Check: GEN001640
SUSE Linux Enterprise Server v11 for System z STIG:
GEN001640
(in versions v1 r12 through v1 r9)
Title
Run control scripts must not execute world-writable programs or scripts. (Cat I impact)
Discussion
World-writable files could be modified accidentally or maliciously to compromise system integrity.
Check Content
Check the permissions on the files or scripts executed from system startup scripts to see if they are world-writable.

Procedure:
# more <startup script>
# ls -lL <script or executable referenced by startup script>

Alternatively, obtain a list of all world-writable files on the system and check system startup scripts to determine if any are referenced.

Procedure:
# find / -perm -0002 -type f | grep -v '^/proc' > wwlist

If any system startup script executes any file or script that is world-writable, this is a finding.
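
The manual procedure above can be scripted. The following is an added example, not part of the STIG text: it assumes the run control directories are passed as arguments (for instance /etc/init.d) and treats every absolute path token on a non-comment line as a referenced program, which is a heuristic that misses paths built from variables or containing spaces.

```shell
#!/bin/sh
# Added example (not STIG text): report run control scripts that reference
# world-writable files. Function names and the path heuristic are assumptions.

# True if $1, resolved through symlinks as "ls -lL" does, is a regular file
# with the "other" write bit set.
is_world_writable() {
    [ -n "$(find -L "$1" -prune -type f -perm -0002 2>/dev/null)" ]
}

# Print the absolute paths mentioned in script $1, one per line.
# Comment lines are skipped; every character that cannot be part of a simple
# path becomes a separator, so "$DIR/x" or "a/b" never yields a false "/x".
referenced_paths() {
    grep -v '^[[:space:]]*#' "$1" |
        tr -cs 'A-Za-z0-9_./+-' '\n' |
        grep '^/' | sort -u
}

# audit_rc_scripts <rc-dir>...
# Prints one line per finding; returns 0 when clean, 1 when there is a finding.
audit_rc_scripts() {
    _findings=$(
        for dir in "$@"; do
            for script in "$dir"/*; do
                [ -f "$script" ] || continue
                referenced_paths "$script" | while IFS= read -r target; do
                    if is_world_writable "$target"; then
                        printf '%s: executes world-writable %s\n' \
                            "$script" "$target"
                    fi
                done
            done
        done
    )
    if [ -z "$_findings" ]; then
        return 0
    fi
    printf '%s\n' "$_findings"
    return 1
}

# Example invocation (directory is an assumption; adjust to the system):
#   audit_rc_scripts /etc/init.d
```

Each reported file still needs the manual review the check describes, since the heuristic also flags paths that a script only mentions without executing.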
Fix Text
Remove the world-writable permission from programs or scripts executed by run control scripts.

Procedure:
# chmod o-w <program or script executed from run control script>
Additional Identifiers
Rule ID: SV-45068r1_rule
Vulnerability ID: V-910
Group Title: GEN001640
CCIs
Number | Definition |
---|---|
CCI-000225 | The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
Number | Title |
---|---|
AC-6 | Least Privilege |