{"description": "System executables are stored in the following directories by default:\n<pre>/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin</pre>\nThese directories should not be group-writable or world-writable.\nIf any directory <i>DIR</i> in these directories is found to be\ngroup-writable or world-writable, correct its permission with the\nfollowing command:\n<pre>$ sudo chmod go-w <i>DIR</i></pre>", "rationale": "System binaries are executed by privileged users, as well as system services,\nand restrictive permissions are necessary to ensure execution of these programs\ncannot be co-opted.", "severity": "medium", "references": {"srg": ["SRG-OS-000258-GPOS-00099"], "stigid": ["UBTU-22-232010"], "stigref": ["SV-260485r991559_rule"]}, "control_references": {"stigid": ["UBTU-22-232010"]}, "components": [], "identifiers": {}, "ocil_clause": "any of these files are group-writable or world-writable", "ocil": "System executables are stored in the following directories by default:\n<pre>/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin</pre>\nTo find system executable directories that are group-writable or\nworld-writable, run the following command for each directory <i>DIR</i>\nwhich contains system executables:\n<pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify that System Executable Directories Have Restrictive Permissions", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml", "template": {"name": "file_permissions", 
"vars": {"filepath": ["/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/"], "recursive": "true", "filemode": "0755"}, "backends": {}}}