5.3 Special Permissions Management - suid, sgid, acl, and trusted-bit files and programs

Information

The system is audited for both suid and sgid files and programs.

Rationale:

An audit should be performed on the system to search for the presence of both suid and sgid files and programs. In order to prevent these files from being potentially exploited the suid and sgid permissions should be removed wherever possible.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Review the currently mounted filesystems:

mount

Un-mount all non-local filesystems and cdrom media:

unmount <mount point>

If there are non-local filesystems which cannot be un-mounted, use the following to find all suid and sgid files on local JFS/JFS2 filesystems only:

find / ( -fstype jfs -o -fstype jfs2 ) ( -perm -04000 -o -perm -02000 ) -type f -ls

If all non-local filesystems have been un-mounted:

find / ( -perm -04000 -o -perm -02000 ) -type f -ls

Review the files and where possible, use the chmod command to remove the appropriate suid or sgid bits:

chmod u-s <file>
chmod g-s <file>

Default Value:

N/A

Additional Information:

Reversion:

Use the chmod command to re-instate the suid and sgid bits to the relevant files:

chmod u+s <file>

chmod g+s <file>

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: c847eba123b025a2ba3c757884e41b82711b465fecdd10fc2b11b232340c9b70