Verify that System Executables Have Root Ownership
An XCCDF Rule
Description
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
Rationale
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
- ID: xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Read list of system executables without root ownership
  # Plain scalar continued onto a second line; indented so YAML folds it into one command
  command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/
    /usr/libexec \! -user root
  register: no_root_system_executables
  changed_when: false
  failed_when: false

# Follow-up task (not in the extracted fragment) that applies the fix given in the
# Description, "chown root FILE", to each path the find above reported.
- name: Set ownership to root of system executables
  file:
    path: "{{ item }}"
    owner: root
  with_items: "{{ no_root_system_executables.stdout_lines }}"
Remediation - Shell Script
# Same directory list and "\! -user root" test as the Ansible task above; the
# -exec clause applies the "chown root FILE" fix from the Description to each match.
find /bin/ \
/usr/bin/ \
/usr/local/bin/ \
/sbin/ \
/usr/sbin/ \
/usr/local/sbin/ \
/usr/libexec \! -user root -exec chown root {} \;
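An audit-then-remediate version of the same check, added here as an example and not part of the SSG rule content, separates the "find offending paths" step from the "chown" step so an assessor can report findings without changing anything, and only an administrator running as root applies the fix. The function names (`list_not_owned_by_uid`, `audit_root_ownership`, `fix_root_ownership`) and the use of a numeric UID instead of a user name are choices made for this example; the directory list is the one the rule gives. Taking the directories as arguments lets the same functions be exercised on a scratch tree.

```shell
#!/bin/sh
# Directories named by the rule; used when no arguments are given.
RULE_DIRS="/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin"

# Print every path under the given directories (the directory itself included,
# as the rule's own find does) whose owner is not UID $1. Matching on a numeric
# UID rather than a name keeps find from aborting when the name is unknown.
list_not_owned_by_uid() {
    uid="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue            # skip directories absent on this host
        find "$d" ! -uid "$uid" -print 2>/dev/null || :
    done
}

# Number of paths list_not_owned_by_uid would report.
count_not_owned_by_uid() {
    list_not_owned_by_uid "$@" | wc -l | tr -d ' '
}

# Audit only: returns 0 when every path is owned by root (UID 0), 1 otherwise.
audit_root_ownership() {
    [ $# -gt 0 ] || set -- $RULE_DIRS
    n=$(count_not_owned_by_uid 0 "$@")
    if [ "$n" -eq 0 ]; then
        echo "PASS: all paths under $* are owned by root"
        return 0
    fi
    echo "FAIL: $n path(s) not owned by root:"
    list_not_owned_by_uid 0 "$@"
    return 1
}

# Remediate: apply "chown root FILE" to each offending path. Needs root.
fix_root_ownership() {
    [ $# -gt 0 ] || set -- $RULE_DIRS
    list_not_owned_by_uid 0 "$@" | while IFS= read -r f; do
        chown root "$f"
    done
}

# Usage: audit_root_ownership            (report only, exit 1 on findings)
#        fix_root_ownership && audit_root_ownership   (as root)
```

Running the audit before the fix, and again after, gives the before/after evidence a compliance report needs; `chown root` leaves the group untouched, so a separate group-ownership rule still applies.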