5.1.2 Check System Wide Applications for appropriate permissions

Information

Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world writable and allow any process or user to alter them for other processes or users to then execute modified versions

Rationale:

Unauthorized modifications of applications could lead to the execution of malicious code.

Impact:

Applications changed will no longer be world writable

Solution

Run the following command to change the permissions for each application that does not meet the requirements:

$ sudo chmod -R o-w /Applications/<applicationname>

example:

$ sudo chmod -R o-w /Applications/Google Chrome.app/

$ sudo find /Applications -iname '*.app' -type d -perm -2 -ls

922602 0 drwxr-xrwx 3 seconduser admin 96 8 Aug 04:32 /Applications/Google Chrome copy.app

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7)(b)

Plugin: Unix

Control ID: c2eb19e4a61c2cee2f4344340b49b0bdb116a9bd28f67280f0d92550151eaba8