← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-802

CAT II (Medium)

The owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures.

Rule ID

SV-45192r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000368

Discussion

All files with the setgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation, security problems can result if setgid is assigned to programs allowing reading and writing of files, or shell escapes.

Check Content

List all setgid files on the system.
Procedure:
# find / -perm -2000 -exec ls -l {} \; | more

Note: Executing these commands may result in large listings of files; the output may be redirected to a file for easier analysis.

Ask the SA or IAO if files with the sgid bit set have been documented. If any undocumented file has its sgid bit set, this is a finding.

Fix Text

Document the files with the sgid bit set or unset the sgid bit on the executable.