Verify that System Executables Have Restrictive Permissions
An XCCDF Rule
Description
System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
Rationale
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
- ID
- xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
for dirPath in $DIRS; do
find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
done
Remediation - Ansible
- name: Read list of world and group writable system executables
ansible.builtin.command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin
/usr/libexec -perm /022 -type f
register: world_writable_library_files
changed_when: false
failed_when: false