One of the first layers of defense against attacks on a Linux system is Discretionary Access Control (DAC), which is managed through filesystem permissions.
Some of the STIG requirements for file permissions could cause disruptions on production systems if the permissions were adjusted to meet the needs of a particular application. These configurations are applied on an opt-in basis. Deployers must verify that these changes work well with their systems before applying the changes.
All of the tasks for these STIG requirements are included in
tasks/rhel7stig/file_perms.yml
.
Note
Ubuntu’s debsums
command does not support verification of permissions
and ownership for files that were installed by packages. This STIG
requirement will be skipped on Ubuntu.
The STIG requires that all files owned by an installed package must have their permissions, user ownership, and group ownership set back to the vendor defaults.
Although this is a good practice, it can cause issues if permissions or ownership were intentionally set after the packages were installed. It also causes significant delays in deployments. Therefore, this STIG is not applied by default.
Deployers may opt in for the change by setting the following Ansible variable:
security_reset_perm_ownership: yes
Searching an entire filesystem with find
reduces system performance and
might impact certain applications negatively. Therefore, the search for files
and directories with an invalid owner is disabled by default.
Deployers can opt in for this search by setting the following Ansible variable:
security_search_for_invalid_owner: yes
Any files or directories without a valid user owner are displayed in the Ansible output.
Searching an entire filesystem with find
reduces system performance and
might impact certain applications negatively. Therefore, the search for files
and directories with an invalid group owner is disabled by default.
Deployers can opt in for this search by setting the following Ansible variable:
security_search_for_invalid_group_owner: yes
Any files or directories without a valid group owner are displayed in the Ansible output.
Although the STIG requires that all home directories have the proper owner, group owner, and permissions, these changes might be disruptive in some environments. These tasks are not executed by default.
Deployers can opt in for the following changes to each home directory:
0750
at a maximum. If permissions are already
more restrictive than 0750
, the permissions are left unchanged.UID
of the user.GID
of the user.Deployers can opt in for these changes by setting the following Ansible variable:
security_set_home_directory_permissions_and_owners: yes
This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:
This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
Deployers should manually search their system for world-writable programs and change the permissions on those programs. They are easily found with this command:
find / -perm -002 -type f
World-writable executables should not be needed under almost all circumstances.
The tasks in the security role examine the world-writable directories on the
system and report any directories that are not group-owned by the root
user. Those directories appear in the Ansible output.
Deployers should review the list of directories and group owners to ensure that they are appropriate for the directory. Unauthorized group ownership could allow certain users to modify files from other users.
Although the STIG requires that all local interactive user accounts have a
umask of 077
, this change can be disruptive for users and the applications
they run. This change cannot be applied in an automated way.
Deployers should review user initialization files regularly to ensure that the
umask is not specified. This allows the system-wide setting of 077
to be
applied to all user sessions.
The tasks in the security role check for the existence of /etc/cron.allow
and set both the user and group ownership to root
. This is the default on
Ubuntu, CentOS, Red Hat Enterprise Linux systems, openSUSE Leap and SUSE Linux
Enterprise 12 already.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.