find_world_writeable_directories

This check reports all directories on the remote system that are world writeable and do not have the sticky bit set. Requiring the sticky bit on every world writeable directory ensures that only the owner of a file within such a directory (or the directory owner, or root) can delete or rename that file, which prevents any other user from accidentally or intentionally removing it.

By default, the search is done recursively under the “/” directory. Depending on the number of files present on the remote system, this can make the check extremely slow to execute. If needed, the base directory to search can be changed with the optional keyword basedir. It is also possible to exclude certain paths under the base directory from the search with another optional keyword, ignore.

Due to the nature of the check, it is normal for it to keep running for a couple of hours, depending on the type of system being scanned. The optional timeout tag, with a value between 1 and 7,200 seconds, limits the processing time allowed for this check.

Note: File globs in ignore are not supported on AIX, Solaris, and other Unix systems where the find command does not support the -path flag.

Usage

<item>
name: "find_world_writeable_directories"
description: "This check finds all the directories which are world writeable and whose sticky bit is not set."
# Globs allowed (? and *)
(optional) basedir: "<directory>"
(optional) ignore: "<directory>"
(optional) timeout: "[1 - 7200]"
</item>

Example

<item>
name: "find_world_writeable_directories"
description: "This check finds all the directories which are world writeable and whose sticky bit is not set."
# Globs allowed (? and *)
basedir: "/tmp"
ignore: "/tmp/foo"
ignore: "/tmp/b*"
</item>
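To make the semantics of basedir, ignore and timeout concrete, the following is an added Python model of what this check evaluates; it is not Tenable's implementation. It assumes glob patterns match the full path the way find's -path does, that symlinked directories are listed but not descended into, and that the basedir itself is also examined. The main block reuses the values from the example above.

```python
import fnmatch
import os
import stat
import time
from typing import Iterable, List


def is_world_writeable_no_sticky(mode: int) -> bool:
    """True when 'other' may write to the directory and the sticky bit is absent."""
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def find_world_writeable_directories(basedir: str = "/",
                                     ignore: Iterable[str] = (),
                                     timeout: int = 7200) -> List[str]:
    """Walk basedir, prune subtrees whose path matches an ignore glob, and
    return every directory that is world writeable without the sticky bit.
    fnmatch lets '*' span '/', matching the behaviour of find's -path."""
    if not 1 <= timeout <= 7200:
        raise ValueError("timeout must be between 1 and 7200 seconds")
    patterns = list(ignore)
    deadline = time.monotonic() + timeout

    def ignored(path: str) -> bool:
        return any(fnmatch.fnmatch(path, pat) for pat in patterns)

    if ignored(basedir):
        return []
    hits: List[str] = []
    # os.walk defaults to followlinks=False: symlinked directories appear in
    # dirs but are never yielded as root, so they are not reported.
    for root, dirs, _files in os.walk(basedir):
        if time.monotonic() > deadline:
            raise TimeoutError(f"check exceeded {timeout}s under {basedir}")
        if is_world_writeable_no_sticky(os.lstat(root).st_mode):
            hits.append(root)
        # prune ignored subtrees in place so os.walk does not descend into them
        dirs[:] = [d for d in dirs if not ignored(os.path.join(root, d))]
    return sorted(hits)


if __name__ == "__main__":
    # Same parameters as the example item above; output lists offending dirs.
    for d in find_world_writeable_directories("/tmp", ["/tmp/foo", "/tmp/b*"], 60):
        print(d)
```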