{"description": "The SGID (set group id) bit should be set only on files that were installed via authorized\nmeans. A straightforward means of identifying unauthorized SGID files is determine if any were\nnot installed as part of an RPM package, which is cryptographically verified. Investigate the\norigin of any unpackaged SGID files. This configuration check considers authorized SGID files\nthose which were installed via RPM. It is assumed that when an individual has sudo access to\ninstall an RPM and all packages are signed with an organizationally-recognized GPG key, the\nsoftware should be considered an approved package on the system. Any SGID file not deployed\nthrough an RPM will be flagged for further review.", "rationale": "Executable files with the SGID permission run with the privileges of the owner of the file.\nSGID files of uncertain provenance could allow for unprivileged users to elevate privileges.\nThe presence of these files should be strictly controlled on the system.", "severity": "medium", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-6(a)", "AC-6(1)"], "nist-csf": ["PR.AC-4", "PR.DS-5"], "anssi": ["R56"], "ism": ["1409"]}, "control_references": {"anssi": ["R56"], "ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "there is output", "ocil": "To find SGID files, run the following command:\n<pre>$ sudo find / -xdev -type f -perm -2000</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule can take a long time to perform the check and might consume a considerable\namount of resources depending on the number of files present on the system. It is not a\nproblem in most cases, but especially systems with a large number of files can be affected.\nSee <code>https://access.redhat.com/articles/6999111</code>."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure All SGID Executables Are Authorized", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml", "template": null}