5.1.4 Ensure Appropriate Permissions Are Enabled for System Wide Applications

Information

Applications in the System Applications Directory (/Applications) should be world-executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions.

Rationale:

Unauthorized modifications of applications could lead to the execution of malicious code.

Impact:

Applications changed will no longer be world-writable. Depending on the environment, there will be different risk tolerances on each non-conforming application. Global changes should not be performed where mission-critical applications are misconfigured.

Solution

Terminal Method:
Run the following command to change the permissions for each application that does not meet the requirements:

$ /usr/bin/sudo IFS=$'
'
for apps in $( /usr/bin/find /Applications -iname '*.app' -type d -perm -2 ); do
/bin/chmod -R o-w '$apps'
done

Note: Global changes should not be performed where mission-critical applications are part of the improperly permissioned applications.

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: c92ab0a8002580407fd70bc036fc3eaee62206ee1a54fc96d63b1a0e9c7aafd4