mediumfilesystemverified ✓rollback-safe
Ensure system command files have mode 755 or less
system-commands-mode · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
All files in /usr/bin, /usr/sbin, /usr/local/bin, and /usr/local/sbin must have mode 755 or less permissive to prevent unauthorized modification of system commands.
Rationale
If system commands are world-writable, local users can replace them with malicious versions. Restricting permissions to 755 prevents unauthorized modification.
Check → Remediate
Checkcommand
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f 2>/dev/null | head -1
Remediatefile_permissions
- find_paths:
- /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin
- find_type:
- f
- find_args:
- -perm /022
- mode:
- go-w
Framework references
STIG
V-281058 / RHEL-10-400205V-257882 / RHEL-09-232010V-230257V-270701 / UBTU-24-300011V-260486 / UBTU-22-232015
NIST 800-53
AC-6CM-5
Live verification
rhel8:checkubuntu22:checkubuntu24:checkubuntu26:check
#file-permissions#system-commands#security