PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

No write access to shared system binaries

A.1.2.c Verify that an entity’s users do not have write access to
shared system binaries

Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible.

Paths for system binaries

Depending on the distribution used there are several directories which have shared system binaries. Common paths are:

/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/libexec /usr/local/sbin /usr/local/libexec

These paths can be scanned for any binary having incorrect permissions. In this particular case we are interested in binaries which can be overwritten by people in the “other” group.

find /bin -perm -o=w ! -type l

This will show any system binaries in /bin where the other group has the write bit set. We skip symlinks, as they are not interesting and give false positives to the test.

Depending on the paths, this has to be repeated for all of them. Any findings from the find command means this binary (or file) can be written to by someone other than the owner. Usually this is a sign of bad system management or a possible intrusion.

 

This information is provided as an addition to the PCI DSS plugin for Lynis

Automate security audits and know your risks
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux and Unix-based systems more secure.

Is system hardening taking a lot of time for you? Don't know where to start? We solved that problem: Lynis Enterprise.


Leave a Reply

Your email address will not be published. Required fields are marked *