Hi,
With respect to the security remediation, there is a finding to remove world writeable permissions from the following files on our Nagios XI monitoring server.
Can we remove the world writeable permission or should we add it as an exception?
# ls -ld /usr/lib/vmware-vcli/bin/esxcli/esxcli /usr/lib/vmware-vcli/bin/vmware-dcli/dcli /usr/local/nagios/var/Nagios.host.java.config.ser /usr/local/nagios/var/profile.csv /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs /usr/local/nagiosxi/var/NXTI_Write_Test
--wxrw--wt. 1 root root 9320 Nov 17 2020 /usr/lib/vmware-vcli/bin/esxcli/esxcli
--wxrw--wt. 1 root root 823592 Nov 17 2020 /usr/lib/vmware-vcli/bin/vmware-dcli/dcli
-rw-rw-rw-. 1 root root 263 Aug 14 2020 /usr/local/nagios/var/Nagios.host.java.config.ser
-rw-rw-rw-. 1 root root 483 Jun 17 2020 /usr/local/nagios/var/profile.csv
drwxrwxrw-. 2 nagios nagios 4096 Jan 16 2018 /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs
-rw-rw-rw-. 1 nagios nagios 18 May 17 2019 /usr/local/nagiosxi/var/NXTI_Write_Test
Can we change permission on files?
Re: Can we change permission on files?
Hi steph007,
Sorry for the delay. It appears that a number of the files are from third party components and you should probably consult the provider of the plugin in those cases. You should be able to remove the world permissions on the autodiscovery directory however the group permissions need to remain (770). This directory is used for discovery processes which most organizations often only use on initial deployment.
These appear to belong to the VMWare:
These two appear to be produced by IBM's plugin for the series i
https://github.com/IBM/nagios-for-i/blo ... gInfo.java
The permissions for NXTI_Write_Test are set correctly:
Thanks and Best Regards,
Keith
Sorry for the delay. It appears that a number of the files are from third party components and you should probably consult the provider of the plugin in those cases. You should be able to remove the world permissions on the autodiscovery directory however the group permissions need to remain (770). This directory is used for discovery processes which most organizations often only use on initial deployment.
Code: Select all
drwxrwxrw-. 2 nagios nagios 4096 Jan 16 2018 /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs
Code: Select all
--wxrw--wt. 1 root root 9320 Nov 17 2020 /usr/lib/vmware-vcli/bin/esxcli/esxcli
--wxrw--wt. 1 root root 823592 Nov 17 2020 /usr/lib/vmware-vcli/bin/vmware-dcli/dcli
Code: Select all
-rw-rw-rw-. 1 root root 263 Aug 14 2020 /usr/local/nagios/var/Nagios.host.java.config.ser
-rw-rw-rw-. 1 root root 483 Jun 17 2020 /usr/local/nagios/var/profile.csv
The permissions for NXTI_Write_Test are set correctly:
Code: Select all
-rw-rw-rw-. 1 nagios nagios 18 May 17 2019 /usr/local/nagiosxi/var/NXTI_Write_Test
Keith