{"description": "System commands are stored in the following directories by default:\n<pre>/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin</pre>\nNo file in these directories should be group-writable or world-writable.\nIf any file <i>FILE</i> in these directories is found\nto be group-writable or world-writable, correct its permissions with the\nfollowing command:\n<pre>$ sudo chmod 755 <i>FILE</i></pre>", "rationale": "System binaries are executed by privileged users, as well as system services,\nand restrictive permissions are necessary to ensure execution of these programs\ncannot be co-opted.", "severity": "medium", "references": {"nist": ["CM-5(6)", "CM-5(6).1"], "srg": ["SRG-OS-000259-GPOS-00100"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "any system commands are found to be group or world writable", "ocil": "System commands are stored in the following directories by default:\n<pre>/bin\n/sbin\n/usr/bin\n/usr/local/bin\n/usr/local/sbin\n/usr/sbin</pre>\nTo find system commands that are group-writable or world-writable, and so do not have mode 0755 or less permissive,\nrun the following command for each directory <i>DIR</i> which contains system executables:\n<pre>$ sudo find -L <i>DIR</i> -perm /022 -type f</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify that system commands are protected from unauthorized access", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml", "template": null}