Check: GEN002440
SUSE Linux Enterprise Server v11 for System z STIG:
GEN002440
(in versions v1 r12 through v1 r9)
Title
The owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures. (Cat II impact)
Discussion
All files with the setgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation, security problems can result if setgid is assigned to programs allowing reading and writing of files, or shell escapes.
Check Content
List all setgid files on the system. Procedure: # find / -perm -2000 -exec ls -l {} \; | more Note: Executing these commands may result in large listings of files; the output may be redirected to a file for easier analysis. Ask the SA or IAO if files with the sgid bit set have been documented. If any undocumented file has its sgid bit set, this is a finding.
Fix Text
Document the files with the sgid bit set or unset the sgid bit on the executable.
Additional Identifiers
Rule ID: SV-45192r1_rule
Vulnerability ID: V-802
Group Title: GEN002440
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000368 |
The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |