Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DLPX-86524 CIS: remove non-existent paths from the default PATH variable #495

Merged
merged 2 commits into from
Sep 19, 2024
Merged

DLPX-86524 CIS: remove non-existent paths from the default PATH variable #495

merged 2 commits into from
Sep 19, 2024

Conversation

dbshah12
Copy link
Contributor

@dbshah12 dbshah12 commented Sep 16, 2024
edited
Loading

Problem

The 'global PATH variable' should be appropriately restricted and not contain any non-directory files. Non-directory files in the global PATH present systemic risks to the host of unauthorized access, alteration and deletion of system files and/or data. Also, non-directory files in the global PATH enable privilege escalation by unauthorized users. As there are several well known exploits of the global PATH settings, these should be carefully configured according to the needs of the business.

Screenshot 2024-09-17 at 3 54 09 PM
  • We don't have anything on the below 2 paths:
/usr/games
/usr/local/games
  • Below 2 paths are symbolic links to /usr/sbin/ and /usr/bin:
/sbin
/bin

Solution

  • For new installations, during installation set the default PATH exactly as needed, without any invalid entries, to ensure that new non-existent directories don't appear in the future.
  • For systems that were previously installed, on upgrade set the default PATH exactly as needed, without any invalid entries, to ensure that new non-existent paths don't appear in the future and remove existing PATH with invalid entries from /etc/environment

Implementation

  • Added below Ansible logics which run automatically during the initial appliance build to configure it before the first boot. It also executes at first boot and after upgrades

For setting the default path:

- lineinfile:
     path: /etc/security/pam_env.conf
     state: present
     regexp: '^\s*PATH\s+DEFAULT='
     line: 'PATH DEFAULT=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin'

For removing existing PATH with invalid entries from /etc/environment

- lineinfile:
    path: /etc/environment
    state: absent
    regexp: '^\s*PATH\s*='

Testing

Manual

  • Created an instance from the ab-pre-push image and checked the $PATH output, /etc/environment output and /etc/security/pam_env.conf`:
root@ip-10-110-251-174:/export/home/delphix# cat /etc/security/pam_env.conf
#
# This is the configuration file for pam_env, a PAM module to load in
# a configurable list of environment variables for a
.
.
.
#LESS		DEFAULT="M q e h15 z23 b80"
#NNTPSERVER	DEFAULT=localhost
#PATH		DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
#
# silly examples of escaped variables, just to show how they work.
#
#DOLLAR		DEFAULT=\$
#DOLLARDOLLAR	DEFAULT=	OVERRIDE=\$${DOLLAR}
#DOLLARPLUS	DEFAULT=\${REMOTEHOST}${REMOTEHOST}
#ATSIGN		DEFAULT=""	OVERRIDE=\@
PATH DEFAULT=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
root@ip-10-110-251-174:/export/home/delphix# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
root@ip-10-110-251-174:/export/home/delphix# cat /etc/environment 
JAVA_HOME="/usr/lib/jvm/adoptopenjdk-java8-jdk-amd64"
  • Took v27 DE and did upgrade with ab-pre-push image and checked $PATH, /etc/environment and /etc/security/pam_env.conf - PATH got removed from the /etc/environment and $PATH value updated as mentioned in the above scenario.

@dbshah12 dbshah12 force-pushed the dlpx/pr/dbshah12/0bd52434-f884-4b5f-a57c-fcbeff518ce3 branch from d8b496f to d2a17b0 Compare September 16, 2024 12:39
@dbshah12 dbshah12 force-pushed the dlpx/pr/dbshah12/0bd52434-f884-4b5f-a57c-fcbeff518ce3 branch from d2a17b0 to 1a0b53f Compare September 17, 2024 10:43
@dbshah12 dbshah12 self-assigned this Sep 17, 2024
@dbshah12 dbshah12 added the S & I Security & Infra Team label Sep 17, 2024
@dbshah12 dbshah12 force-pushed the dlpx/pr/dbshah12/0bd52434-f884-4b5f-a57c-fcbeff518ce3 branch 3 times, most recently from 99ff2ad to 47c4760 Compare September 17, 2024 18:46
@dbshah12 dbshah12 force-pushed the dlpx/pr/dbshah12/0bd52434-f884-4b5f-a57c-fcbeff518ce3 branch from 47c4760 to 22ab9a2 Compare September 18, 2024 02:39
@dbshah12 dbshah12 marked this pull request as ready for review September 18, 2024 07:50
@dbshah12 dbshah12 force-pushed the dlpx/pr/dbshah12/0bd52434-f884-4b5f-a57c-fcbeff518ce3 branch from 22ab9a2 to a369448 Compare September 18, 2024 14:10
@dbshah12 dbshah12 merged commit b3bb7d8 into develop Sep 19, 2024
15 checks passed
@dbshah12 dbshah12 deleted the dlpx/pr/dbshah12/0bd52434-f884-4b5f-a57c-fcbeff518ce3 branch September 19, 2024 05:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebroy sebroy sebroy approved these changes

@VenkatanadhanG VenkatanadhanG VenkatanadhanG approved these changes

@prakashsurya prakashsurya Awaiting requested review from prakashsurya

@nealquigley nealquigley Awaiting requested review from nealquigley

@ShibasishDelphix ShibasishDelphix Awaiting requested review from ShibasishDelphix

Assignees

@dbshah12 dbshah12

Labels
S & I Security & Infra Team
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dbshah12 @sebroy @VenkatanadhanG