
QualysGuard PC - Control Parameter Configuration - CID 1201 Status of the 'root user's $PATH variable' (if dot '.' exists) and current list of 'root-owned directories'

Question asked by Jason Creech on Dec 7, 2012

Hello All,

 

This discussion covers how to configure the expected value for CID 1201: Status of the 'root user's $PATH variable' (if dot '.' exists) and current list of 'root-owned directories'.

 

As the Control Statement (Title) implies, this control is commonly used to confirm that a dot ('.') does not exist in root's path.

 

Justification for the Control:

 

A single dot ('.') represents 'current directory' on *NIX operating systems.  Presence of a dot in the $PATH variable for the 'root' user could cause a binary in the root user's current directory to be executed instead of an identically named system binary.  This scenario can contribute to the execution of malicious code, especially if the root user is currently in an unprotected folder with globally available access to all system users.

 

For example, if the root user is in the /etc folder and executes a command such as 'ls', 'cat', or other commonly used command, if there is a malicious binary identically named in the /etc folder, the presence of a dot could contribute to that malicious binary being invoked instead of the expected system command. The placement of the dot in the path has an impact on which command would be located and executed first.  Additionally, common typos in specification of the desired command may cause a similar behaviour (i.e., attempting to execute 'ls-alt' with no space before the dash as in 'ls -alt') where the OS will search for a binary with the incorrect spelling.

 

Configuration:

 

The default expected value for CID 1201 is a wild card .* and needs to be configured so that the control fails if a dot is found in root's $PATH variable.

 

Here is a commonly used regular expression to explicitly check for the existence of dot in root's path.

 

^(?!.*:\..*$)

 

This is just one example that checks explicitly for a dot in the path regardless of where it is located in the path.  For an additional consideration, some users like to check for a dot and a double colon ('::') as some *NIX flavors interpret the double colon as 'current folder' as well, which can cause the same scenario.

 

For this use case, here is an example regular expression for checking BOTH a dot and double colon in root's $PATH variable:

 

^(?!.*:(\.|:).*$)

 

Since the expected value for the control can be customized with regular expressions and since CID 1201 returns the list of root-owned folders, there are additional use cases where CID 1201 can be beneficial.   But these two use cases represent the most common examples found for CID 1201.

 

Regards,

 

Jason Creech

Qualys
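
The two expressions from the post, evaluated against constructed $PATH values, as an added example that is not part of the original post and is not Qualys code. It assumes the value being matched is just the colon-separated PATH string (the control's actual output format is not shown on this page); control_passes and risky_entries are hypothetical helper names. The entry-by-entry check goes beyond the post: it also flags a leading dot, a leading or trailing colon, and relative entries, all of which the two expressions let through.

```python
import re

# The two expected-value expressions quoted in the post above.
DOT_ONLY = re.compile(r"^(?!.*:\..*$)")
DOT_OR_DOUBLE_COLON = re.compile(r"^(?!.*:(\.|:).*$)")


def control_passes(pattern, path_value):
    """True when the expression matches, i.e. the control would pass."""
    return pattern.search(path_value) is not None


def risky_entries(path_value):
    """Entry-by-entry check (added here, not a Qualys feature).

    Returns (index, entry) for every PATH element that resolves against
    the current directory: an empty element, '.', or any relative path.
    """
    return [
        (i, entry)
        for i, entry in enumerate(path_value.split(":"))
        if not entry.startswith("/")
    ]


# Constructed sample values, assumed to be the bare colon-separated PATH.
SAMPLES = [
    "/usr/sbin:/usr/bin:/sbin:/bin",   # clean
    "/usr/sbin:.:/usr/bin",            # dot in the middle
    "/usr/sbin::/usr/bin",             # double colon (empty element)
    ".:/usr/sbin:/usr/bin",            # dot as the first element
    "/usr/sbin:/usr/bin:",             # trailing colon (empty element)
    "/usr/sbin:/opt/.tools/bin",       # hidden directory, absolute path
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(
            f"{value!r:34} dot-only={control_passes(DOT_ONLY, value)!s:5} "
            f"dot-or-'::'={control_passes(DOT_OR_DOUBLE_COLON, value)!s:5} "
            f"risky={risky_entries(value)}"
        )
```

Both expressions only look at what follows a colon, so a value that starts with a dot or ends with a colon still passes; splitting on the colon and testing each element catches those positions.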
