Check: GEN003380
SUSE Linux Enterprise Server v11 for System z STIG:
GEN003380
(in versions v1 r12 through v1 r9)
Title
The at daemon must not execute programs in, or subordinate to, world-writable directories. (Cat II impact)
Discussion
If "at" programs are located in, or subordinate, to world-writable directories, they become vulnerable to removal and replacement by malicious users or system intruders.
Check Content
List any "at" jobs on the system. Procedure: # ls /var/spool/at /var/spool/atjobs For each "at" job, determine which programs are executed by "at." Procedure: # more <at job file> Check the directory containing each program executed by "at" for world-writable permissions. Procedure: # ls -la <at program file directory> If "at" executes programs in world-writable directories, this is a finding.
Fix Text
Remove the world-writable permission from directories containing programs executed by "at". Procedure: # chmod o-w <at program directory>
Additional Identifiers
Rule ID: SV-45669r1_rule
Vulnerability ID: V-989
Group Title: GEN003380
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000225 |
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned organizational tasks. |
Controls
| Number | Title |
|---|---|
| AC-6 |
Least Privilege |