Details
Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.
Rationale:
This feature prevents the ability to delete or rename files in world writable directories (such as /tmp) that are owned by another user.
Solution
Run the following command to set the sticky bit on all world writable directories:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
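An audit-first variant of the command above, as an added example that is not part of the original control text: it lists the affected directories before changing them, and uses find -exec instead of xargs so directory names containing spaces or quotes reach chmod intact. The function names and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The find predicates are the
# ones used in the remediation command above.

# List directories under the given roots that are world writable (-perm -0002)
# but lack the sticky bit (! -perm -1000). -xdev keeps find on one filesystem.
audit_sticky() {
    find "$@" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
}

# Set the sticky bit on the same set of directories. "-exec ... {} +" hands the
# paths straight to chmod, so unusual characters in names are not reinterpreted.
fix_sticky() {
    find "$@" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) \
        -exec chmod a+t {} + 2>/dev/null
}

# Audit every local filesystem, using the same df | awk stage as the command
# above (df --local requires GNU coreutils).
audit_all_local() {
    df --local -P | awk 'NR != 1 { print $6 }' |
        while IFS= read -r mount_point; do
            audit_sticky "$mount_point"
        done
}

# Constructed demo tree: one offending directory, one already correct, one private.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/open dir" "$root/sticky" "$root/private"
    chmod 0777 "$root/open dir"   # world writable, no sticky bit: reported
    chmod 1777 "$root/sticky"     # world writable with sticky bit: ignored
    chmod 0755 "$root/private"    # not world writable: ignored
    echo "Before remediation:"; audit_sticky "$root"
    fix_sticky "$root"
    echo "After remediation (expect no lines):"; audit_sticky "$root"
    rm -rf "$root"
}

demo
```

Run audit_all_local as root and review its output before applying fix_sticky to the same mount points.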
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management, Identification and Authentication, Media Protection. This control applies to the following type of system: Unix.