6.1.2 Create baseline of executables that require a specific group for elevation to a different EUID (not scored)

Information

Access control can be managed by a judicious arrangement of file system DAC permissions. Legacy AIX role-based management relies on a careful two-step assignment: execute permission is withheld from 'Other', so that membership of a specific group is required to run the program, and the set-UID bit then supplies the EUID for the remaining privilege requirement - where the object owner (or super-user access) is able to access any resources needed to complete a task or function.

Rationale:

The baseline provides a reference point that can be used to verify system integrity - at that point the file system DAC permissions are 'as installed' by the OEM.

Should you make local changes to the OEM settings, be sure to create a second list to verify the desired settings (and perhaps verify a specific delta against the OEM baseline).

Impact:

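An example (the command lists non-empty, set-UID regular files on JFS2 file systems that are not executable by 'other'; the output columns are group, owner, mode and path):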

# find / -fstype jfs2 -type f ! -size 0 ! -perm -o+x -perm -u+s -ls | awk '{ print $6, $5, $3, $11 }' | sort

adm root -r-sr-s--- /usr/bin/acctctl

adm root -r-sr-s--- /usr/bin/acctras

adm root -r-sr-x--- /sbin/helpers/jfs2/diskusg

adm root -r-sr-x--- /usr/lib/sa/sadc

adm root -r-sr-x--- /usr/lpp/bos/inst_root/sbin/helpers/jfs2/diskusg

adm root -r-sr-x--- /usr/sbin/acct/accton

adm root -r-sr-x--- /usr/sbin/diskusg

adm root -r-sr-xr-- /usr/sbin/perf/diag_tool/getschedparms

adm root -r-sr-xr-- /usr/sbin/perf/diag_tool/getvmparms

audit root -r-sr-x--- /usr/sbin/audit

audit root -r-sr-x--- /usr/sbin/auditbin

audit root -r-sr-x--- /usr/sbin/auditcat

audit root -r-sr-x--- /usr/sbin/auditconv

audit root -r-sr-x--- /usr/sbin/auditmerge

audit root -r-sr-x--- /usr/sbin/auditpr

audit root -r-sr-x--- /usr/sbin/auditselect

audit root -r-sr-x--- /usr/sbin/auditstream

audit root -r-sr-x--- /usr/sbin/watch

cron root -r-s--S--- /usr/sbin/cron

printq root -r-sr-s--- /usr/bin/chque

printq root -r-sr-s--- /usr/bin/chquedev

printq root -r-sr-s--- /usr/bin/mkque

printq root -r-sr-s--- /usr/bin/mkquedev

printq root -r-sr-s--- /usr/bin/rmque

printq root -r-sr-s--- /usr/bin/rmquedev

printq root -r-sr-s--- /usr/sbin/lpd

printq root -r-sr-s--- /usr/sbin/qdaemon

printq root -r-sr-x--- /usr/lib/lpd/digest

printq root -r-sr-x--- /usr/lib/lpd/pio/etc/piomkpq

printq root -r-sr-x--- /usr/lib/lpd/rembak

security root -r-sr-x--- /usr/bin/chgroup

security root -r-sr-x--- /usr/bin/chrole

security root -r-sr-x--- /usr/bin/chsec

security root -r-sr-x--- /usr/bin/chuser

security root -r-sr-x--- /usr/bin/lssec

security root -r-sr-x--- /usr/bin/mkgroup

security root -r-sr-x--- /usr/bin/mkrole

security root -r-sr-x--- /usr/bin/mkuser

security root -r-sr-x--- /usr/bin/pwdck

security root -r-sr-x--- /usr/bin/sysck

security root -r-sr-x--- /usr/bin/tcbck

security root -r-sr-x--- /usr/bin/usrck

security root -r-sr-x--- /usr/sbin/chtcb

security root -r-sr-x--- /usr/sbin/grpck

security root -r-sr-x--- /usr/sbin/mkpasswd

security root -r-sr-x--- /usr/sbin/rmgroup

security root -r-sr-x--- /usr/sbin/rmrole

security root -r-sr-x--- /usr/sbin/rmuser

shutdown root -r-sr-x--- /usr/sbin/exec_shutdown

shutdown root -r-sr-x--- /usr/sbin/fastboot

shutdown root -r-sr-x--- /usr/sbin/reboot

snapp root -r-sr-x--- /usr/sbin/snappd

system root -r-sr-s--- /usr/lib/semutil

system root -r-sr-s--- /usr/sbin/srcd

system root -r-sr-s--- /usr/sbin/srcmstr

system root -r-sr-x--- /usr/bin/filemon

system root -r-sr-x--- /usr/bin/fileplace

system root -r-sr-x--- /usr/bin/fileplacej2

system root -r-sr-x--- /usr/bin/netpmon

system root -r-sr-x--- /usr/lpp/diagnostics/bin/Dctrl

system root -r-sr-x--- /usr/lpp/diagnostics/bin/diagTasksWebSM

system root -r-sr-x--- /usr/lpp/diagnostics/bin/diagela_exec

system root -r-sr-x--- /usr/lpp/diagnostics/bin/diaggetrto

system root -r-sr-x--- /usr/lpp/diagnostics/bin/diagrto

system root -r-sr-x--- /usr/lpp/diagnostics/bin/diagsetrto

system root -r-sr-x--- /usr/lpp/diagnostics/bin/uesensor

system root -r-sr-x--- /usr/lpp/diagnostics/bin/update_flash

system root -r-sr-x--- /usr/lpp/diagnostics/bin/update_manage_flash

system root -r-sr-x--- /usr/lpp/diagnostics/bin/uspchrp

system root -r-sr-x--- /usr/lpp/diagnostics/bin/usysfault

system root -r-sr-x--- /usr/lpp/diagnostics/bin/usysident

system root -r-sr-x--- /usr/lpp/diagnostics/bin/utape

system root -r-sr-x--- /usr/sbin/allocp

system root -r-sr-x--- /usr/sbin/cfgmgr

system root -r-sr-x--- /usr/sbin/chcod

system root -r-sr-x--- /usr/sbin/chcons

system root -r-sr-x--- /usr/sbin/chdev

system root -r-sr-x--- /usr/sbin/chpath

system root -r-sr-x--- /usr/sbin/devinstall

system root -r-sr-x--- /usr/sbin/diag_exec

system root -r-sr-x--- /usr/sbin/extendvg

system root -r-sr-x--- /usr/sbin/getlvcb

system root -r-sr-x--- /usr/sbin/getlvname

system root -r-sr-x--- /usr/sbin/getvgname

system root -r-sr-x--- /usr/sbin/gsclvmd

system root -r-sr-x--- /usr/sbin/invscoutd

system root -r-sr-x--- /usr/sbin/ipl_varyon

system root -r-sr-x--- /usr/sbin/lchangelv

system root -r-sr-x--- /usr/sbin/lchangepv

system root -r-sr-x--- /usr/sbin/lchangevg

system root -r-sr-x--- /usr/sbin/lchlvcopy

system root -r-sr-x--- /usr/sbin/lcreatelv

system root -r-sr-x--- /usr/sbin/ldeletelv

system root -r-sr-x--- /usr/sbin/ldeletepv

system root -r-sr-x--- /usr/sbin/lextendlv

system root -r-sr-x--- /usr/sbin/lmigratelv

system root -r-sr-x--- /usr/sbin/lmigratepp

system root -r-sr-x--- /usr/sbin/lreducelv

system root -r-sr-x--- /usr/sbin/lresynclp

system root -r-sr-x--- /usr/sbin/lresynclv

system root -r-sr-x--- /usr/sbin/lvaryoffvg

system root -r-sr-x--- /usr/sbin/lvaryonvg

system root -r-sr-x--- /usr/sbin/lvgenmajor

system root -r-sr-x--- /usr/sbin/lvgenminor

system root -r-sr-x--- /usr/sbin/lvrelmajor

system root -r-sr-x--- /usr/sbin/lvrelminor

system root -r-sr-x--- /usr/sbin/mkdev

system root -r-sr-x--- /usr/sbin/mklvcopy

system root -r-sr-x--- /usr/sbin/mkpath

system root -r-sr-x--- /usr/sbin/mkvg

system root -r-sr-x--- /usr/sbin/pdelay

system root -r-sr-x--- /usr/sbin/pdisable

system root -r-sr-x--- /usr/sbin/penable

system root -r-sr-x--- /usr/sbin/phold

system root -r-sr-x--- /usr/sbin/pshare

system root -r-sr-x--- /usr/sbin/pstart

system root -r-sr-x--- /usr/sbin/putlvcb

system root -r-sr-x--- /usr/sbin/putlvodm

system root -r-sr-x--- /usr/sbin/redefinevg

system root -r-sr-x--- /usr/sbin/rmdev

system root -r-sr-x--- /usr/sbin/rmpath

system root -r-sr-x--- /usr/sbin/swap

system root -r-sr-x--- /usr/sbin/swapoff

system root -r-sr-x--- /usr/sbin/swapon

system root -r-sr-x--- /usr/sbin/swcons

system root -r-sr-x--- /usr/sbin/switch.prt

system root -r-sr-x--- /usr/sbin/synclvodm

system root -r-sr-x--- /usr/sbin/tellclvmd

system root -r-sr-x--- /usr/sbin/uucpd

system root -r-sr-x--- /usr/sbin/varyonvg

system root -r-sr-xr-- /usr/sbin/inetd

system root -r-sr-xr-- /usr/sbin/krlogind

system root -r-sr-xr-- /usr/sbin/krshd

system root -r-sr-xr-- /usr/sbin/named9

system root -r-sr-xr-- /usr/sbin/route

system root -r-sr-xr-- /usr/sbin/rwhod

system root -r-sr-xr-- /usr/sbin/talkd

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Unix

Control ID: e851359ae97af6ab9760e050ccd2837e8e3f8e033dbe4567994403d43bae0811