9.23 Find SUID/SGID System Executables

Information

The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID/SGID program is to enable users to perform functions (such as changing their password), which requires root privileges.

There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Correct or justify any items discovered in the Audit step. Determine the existence of any set-UID programs that do not belong on the system, and work with the owner (or system administrator) to determine the best course of action in accordance with site policy. Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example:
# elfsign verify -e /usr/bin/su elfsign: verification of /usr/bin/su passed.

See Also

https://workbench.cisecurity.org/files/611

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(8)

Plugin: Unix

Control ID: ce30dc2571a36903693d902d84b85454fcef2d6239511619a21c891d981fcf6e