Profile Applicability:
Level 1
Description:
Files with SUID (Set User ID) and SGID (Set Group ID) permissions execute with the privileges of the file owner or group, respectively. While necessary for some system functions, these files can be exploited by attackers to gain elevated privileges if misconfigured or vulnerable.
Rationale:
Regularly reviewing SUID and SGID files helps detect unauthorized or suspicious files, reducing the risk of privilege escalation attacks.
Impact:
Pros:
Enhances system security by controlling privileged file usage.
Helps identify and remediate potentially dangerous files.
Cons:
The review process can be time-consuming and requires expertise.
Removing necessary SUID/SGID bits may disrupt system functionality.
Default Value:
No default automated review is typically configured; manual review is required.
Pre-requisites:
Root or sudo privileges to list and inspect SUID and SGID files.
Remediation:
Test Plan:
Using Linux command line:
List all SUID files:
find / -perm -4000 -type f 2>/dev/null
List all SGID files:
find / -perm -2000 -type f 2>/dev/null
Review the list for unauthorized or unexpected files.
Implementation Plan:
Using Linux command line:
1. Investigate and validate the necessity of each SUID and SGID file.
2. Remove SUID/SGID bits from unnecessary files:
chmod u-s /path/to/file # Remove SUID
chmod g-s /path/to/file # Remove SGID
3. Document changes and monitor for new files with these permissions.
Backout Plan:
Using Linux command line:
1. Restore SUID/SGID bits to files if removal causes issues:
chmod u+s /path/to/file # Restore SUID
chmod g+s /path/to/file # Restore SGID
2. Reassess the security impact.
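The Test Plan, Implementation Plan and Backout Plan above are manual steps. The following POSIX shell helper, added here as an example and not part of the benchmark, strings them together: it scans a directory tree with the same find predicates as the Test Plan (pass / for a full-system scan), compares the result with a baseline file of expected paths so only new or unexpected SUID/SGID files are flagged, strips the bits from a file while recording its previous mode, and restores them from that record for the backout. The function names, the baseline format (one absolute path per line) and the change-log format (mode string, tab, path) are this example's own conventions, not the benchmark's.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text. Assumed conventions:
#   baseline file  - one expected SUID/SGID path per line, exactly as find prints it
#   change log     - one "mode<TAB>path" line per file whose bits were removed

# find_setid_files DIR: print every regular file under DIR with SUID or SGID set,
# one path per line, sorted. Same predicates as the benchmark's find commands.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid DIR BASELINE: print "UNEXPECTED <mode> <path>" for each SUID/SGID
# file not listed (exact path match) in BASELINE.
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_setid() {
    unexpected=$(find_setid_files "$1" | grep -vxF -f "$2" || true)
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected" | while IFS= read -r f; do
        printf 'UNEXPECTED %s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done
    return 1
}

# strip_setid FILE LOG: append FILE's current mode string and path to LOG, then
# clear both the SUID and SGID bits (the Implementation Plan's chmod u-s / g-s).
strip_setid() {
    printf '%s\t%s\n' "$(ls -ld "$1" | cut -d' ' -f1)" "$1" >> "$2"
    chmod u-s,g-s "$1"
}

# restore_setid FILE LOG: look up the last mode recorded for FILE in LOG and put
# back whichever of SUID/SGID it had. In an ls -l mode string, column 4 is the
# owner execute slot and column 7 the group execute slot; 's' or 'S' there means
# the corresponding set-id bit was set. Returns 1 if FILE is not in LOG.
restore_setid() {
    mode=$(awk -F '\t' -v f="$1" '$2 == f { m = $1 } END { print m }' "$2")
    [ -n "$mode" ] || return 1
    case $(printf '%s' "$mode" | cut -c4) in s|S) chmod u+s "$1" ;; esac
    case $(printf '%s' "$mode" | cut -c7) in s|S) chmod g+s "$1" ;; esac
}
```

Typical use is `audit_setid / /etc/setid.baseline` from cron or a configuration-management run, with the baseline regenerated and reviewed after package upgrades; `strip_setid` and `restore_setid` share one log so the Backout Plan can be executed file by file without guessing which bits were originally set.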
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux File Permissions