mediumfilesystemverified ✓
Ensure system command files are group-owned by root or system account
system-commands-group · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
All files in /usr/bin, /usr/sbin, /usr/local/bin, and /usr/local/sbin must be group-owned by root or a system account to prevent unauthorized modification.
Rationale
System commands group-owned by non-system accounts could be modified by members of those groups. Root or system group ownership prevents this.
Check → Remediate
Checkcommand
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f ! -group root 2>/dev/null | while IFS= read -r f; do g=$(stat -c %g "$f" 2>/dev/null); [ -n "$g" ] && [ "$g" -ge 1000 ] && printf '%s\n' "$f"; done | head -1
Remediatemanual
- note:
- Change the group owner of any system command file group-owned by a non-system (user) group to root: 'chgrp root <file>'. Leave sgid system helpers (e.g. write:tty, locate:slocate, postdrop:postdrop) unchanged.
Framework references
STIG
V-281038 / RHEL-10-400105V-257919 / RHEL-09-232195V-230259V-270703 / UBTU-24-300013V-260496 / UBTU-22-232055
NIST 800-53
AC-6CM-5
Live verification
rhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#file-permissions#system-commands#security