5.1.2 Check System Wide Applications for appropriate permissions

Information

Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions

Rationale:

Unauthorized modifications of applications could lead to the execution of malicious code.

Impact:

Applications changed will no longer be world-writable

Solution

Run the following command to change the permissions for each application that does not meet the requirements:

$ sudo chmod -R o-w /Applications/<applicationname>

example:

$ sudo chmod -R o-w /Applications/Google Chrome.app/

$ sudo find /Applications -iname '*.app' -type d -perm -2 -ls

922602 0 drwxr-xrwx 3 seconduser admin 96 8 Aug 04:32 /Applications/Google Chrome copy.app

See Also

https://workbench.cisecurity.org/files/3197

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7), CSCv7|14.6

Plugin: Unix

Control ID: c06186993221f6a32fc758d34ee9191e411c299e6845cbd62c860860b2cee0c8