1 Reply Latest reply on Sep 21, 2011 5:17 AM by Gerardo Bartoccini

    Simple (?) compliance rule about SUID

    Gerardo Bartoccini

      Hi,

      I am building a compliance rule which will check if a specific file has got the SUID bit set.

      I took /usr/bin/wall as an example. On my test server, here's what it looks like:

      [as1 bin]$ ls -l /usr/bin/wall
      -r-xr-sr-x 1 root tty 14824 Sep 17  2008 /usr/bin/wall
      [as1 bin]$

      The script used by CIS actually finds it:

      [as1 bin]$ find /usr/bin -type f \( -perm -02000 \) -print
      /usr/bin/wall
      /usr/bin/locate
      /usr/bin/crontab
      /usr/bin/ssh-agent
      /usr/bin/write
      /usr/bin/lockfile
      [as1 bin]$

      However, my compliance rule won't match.

      I have tried the following:

      "File:/usr/bin/wall"."Permissions (Unix) (Unix)" has no flags "SetUID"

      and

      "File:/usr/bin/wall"."Permissions (Unix) (Unix)" does not have any flag "SetUID"

      but no luck.

      I would rather not script it, as the customer complains that we script too much :-)

      Any clues?

        • 1. Re: Simple (?) compliance rule about SUID
          Gerardo Bartoccini

          I figured out how it works.


          I will summarize here my findings should someone face the same issue.

          Here's what the SetUID bit looks like:

          (4000) --s --- ---
          [screenshot: SetUID.jpg]

           

          Here's what the SetGID bit looks like:

          (2000) --- --s ---
          [screenshot: SetGID.jpg]

           

          Here's what the Sticky bit looks like:

          (1000) --- --- --t
          [screenshot: Sticky.jpg]

           

          This means that the tool in my example (/usr/bin/wall) has got the SetGID bit set.

           

          Actually, BladeLogic marks it as non-compliant if the rule looks like:

           

          "File:/usr/bin/wall"."Permissions (Unix) (Unix)" has no flags "SetGID"
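          As an added example (my own POSIX sh, not code from the thread or from BladeLogic), the script below reads the permission column the same way the screenshots above do and names which special bit a file really carries, so a rule can be written for the bit that is actually set (for /usr/bin/wall that is SetGID, 02000, which is why find -perm -02000 lists it). The function names are my own; it assumes an `ls -ld` whose first field is the usual 10-character mode string.

          ```sh
          #!/bin/sh
          # Added example, not from the thread: report the special permission bits
          # of a file so a compliance rule tests for the bit that is really set.

          # special_bits_from_mode MODESTR
          #   MODESTR is the 10-character symbolic mode from `ls -l`, e.g. "-r-xr-sr-x".
          #   Prints "SetUID", "SetGID" and/or "Sticky" (space separated), or "none".
          #   's'/'S' in the owner execute slot is SetUID, in the group slot SetGID;
          #   't'/'T' in the others execute slot is the sticky bit.
          special_bits_from_mode() {
              out=""
              case "$1" in ???[sS]*)       out="SetUID" ;; esac
              case "$1" in ??????[sS]*)    out="${out:+$out }SetGID" ;; esac
              case "$1" in ?????????[tT]*) out="${out:+$out }Sticky" ;; esac
              printf '%s\n' "${out:-none}"
          }

          # special_bits_from_octal MODE
          #   MODE is the numeric mode as the GUI shows it (4000/2000/1000), e.g. 2555.
          #   The leading digit of a four-digit mode is the special-bit field:
          #   4=SetUID, 2=SetGID, 1=Sticky; they add up, so 6755 is SetUID+SetGID.
          special_bits_from_octal() {
              case ${#1} in 4) d=${1%???} ;; *) d=0 ;; esac
              out=""
              [ $((d & 4)) -ne 0 ] && out="SetUID"
              [ $((d & 2)) -ne 0 ] && out="${out:+$out }SetGID"
              [ $((d & 1)) -ne 0 ] && out="${out:+$out }Sticky"
              printf '%s\n' "${out:-none}"
          }

          # special_bits_of PATH
          #   Same report for a real file, from the `ls -ld` permission column
          #   (first 10 characters only; an ACL/SELinux '+' or '.' suffix is ignored).
          special_bits_of() {
              [ -e "$1" ] || return 1
              mode=$(ls -ld "$1" | cut -c1-10)
              special_bits_from_mode "$mode"
          }

          # has_special_bit PATH BIT -> exit 0 if BIT (SetUID|SetGID|Sticky) is set,
          #   i.e. the "has flags" test; find's equivalents are -perm -04000/-02000/-01000.
          has_special_bit() {
              case " $(special_bits_of "$1") " in *" $2 "*) return 0 ;; esac
              return 1
          }

          # Usage: sh special_bits.sh /usr/bin/wall /usr/bin/crontab
          for f in "$@"; do
              printf '%s: %s\n' "$f" "$(special_bits_of "$f" || echo 'not found')"
          done
          ```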