My company recently had a Sarbanes-Oxley audit done,  and some flags
were raised during the audit about HP-UX security.  One thing the
auditors questioned  was: shoulld ther be any world-writeable files and
directories belonging to root-sys..  It appears that many of the
directories involved belong to Navisphere and  Omniback.   Just
wondering if anyone knows if those directories need to keep their
permissions like this (and can explain why)..  Thanks.

[ Post a follow-up to this message ]

On 2006-07-26, gbruner@gmail.com <gbruner@gmail.com> wrote:
> My company recently had a Sarbanes-Oxley audit done,  and some flags
> were raised during the audit about HP-UX security.  One thing the
> auditors questioned  was: shoulld ther be any world-writeable files and
> directories belonging to root-sys..  It appears that many of the
> directories involved belong to Navisphere and  Omniback.   Just
> wondering if anyone knows if those directories need to keep their
> permissions like this (and can explain why)..  Thanks.

World-writable directories are always trouble.

I say there's never a reason to have a world-writable file nor
a have a world-writable directory without the sticky bit.

It's not a matter of who they belong to but what they are used for.

Then I think the openview webserver by default creates world-writable
files and directories and runs as bin.  It's enough to make you think
discretionary access control was one of the worst mistakes of the century.

--
Elvis Notargiacomo  master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/
One of my other 11 computers runs Minix.

[ Post a follow-up to this message ]