find_world_writeable_files
This check reports all the files that are world writeable on the remote system. Ideally, there should be no world writeable files on the remote system, i.e., the result from this check should show nothing. However, in some cases, depending on organizational needs, there may be a requirement for having world writeable files. All items returned from this check must be carefully audited, and the world writeable bit should be removed from files that do not actually need it, as follows:
# chmod o-w world_writeable_file
By default, the search is done recursively under the "/" directory. This can make this check extremely slow to execute depending on the number of files present on the remote system. However, if needed, the default base directory to search can be changed by using the optional keyword basedir. It is also possible to skip certain files within a base directory from being searched using another optional keyword, ignore.
Due to the nature of the check, it is normal for it to keep running for a couple of hours, depending on the type of system being scanned. The check can be modified with the timeout tag, with a value between 1 and 7,200 seconds, to limit the processing time of this check.
Usage
<item>
name: "find_world_writeable_files"
description: "This check finds all the files which are world writeable and whose sticky bit is not set."
# Globs allowed (? and *)
(optional) basedir: "<directory>"
(optional) ignore: "<directory>"
(optional) timeout: "[1 - 7200]"
</item>
Example
<item>
name: "find_world_writeable_files"
description: "Search for world-writable files"
# Globs allowed (? and *)
basedir: "/tmp"
ignore: "/tmp/foo"
ignore: "/tmp/bar"
</item>
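The following is an added example, not the audit file syntax above nor the scanner's own implementation: it reproduces what the check reports locally with find(1), taking the same basedir, timeout and ignore values as arguments (the function name find_world_writable and the use of the coreutils timeout command are assumptions).

```shell
#!/bin/sh
# Usage: find_world_writable BASEDIR TIMEOUT_SECONDS [IGNORE_GLOB ...]
# Mirrors the find_world_writeable_files check: list every entry under
# BASEDIR that is world writeable and does not have the sticky bit set.
find_world_writable() {
    basedir=$1
    tmo=$2
    shift 2
    # Turn each ignore glob into a "-path GLOB -prune -o" clause so find
    # skips that subtree, like the audit item's optional ignore keyword.
    n=$#
    i=0
    while [ "$i" -lt "$n" ]; do
        g=$1
        shift
        set -- "$@" -path "$g" -prune -o
        i=$((i + 1))
    done
    # -perm -0002 : the "others" write bit is set.
    # ! -perm -1000: the sticky bit is not set, so a sticky world-writable
    #                directory such as /tmp is not reported (no -type filter:
    #                the sticky bit only matters for directories).
    # -xdev        : stay on one filesystem (skips /proc, network mounts, ...).
    run=""
    # Honour the timeout keyword when the coreutils timeout command exists
    # (assumption); find exits 124 if the walk is cut off.
    command -v timeout >/dev/null 2>&1 && run="timeout $tmo"
    $run find "$basedir" -xdev "$@" \( -perm -0002 ! -perm -1000 \) -print
}
```

Each path printed is a candidate for the audit and the chmod o-w fix described above.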