file_perms - Filesystem permissions
One of the first layers of defense against attacks on a Linux system is Discretionary Access Control (DAC), which is managed through filesystem permissions.
Overview
Some of the STIG requirements for file permissions could cause disruptions on production systems if the permissions were adjusted to meet the needs of a particular application. These configurations are applied on an opt-in basis. Deployers must verify that these changes work well with their systems before applying the changes.
STIG requirements
All of the tasks for these STIG requirements are included in tasks/rhel7stig/file_perms.yml.
V-71849
Summary: The file permissions, ownership, and group membership of system files and commands must match the vendor values.
Severity: High
Implementation Status: Opt-In
Deployer/Auditor notes
Note: Ubuntu’s debsums command does not support verification of permissions and ownership for files that were installed by packages. This STIG requirement will be skipped on Ubuntu.
The STIG requires that all files owned by an installed package must have their permissions, user ownership, and group ownership set back to the vendor defaults.
Although this is a good practice, it can cause issues if permissions or ownership were intentionally set after the packages were installed. It also causes significant delays in deployments. Therefore, this STIG is not applied by default.
Deployers may opt in for the change by setting the following Ansible variable:
security_reset_perm_ownership: yes
V-72007
Summary: All files and directories must have a valid owner.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
Searching an entire filesystem with find reduces system performance and might impact certain applications negatively. Therefore, the search for files and directories with an invalid owner is disabled by default.
Deployers can opt in for this search by setting the following Ansible variable:
security_search_for_invalid_owner: yes
Any files or directories without a valid user owner are displayed in the Ansible output.
V-72009
Summary: All files and directories must have a valid group owner.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
Searching an entire filesystem with find reduces system performance and might impact certain applications negatively. Therefore, the search for files and directories with an invalid group owner is disabled by default.
Deployers can opt in for this search by setting the following Ansible variable:
security_search_for_invalid_group_owner: yes
Any files or directories without a valid group owner are displayed in the Ansible output.
V-72017
Summary: All local interactive user home directories must have mode 0750 or less permissive.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
Although the STIG requires that all home directories have the proper owner, group owner, and permissions, these changes might be disruptive in some environments. These tasks are not executed by default.
Deployers can opt in for the following changes to each home directory:
- Permissions are set to 0750 at a maximum. If permissions are already more restrictive than 0750, the permissions are left unchanged.
- User ownership is set to the UID of the user.
- Group ownership is set to the GID of the user.
Deployers can opt in for these changes by setting the following Ansible variable:
security_set_home_directory_permissions_and_owners: yes
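As an added illustration (not code from the security role), the following Python script applies the three checks above to a constructed /etc/passwd excerpt and to throwaway directories created under a temporary path, so it runs without root. The UID threshold of 1000 and the list of non-login shells are assumptions made here to identify local interactive users.

```python
# Added example (not from the ansible-hardening role): audit the home
# directories of local interactive users as V-72017 describes, using a
# constructed /etc/passwd excerpt and temp directories so it runs unprivileged.
import os
import stat
import tempfile

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/usr/sbin/nologin
bob:x:1003:1003:Bob:/home/bob:/bin/zsh
"""
MAX_HOME_MODE = 0o750
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumption

def interactive_users(passwd_text, min_uid=1000):
    """Return (name, uid, gid, home) for accounts with UID >= min_uid and a login shell."""
    users = []
    for line in passwd_text.splitlines():
        name, _, uid, gid, _, home, shell = line.split(":")
        if int(uid) >= min_uid and shell not in NOLOGIN_SHELLS:
            users.append((name, int(uid), int(gid), home))
    return users

def target_mode(mode):
    """'0750 at a maximum': clear permission bits outside 0750, keep stricter modes."""
    return mode & MAX_HOME_MODE

def audit_home(path, uid, gid):
    """List the changes the opt-in tasks would make to one home; [] means compliant."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if target_mode(mode) != mode:
        findings.append(f"mode {mode:04o} -> {target_mode(mode):04o}")
    if st.st_uid != uid:
        findings.append(f"owner {st.st_uid} -> {uid}")
    if st.st_gid != gid:
        findings.append(f"group {st.st_gid} -> {gid}")
    return findings

def demo():
    """Throwaway homes (alice 0755, bob 0700) audited against the caller's own UID/GID."""
    base = tempfile.mkdtemp()
    results = {}
    for name, _uid, _gid, _home in interactive_users(PASSWD_SAMPLE):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, 0o755 if name == "alice" else 0o700)
        results[name] = audit_home(path, os.getuid(), os.getgid())
    return results
```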
V-72019
Summary: All local interactive user home directories must be owned by their respective users.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
This control is implemented by the tasks for V-72017 above. Refer to the notes for that control for details on the change and how to enable or disable it.
V-72021
Summary: All local interactive user home directories must be group-owned by the home directory owner's primary group.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
This control is implemented by the tasks for V-72017 above. Refer to the notes for that control for details on the change and how to enable or disable it.
V-72023
Summary: All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
V-72025
Summary: All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
V-72027
Summary: All files and directories contained in local interactive user home directories must have mode 0750 or less permissive.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
V-72029
Summary: All local initialization files for interactive users must be owned by the home directory user or root.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
V-72031
Summary: Local initialization files for local interactive users must be group-owned by the user's primary group or root.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
V-72033
Summary: All local initialization files must have mode 0740 or less permissive.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
V-72037
Summary: Local initialization files must not execute world-writable programs.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Deployers should manually search their system for world-writable programs and change the permissions on those programs. They are easily found with this command:
find / -perm -002 -type f
World-writable executables are almost never needed.
V-72047
Summary: All world-writable directories must be group-owned by root, sys, bin, or an application group.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
The tasks in the security role examine the world-writable directories on the system and report any directories that are not group-owned by root. Those directories appear in the Ansible output.
Deployers should review the list of directories and group owners to ensure that they are appropriate for the directory. Unauthorized group ownership could allow certain users to modify files from other users.
Searching the entire filesystem for world-writable directories will consume a significant amount of disk I/O and could impact the performance of a production system. It can also delay the playbook’s completion. Therefore, the search is disabled by default.
Deployers can enable the search by setting the following Ansible variable:
security_find_world_writable_dirs: yes
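An added example, not the role's own task: a Python walk that stays on one filesystem (the effect of find's -xdev) and reports both the world-writable regular files that the V-72037 command above looks for and the world-writable directories whose group owner is outside an allowed set, as V-72047 requires. The allowed set (GID 0 only by default) and the tree that demo() scans are constructed for this example.

```python
# Added example (not from the ansible-hardening role): walk one filesystem and
# report world-writable regular files (V-72037) and world-writable directories
# whose group owner is outside an allowed set (V-72047). The tree scanned by
# demo() is constructed under a temporary path so this runs unprivileged.
import os
import stat
import tempfile

def scan_world_writable(root, allowed_gids=frozenset({0})):
    """Return sorted (path, kind, mode) findings under root, never crossing a
    mount point (like find's -xdev). Only GID 0 (root) is allowed by default;
    extend allowed_gids with sys, bin or application groups as appropriate."""
    root_dev = os.lstat(root).st_dev
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune subdirectories that live on another filesystem before descending.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: symlinks are not followed
            mode = stat.S_IMODE(st.st_mode)
            if not mode & stat.S_IWOTH:
                continue
            if stat.S_ISREG(st.st_mode):
                findings.append((path, "world-writable file", mode))
            elif stat.S_ISDIR(st.st_mode) and st.st_gid not in allowed_gids:
                findings.append((path, f"world-writable dir, gid {st.st_gid}", mode))
    return sorted(findings)

def demo(allowed_gids=frozenset({0})):
    """Constructed tree: a 0777 directory holding a 0666 file, plus a 0755
    script that is correctly not world-writable. Paths come back relative."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    for rel, mode in (("shared/notes.txt", 0o666), ("run.sh", 0o755)):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(path, mode)
    return [(os.path.relpath(p, base), kind, mode)
            for p, kind, mode in scan_world_writable(base, allowed_gids)]
```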
V-72049
Summary: The umask must be set to 077 for all local interactive user accounts.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes
Although the STIG requires that all local interactive user accounts have a umask of 077, this change can be disruptive for users and the applications they run. This change cannot be applied in an automated way.
Deployers should review user initialization files regularly to ensure that the umask is not specified. This allows the system-wide setting of 077 to be applied to all user sessions.
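As an added example (not from the role), the Python audit below locates umask lines in initialization files and reports which ones are looser than 077 and which are set at all. The file contents are constructed samples, and the treatment of symbolic umask values as "review manually" is an assumption of this example.

```python
# Added example (not from the ansible-hardening role): locate umask settings in
# user initialization files and flag those looser than the STIG's 077 (V-72049).
# The file contents below are constructed samples.
import re

REQUIRED_UMASK = 0o077
UMASK_RE = re.compile(r"^\s*umask\s+(\S+)")   # a leading '#' never matches

INIT_FILES = {
    "/home/alice/.bashrc": "# ~/.bashrc\nexport EDITOR=vim\numask 022\n",
    "/home/bob/.profile": "umask 077   # locked down\n",
    "/home/carol/.zshrc": "alias ll='ls -l'\n# umask 000 is commented out\n",
    "/home/dave/.bash_profile": "umask u=rwx,g=,o=\n",
}

def parse_umask(token):
    """Numeric value of an octal umask token, or None for symbolic forms
    (e.g. u=rwx,g=,o=), which this example leaves for manual review."""
    return int(token, 8) if re.fullmatch(r"[0-7]{1,4}", token) else None

def umask_is_compliant(value):
    """077 or stricter: every group and other permission bit must be masked."""
    return (value & REQUIRED_UMASK) == REQUIRED_UMASK

def audit_init_files(files):
    """Return (path, line_no, token, verdict) for every umask line found."""
    findings = []
    for path, text in sorted(files.items()):
        for n, line in enumerate(text.splitlines(), 1):
            m = UMASK_RE.match(line)
            if not m:
                continue
            value = parse_umask(m.group(1))
            if value is None:
                verdict = "symbolic, review manually"
            elif umask_is_compliant(value):
                verdict = "ok, but remove it so the system-wide 077 applies"
            else:
                verdict = "too permissive"
            findings.append((path, n, m.group(1), verdict))
    return findings
```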
V-72053
Summary: If the cron.allow file exists it must be owned by root.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in the security role check for the existence of /etc/cron.allow and set both the user and group ownership to root. This is already the default on Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap, and SUSE Linux Enterprise 12.