The Linux Security controls use the stat command to check user ownership, group ownership and permission bits on files and directories. stat is normally combined with the find command so that a single control can traverse several directories or an entire filesystem. The three example controls below cover the three Type values used for Linux Security (Ownerships:user, Ownerships:group and Permissions); all three concern world-writable files and directories.

Ownerships:user:

Example control for user ownership of world-writable directories:
<Group>
  <GroupId>V-228563</GroupId>
  <GroupTitle>SRG-OS-000480-GPOS-00227</GroupTitle>
  <RuleId>SV-228563r744119_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-07-021031</RuleVersion>
  <RuleTitle>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</RuleTitle>
  <Where>Linux Security</Where>
  <Applied>[find / -xdev -type d -perm -0002 -uid +999]</Applied>
  <Type>Ownerships:user</Type>
  <Value>[""],root</Value>
  <Ignore>case,space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>

Ownerships:group:

Example control for group ownership of world-writable directories:
<Group>
  <GroupId>V-204487</GroupId>
  <GroupTitle>SRG-OS-000480-GPOS-00227</GroupTitle>
  <RuleId>SV-204487r744106_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-07-021030</RuleVersion>
  <RuleTitle>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</RuleTitle>
  <Where>Linux Security</Where>
  <Applied>[find / -xdev -type d -perm -0002 -gid +999]</Applied>
  <Type>Ownerships:group</Type>
  <Value>[""],root</Value>
  <Ignore>case,space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>

Permissions:

Example control for permissions on world-writable files:
<Group>
  <GroupId>V-204478</GroupId>
  <GroupTitle>SRG-OS-000480-GPOS-00227</GroupTitle>
  <RuleId>SV-204478r603261_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-07-020730</RuleVersion>
  <RuleTitle>The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.</RuleTitle>
  <Where>Linux Security</Where>
  <Applied>[find / -xdev -perm -775 -type f -exec ls -ld {} \;]</Applied>
  <Type>Permissions</Type>
  <Value>[""],775</Value>
  <Ignore>case,space,import</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>
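The three controls above each pair a find expression with an ownership or permission check. The script below is an added example, not the page's scanner or any of its controls: it runs the same kind of find sweep, reports each hit with stat, and filters the results against the allowed owner set named in the STIG rule titles (root, sys, bin or an application account). One caveat it makes visible concerns the Permissions control: its find uses "-perm -775", which matches files whose mode includes rwxrwxr-x (group-writable and world-executable) and says nothing about the other-write bit; the test for a world-writable file is "-perm -002". The fixture tree, the account names and the function names are constructed for this example. It assumes GNU find and GNU coreutils stat (the -c format option).

```shell
#!/bin/sh
# Added example (not the page's scanner). Combines find and stat the way the
# three controls above do: find selects world-writable directories or files,
# stat prints owner, group and octal mode for each hit.
# Assumes GNU find and GNU coreutils stat (the -c format option).

# World-writable directories under $1, one "owner group mode path" line each.
# -perm -0002 tests the other-write bit, like the Ownerships controls above.
ww_dirs() {
  find "$1" -xdev -type d -perm -0002 -exec stat -c '%U %G %a %n' {} \;
}

# World-writable regular files under $1. The test is -perm -002: "-perm -775"
# would instead match files whose mode includes rwxrwxr-x, which says nothing
# about the other-write bit.
ww_files() {
  find "$1" -xdev -type f -perm -002 -exec stat -c '%U %G %a %n' {} \;
}

# Read "owner group mode path" lines on stdin and print those whose owner is
# not root, sys, bin or one of the application accounts given as arguments
# (the allowed set named in the STIG rule titles). Swap $owner for $group to
# apply the same filter to group ownership.
not_owned_by() {
  allowed="root sys bin $*"
  while read -r owner group mode path; do
    case " $allowed " in
      *" $owner "*) ;;
      *) printf '%s %s %s %s\n' "$owner" "$group" "$mode" "$path" ;;
    esac
  done
}

# Constructed fixture: one world-writable directory, one world-writable file
# (mode 666) and one mode-775 file. Prints three counts: world-writable dirs,
# world-writable files, and what "-perm -775" would have matched instead.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/ok_dir" "$tmp/ww_dir"
  chmod 755 "$tmp/ok_dir"
  chmod 777 "$tmp/ww_dir"
  : > "$tmp/ok_dir/prog_775"; chmod 775 "$tmp/ok_dir/prog_775"
  : > "$tmp/ok_dir/data_666"; chmod 666 "$tmp/ok_dir/data_666"
  nd=$(ww_dirs "$tmp" | wc -l | tr -d ' ')
  nf=$(ww_files "$tmp" | wc -l | tr -d ' ')
  n775=$(find "$tmp" -xdev -type f -perm -775 | wc -l | tr -d ' ')
  rm -rf "$tmp"
  echo "$nd $nf $n775"
}
```

Running demo prints "1 1 1": the 777 directory and the 666 file are caught by the -0002/-002 tests, while "-perm -775" picks up only the 775 file, which is not world-writable. The controls above filter owners numerically with "-uid +999" / "-gid +999" (ids of 1000 and above, the non-system range on a default RHEL 7 layout); the not_owned_by filter here works by name instead so that the permitted application account can be listed explicitly, for example "ww_dirs / | not_owned_by appsvc".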