https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247381#M677679 Thank you everyone for your replies. TTr, thank you for pointing out that the file is a socket. I overlooked that fact. I will likely push for an exception for this file from the security violation.<BR /> Thu, 07 Aug 2008 18:06:23 GMT Carl Cloutier 2008-08-07T18:06:23Z https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247377#M677675 Hello,<BR /><BR />I am getting a security audit violation for having world writable permissions on the /etc/useracct/utmpd_read file. Does this file have to be world writable and if so why?<BR /><BR />Thank you,<BR />Carl Wed, 06 Aug 2008 15:48:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247377#M677675 Carl Cloutier 2008-08-06T15:48:08Z https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247378#M677676 Shalom Carl,<BR /><BR />Strange day for me. Lots of stuff I never saw before.<BR /><BR />I'm not familiar with this file. I'm not even sure its a part of HP-UX.<BR /><BR />Can you do a uname -a and let us know what version of the OS this is and what security enhancements you have installed?<BR /><BR />SEP Wed, 06 Aug 2008 16:33:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247378#M677676 Steven E. Protter 2008-08-06T16:33:53Z https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247379#M677677 Hi Carl:<BR /><BR />Since this file and its companions are part of the accounting for currently logged-in users, I think that the audit isn't context-sensitive". Stated differently, the audit may be overly paranoid.<BR /><BR /><A href="http://docs.hp.com/en/B3921-60631/utmpd.1M.html" target="_blank">http://docs.hp.com/en/B3921-60631/utmpd.1M.html</A><BR /><BR />I would suspect that the 'umask' setting at the time accounting is enabled may be too lax.<BR /><BR />Regards!<BR /><BR />...JRF... Wed, 06 Aug 2008 16:39:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247379#M677677 James R. Ferguson 2008-08-06T16:39:45Z https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247380#M677678 That file is not a regular file, it is a socket. Typically sockets are world writable and if you search in the system for more sockets (find / -type s -exec ll {} \;) you will find that most sockets are world writable. I can't tell what will happen if you change the permissions.<BR />Every socket file is used by two or more processes. If these processes are owned by the socket owner/group they should be able to use the socket if you take away the world write access. <BR /> Wed, 06 Aug 2008 16:56:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247380#M677678 TTr 2008-08-06T16:56:49Z https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247381#M677679 Thank you everyone for your replies. TTr, thank you for pointing out that the file is a socket. I overlooked that fact. I will likely push for an exception for this file from the security violation.<BR /> Thu, 07 Aug 2008 18:06:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/etc-useracct-utmpd-read-why-world-writable/m-p/4247381#M677679 Carl Cloutier 2008-08-07T18:06:23Z