Verify that system commands are protected from unauthorized access

An XCCDF Rule

Description

System commands are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:

$ sudo chmod 755 FILE

Rationale

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

ID: xccdf_org.ssgproject.content_rule_file_permissions_system_commands_dirs
Severity: Medium
References: CCI-001499

CM-5(6) CM-5(6).1

SRG-OS-000259-GPOS-00100

SLES-15-010357

SV-234840r622137_rule

CCE-85738-3
Updated: about 1 year ago

- name: Retrieve the system command files and protect them from unautorized access
  command: find -L {{ item }} -perm /022 -type f -exec chmod go-w '{}' \;
  with_items:
  - /bin
  - /sbin
  - /usr/bin  - /usr/sbin
  - /usr/local/bin
  - /usr/local/sbin
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - CCE-85738-3
  - DISA-STIG-SLES-15-010357
  - NIST-800-53-CM-5(6)
  - NIST-800-53-CM-5(6).1
  - file_permissions_system_commands_dirs
  - medium_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy


DIRS="/bin /sbin /usr/bin usr/sbin /usr/local/bin /usr/local/sbin"
for dirPath in $DIRS; do
	find -L "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
done

Verify that system commands are protected from unauthorized access

Description

Rationale

Remediation - Ansible

Remediation - Shell Script