No write access to shared system binaries

A.1.2.c Verify that an entity’s users do not have write access to
shared system binaries

Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible.

Paths for system binaries

Depending on the distribution used there are several directories which have shared system binaries. Common paths are:

/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/libexec /usr/local/sbin /usr/local/libexec

These paths can be scanned for any binary having incorrect permissions. In this particular case we are interested in binaries which can be overwritten by people in the “other” group.

find /bin -perm -o=w ! -type l

This will show any system binaries in /bin where the other group has the write bit set. We skip symlinks, as they are not interesting and give false positives to the test.

Depending on the paths, this has to be repeated for all of them. Any findings from the find command means this binary (or file) can be written to by someone other than the owner. Usually this is a sign of bad system management or a possible intrusion.

This information is provided as an addition to the PCI DSS plugin for Lynis