For "Verify that All World-Writable Directories Have Sticky Bits Set" (CCE-26840-9), with either the stig-rhel6-server or the usgcb-rhel6-server profile selected from the SCAP stream, SCC 3.1.1.1 may produce a false negative when run on a non-compliant RHEL6V1R2 machine.

    ls -ldh /root/ /root/.ssh/
    drwxrwxrwx. 28 user   user  4.0K Feb  7 09:46 /root/
    drwxrwxrwt.  2 nobody wheel 4.0K Jul 24  2013 /root/.ssh

See the following report output:

Verify that All World-Writable Directories Have Sticky Bits Set
ID: sticky_world_writable_dirs
Result: Pass
Identities: CCE-26840-9
Description: When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command:
    # chmod +t DIR
Fix Text:
Severity: low
Weight:
Reference: AC-6

Definitions:
ID: oval:ssg:def:169
Result: true
Title: Verify that All World-Writable Directories Have Sticky Bits Set
Description: The sticky bit should be set for all world-writable directories.
Class: compliance
Tests:
  true (All item-state comparisons must be true.)
    true (all local world-writable directories have sticky bit set) (negated)

Tests:
Test ID: oval:ssg:tst:170
Result: false
Title: all local world-writable directories have sticky bit set
Check Existence: All
N15

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
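Added example, not code from the post or from the SCAP Security Guide project: a POSIX shell check that reproduces, independently of the OVAL content the scanner evaluates, the condition test oval:ssg:tst:170 describes (local world-writable directories lacking the sticky bit), plus a helper that classifies ls -l mode strings like the ones in the post. Function names and the temporary-directory layout are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from the SCAP Security Guide.
# Two helpers for checking the sticky-bit condition by hand, independent
# of the OVAL content the scanner evaluates. Function names are my own.

# Interpret an ls -l mode string such as "drwxrwxrwx." (an SELinux '.' or
# ACL '+' suffix is ignored). Succeeds (returns 0) only for a directory
# that is world-writable (9th char 'w') and has no sticky bit (10th char
# 'x' or '-' rather than 't'/'T').
mode_is_ww_dir_without_sticky() {
    case "$1" in
        d???????w[x-]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# List directories on the given local filesystems (default: /) that are
# world-writable but lack the sticky bit, the condition OVAL test
# oval:ssg:tst:170 is supposed to detect. -xdev keeps the walk on local
# filesystems. Errors from unreadable subtrees are deliberately left
# visible: a silently skipped subtree is exactly how a false negative
# arises.
ww_dirs_without_sticky() {
    [ $# -gt 0 ] || set -- /
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# Succeeds when no offending directory exists (the "Pass" case).
sticky_bit_check_passes() {
    [ -z "$(ww_dirs_without_sticky "$@")" ]
}

# With the post's ls output, /root/ (drwxrwxrwx.) is a finding and
# /root/.ssh (drwxrwxrwt.) is not.
# Usage: sticky_bit_check_passes / || echo "non-compliant directories listed above"
```

The find-based check is the one to compare against the scanner's verdict; if it lists /root/ while the report says Pass, the false negative lies in the OVAL object or the scanner, not in the filesystem state.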
