Device files and directories must only be writable by users with a system account or as configured by the vendor.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-924 | GEN002280 | SV-38505r2_rule | Medium |
| Description |
|---|
| System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware. |
| STIG | Date |
|---|---|
| HP-UX 11.31 Security Technical Implementation Guide | 2018-09-14 |
Details
| Check Text ( C-36415r2_chk ) |
|---|
| Find all device special files existing anywhere on the system. Types include: b=block, c=character, p=fifo. Example: # find / -type b -print >> devicelist # find / -type c -print >> devicelist # find / -type p -print >> devicelist Check the permissions on the directories above subdirectories that contain device files. If any device file, or directory containing device files, is world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding. Note the following exception/exclusion list: /dev/pts/*, /dev/pty/*, /dev/ptym/*, the following in dev: full, zero, null, tty, ptmx, pty*, tcp, udp, ip, arp, udp6, tcp6, rawip6, ip6, rawip, rtsock, ipsecpol, ipseckey, sad, dlpi*, sasd*, ttyp*, ttyq*, ttyr*, strlog, telnetm, tlclts, asyncdsk, async, tlcots, tlcotsod, echo, beep, gvid0, gvid, poll, log, log.um, stcpmap, nuls, usctp6, sctp6, usctp, syscon, and sctp. |
| Fix Text (F-31753r1_fix) |
|---|
| Remove the world-writable permission from the device file(s). # chmod o-w Document all changes. |