3.7 Ensure there are no 'staff' writable files - exceptions must be in TSD and audit

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The system is audited for group staff writable files.

Rationale:

An audit should be performed on the system to search for files that can be modified by members of the group staff. As staff is the default group for user accounts any file that is writable via group staff is comparable to being writable by other aka world writable.

In a case - where this permission is required - the recommendation is to create a new group and appoint a group administrator.

The goal is no group staff writable files.

Solution

Review the currently mounted local filesystems using the following to find all world writable files on local JFS/JFS2 filesystems only:

find / ( -fstype jfs -o -fstype jfs2 ) -type f -perm -g+w -group staff -ls

Remedy any files in the list, e.g., chmod o-w {filename}

Document any files, and motivate why they are world writeable, and also add documentation re: when/why this exception ceases.

Default Value:

N/A

Additional Information:

The audit procedure does not verify remote file systems (e.g., NFS). The expectation is that these are being audited on the file (e.g., NFS) server - rather than on all clients.

See Also

https://workbench.cisecurity.org/benchmarks/7851