System startup file contents (UNIX)

Module: Startup Files

This check examines the contents of the rc scripts and verifies that the files referenced by the scripts are not world writable and/or writable by a non-privileged group. Files referenced in the rc scripts and listed in the exclude list will not be reported. Specify full path names in the file list.

The following table lists the error messages for the check.

Table: Error messages for System startup file contents

Columns: Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information

String ID: STKU_SYSSWW

Category: Policy Compliance

UNIX (5834)

Title: World writable file/directory referenced in startup file

Description: The files listed below are referenced in a startup file and are world writable. This usually presents a security risk because there is no control over who can modify these files. Files referenced in startup files are executed (or read) by the root account on system startup. Anyone can replace these files and have them executed (or read) by root the next time the system restarts. You should investigate the usage of each file and consider either changing its permissions so that world write is not allowed (chmod o-w filename) or removing the reference to the file from the script. In the rare cases in which using such a file is necessary and safe, you can suppress this message.

Severity: red-4

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_SYSSGW

Category: Policy Compliance

UNIX (5835)

Title: File/directory writable by non-privileged group referenced in startup file

Description: The files listed below are referenced in a startup file. These files are group writable AND owned by a non-privileged group. This is a security problem because anyone with group access can modify the files. Files referenced in startup files are executed (or read) by the root account on system startup. Anyone with group access can replace these files and have them executed (or read) by root the next time the system boots. You should change the permissions on each file so that group write is not allowed (chmod g-w filename).

Severity: yellow-1

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
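The logic of this check can be reproduced by hand when reviewing a host. The following Python sketch is an added example, not the product's own code: it pulls absolute paths out of rc scripts, skips an exclude list, and maps each finding to the two message IDs in the table above. The function names, the path-matching regex and the default that only gid 0 counts as a privileged group are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Absolute path tokens in script text; a simplification of real shell parsing.
PATH_RE = re.compile(r"(?<![\w.$-])/[\w./+-]+")

def audit_startup_files(rc_scripts, exclude=(), privileged_gids=(0,)):
    """Return sorted (message_id, path) findings for files the rc scripts reference.

    privileged_gids is an assumption of this example (gid 0 only by default);
    the page does not say which groups the product treats as privileged.
    """
    findings = set()
    excluded = set(exclude)
    for script in rc_scripts:
        with open(script, errors="replace") as fh:
            text = fh.read()
        for path in set(PATH_RE.findall(text)):
            if path in excluded:
                continue
            try:
                st = os.stat(path)  # follow symlinks: the target is what root runs
            except OSError:
                continue  # referenced path does not exist on this host
            if st.st_mode & stat.S_IWOTH:
                findings.add(("STKU_SYSSWW", path))
            elif st.st_mode & stat.S_IWGRP and st.st_gid not in privileged_gids:
                findings.add(("STKU_SYSSGW", path))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: one rc script referencing three files under root."""
    modes = {"world.sh": 0o757, "group.sh": 0o775, "safe.sh": 0o755}
    paths = {}
    for name, mode in modes.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(paths[name], mode)  # chmod ignores umask
    rc = os.path.join(root, "rc.local")
    with open(rc, "w") as fh:
        fh.write("".join(f". {p}\n" for p in paths.values()))
    return rc, paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rc, _ = build_sample(tmp)
        for msg, path in audit_startup_files([rc], privileged_gids=()):
            print(msg, path)
```

On a real host, pass the system's rc scripts as rc_scripts and the full path names of accepted files as exclude.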