Root Environment

dot_in_root_path_variable

This check ensures the following in the executable path of the root user:

current working directory not present - `.` (dot)
directories starts with a slash - `/`
path contains double colon - `::`
path has a trailing colon - `:$` (end of line)

Ensuring this prevents a malicious user from escalating privileges to superuser by forcing an administrator logged in as root from running a Trojan horse that may be installed in the current working directory.

Usage

<item>

name: "dot_in_root_path_variable"

description: "This check makes sure that root's $PATH variable does not contain any relative path."

</item>

writeable_dirs_in_root_path_variable

This check reports all the world/group writeable directories in root users PATH variable. All directories returned by this check should be carefully examined and unnecessary world/group writeable permissions on directories should be removed as follows:

# chmod go-w path/to/directory

Usage

<item>

name: "writeable_dirs_in_root_path_variable"

description: "This check makes sure that root's $PATH variable does not contain any writeable directory."

</item>