
Set System File Permissions

Sets restrictive file permissions on critical system files including grub, cron, passwd, shadow, and log directories

Worklet Details

What the system file permissions hardener does

This Automox Worklet™ applies security-focused file permissions to critical system files across Linux endpoints. The Worklet addresses common permission misconfigurations that could allow unauthorized users to read sensitive data or modify system configurations.

The Worklet sets permissions on: GRUB boot configuration files (/boot/grub2/), cron directories and configuration, message of the day and issue files, system log files (/var/log/), SSH daemon configuration, and password/shadow files (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and their backups).

Why set restrictive system file permissions

Improper file permissions are a common source of security vulnerabilities. World-readable shadow files expose password hashes. Writable boot configurations enable persistence for attackers. Accessible log files reveal sensitive information about system activity.

CIS Benchmarks specify exact permissions for these files. Security audits flag deviations from these standards. This Worklet automates compliance across your fleet, eliminating manual remediation of permission findings.

The permissions applied follow the principle of least privilege: files are readable only by root where possible, and write access is restricted to root. Log files allow group read but not write to support log aggregation tools running as non-root users.

How system permission hardening works

  1. Evaluation phase: Always triggers remediation (exit 1) to apply permissions. This is a run-once hardening action.

  2. Remediation phase: Uses chmod to set permissions on each file or directory: GRUB files to 600 (root only), cron to 700 (root only), /etc/motd and /etc/issue to 644 (world readable), log files with group and other write and execute removed, password files to 644 (passwd, group) or 600 (shadow, gshadow), and SSH config to 600. Uses chown to set ownership to root:root on GRUB files.

System file permission requirements

  • Linux endpoints with standard file locations

  • GRUB2 boot loader at /boot/grub2/

  • Root privileges for the Automox agent

  • Some paths may not exist on all distributions; missing files are skipped

  • Compatible with workstations and servers

Expected file permission state

After remediation, critical system files have CIS-compliant permissions. Verify with ls -la on targeted files and directories. GRUB configuration shows -rw-------, cron directories show drwx------, shadow files show -rw-------, and passwd files show -rw-r--r--.

System operation continues normally. Services that need to read these files do so as root. Non-root users can no longer read shadow files or modify boot configuration. Log aggregation tools may need adjustment if they were relying on world-readable logs.
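The expected state above can be checked without changing anything. The following read-only audit is an added example, not the Worklet's own script; the file names grub.cfg, /etc/cron.d and /etc/ssh/sshd_config are assumed defaults, since the page names only the directory or the component, and only top-level files in /var/log/ are examined.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of the permission targets listed on this page.
# Entries tagged "assumed-..." use common default paths, not values from the Worklet.

mode_of() {  # octal permission bits, e.g. 600 (GNU stat first, BSD stat as fallback)
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# check_exact PATH MODE -> 0 match, 1 mismatch, 2 path missing (skipped)
check_exact() {
  [ -e "$1" ] || { echo "SKIP $1 (not present)"; return 2; }
  actual=$(mode_of "$1")
  if [ "$actual" = "$2" ]; then echo "OK   $1 $actual"; return 0; fi
  echo "FAIL $1 is $actual, expected $2"; return 1
}

# check_no_go_wx PATH -> 0 when group and other have no write or execute bits
check_no_go_wx() {
  [ -e "$1" ] || { echo "SKIP $1 (not present)"; return 2; }
  actual=$(mode_of "$1")
  if [ $(( 0$actual & 033 )) -eq 0 ]; then echo "OK   $1 $actual"; return 0; fi
  echo "FAIL $1 is $actual, group/other write or execute set"; return 1
}

audit_system() {
  failures=0
  # Third column is a note only; missing paths are skipped, as the Worklet does.
  while read -r path mode note; do
    check_exact "$path" "$mode" || [ $? -eq 2 ] || failures=$((failures + 1))
  done <<'EOF'
/boot/grub2/grub.cfg 600 assumed-file-name
/etc/cron.d 700 assumed-path
/etc/motd 644
/etc/issue 644
/etc/passwd 644
/etc/group 644
/etc/shadow 600
/etc/gshadow 600
/etc/ssh/sshd_config 600 assumed-path
EOF
  for f in /var/log/*; do
    [ -f "$f" ] || continue
    check_no_go_wx "$f" || [ $? -eq 2 ] || failures=$((failures + 1))
  done
  [ "$failures" -eq 0 ]   # return status: 0 only when nothing failed
}

if [ "${1:-}" = "--run" ]; then audit_system; fi
```

Run it with --run as root so that /etc/shadow and /boot/grub2/ are readable; a non-zero exit status means at least one FAIL line was printed.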

How to validate Set System File Permissions changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for Set System File Permissions.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

  4. Validate remediation effects from script operations such as chmod, chown, and exit, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Set System File Permissions. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as chmod, chown, and exit. Use these indicators to verify that endpoint changes match intended policy outcomes.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.