← Rules Catalog
mediumfilesystemverified

Ensure SUID and SGID files are reviewed

suid-sgid-files-reviewed · RHEL ≥ 8 · 1 impl

Description

SUID/SGID files must be limited to a reviewed, legitimate set. No SUID or SGID file may be world-writable or located in a user-writable directory (/tmp, /var/tmp, /home, /dev/shm), which would be an unambiguous privilege-escalation risk.

Rationale

SUID/SGID binaries run with elevated privileges. A world-writable one, or one an unprivileged user can place in a writable directory, is a direct local privilege-escalation vector. The full SUID/SGID inventory should be reviewed against a known-good baseline.

Check → Remediate

Checkcommand
# Unambiguous findings: SUID/SGID files that are world-writable or
# sit in a user-writable directory. Full inventory review is manual.
risky=$(find / -xdev -type f \( -perm -4000 -o -perm -2000 \) \
          \( -perm -0002 -o -path '/tmp/*' -o -path '/var/tmp/*' \
             -o -path '/home/*' -o -path '/dev/shm/*' \) 2>/dev/null | head -5)
if [ -n "$risky" ]; then
  echo "FAIL: SUID/SGID files world-writable or in user-writable paths:"; echo "$risky"; exit 1
fi
echo "OK: no world-writable or user-path SUID/SGID files (review full inventory against baseline)"
expected_exit:
0
Remediatemanual
note:
Enumerate all SUID/SGID files with `find / -xdev -type f \( -perm -4000 -o -perm -2000 \)`, compare against the approved baseline, and remove the SUID/SGID bit from any file that does not require it.

Framework references

CIS

rhel9 7.1.13rhel8 7.1.13rhel10 7.1.13

NIST 800-53

AC-6CM-6

Live verification

rhel9:check
#suid#sgid#privilege-escalation#review