6.1.3 Create baseline of executables that elevate directly to a new EUID (not scored)

Information

Access Control can be managed by a judicious arrangement of file system DAC controls. Legacy AIX Role based management relies on careful assignment of 'Other' to group escalation, followed by Group membership to EUID for the remaining privilege requirement - where the object owner (or super-user access) is able to access any resources needed to complete a task or function.

Rationale:

The baseline is to have a point that can be used to very system integrity - the file system DAC permissions are 'as installed' by OEM.

Should you make local changes to OEM, be sure to create a second list to verify the desired settings (and perhaps verify a specific delta).

Impact:

An example:

# find / -fstype jfs2 -type f ! -size 0 -perm -u+s -perm -o+x -ls | awk '{ print $6, $5, $3, $11 }' | sort

audit root -r-sr-xr-x /usr/sbin/lsaudit

bin root -r-sr-xr-x /usr/bin/getconf

bin root -r-sr-xr-x /usr/bin/iostat

bin root -r-sr-xr-x /usr/bin/ipcs

bin root -r-sr-xr-x /usr/bin/mesg

bin root -r-sr-xr-x /usr/bin/rdist

bin root -r-sr-xr-x /usr/bin/rexec

bin root -r-sr-xr-x /usr/bin/rlogin

bin root -r-sr-xr-x /usr/bin/vmstat

bin root -r-sr-xr-x /usr/lib/mh/slocal

bin root -r-sr-xr-x /usr/sbin/arp.atm

bin root -r-sr-xr-x /usr/sbin/atmstat

bin root -r-sr-xr-x /usr/sbin/atmstat.batm

bin root -r-sr-xr-x /usr/sbin/atmstat.chrm

bin root -r-sr-xr-x /usr/sbin/atmsvcd

bin root -r-sr-xr-x /usr/sbin/atmvcstat

bin root -r-sr-xr-x /usr/sbin/entstat

bin root -r-sr-xr-x /usr/sbin/entstat.bent

bin root -r-sr-xr-x /usr/sbin/entstat.ethchan

bin root -r-sr-xr-x /usr/sbin/entstat.goent

bin root -r-sr-xr-x /usr/sbin/entstat.gxent

bin root -r-sr-xr-x /usr/sbin/entstat.hea

bin root -r-sr-xr-x /usr/sbin/entstat.kngent

bin root -r-sr-xr-x /usr/sbin/entstat.ment

bin root -r-sr-xr-x /usr/sbin/entstat.phxent

bin root -r-sr-xr-x /usr/sbin/entstat.scent

bin root -r-sr-xr-x /usr/sbin/entstat.vent

bin root -r-sr-xr-x /usr/sbin/entstat.vioent

bin root -r-sr-xr-x /usr/sbin/entstat.vnic

bin root -r-sr-xr-x /usr/sbin/fcstat

bin root -r-sr-xr-x /usr/sbin/hdlcstat

bin root -r-sr-xr-x /usr/sbin/ibstat

bin root -r-sr-xr-x /usr/sbin/muxatmd

bin root -r-sr-xr-x /usr/sbin/netstat

bin root -r-sr-xr-x /usr/sbin/quota

bin root -r-sr-xr-x /usr/sbin/repquota

bin root -r-sr-xr-x /usr/sbin/rmsock

bin root -r-sr-xr-x /usr/sbin/rnicstat

bin root -r-sr-xr-x /usr/sbin/rsct/bin/ctstrtcasd

bin root -r-sr-xr-x /usr/sbin/rsct/bin/nlssrc_c

bin root -r-sr-xr-x /usr/sbin/tokstat

bin root -r-sr-xr-x /usr/sbin/tokstat.cstok

cron root -r-sr-sr-x /usr/bin/at

cron root -r-sr-sr-x /usr/bin/crontab

mail root -r-sr-sr-x /usr/bin/bellmail

printq root -r-sr-sr-x /usr/bin/enq

printq root -r-sr-sr-x /usr/lib/lpd/pio/etc/piodmgrsu

printq root -r-sr-xr-x /usr/lib/lpd/pio/etc/pioout

security root -r-sr-xr-x /usr/bin/chcore

security root -r-sr-xr-x /usr/bin/lscore

security root -r-sr-xr-x /usr/bin/newgrp

security root -r-sr-xr-x /usr/bin/pagdel

security root -r-sr-xr-x /usr/bin/paginit

security root -r-sr-xr-x /usr/bin/paglist

security root -r-sr-xr-x /usr/bin/passwd

security root -r-sr-xr-x /usr/bin/pwdadm

security root -r-sr-xr-x /usr/bin/setgroups

security root -r-sr-xr-x /usr/bin/setsenv

security root -r-sr-xr-x /usr/bin/shell

security root -r-sr-xr-x /usr/bin/su

security root -r-sr-xr-x /usr/bin/yppasswd

security root -r-sr-xr-x /usr/sbin/getty

security root -r-sr-xr-x /usr/sbin/login

security root -r-sr-xr-x /usr/sbin/lsuser

security root -r-sr-xr-x /usr/sbin/tsm

sys root -r-sr-xr-x /usr/bin/errpt

sys root -r-sr-xr-x /usr/lib/trcload

system root -r-sr-s--x /usr/sbin/mailq

system root -r-sr-s--x /usr/sbin/newaliases

system root -r-sr-s--x /usr/sbin/sendmail

system root -r-sr-s--x /usr/sbin/sendmail_nonssl

system root -r-sr-s--x /usr/sbin/sendmail_ssl

system root -r-sr-sr-x /usr/bin/confsrc

system root -r-sr-sr-x /usr/sbin/lsresource

system root -r-sr-xr-x /opt/IBMinvscout/bin/invscoutClient_PartitionID

system root -r-sr-xr-x /opt/IBMinvscout/bin/invscoutClient_VPD_Survey

system root -r-sr-xr-x /sbin/helpers/jfs2/backbyinode

system root -r-sr-xr-x /sbin/helpers/jfs2/restbyinode

system root -r-sr-xr-x /usr/bin/capture

system root -r-sr-xr-x /usr/bin/chkey

system root -r-sr-xr-x /usr/bin/ftp

system root -r-sr-xr-x /usr/bin/logout

system root -r-sr-xr-x /usr/bin/rcp

system root -r-sr-xr-x /usr/bin/remsh

system root -r-sr-xr-x /usr/bin/rm_mlcache_file

system root -r-sr-xr-x /usr/bin/rsh

system root -r-sr-xr-x /usr/bin/ruptime

system root -r-sr-xr-x /usr/bin/rwho

system root -r-sr-xr-x /usr/bin/script

system root -r-sr-xr-x /usr/bin/telnet

system root -r-sr-xr-x /usr/bin/tftp

system root -r-sr-xr-x /usr/bin/tn

system root -r-sr-xr-x /usr/bin/tn3270

system root -r-sr-xr-x /usr/bin/traceroute

system root -r-sr-xr-x /usr/bin/utftp

system root -r-sr-xr-x /usr/lib/boot/tftp

system root -r-sr-xr-x /usr/lpp/X11/bin/msmitpasswd

system root -r-sr-xr-x /usr/lpp/bos/inst_root/sbin/helpers/jfs2/backbyinode

system root -r-sr-xr-x /usr/lpp/bos/inst_root/sbin/helpers/jfs2/restbyinode

system root -r-sr-xr-x /usr/lpp/diagnostics/bin/diagrpt

system root -r-sr-xr-x /usr/sbin/arp

system root -r-sr-xr-x /usr/sbin/arp.ib

system root -r-sr-xr-x /usr/sbin/backbyinode

system root -r-sr-xr-x /usr/sbin/fdformat

system root -r-sr-xr-x /usr/sbin/format

system root -r-sr-xr-x /usr/sbin/frcactrl

system root -r-sr-xr-x /usr/sbin/fuser

system root -r-sr-xr-x /usr/sbin/invscout

system root -r-sr-xr-x /usr/sbin/keyenvoy

system root -r-sr-xr-x /usr/sbin/lparsetres

system root -r-sr-xr-x /usr/sbin/lquerylv

system root -r-sr-xr-x /usr/sbin/lquerypv

system root -r-sr-xr-x /usr/sbin/lqueryvg

system root -r-sr-xr-x /usr/sbin/lqueryvgs

system root -r-sr-xr-x /usr/sbin/lscfg

system root -r-sr-xr-x /usr/sbin/lscons

system root -r-sr-xr-x /usr/sbin/lslv

system root -r-sr-xr-x /usr/sbin/lsmcode

system root -r-sr-xr-x /usr/sbin/lspath

system root -r-sr-xr-x /usr/sbin/lspv

system root -r-sr-xr-x /usr/sbin/lsrset

system root -r-sr-xr-x /usr/sbin/lsslot

system root -r-sr-xr-x /usr/sbin/lsvg

system root -r-sr-xr-x /usr/sbin/lsvgfs

system root -r-sr-xr-x /usr/sbin/mknod

system root -r-sr-xr-x /usr/sbin/mount

system root -r-sr-xr-x /usr/sbin/mtrace

system root -r-sr-xr-x /usr/sbin/ndp

system root -r-sr-xr-x /usr/sbin/nfsstat

system root -r-sr-xr-x /usr/sbin/ping

system root -r-sr-xr-x /usr/sbin/portmir

system root -r-sr-xr-x /usr/sbin/restbyinode

system root -r-sr-xr-x /usr/sbin/sliplogin

system root -r-sr-xr-x /usr/sbin/timedc

system root -r-sr-xr-x /usr/sbin/umount

system root -r-sr-xr-x /usr/sbin/unmount

system root -rwsr-xr-x /usr/lib/perf/libperfstat_updt_dictionary

system root -rwsr-xr-x /usr/lpp/X11/Xamples/bin/xload

system root -rwsr-xr-x /usr/lpp/X11/bin/aixterm

system root -rwsr-xr-x /usr/lpp/X11/bin/xlock

system root -rwsr-xr-x /usr/lpp/X11/bin/xterm

uucp uucp -r-sr-xr-x /usr/bin/cu

uucp uucp -r-sr-xr-x /usr/bin/uucp

uucp uucp -r-sr-xr-x /usr/bin/uuname

uucp uucp -r-sr-xr-x /usr/bin/uuq

uucp uucp -r-sr-xr-x /usr/bin/uusnap

uucp uucp -r-sr-xr-x /usr/bin/uustat

uucp uucp -r-sr-xr-x /usr/bin/uux

uucp uucp -r-sr-xr-x /usr/sbin/uucp/uucico

uucp uucp -r-sr-xr-x /usr/sbin/uucp/uusched

uucp uucp -r-sr-xr-x /usr/sbin/uucp/uuxqt

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Unix

Control ID: 1ecbb5ac030d469c25cb86d53d140aac696ba832984478f30e9fdcbe34745acb