Title

System start-up files must only execute programs owned by a privileged UID or an application. (Cat II impact)

Discussion

System start-up files executing programs owned by other than root (or another privileged user) or an application indicating the system may have been compromised.

Check Content

Determine the programs executed by system start-up files. Determine the ownership of the executed programs. # cat /etc/rc*/* /etc/init.d/* | more # ls -l <executed program> Alternatively: # for FILE in `egrep -r "/" /etc/rc.* /etc/init.d|awk '/^.*[^\/][0-9A-Za-z_\/]*/{print $2}'|egrep "^/"|sort|uniq`;do if [ -e $FILE ]; then stat -L -c '%U:%n' $FILE;fi;done This provides a list of files referenced by initialization scripts and their associated UIDs. If any file is run by an initialization file and is not owned by root, sys, bin, or in rare cases, an application account, this is a finding.

Fix Text

Change the ownership of the file executed from system startup scripts to root, bin, sys, or other. # chown root <executed file>

Additional Identifiers

Rule ID: SV-45092r1_rule

Vulnerability ID: V-4091

Group Title: GEN001700

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.