Preventing non-root users from changing permission of Unix files (even if they are the owner)
Posted on 2017-10-20
I have this issue where non-root (i.e. non-priv) UNIX users or even applications could
alter or create files that are world-writable & this will easily become an audit issue.
As the creator/owner, they can always change the file permission using chmod.
"umask" can set the default settings for files created but this will not stop them
from altering it subsequently.
Can anyone provide sample ACLs or any method such that even owners of files can't alter
the UNIX file permission?
Is there any way without using paid products (open source is fine) to alert us if
file permissions are being changed? Sort of File Integrity Monitoring but we
don't want to be alerted/notified if file content or dates are changed, only if
permission is changed.
We run Solaris 10 & 11 (both have ACL features) & AIX 6.x/7.x and RHEL 7.x.
Or is there a "find ..." command which we can run daily to identify which files'
permissions got changed in the last 1 day?
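
One way to get the permission-only daily check the question describes, as an added example that is not part of the original post: snapshot mode, owner and group for every path, then diff against yesterday's snapshot, so content and timestamp changes never raise an alert. It assumes Python 3 is available on the monitored hosts; the function names and the baseline-file argument are hypothetical.

```python
import json, os, stat, sys

def snapshot(root):
    """Map each path under root to [permission bits, uid, gid]; symlinks are skipped."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # path vanished while scanning
            if not stat.S_ISLNK(st.st_mode):
                snap[path] = [stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid]
    return snap

def permission_changes(old, new):
    """Report paths whose mode/owner differ from the baseline, plus new
    world-writable paths. Size, content and mtime are never compared."""
    findings = []
    for path, (mode, uid, gid) in sorted(new.items()):
        before = old.get(path)
        if before is None:
            if mode & stat.S_IWOTH:
                findings.append((path, "new world-writable entry", None,
                                 format(mode, "04o")))
        elif before != [mode, uid, gid]:
            findings.append((path, "mode/owner changed",
                             format(before[0], "04o"), format(mode, "04o")))
    return findings

if __name__ == "__main__":
    # Usage (hypothetical): permwatch.py <directory> <baseline.json>
    # Keep the baseline somewhere the monitored users cannot write.
    root, baseline = sys.argv[1], sys.argv[2]
    old = {}
    if os.path.exists(baseline):
        with open(baseline) as fh:
            old = json.load(fh)
    new = snapshot(root)
    for path, reason, was, now in permission_changes(old, new):
        print("%s: %s (%s -> %s)" % (path, reason, was, now))
    with open(baseline, "w") as fh:
        json.dump(new, fh)
```

Run daily from root's cron; the first run has no baseline, so it reports every world-writable path already present.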