs owned by a privileged UID or an application. (Cat II impact)

Discussion

System start-up files executing programs owned by other than root (or another privileged user) or an application indicates the system may have been compromised.

Check Content

Determine the programs executed by system start-up files. Determine the ownership of the executed programs. # cat /etc/rc* /etc/init.d/* | more Check the ownership of every program executed by the system start-up files. # ls -l <executed program> If any executed program is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.

Fix Text

Change the ownership of the file executed from system startup scripts to root, bin, or sys. # chown root <executed file>

Additional Identifiers

Rule ID: SV-226544r603265_rule

Vulnerability ID: V-226544

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.