Information
Access control can be managed by a judicious arrangement of file system DAC controls. Legacy AIX role-based management relies on careful assignment of the 'other' permission bits for escalation to a group, followed by group membership to the EUID for the remaining privilege requirement - where the object owner (or super-user access) is able to access any resources needed to complete a task or function.
Rationale:
The baseline provides a reference point that can be used to verify system integrity: the file system DAC permissions are 'as installed' by the OEM.
If you make local changes to the OEM defaults, be sure to create a second list against which the desired settings can be verified (and perhaps verify a specific delta from the OEM list).
Impact:
An example (listing non-empty regular files on jfs2 file systems that are set-UID and executable by 'other', printed as group, owner, mode and path, then sorted):
# find / -fstype jfs2 -type f ! -size 0 -perm -u+s -perm -o+x -ls | awk '{ print $6, $5, $3, $11 }' | sort
audit root -r-sr-xr-x /usr/sbin/lsaudit
bin root -r-sr-xr-x /usr/bin/getconf
bin root -r-sr-xr-x /usr/bin/iostat
bin root -r-sr-xr-x /usr/bin/ipcs
bin root -r-sr-xr-x /usr/bin/mesg
bin root -r-sr-xr-x /usr/bin/rdist
bin root -r-sr-xr-x /usr/bin/rexec
bin root -r-sr-xr-x /usr/bin/rlogin
bin root -r-sr-xr-x /usr/bin/vmstat
bin root -r-sr-xr-x /usr/lib/mh/slocal
bin root -r-sr-xr-x /usr/sbin/arp.atm
bin root -r-sr-xr-x /usr/sbin/atmstat
bin root -r-sr-xr-x /usr/sbin/atmstat.batm
bin root -r-sr-xr-x /usr/sbin/atmstat.chrm
bin root -r-sr-xr-x /usr/sbin/atmsvcd
bin root -r-sr-xr-x /usr/sbin/atmvcstat
bin root -r-sr-xr-x /usr/sbin/entstat
bin root -r-sr-xr-x /usr/sbin/entstat.bent
bin root -r-sr-xr-x /usr/sbin/entstat.ethchan
bin root -r-sr-xr-x /usr/sbin/entstat.goent
bin root -r-sr-xr-x /usr/sbin/entstat.gxent
bin root -r-sr-xr-x /usr/sbin/entstat.hea
bin root -r-sr-xr-x /usr/sbin/entstat.kngent
bin root -r-sr-xr-x /usr/sbin/entstat.ment
bin root -r-sr-xr-x /usr/sbin/entstat.phxent
bin root -r-sr-xr-x /usr/sbin/entstat.scent
bin root -r-sr-xr-x /usr/sbin/entstat.vent
bin root -r-sr-xr-x /usr/sbin/entstat.vioent
bin root -r-sr-xr-x /usr/sbin/entstat.vnic
bin root -r-sr-xr-x /usr/sbin/fcstat
bin root -r-sr-xr-x /usr/sbin/hdlcstat
bin root -r-sr-xr-x /usr/sbin/ibstat
bin root -r-sr-xr-x /usr/sbin/muxatmd
bin root -r-sr-xr-x /usr/sbin/netstat
bin root -r-sr-xr-x /usr/sbin/quota
bin root -r-sr-xr-x /usr/sbin/repquota
bin root -r-sr-xr-x /usr/sbin/rmsock
bin root -r-sr-xr-x /usr/sbin/rnicstat
bin root -r-sr-xr-x /usr/sbin/rsct/bin/ctstrtcasd
bin root -r-sr-xr-x /usr/sbin/rsct/bin/nlssrc_c
bin root -r-sr-xr-x /usr/sbin/tokstat
bin root -r-sr-xr-x /usr/sbin/tokstat.cstok
cron root -r-sr-sr-x /usr/bin/at
cron root -r-sr-sr-x /usr/bin/crontab
mail root -r-sr-sr-x /usr/bin/bellmail
printq root -r-sr-sr-x /usr/bin/enq
printq root -r-sr-sr-x /usr/lib/lpd/pio/etc/piodmgrsu
printq root -r-sr-xr-x /usr/lib/lpd/pio/etc/pioout
security root -r-sr-xr-x /usr/bin/chcore
security root -r-sr-xr-x /usr/bin/lscore
security root -r-sr-xr-x /usr/bin/newgrp
security root -r-sr-xr-x /usr/bin/pagdel
security root -r-sr-xr-x /usr/bin/paginit
security root -r-sr-xr-x /usr/bin/paglist
security root -r-sr-xr-x /usr/bin/passwd
security root -r-sr-xr-x /usr/bin/pwdadm
security root -r-sr-xr-x /usr/bin/setgroups
security root -r-sr-xr-x /usr/bin/setsenv
security root -r-sr-xr-x /usr/bin/shell
security root -r-sr-xr-x /usr/bin/su
security root -r-sr-xr-x /usr/bin/yppasswd
security root -r-sr-xr-x /usr/sbin/getty
security root -r-sr-xr-x /usr/sbin/login
security root -r-sr-xr-x /usr/sbin/lsuser
security root -r-sr-xr-x /usr/sbin/tsm
sys root -r-sr-xr-x /usr/bin/errpt
sys root -r-sr-xr-x /usr/lib/trcload
system root -r-sr-s--x /usr/sbin/mailq
system root -r-sr-s--x /usr/sbin/newaliases
system root -r-sr-s--x /usr/sbin/sendmail
system root -r-sr-s--x /usr/sbin/sendmail_nonssl
system root -r-sr-s--x /usr/sbin/sendmail_ssl
system root -r-sr-sr-x /usr/bin/confsrc
system root -r-sr-sr-x /usr/sbin/lsresource
system root -r-sr-xr-x /opt/IBMinvscout/bin/invscoutClient_PartitionID
system root -r-sr-xr-x /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
system root -r-sr-xr-x /sbin/helpers/jfs2/backbyinode
system root -r-sr-xr-x /sbin/helpers/jfs2/restbyinode
system root -r-sr-xr-x /usr/bin/capture
system root -r-sr-xr-x /usr/bin/chkey
system root -r-sr-xr-x /usr/bin/ftp
system root -r-sr-xr-x /usr/bin/logout
system root -r-sr-xr-x /usr/bin/rcp
system root -r-sr-xr-x /usr/bin/remsh
system root -r-sr-xr-x /usr/bin/rm_mlcache_file
system root -r-sr-xr-x /usr/bin/rsh
system root -r-sr-xr-x /usr/bin/ruptime
system root -r-sr-xr-x /usr/bin/rwho
system root -r-sr-xr-x /usr/bin/script
system root -r-sr-xr-x /usr/bin/telnet
system root -r-sr-xr-x /usr/bin/tftp
system root -r-sr-xr-x /usr/bin/tn
system root -r-sr-xr-x /usr/bin/tn3270
system root -r-sr-xr-x /usr/bin/traceroute
system root -r-sr-xr-x /usr/bin/utftp
system root -r-sr-xr-x /usr/lib/boot/tftp
system root -r-sr-xr-x /usr/lpp/X11/bin/msmitpasswd
system root -r-sr-xr-x /usr/lpp/bos/inst_root/sbin/helpers/jfs2/backbyinode
system root -r-sr-xr-x /usr/lpp/bos/inst_root/sbin/helpers/jfs2/restbyinode
system root -r-sr-xr-x /usr/lpp/diagnostics/bin/diagrpt
system root -r-sr-xr-x /usr/sbin/arp
system root -r-sr-xr-x /usr/sbin/arp.ib
system root -r-sr-xr-x /usr/sbin/backbyinode
system root -r-sr-xr-x /usr/sbin/fdformat
system root -r-sr-xr-x /usr/sbin/format
system root -r-sr-xr-x /usr/sbin/frcactrl
system root -r-sr-xr-x /usr/sbin/fuser
system root -r-sr-xr-x /usr/sbin/invscout
system root -r-sr-xr-x /usr/sbin/keyenvoy
system root -r-sr-xr-x /usr/sbin/lparsetres
system root -r-sr-xr-x /usr/sbin/lquerylv
system root -r-sr-xr-x /usr/sbin/lquerypv
system root -r-sr-xr-x /usr/sbin/lqueryvg
system root -r-sr-xr-x /usr/sbin/lqueryvgs
system root -r-sr-xr-x /usr/sbin/lscfg
system root -r-sr-xr-x /usr/sbin/lscons
system root -r-sr-xr-x /usr/sbin/lslv
system root -r-sr-xr-x /usr/sbin/lsmcode
system root -r-sr-xr-x /usr/sbin/lspath
system root -r-sr-xr-x /usr/sbin/lspv
system root -r-sr-xr-x /usr/sbin/lsrset
system root -r-sr-xr-x /usr/sbin/lsslot
system root -r-sr-xr-x /usr/sbin/lsvg
system root -r-sr-xr-x /usr/sbin/lsvgfs
system root -r-sr-xr-x /usr/sbin/mknod
system root -r-sr-xr-x /usr/sbin/mount
system root -r-sr-xr-x /usr/sbin/mtrace
system root -r-sr-xr-x /usr/sbin/ndp
system root -r-sr-xr-x /usr/sbin/nfsstat
system root -r-sr-xr-x /usr/sbin/ping
system root -r-sr-xr-x /usr/sbin/portmir
system root -r-sr-xr-x /usr/sbin/restbyinode
system root -r-sr-xr-x /usr/sbin/sliplogin
system root -r-sr-xr-x /usr/sbin/timedc
system root -r-sr-xr-x /usr/sbin/umount
system root -r-sr-xr-x /usr/sbin/unmount
system root -rwsr-xr-x /usr/lib/perf/libperfstat_updt_dictionary
system root -rwsr-xr-x /usr/lpp/X11/Xamples/bin/xload
system root -rwsr-xr-x /usr/lpp/X11/bin/aixterm
system root -rwsr-xr-x /usr/lpp/X11/bin/xlock
system root -rwsr-xr-x /usr/lpp/X11/bin/xterm
uucp uucp -r-sr-xr-x /usr/bin/cu
uucp uucp -r-sr-xr-x /usr/bin/uucp
uucp uucp -r-sr-xr-x /usr/bin/uuname
uucp uucp -r-sr-xr-x /usr/bin/uuq
uucp uucp -r-sr-xr-x /usr/bin/uusnap
uucp uucp -r-sr-xr-x /usr/bin/uustat
uucp uucp -r-sr-xr-x /usr/bin/uux
uucp uucp -r-sr-xr-x /usr/sbin/uucp/uucico
uucp uucp -r-sr-xr-x /usr/sbin/uucp/uusched
uucp uucp -r-sr-xr-x /usr/sbin/uucp/uuxqt
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.