Details

Software sometimes insists on being installed in the /Library Directory and have inappropriate world-writable permissions.

Rationale:

Folders in /System/Volumes/Data/Library should not be world-writable. The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set.

Solution

Run the following command to set permissions so that folders are not world-writable in the /System/Volumes/Data/Library folder:

$ sudo chmod -R o-w /System/Volumes/Data/Library/

example:

$ sudo chmod -R o-w /System/Volumes/Data/Library/baddir

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3423

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Media Protection.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• 800-53|MP-2
• CSCv7|14.6

Source

• Tenable.com/audits