DLPX-86524 CIS: remove non-existent paths from the default PATH variable #495
Problem
The 'global PATH variable' should be appropriately restricted and not contain any non-directory files. Non-directory files in the global PATH present systemic risks to the host of unauthorized access, alteration and deletion of system files and/or data. Also, non-directory files in the global PATH enable privilege escalation by unauthorized users. As there are several well-known exploits of the global PATH settings, these should be carefully configured according to the needs of the business.
/usr/sbin/ and /usr/bin:
Solution
/etc/environment
Implementation
For setting the default path:
For removing existing PATH with invalid entries from /etc/environment
Testing
Manual
/etc/environment output and /etc/security/pam_env.conf:
/etc/environment and /etc/security/pam_env.conf
- PATH got removed from the /etc/environment and $PATH value updated as mentioned in the above scenario.
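An added example, not code from this pull request: a POSIX shell check for the condition described under Problem, reporting PATH entries that are empty, missing, or not directories. The function names `audit_path`, `path_from_env_file` and `demo_audit` are hypothetical, and the file parsing assumes a plain KEY=VALUE layout as used by /etc/environment.

```shell
#!/bin/sh
# Added example (not the PR's code): flag PATH entries that are not directories.

# audit_path PATHSTRING: print "reason<TAB>entry" for each offending entry.
# Returns 0 when every entry is an existing directory, 1 otherwise.
audit_path() {
    bad=0
    rest="$1:"   # trailing ':' keeps a final empty entry visible
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$entry" ]; then
            printf 'empty\t\n'; bad=1   # an empty entry means the current directory
        elif [ ! -e "$entry" ]; then
            printf 'missing\t%s\n' "$entry"; bad=1
        elif [ ! -d "$entry" ]; then
            printf 'not-a-directory\t%s\n' "$entry"; bad=1
        fi
    done
    return "$bad"
}

# path_from_env_file FILE: value of the last PATH= line in a KEY=VALUE file
# (assumed /etc/environment layout), with one pair of surrounding quotes removed.
path_from_env_file() {
    sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1 |
        sed "s/^\"\(.*\)\"\$/\1/; s/^'\(.*\)'\$/\1/"
}

# Demo on constructed data in a temporary directory.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    : > "$tmp/notdir"
    printf 'LANG=C\nPATH="%s/bin:%s/notdir:%s/gone"\n' "$tmp" "$tmp" "$tmp" > "$tmp/environment"
    audit_path "$(path_from_env_file "$tmp/environment")" || true
    rm -rf "$tmp"
}
demo_audit
```

On a host, `audit_path "$PATH"` checks the effective value of the current session, while `path_from_env_file` reads what a file would set.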