Bug
Resolution: Unresolved
rhel-8.10, rhel-9.6
Low
rhel-security-compliance
Red Hat Enterprise Linux
As per the CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v2.0.0 specification, "Ensure root path integrity" is supposed to detect non-existent paths in root's PATH as well, as part of the "Locations that are not directories" item.
When a path in PATH does not exist, the proposed verifier script should enter the else clause on line 23 of the benchmark's listing:
 1 #!/usr/bin/env bash
 2 {
 3  l_output2=""
 4  l_pmask="0022"
 5  l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
 6  l_root_path="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)"
 7  unset a_path_loc && IFS=":" read -ra a_path_loc <<< "$l_root_path"
 8  grep -q "::" <<< "$l_root_path" && l_output2="$l_output2\n - root's path
 9  contains a empty directory (::)"
10  grep -Pq ":\h*$" <<< "$l_root_path" && l_output2="$l_output2\n - root's
11  path contains a trailing (:)"
12  grep -Pq '(\h+|:)\.(:|\h*$)' <<< "$l_root_path" && l_output2="$l_output2\n
13  - root's path contains current working directory (.)"
14  while read -r l_path; do
15   if [ -d "$l_path" ]; then
16    while read -r l_fmode l_fown; do
17     [ "$l_fown" != "root" ] && l_output2="$l_output2\n - Directory:
18     \"$l_path\" is owned by: \"$l_fown\" should be owned by \"root\""
19     [ $(( $l_fmode & $l_pmask )) -gt 0 ] && l_output2="$l_output2\n -
20     Directory: \"$l_path\" is mode: \"$l_fmode\" and should be mode:
21     \"$l_maxperm\" or more restrictive"
22    done <<< "$(stat -Lc '%#a %U' "$l_path")"
23   else
24    l_output2="$l_output2\n - \"$l_path\" is not a directory"
25   fi
26  done <<< "$(printf "%s\n" "${a_path_loc[@]}")"
27  if [ -z "$l_output2" ]; then
28   echo -e "\n- Audit Result:\n *** PASS ***\n - Root's path is correctly
29   configured\n"
30  else
31   echo -e "\n- Audit Result:\n ** FAIL **\n - * Reasons for audit
32   failure * :\n$l_output2\n"
33  fi
34 }
This check (reporting PATH entries that do not exist as "not a directory") is missing from our implementation.
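The following bash function is an added example, not the CIS benchmark's script and not the project's own code. It performs the same audit as the listing above, including the "entry does not exist" case this report is about, but takes the PATH value to audit as its first argument (instead of reading root's environment with sudo) so it can be run against constructed input. The only place it goes beyond the benchmark's regex is the "." check, which also catches a leading "." entry; the function name, argument convention and output wording are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the CIS benchmark's script, not the project's code):
# audit a PATH string for root-PATH integrity, flagging entries that do not
# exist as directories alongside the ownership and permission checks.
# The PATH value is passed as $1 so the checks can be run on constructed input.

audit_root_path() {
    local path="$1"
    local pmask="0022"          # group/other write bits that must be clear
    local maxperm findings="" entry fmode fown
    maxperm="$(printf '%o' $(( 0777 & ~pmask )))"   # "755"

    # Append one finding to the report (dynamic scoping: sees $findings).
    note() { findings="${findings}"$'\n'" - $1"; }

    # Checks on the PATH string itself.
    case "$path" in *::*) note "root's path contains an empty directory (::)" ;; esac
    case "$path" in *:)   note "root's path contains a trailing (:)" ;; esac
    # "." as an entry anywhere, including a leading "." (the benchmark's regex
    # only matches "." after whitespace or a colon).
    case ":$path:" in *:.:*) note "root's path contains current working directory (.)" ;; esac

    # Checks on each entry: it must exist as a directory, be root-owned and
    # not be group/other writable. A non-existent entry lands in the else branch.
    local -a entries
    IFS=':' read -ra entries <<< "$path"
    for entry in "${entries[@]}"; do
        [ -z "$entry" ] && continue            # already reported as :: above
        if [ -d "$entry" ]; then
            # %#a gives the octal mode with a leading 0, which bash arithmetic
            # treats as octal, so the mask test works directly on it.
            read -r fmode fown <<< "$(stat -Lc '%#a %U' "$entry")"
            [ "$fown" != "root" ] && note "Directory: \"$entry\" is owned by: \"$fown\" should be owned by \"root\""
            [ $(( fmode & pmask )) -gt 0 ] && note "Directory: \"$entry\" is mode: \"$fmode\" and should be mode: \"$maxperm\" or more restrictive"
        else
            note "\"$entry\" is not a directory"
        fi
    done

    if [ -z "$findings" ]; then
        echo "- Audit Result: PASS - root's path is correctly configured"
        return 0
    fi
    printf -- '- Audit Result: FAIL - reasons for audit failure:%s\n' "$findings"
    return 1
}

# Usage against the real root PATH (requires sudo), as in the benchmark:
#   audit_root_path "$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)"
```

The function returns 0 only when no finding was recorded, so it can be used directly as a condition in a larger compliance script; every individual finding is still printed so the reason for a FAIL is visible.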