
The stat command is used to scan Linux user and group ownership, as well as permissions, on files and directories. It is usually combined with the find command to traverse multiple directories or an entire filesystem; each find invocation below uses -xdev so the traversal stays on the filesystem it started on rather than descending into other mounts. The following example controls cover the three Type values for Linux Security (Ownerships:user, Ownerships:group and Permissions), and all three are related to world-writable files and directories.

Ownerships:user:

Example of a control on user ownership of files. Here the find predicate -uid +999 lists world-writable directories owned by a UID above 999, i.e. by an account outside the system-account range; the expected owner given in Value is root:
<Group>
  <GroupId>V-228563</GroupId>
  <GroupTitle>SRG-OS-000480-GPOS-00227</GroupTitle>
  <RuleId>SV-228563r744119_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-07-021031</RuleVersion>
  <RuleTitle>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</RuleTitle>
  <Where>Linux Security</Where>
  <Applied>[find / -xdev -type d -perm -0002 -uid +999]</Applied>
  <Type>Ownerships:user</Type>
  <Value>[""],root</Value>
  <Ignore>case,space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>

Ownerships:group:

Example of a control on group ownership of files. Here the find predicate -gid +999 lists world-writable directories group-owned by a GID above 999, i.e. by a group outside the system-group range; the expected group given in Value is root:
<Group>
  <GroupId>V-204487</GroupId>
  <GroupTitle>SRG-OS-000480-GPOS-00227</GroupTitle>
  <RuleId>SV-204487r744106_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-07-021030</RuleVersion>
  <RuleTitle>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</RuleTitle>
  <Where>Linux Security</Where>
  <Applied>[find / -xdev -type d -perm -0002 -gid +999]</Applied>
  <Type>Ownerships:group</Type>
  <Value>[""],root</Value>
  <Ignore>case,space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>

Permissions:

Example of a control on file permissions. Note how the mask works: find -perm -775 matches a file only when every bit of 775 (rwxrwxr-x) is set, so it lists 0775 and 0777 files but not, for example, a 0666 file, which is also world-writable. The other-write bit on its own is 0002, which is what the two directory controls above test with -perm -0002:
<Group>
  <GroupId>V-204478</GroupId>
  <GroupTitle>SRG-OS-000480-GPOS-00227</GroupTitle>
  <RuleId>SV-204478r603261_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-07-020730</RuleVersion>
  <RuleTitle>The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.</RuleTitle>
  <Where>Linux Security</Where>
  <Applied>[find / -xdev -perm -775 -type f -exec ls -ld {} \;]</Applied>
  <Type>Permissions</Type>
  <Value>[""],775</Value>
  <Ignore>case,space,import</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>
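The three controls above, reproduced as an added example that is not part of this page or of the scanning tool it describes. The script builds a constructed sample tree, runs the same find(1) predicates, and uses stat(1) to report owner, group and mode. It assumes Linux with GNU coreutils (stat -c) and findutils; the allowed user and group names are passed in by the caller rather than taken from the Value field. A files_775 function runs the page's -perm -775 mask next to the -perm -0002 form so the difference between the two is visible on the sample data.

```shell
#!/bin/sh
# Added example, not the page's tooling. Assumes GNU coreutils stat(1) (-c)
# and findutils on Linux. Owner/group allow-lists are supplied by the caller.
set -u

# True when $1 equals one of the space-separated names in $2.
in_list() {
  for name in $2; do
    [ "$name" = "$1" ] && return 0
  done
  return 1
}

# Ownerships:user / Ownerships:group: print "OWNER PATH" for every
# world-writable directory under $1 whose user (%U) or group (%G) is not in
# the allow-list $3. -perm -0002 tests the other-write bit on its own, so a
# 1777 directory (sticky, like /tmp) is matched just like a 0777 one.
# -xdev keeps the traversal on one filesystem, as the page's controls do.
# Paths containing newlines are not handled (one path per line).
ww_dirs_unexpected() {
  tree=$1 what=$2 allowed=$3
  case $what in
    user)  fmt='%U' ;;
    group) fmt='%G' ;;
    *) echo "usage: ww_dirs_unexpected TREE user|group 'name ...'" >&2; return 2 ;;
  esac
  find "$tree" -xdev -type d -perm -0002 -print | while IFS= read -r dir; do
    owner=$(stat -c "$fmt" "$dir")
    in_list "$owner" "$allowed" || printf '%s %s\n' "$owner" "$dir"
  done
}

# Permissions: world-writable regular files, reported as "MODE USER GROUP PATH".
ww_files() {
  find "$1" -xdev -type f -perm -0002 -exec stat -c '%a %U %G %n' {} \;
}

# The page's mask, for comparison: -perm -775 requires every bit of 775
# (rwxrwxr-x) to be set, so it lists 0775 and 0777 files but misses a 0666
# world-writable file.
files_775() {
  find "$1" -xdev -type f -perm -775 -exec stat -c '%a %U %G %n' {} \;
}

# Constructed sample tree (not real system data); prints its path.
# Every mode is set explicitly so the result does not depend on the umask.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/srv/app" "$t/tmp" "$t/home/user"
  chmod 0755 "$t/srv" "$t/home" "$t/srv/app"  # not world-writable: never listed
  chmod 1777 "$t/tmp"                         # world-writable with sticky bit: listed
  chmod 0777 "$t/home/user"                   # world-writable: listed
  printf '#!/bin/sh\necho hi\n' > "$t/srv/app/run.sh"
  chmod 0777 "$t/srv/app/run.sh"              # world-writable program: both masks
  printf 'k=v\n' > "$t/srv/app/app.conf"
  chmod 0666 "$t/srv/app/app.conf"            # world-writable, not executable: 0002 only
  printf '#!/bin/sh\n' > "$t/srv/app/safe.sh"
  chmod 0755 "$t/srv/app/safe.sh"             # not world-writable: neither mask
  printf '%s\n' "$t"
}

# Stand-alone run: build the tree, apply the three checks, clean up.
demo() {
  T=$(make_sample_tree)
  echo "== world-writable dirs not owned by root/sys/bin =="
  ww_dirs_unexpected "$T" user "root sys bin"
  echo "== world-writable dirs not group-owned by root/sys/bin =="
  ww_dirs_unexpected "$T" group "root sys bin"
  echo "== world-writable files (-perm -0002) =="
  ww_files "$T"
  echo "== files matched by the page's -perm -775 =="
  files_775 "$T"
  rm -rf "$T"
}

demo
```

Run as an unprivileged user, the two directory checks list both world-writable directories (the sample tree is owned by the caller, not root, sys or bin); run as root they list nothing. The file checks show the difference between the masks: run.sh (0777) appears under both, app.conf (0666) only under -perm -0002.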
