
Re: non-compliant

 
gogleboy
Occasional Advisor

non-compliant

The files listed below are referenced in a startup file. These files are group writable AND owned by a non-privileged group. This is a security problem because anyone with group access can modify the files. Files referenced in startup files are executed (or read) by the root account on system startup. Anyone with group access can replace these files and have them executed (or read) by root the next time the system boots. So how can I fix this and make it go from non-compliant to compliant?

File name:
/sbin/init.d/autosys: -rwxrwxr-x: autosys

Thanks
Nanda
6 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: non-compliant

Hi:

Use Google.

...JRF...

Re: non-compliant

well one would have thought that

chmod 755 /sbin/init.d/autosys

would fix it

but if you don't understand what the command above means, you shouldn't be even a junior admin of a UNIX box...

HTH

Duncan

I am an HPE Employee
TTr
Honored Contributor

Re: non-compliant

> These files are group writable AND owned by a non-privileged group. This is a security problem...

So isn't the fix obvious?
Dennis Handly
Acclaimed Contributor

Re: non-compliant

>/sbin/init.d/autosys: -rwxrwxr-x: autosys

Who is the owner and group of the file?
What fileset contains this file? Is it delivered by HP? What OS version do you have?
swlist -l file | grep /autosys

You may want to use "swverify \*" to see if it is already broken.

>Duncan: chmod 755 /sbin/init.d/autosys

I would go even further:
chmod a-w /sbin/init.d/autosys

Olivier Masse
Honored Contributor

Re: non-compliant

While I don't see why a startup script should be group-writable, there might be an obscure reason for this. For example, maybe an admin wanted to be able to edit parameters in the script without becoming root. That's indeed a security risk, but if you're unsure, you'd better not mess with it without reviewing what the script does first.

This might be something related to CA's autosys which is an enterprise job scheduler, so chances are you have a support contract with CA. I suggest you check with them to have an official answer.

Good luck
Dennis Handly
Acclaimed Contributor

Re: non-compliant

>Olivier: maybe an admin wanted to be able to edit parameters in the script without becoming root.

I would hope that rc script parms would be in /etc/rc.config.d/ and changed with ch_rc(1M).
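
An added example, not part of any post in this thread: a POSIX shell audit for the condition the compliance report flags (startup files that group or other can write), run here against a constructed sample directory. The function names, the sample file names and the use of `chmod go-w` for the fix are assumptions of this example; the replies above suggest `chmod 755` and `chmod a-w`.

```shell
#!/bin/sh
# Added example, not from the thread. Pass the startup directory to audit
# (on the system discussed here that would be /sbin/init.d).

# List regular files under $1 that group or other can write,
# as "mode owner group path".
audit_startup_dir() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec ls -ld {} \; |
        awk '{ print $1, $3, $4, $NF }'
}

# Number of files the audit flags.
count_findings() {
    audit_startup_dir "$1" | wc -l | tr -d ' '
}

# Strip group/other write from flagged files only; other bits are untouched.
remediate_startup_dir() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} \;
}

# Build a constructed sample directory (file names are made up).
make_sample_dir() {
    d="${TMPDIR:-/tmp}/rc_audit.$$"
    mkdir -p "$d" || return 1
    for f in autosys_sample cron_sample net_sample; do
        printf '#!/sbin/sh\nexit 0\n' > "$d/$f"
    done
    chmod 775 "$d/autosys_sample"   # group-writable, like the flagged file
    chmod 755 "$d/cron_sample"      # compliant
    chmod 757 "$d/net_sample"       # world-writable
    echo "$d"
}

dir=$(make_sample_dir) || exit 1
echo "before: $(count_findings "$dir") finding(s)"
audit_startup_dir "$dir"
remediate_startup_dir "$dir"
echo "after:  $(count_findings "$dir") finding(s)"
rm -rf "$dir"
```

The owner and group columns in the audit output answer the "who is the owner and group" question raised above; run the audit alone first and apply the remediation only after reviewing what each flagged script does.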