BOOT-5184 - Writable start-up scripts
Unix based systems have an extensive boot process, from loading the bootloader up to the execution of post-boot scripts. Protecting the boot process is important for the integrity of the system. Start-up scripts define what services will be initialized and started during the boot process. Lynis tests if there are scripts with world writable permissions. These files can be changed by all users on the system and usually started with root permissions. Therefore they impose a risk to the system, as one might include a backdoor into a start-up script.
How to solve
Check the Lynis log file for the discovered files and adjust their permissions. Usually limiting the file permissions to just the root user will be sufficient.
Linux and Unix System Hardening
This information is provided as part of the Lynis community project. It is related to Lynis control BOOT-5184. All information should be considered as-is, without guarantees. Any advice or snippets should be tested before implementing in production environments.
Lynis is a technical security audit tool for systems running Linux, UNIX, *BSD, and macOS. It is open source software and free to use. The project has an active community, and can also be found on GitHub.
Need more advanced features, like vulnerability scanning, or reporting installed software packages? Lynis Enterprise will collect more data and present it with an easy to use web interface.
Gain additional benefits: automating security audits, reporting, and the implementation of related security measures.
- Centralized management
- Prioritized plans
- Integration (API)
- Improvement snippets for tools like Ansible, Chef, Cfengine and Puppet