PCI DSS Linux: No write access to shared system binaries

A.1.2.c Verify that an entity’s users do not have write access to shared system binaries

Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible.

Paths for system binaries

Depending on the distribution used there are several directories which have shared system binaries. Common paths are:

  • /bin
  • /sbin
  • /usr/bin
  • /usr/sbin
  • /usr/local/bin
  • /usr/libexec
  • /usr/local/sbin
  • /usr/local/libexec

These paths can be scanned for any binary having incorrect permissions. In this particular case we are interested in binaries which can be overwritten by people in the “other” group.

find /bin -perm -o=w ! -type l

This will show any system binaries in /bin where the other group has the write bit set. We skip symlinks, as they are not interesting and give false positives to the test.

Depending on the paths, this has to be repeated for all of them. Any findings from the find command means this binary (or file) can be written to by someone other than the owner. Usually this is a sign of bad system management or a possible intrusion.

This information is provided as an addition to the PCI DSS plugin for Lynis

Learn more about find

This article uses the find command to achieve its tasks. For this popular tool there is a cheat sheet available!

» Mastering the tool: find

find cheat sheet

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon