6.1.1 Create baseline of executables that elevate to a different GUID (Not scored)

Information

Access Control can be managed by a judicious arrangement of file system DAC controls. Legacy AIX Role based management relies on careful assignment of 'Other' to group escalation, followed by Group membership to EUID for the remaining privilege requirement - where the object owner (or super-user access) is able to access any resources needed to complete a task or function.

Rationale:

The baseline is to have a point that can be used to very system integrity - the file system DAC permissions are 'as installed' by OEM.

Should you make local changes to OEM, be sure to create a second list to verify the desired settings (and perhaps verify a specific delta).

Impact:

An example:

# find / -fstype jfs2 -type f ! -size 0 -perm -g+s ! -perm -u+s -perm -o+x -ls | awk '{ print $6, $5, $3, $11 }' | sort

adm bin -r-xr-sr-x /usr/bin/timex

cron bin -r-xr-sr-x /usr/bin/atq

printq bin -r-xr-sr-x /usr/bin/splp

printq bin -r-xr-sr-x /usr/lib/lpd/piobe

printq root -r-xr-sr-x /usr/lib/lpd/pio/etc/piomkapqd

security root -r-xr-sr-x /usr/bin/chfn

security root -r-xr-sr-x /usr/bin/chgrpmem

security root -r-xr-sr-x /usr/bin/chsh

security root -r-xr-sr-x /usr/bin/smitacl

security root -r-xr-sr-x /usr/sbin/lsgroup

system bin -r-xr-sr-x /usr/bin/ps

system bin -r-xr-sr-x /usr/sbin/killall

system root -r-xr-sr-x /usr/bin/lssrc

system root -r-xr-sr-x /usr/bin/uptime

system root -r-xr-sr-x /usr/bin/w

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None

See Also

https://workbench.cisecurity.org/benchmarks/7851