3.5 Ensure there are no group staff writable files

Information

The system is audited for group staff writable files.

An audit should be performed on the system to search for files that can be modified by members of the group staff. Because staff is the default group for user accounts, any file that is writable by group staff is effectively writable by every ordinary user on the system, which is comparable to the file being writable by other (world writable).

Where group write access to a file is genuinely required, the recommendation is to create a new, dedicated group for those files and appoint a group administrator, rather than leaving the files writable by staff.

The goal is no group staff writable files.

Solution

Run the following command to remove the group write bit from regular files owned by group staff on jfs and jfs2 filesystems:

find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff -exec chmod g-w {} +
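The audit and the remediation as one script, added here as an example; it is not the benchmark's own code nor part of the audit plugin. It assumes a POSIX shell and a find(1) that supports -xdev, -group, -perm -g+w and "-exec ... {} +". The page's command restricts the search to jfs/jfs2 with -fstype; -xdev (stay on the starting filesystem) is substituted here as an assumption so the script also runs where those filesystem types do not exist, and each local mount point is passed as a starting directory instead. The group and starting directories are parameters so the functions can be exercised against a scratch tree before the script is run as root against /.

```shell
#!/bin/sh
# Added example (not the benchmark's own code): audit, then remediate,
# files writable by a given group, with a count to confirm the end state.
#
# Assumptions: POSIX sh; find(1) supports -xdev, -group, -perm -g+w and
# "-exec ... {} +". The page's command limits the search to jfs/jfs2 via
# -fstype; -xdev is substituted here so the script also runs where those
# types are absent. Pass every local mount point as a starting directory.

# List regular files owned by group $1 that carry the group write bit,
# under the starting directories given as the remaining arguments.
audit_group_writable() {
    grp="$1"; shift
    find "$@" -xdev -type f -group "$grp" -perm -g+w -print 2>/dev/null
}

# Number of such files; the goal state for group staff is 0.
count_group_writable() {
    audit_group_writable "$@" | wc -l | tr -d ' '
}

# Remove the group write bit from every file the audit would report.
# Only the group write bit changes; owner, other and set-id bits stay.
fix_group_writable() {
    grp="$1"; shift
    find "$@" -xdev -type f -group "$grp" -perm -g+w -exec chmod g-w {} + 2>/dev/null
}

# For files that legitimately need shared write access (the exception the
# benchmark describes): move them to a dedicated group instead of leaving
# them writable by staff. The target group must already exist (created
# with mkgroup on AIX, with an administrator appointed; exact attributes
# are an assumption and not shown here).
reassign_to_group() {
    target="$1"; shift
    chgrp "$target" "$@"
}

# Entry point when run as a script; nothing runs when sourced without args.
#   sh staff_writable.sh audit /   -> list offending files
#   sh staff_writable.sh fix   /   -> remediate, then print the remaining count
case "${1:-}" in
    audit) shift; audit_group_writable staff "$@" ;;
    fix)   shift; fix_group_writable staff "$@"
           echo "remaining group-staff-writable files: $(count_group_writable staff "$@")" ;;
esac
```

Run the audit first and review the list: a file that appears there because an application deliberately shares it via group staff is a candidate for reassign_to_group, not for the blanket chmod.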

See Also

https://workbench.cisecurity.org/benchmarks/19066

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f98242c77b659dbdd88e1e6642f1ba4a94c27da0dab7d57e28521883dce7de76