Skip to content

Verify that System Executables Have Root Ownership

An XCCDF Rule

Description

System executables are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE

Rationale

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

ID
xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Severity
Medium
References
Updated



Remediation - Ansible

- name: Read list of system executables without root ownership
  command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/
    /usr/libexec \! -user root
  register: no_root_system_executables
  changed_when: false
  failed_when: false

Remediation - Shell Script

find /bin/ \
/usr/bin/ \
/usr/local/bin/ \
/sbin/ \
/usr/sbin/ \
/usr/local/sbin/ \