Root Environment

dot_in_root_path_variable

This check ensures that the current working directory (“.”) is not included in the executable path of the root user. Ensuring this prevents a malicious user from escalating privileges to superuser by forcing an administrator logged in as root from running a Trojan horse that may be installed in the current working directory.

Usage

<item>

name: "dot_in_root_path_variable"

description: "This check makes sure that root's $PATH variable does not contain any relative path."

</item>

writeable_dirs_in_root_path_variable

This check reports all the world/group writeable directories in root users PATH variable. All directories returned by this check should be carefully examined and unnecessary world/group writeable permissions on directories should be removed as follows:

# chmod go-w path/to/directory

Usage

<item>

name: "writeable_dirs_in_root_path_variable"

description: "This check makes sure that root's $PATH variable does not contain any writeable directory."

</item>