{"description": "The SUID (set user id) bit should be set only on files that were installed via authorized\nmeans. A straightforward way to identify unauthorized SUID files is to determine whether any were\nnot installed as part of an RPM package, whose signature is cryptographically verified. Investigate the\norigin of any unpackaged SUID files. This configuration check considers SUID files installed via RPM\nto be authorized. It is assumed that when an individual has sudo access to install an RPM and all\npackages are signed with an organizationally recognized GPG key, the software should be considered\nan approved package on the system. Any SUID file not deployed through an RPM will be flagged for\nfurther review.", "rationale": "Executable files with the SUID permission run with the privileges of the owner of the file.\nSUID files of uncertain provenance could allow unprivileged users to elevate privileges.\nThe presence of these files should be strictly controlled on the system.", "severity": "medium", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-6(a)", "AC-6(1)"], "nist-csf": ["PR.AC-4", "PR.DS-5"], "anssi": ["R56"], "ism": ["1409"]}, "control_references": {"anssi": ["R56"], "ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "only authorized files appear in the output of the find command", "ocil": "To find SUID files, run the following command:\n<pre>$ sudo find / -xdev -type f -perm -4000</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "", "warnings": [{"general": "This rule can take a long time to perform its check and might consume a considerable\namount of resources, depending on the number of files present on the system. This is not a\nproblem in most cases, but systems with a very large number of files can be affected.\nSee <code>https://access.redhat.com/articles/6999111</code>."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure All SUID Executables Are Authorized", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml", "template": null}
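The review procedure that the description and the OCIL text outline (enumerate SUID files, then ask the RPM database whether each one was installed by a package), as an added example script that is not part of the SCAP Security Guide rule or of ComplianceAsCode. It goes one step beyond the rule's `rpm -qf` test: a file that belongs to a package can still have been given the SUID bit after installation, so each packaged file is also run through `rpm -Vf`, which reports an `M` when the on-disk mode differs from what the package recorded. Two caveats on the OCIL command itself: `-xdev` keeps `find` out of `/proc` and `/sys`, but it also skips any separately mounted filesystem such as `/usr`, `/var` or `/home`, so pass every local mount point; and `rpm -qf` answers for the path, not for the file's current content, which is why the `rpm -Vf` step is there. The `RPM_BIN` override is my own addition so the classification logic can be exercised against a stub; real `rpm` output formats are as documented in rpm(8).

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide rule): list SUID files and
# flag any that are not owned by an installed RPM, or whose recorded mode no
# longer matches the package (e.g. a SUID bit added by hand after install).
# Assumption (mine, not the rule's): RPM_BIN may be overridden to point at a
# stand-in for rpm so the logic can be tested without an RPM database.

RPM_BIN="${RPM_BIN:-rpm}"

# find_suid_files MOUNTPOINT...: print regular files with the SUID bit set,
# one per line, without crossing filesystem boundaries. Pass every local
# mount point; the OCIL's single `find / -xdev` skips a separately mounted
# /usr, /var or /home.
find_suid_files() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# classify_suid_file PATH: print one of
#   unpackaged  no installed package owns PATH (investigate its origin)
#   modified    a package owns PATH but rpm -Vf reports a mismatch (mode,
#               digest, owner, ...) against what the package installed
#   packaged    owned by a package and unchanged since installation
classify_suid_file() {
    f=$1
    if ! "$RPM_BIN" -qf "$f" >/dev/null 2>&1; then
        echo unpackaged
        return 0
    fi
    # rpm -Vf verifies the whole owning package and prints one line per file
    # with a mismatch, ending in the file path; keep only the line for $f.
    if "$RPM_BIN" -Vf "$f" 2>/dev/null |
        awk -v f="$f" '$NF == f { found = 1 } END { exit !found }'; then
        echo modified
    else
        echo packaged
    fi
}

# audit_suid FILE...: print "<status> <path>" per file. Returns 0 only if every
# file is packaged and unmodified, 1 if anything needs review.
audit_suid() {
    rc=0
    for f in "$@"; do
        status=$(classify_suid_file "$f")
        echo "$status $f"
        [ "$status" = packaged ] || rc=1
    done
    return $rc
}

# Usage: sudo sh suid_audit.sh / /usr /var /home
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    find_suid_files "$@" | {
        rc=0
        while IFS= read -r f; do
            audit_suid "$f" || rc=1
        done
        exit "$rc"
    }
    exit $?
fi
```

A non-zero exit means at least one line is `unpackaged` or `modified`; those paths are the ones the rule asks you to investigate. `modified` lines deserve the closer look: `rpm -Vf` will also flag a legitimately edited config file, but a SUID binary whose mode or digest changed after installation is exactly the case `rpm -qf` alone cannot see.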