Control Values: File/Directory Permissions (Unix)

Some Unix controls identify permissions that are set on a Unix file or directory. The compliance module returns a single string literal with permissions information in this format:

OWNER:GROUP:PERMISSIONS:ABSOLUTEPATH

where each atom in the format is separated by a colon (:).

OWNER

The name of the user who owns the file or directory.

GROUP

The name of the Unix group that the file or directory belongs to.

PERMISSIONS

A Unix-style permissions scheme consisting of 10 characters in symbolic notation. The first character identifies the file type, such as "d" for directory or "-" for a regular file. The remaining 9 characters describe 3 classes of permissions: user (owner), group, and other users.

The 3 classes of permissions are represented by 3 characters each, starting at character position 2, in this order: "user" (owner), "group", and "other" (other users). Within each class, the first character (r) indicates read permission, the second character (w) indicates write permission, and the third character (x) indicates execute permission. The dash character (-) indicates that the permission is not assigned.

Samples of symbolic notation:

-rwxrwxr-x

Identifies a regular file with these permissions: user (owner) has full permissions (read, write, and execute), group has full permissions, and other users have read and execute permissions.

dr-x------

Identifies a directory with these permissions: user (owner) has read and execute permissions, group has no permissions, and other users have no permissions.

lrw-rw-r--

Identifies a symbolic link to another file with these permissions: user (owner) and group have read and write permissions, and other users have only read permission.

ABSOLUTEPATH

The absolute path of the file or directory.

If the scanned file was found to be a symbolic link, then the resolved path is provided. For example, suppose a host has a symbolic link "/foo/foo.link" which points to "/bar/bar.actual". If your control has the File Directory/path defined as "/foo/foo.link", then the absolute path value returned by the scanning engine is "/bar/bar.actual". The name resolver follows a continuous chain of links, so if a link points to a link that points to a file, the scanning engine resolves to the actual file and returns its filename.
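As an added example (not the compliance module's own code), the following decodes a returned OWNER:GROUP:PERMISSIONS:ABSOLUTEPATH value and compares it against an expected owner, group and maximum permission mask. It splits on only the first three colons so a resolved path containing a colon survives intact, and it also accepts the s/S/t/T characters that ls prints for setuid, setgid and sticky bits, which go beyond the r/w/x characters described above. The sample values and the `violations` policy check are constructed for illustration.

```python
"""Parse a OWNER:GROUP:PERMISSIONS:ABSOLUTEPATH control value and check it
against an expected owner, group and permission mask (constructed example)."""
from dataclasses import dataclass

CLASSES = ("user", "group", "other")


@dataclass
class FileACL:
    owner: str
    group: str
    file_type: str   # first character of the symbolic mode: '-', 'd', 'l', ...
    perms: dict      # class name -> set of granted flags among 'r', 'w', 'x'
    path: str


def parse_mode(symbolic: str) -> tuple[str, dict]:
    """Decode a 10-character symbolic mode such as '-rwxrwxr-x'."""
    if len(symbolic) != 10:
        raise ValueError(f"expected 10 characters, got {symbolic!r}")
    perms = {}
    for i, cls in enumerate(CLASSES):
        triple = symbolic[1 + 3 * i: 4 + 3 * i]
        bits = set()
        for ch, flag in zip(triple, "rwx"):
            # 's'/'t' (setuid, setgid, sticky) imply execute, as in ls -l;
            # uppercase 'S'/'T' mean the special bit is set without execute.
            if ch == flag or (flag == "x" and ch in "st"):
                bits.add(flag)
            elif ch != "-" and not (flag == "x" and ch in "ST"):
                raise ValueError(f"bad permission character {ch!r} in {symbolic!r}")
        perms[cls] = bits
    return symbolic[0], perms


def parse_control_value(value: str) -> FileACL:
    # Split on the first three colons only, so a path containing ':' is kept whole.
    owner, group, mode, path = value.split(":", 3)
    file_type, perms = parse_mode(mode)
    return FileACL(owner, group, file_type, perms, path)


def violations(acl: FileACL, owner: str, group: str, max_mode: str) -> list[str]:
    """List ownership mismatches and permissions not allowed by max_mode,
    a 10-character symbolic mask such as '-rw-r-----' (type character ignored)."""
    _, allowed = parse_mode(max_mode)
    found = []
    if acl.owner != owner:
        found.append(f"owner is {acl.owner}, expected {owner}")
    if acl.group != group:
        found.append(f"group is {acl.group}, expected {group}")
    for cls in CLASSES:
        extra = acl.perms[cls] - allowed[cls]
        if extra:
            found.append(f"{cls} has extra {''.join(sorted(extra))} on {acl.path}")
    return found
```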