6.1.14 Audit SGID executables

Information

The owner of a file can set the file's permissions to run with the owner's or group's
permissions, even if the user running the program is not the owner or a member of the
group. The most common reason for an SGID program is to enable users to perform
functions (such as changing their password) that require root privileges.

Rationale:

There are valid reasons for SGID programs, but it is important to identify and review such
programs to ensure they are legitimate. Review the files returned by the action in the audit
section and check whether any system binary has a different md5 checksum than the one
recorded in its package. A mismatch is an indication that the binary may have been replaced.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Ensure that no rogue SGID programs have been introduced into the system. Review the
files returned by the action in the Audit section and confirm the integrity of these binaries.
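
One way to carry out this review, as an added example that is not part of the benchmark text or the Nessus check: list SGID files, report those missing from a previously reviewed baseline, and ask the package manager whether a file's digest still matches its package. The function names and the baseline file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: SGID review helpers (names and baseline file are hypothetical).

# list_sgid ROOT: print SGID regular files under ROOT, sorted, one per line.
# -xdev stays on one filesystem; -perm -2000 matches the set-group-ID bit.
list_sgid() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null | LC_ALL=C sort
}

# unreviewed_sgid ROOT BASELINE: print SGID files under ROOT that are not
# listed in BASELINE (one previously reviewed path per line).
unreviewed_sgid() {
    list_sgid "$1" |
        awk 'FILENAME == ARGV[1] { ok[$0] = 1; next } !($0 in ok)' "$2" -
}

# digest_changed FILE: exit 0 if the package manager reports a digest
# mismatch for FILE, 1 if the digest matches, 2 if no package owns FILE.
digest_changed() {
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then
        out=$(rpm -Vf "$1" 2>/dev/null || true)
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | sed -n '1s/[,:] .*//p')
        [ -n "$pkg" ] || return 2
        out=$(dpkg --verify "$pkg" 2>/dev/null || true)
    else
        return 2
    fi
    # Both tools print a flag string per changed file; a "5" in the third
    # position means the file digest differs from the packaged one.
    printf '%s\n' "$out" |
        awk -v f="$1" 'substr($1, 3, 1) == "5" && $NF == f { hit = 1 }
                       END { exit !hit }'
}

# Usage: sh sgid_review.sh ROOT BASELINE
if [ "$#" -ge 2 ]; then
    unreviewed_sgid "$1" "$2" | while IFS= read -r f; do
        digest_changed "$f"
        case $? in
            0) echo "DIGEST MISMATCH: $f" ;;
            1) echo "new, digest matches package: $f" ;;
            *) echo "new, not owned by any package: $f" ;;
        esac
    done
fi
```

A file reported as not owned by any package cannot be checked against a packaged digest and needs manual review.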

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.1

Plugin: Unix

Control ID: be05f25fd1b583c1f2a2522b1051d9bb39818525057c84b5037251a029375bf7