file_perms - Filesystem permissions

One of the first layers of defense against attacks on a Linux system is Discretionary Access Control (DAC), which is managed through filesystem permissions.

Overview

Some of the STIG requirements for file permissions could cause disruptions on production systems if the permissions were adjusted to meet the needs of a particular application. These configurations are applied on an opt-in basis. Deployers must verify that these changes work well with their systems before applying the changes.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/file_perms.yml.

V-71849

  • Summary: The file permissions, ownership, and group membership of system files and commands must match the vendor values.

  • Severity: High

  • Implementation Status: Opt-In

Deployer/Auditor notes

Note

Ubuntu’s debsums command does not support verification of permissions and ownership for files that were installed by packages. This STIG requirement will be skipped on Ubuntu.

The STIG requires that all files owned by an installed package must have their permissions, user ownership, and group ownership set back to the vendor defaults.

Although this is a good practice, it can cause issues if permissions or ownership were intentionally set after the packages were installed. It also causes significant delays in deployments. Therefore, this STIG is not applied by default.

Deployers may opt in for the change by setting the following Ansible variable:

security_reset_perm_ownership: yes
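The read-only half of this control, shown as an added example that is not code from the ansible-hardening role: the snippet filters rpm -V style verification output down to the entries whose mode, user owner or group owner differ from the package database, which is exactly the drift this opt-in resets. The sample verification output and the paths in it are constructed for the example; on a real host the input comes from rpm -Va.

```shell
#!/bin/sh
# Added example, not code from the ansible-hardening role.
# Filters rpm -V style output down to the attributes V-71849 is about:
# M (mode), U (user owner), G (group owner). rpm -V prints a 9-character
# flag field (S M 5 D L U G T P, "." where the attribute matches), an
# optional attribute marker such as "c" for config files, then the path.
# Lines that only differ in size, digest or mtime are not permission drift
# and are ignored here.

# Constructed sample of `rpm -Va` output; the paths are hypothetical.
SAMPLE_RPM_VERIFY='.M....... /usr/bin/example-tool
S.5....T.  c /etc/example/example.conf
....L....  /usr/lib/example/link
.....UG.. /var/lib/example/data
......... /usr/share/example/ok
.M...UG.. /opt/example/bin/helper
missing   /usr/share/example/removed'

# Reads rpm -V output on stdin, prints "path mode,user,group" for each entry
# with permission or ownership drift. Paths containing spaces would confuse
# the $NF split; rpm -V output for standard packages does not contain them.
perm_drift() {
    awk '
    function tag(name) { why = (why == "") ? name : why "," name }
    {
        why = ""
        if (index($1, "M")) tag("mode")
        if (index($1, "U")) tag("user")
        if (index($1, "G")) tag("group")
        if (why != "") printf "%s %s\n", $NF, why
    }'
}

# Report over the constructed sample (on a real host: rpm -Va | perm_drift).
perm_drift_report() {
    printf '%s\n' "$SAMPLE_RPM_VERIFY" | perm_drift
}

# Number of drifted entries in the sample.
perm_drift_count() {
    perm_drift_report | wc -l | tr -d ' '
}

perm_drift_report
```

The filter changes nothing on the host. rpm itself provides the --setperms and --setugids options to restore a package's vendor mode and ownership values, which is the disruptive part this opt-in guards; running the audit first shows how many files the reset would actually touch.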

V-72007

  • Summary: All files and directories must have a valid owner.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Searching an entire filesystem with find reduces system performance and might impact certain applications negatively. Therefore, the search for files and directories with an invalid owner is disabled by default.

Deployers can opt in for this search by setting the following Ansible variable:

security_search_for_invalid_owner: yes

Any files or directories without a valid user owner are displayed in the Ansible output.


V-72009

  • Summary: All files and directories must have a valid group owner.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Searching an entire filesystem with find reduces system performance and might impact certain applications negatively. Therefore, the search for files and directories with an invalid group owner is disabled by default.

Deployers can opt in for this search by setting the following Ansible variable:

security_search_for_invalid_group_owner: yes

Any files or directories without a valid group owner are displayed in the Ansible output.


V-72017

  • Summary: All local interactive user home directories must have mode 0750 or less permissive.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Although the STIG requires that all home directories have the proper owner, group owner, and permissions, these changes might be disruptive in some environments. These tasks are not executed by default.

Deployers can opt in for the following changes to each home directory:

  • Permissions are set to 0750 at a maximum. If permissions are already more restrictive than 0750, the permissions are left unchanged.

  • User ownership is set to the UID of the user.

  • Group ownership is set to the GID of the user.

Deployers can opt in for these changes by setting the following Ansible variable:

security_set_home_directory_permissions_and_owners: yes
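The clamping rule from the first bullet above, as an added example that is not the role's own task: the new mode is the old mode ANDed with 0750, which chmod expresses as removing group-write and every other-permission bit, so a 0700 home directory stays 0700 while 0755 or 0775 becomes 0750. The directories are created in a scratch location, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not the role's own task. Clamps a directory's mode to
# 0750 at most: new mode = old mode AND 0750. chmod expresses that as
# removing group-write (020) and every "other" bit (007); nothing is added,
# so a directory that is already stricter than 0750 is left as it is.
clamp_home_mode() {
    dir="$1"
    chmod g-w,o-rwx "$dir"
    stat -c '%a' "$dir"      # GNU coreutils stat: prints the resulting octal mode
}

# Demonstration on constructed directories in a scratch location; prints
# "old->new" for each starting mode.
demo_clamp() {
    scratch=$(mktemp -d)
    result=""
    for mode in 755 700 775 777 710; do
        mkdir "$scratch/home-$mode"
        chmod "$mode" "$scratch/home-$mode"
        result="$result$mode->$(clamp_home_mode "$scratch/home-$mode") "
    done
    rm -rf "$scratch"
    printf '%s\n' "${result% }"
}

demo_clamp
```

The ownership half of the opt-in (chown to the user's UID and primary GID) needs root and is left out of the demonstration; the mode clamp alone shows why the opt-in is safe for directories that are already locked down and only changes the ones that are more open than 0750.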

V-72019

  • Summary: All local interactive user home directories must be owned by their respective users.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:


V-72021

  • Summary: All local interactive user home directories must be group-owned by the home directory owner's primary group.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:


V-72023

  • Summary: All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.


V-72025

  • Summary: All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.


V-72027

  • Summary: All files and directories contained in local interactive user home directories must have mode 0750 or less permissive.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.


V-72029

  • Summary: All local initialization files for interactive users must be owned by the home directory user or root.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.

Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.


V-72031

  • Summary: Local initialization files for local interactive users must be group-owned by the user's primary group or root.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.

Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.


V-72033

  • Summary: All local initialization files must have mode 0740 or less permissive.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.

Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.


V-72037

  • Summary: Local initialization files must not execute world-writable programs.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Deployers should manually search their system for world-writable programs and change the permissions on those programs. They are easily found with this command:

find / -perm -002 -type f

World-writable executables are almost never legitimately needed.


V-72047

  • Summary: All world-writable directories must be group-owned by root, sys, bin, or an application group.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

The tasks in the security role examine the world-writable directories on the system and report any directories that are not group-owned by the root group. Those directories appear in the Ansible output.

Deployers should review the list of directories and group owners to ensure that they are appropriate for the directory. Unauthorized group ownership could allow certain users to modify files from other users.

Searching the entire filesystem for world-writable directories will consume a significant amount of disk I/O and could impact the performance of a production system. It can also delay the playbook’s completion. Therefore, the search is disabled by default.

Deployers can enable the search by setting the following Ansible variable:

security_find_world_writable_dirs: yes
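The searches behind V-72037 and V-72047, as an added example that is not part of the role: the same find predicate as the command given for V-72037, applied to a constructed scratch tree instead of /, the remediation of clearing the other-write bit on the files it finds, and the directory variant that lists world-writable directories whose group owner is not root. The -xdev option is my addition to keep the search on one filesystem.

```shell
#!/bin/sh
# Added example, not part of the role. The same search as the find command
# given for V-72037, run against a directory given as $1 instead of /, plus
# the remediation of clearing the other-write bit. -xdev (my assumption)
# keeps the search on one filesystem, which avoids descending into /proc or
# network mounts when the starting point is /.

# World-writable regular files under $1, one path per line (V-72037).
list_world_writable_files() {
    find "$1" -xdev -type f -perm -002
}

# World-writable directories under $1 whose group owner is not root (V-72047).
# The list is for review: a directory legitimately group-owned by an
# application group also shows up here.
list_world_writable_dirs_not_root_group() {
    find "$1" -xdev -type d -perm -002 ! -group root
}

# Remove the other-write bit from each world-writable regular file under $1
# and print how many files were changed.
fix_world_writable_files() {
    list_world_writable_files "$1" | while IFS= read -r f; do
        chmod o-w "$f"
        printf '%s\n' "$f"
    done | wc -l | tr -d ' '
}

# Demonstration on a constructed scratch tree: two world-writable files
# (one of them a script) and one correctly permissioned script.
# Prints "<found before> <fixed> <found after>".
demo_world_writable() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/bin" "$scratch/lib"
    printf '#!/bin/sh\necho hi\n' > "$scratch/bin/bad";    chmod 0777 "$scratch/bin/bad"
    printf '#!/bin/sh\necho hi\n' > "$scratch/bin/good";   chmod 0755 "$scratch/bin/good"
    printf 'data\n' > "$scratch/lib/notes.txt";            chmod 0666 "$scratch/lib/notes.txt"
    before=$(list_world_writable_files "$scratch" | wc -l | tr -d ' ')
    fixed=$(fix_world_writable_files "$scratch")
    after=$(list_world_writable_files "$scratch" | wc -l | tr -d ' ')
    rm -rf "$scratch"
    printf '%s %s %s\n' "$before" "$fixed" "$after"
}

demo_world_writable
```

On a production host the file search is the expensive part the notes above warn about; running list_world_writable_files against / during a maintenance window and reviewing the list before calling the fix function keeps the remediation deliberate rather than blanket.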

V-72049

  • Summary: The umask must be set to 077 for all local interactive user accounts.

  • Severity: Medium

  • Implementation Status: Exception - Manual Intervention

Deployer/Auditor notes

Although the STIG requires that all local interactive user accounts have a umask of 077, this change can be disruptive for users and the applications they run. This change cannot be applied in an automated way.

Deployers should review user initialization files regularly to ensure that the umask is not specified. This allows the system-wide setting of 077 to be applied to all user sessions.
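The review described above, as an added example that is not code from the role: the snippet scans each home directory under a given parent for shell initialization files that set a umask, since any such line overrides the system-wide 077 for that user's sessions. The list of initialization file names and the sample home directories are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the role. Finds shell initialization files that
# set a umask, which is what the manual review for V-72049 looks for: a umask
# in a user's init file overrides the system-wide 077 for that user's sessions.
# The file-name list and the sample home directories are constructed here.

INIT_FILES=".bashrc .bash_profile .profile .cshrc .login .zshrc"

# For every home directory directly under $1, print "file:line:text" for each
# line that sets a umask. Commented-out lines are skipped by the anchored
# regex; a umask set from a file sourced by the init file would not be caught.
find_umask_overrides() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        for name in $INIT_FILES; do
            f="$home/$name"
            [ -f "$f" ] || continue
            grep -nE '^[[:space:]]*umask[[:space:]]+[0-7]+' "$f" | sed "s|^|$f:|"
        done
    done
}

# Demonstration on a constructed home tree: alice has only a comment, bob
# sets 022 in .profile, carol sets a umask in two files (even 077 is reported,
# since the review wants no per-user umask at all).
demo_umask_audit() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/alice" "$scratch/bob" "$scratch/carol"
    printf '# umask 022 (commented out)\nexport EDITOR=vi\n' > "$scratch/alice/.bashrc"
    printf 'umask 022\n' > "$scratch/bob/.profile"
    printf '  umask 002\nalias ll="ls -l"\n' > "$scratch/carol/.bashrc"
    printf 'umask 077\n' > "$scratch/carol/.zshrc"
    (cd "$scratch" && find_umask_overrides .)
    rm -rf "$scratch"
}

demo_umask_audit
```

Run against /home on a real host, the output is the list of files a deployer has to discuss with their owners; the script deliberately reports rather than edits, matching the manual-intervention status of this control.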


V-72053

  • Summary: If the cron.allow file exists it must be owned by root.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in the security role check for the existence of /etc/cron.allow and set both the user and group ownership to root. This is already the default on Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap, and SUSE Linux Enterprise 12.