As a security best practice, ensure that the application resources are protected.

Follow the steps to ensure that the application resources are protected.

Procedure

  1. Run the find / -path /proc -prune -o -type f -perm /6000 -ls command to verify that only a well-defined set of files has the SUID and SGID bits set.
    The following list appears:
    141850     40 -rwsr-xr-x   1 root     root        40376 May 31 08:07 /usr/sbin/unix_chkpwd
    143209     16 -rwsr-xr-x   1 root     root        15408 Feb 25  2021 /usr/sbin/usernetctl
    142963     72 -rwsr-x---   1 root     root        66128 Oct 13  2022 /usr/libexec/dbus-daemon-launch-helper
    141312    516 -rwsr-xr-x   1 root     root       524184 Aug  1 21:01 /usr/libexec/ssh-keysign
    141930     60 -rwsr-xr-x   1 root     root        54464 Jun 21 16:27 /usr/bin/chsh
    141929     64 -rwsr-xr-x   1 root     root        60272 Jun 21 16:27 /usr/bin/chfn
    141927     56 -rwsr-xr-x   1 root     root        50384 Jun 21 16:27 /usr/bin/su
    140604     64 -rwsr-xr-x   1 root     root        61192 May 10  2022 /usr/bin/mount
    142924     60 -rwsr-xr-x   1 root     root        53576 Feb 25  2021 /usr/bin/crontab
    141938     60 -rwsr-xr-x   1 root     root        57000 Jun 21 16:27 /usr/bin/newuidmap
    141926     76 -rwsr-xr-x   1 root     root        70088 Jun 21 16:27 /usr/bin/passwd
    141928     80 -rwsr-xr-x   1 root     root        73984 Jun 21 16:27 /usr/bin/chage
    141937     48 -rwsr-xr-x   1 root     root        46176 Jun 21 16:27 /usr/bin/newgrp
    140621     36 -rwsr-xr-x   1 root     root        36224 May 10  2022 /usr/bin/umount
    141458     36 -rwsr-xr-x   1 root     root        36248 Feb 24  2021 /usr/bin/fusermount
    141936     60 -rwsr-xr-x   1 root     root        57008 Jun 21 16:27 /usr/bin/newgidmap
    141934     92 -rwsr-xr-x   1 root     root        86720 Jun 21 16:27 /usr/bin/gpasswd
    141931     32 -rwsr-xr-x   1 root     root        32376 Jun 21 16:27 /usr/bin/expiry
    143459    272 -rwsr-xr-x   1 root     root       273600 Aug  4 03:02 /usr/bin/sudo
  2. Run the find / -path '*/proc' -prune -o -nouser -print -o -nogroup -print command to verify that all the files in the vApp have an owner.
    All the files have an owner if there are no results.
  3. Run the find / -name "*" -type f -not -path "*/sys*" -not -path "*/proc*" -not -path "*/dev*" -perm -o+w -print0 | xargs -0 -r ls -lb command to review the permissions of all the files on the vApp and verify that none of them is world writable.
    Others should not have write permission. The permissions on these files should be ##4 or ##5, where # equals the default given set of permissions for the Owner and Group, such as 6 or 7.
  4. Run the find / -path '*/proc' -prune -o ! -user root ! -user admin -print command to verify that the files are owned by the correct user.
    All the files belong to either root or admin if there are no results.
  5. Run the find /usr/lib/vmware-casa/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-casa/ directory are not world writable.
    There must be no results.
  6. Run the find /usr/lib/vmware-vcops/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-vcops/ directory are not world writable.
    There must be no results.
  7. Run the find /usr/lib/vmware-vcopssuite/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-vcopssuite/ directory are not world writable.
    There must be no results.
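
One way to turn steps 1 and 5 through 7 into a repeatable check (an added example, not VMware tooling): the script treats the step 1 listing as a baseline and reports only SUID/SGID files outside it, then lists world-writable files in the three product directories. The function names, the --run switch and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not VMware code. BASELINE is the SUID/SGID list from step 1.
BASELINE="/usr/sbin/unix_chkpwd /usr/sbin/usernetctl
/usr/libexec/dbus-daemon-launch-helper /usr/libexec/ssh-keysign /usr/bin/chsh
/usr/bin/chfn /usr/bin/su /usr/bin/mount /usr/bin/crontab /usr/bin/newuidmap
/usr/bin/passwd /usr/bin/chage /usr/bin/newgrp /usr/bin/umount
/usr/bin/fusermount /usr/bin/newgidmap /usr/bin/gpasswd /usr/bin/expiry
/usr/bin/sudo"

# Print SUID/SGID files under ROOT ($1, default /) that are not in BASELINE.
# "-perm -4000 -o -perm -2000" is the portable spelling of "-perm /6000".
unexpected_setid() {
    root=${1:-/}; root=${root%/}
    known=" $(echo $BASELINE) "          # one line, space-delimited
    find "${root:-/}" -path "$root/proc" -prune -o \
         -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        rel=${f#"$root"}                 # path as it appears on the appliance
        case "$known" in
            *" $rel "*) ;;               # in the baseline, stay quiet
            *) printf '%s\n' "$rel" ;;
        esac
    done
}

# Steps 5-7: print world-writable files in the three product directories.
world_writable() {
    root=${1:-/}; root=${root%/}
    for d in vmware-casa vmware-vcops vmware-vcopssuite; do
        find "$root/usr/lib/$d" -type f -perm -0002 -print 2>/dev/null
    done | while IFS= read -r f; do
        rel=${f#"$root"}; printf '%s\n' "$rel"
    done
}

# Run both checks; exit status is 0 only when neither reports anything.
audit() {
    s=$(unexpected_setid "${1:-/}"); w=$(world_writable "${1:-/}")
    [ -z "$s" ] || printf '%s\n' "$s" | sed 's|^|SUID/SGID not in baseline: |'
    [ -z "$w" ] || printf '%s\n' "$w" | sed 's|^|world-writable: |'
    [ -z "$s$w" ]
}

# Run as root on the appliance:  sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit "${2:-/}"; fi
```

A non-zero exit status means at least one finding; a product directory that does not exist produces no output, so confirm the three paths are present on the node being checked.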