Other Articles
- Servers – Disable UDF Filesystem
- Servers – Configure /tmp Partition
- Servers – Configure /home Partition
- Servers – Configure /var Partition
- Servers – Configure Shm Partition
- Servers – Enable dm-verity
- Servers – Enforce Authentication for Single User Mode
- Servers – Restrict Core Dump Generation
- Servers – Enable NX Protection
- Servers – Enable Address Space Layout Randomization (ASLR)
- Servers – Configure Message of the Day (MOTD)
- Servers – Configure Local Login Banner
- Servers – Configure Remote Login Banner
- Servers – Configure Message of the Day (MOTD) Permissions
- Servers – Configure Issue Permissions
- Servers – Configure Password Permissions
- Servers – Configure Group Backup Permissions
- Servers – Configure Group Permissions
- Servers – Configure Gshadow Backup Permissions
- Servers – Configure Gshadow Permissions
- Servers – Configure Passwd Backup Permissions
- Servers – Configure Shadow Backup Permissions
- Servers – Configure Shadow Permissions
- Servers – Ensure All Users' Home Directories Exist
- Servers – Ensure No Users Have .forward Files
- Servers – Ensure No Users Have .netrc Files
- Servers – Ensure No Users Have .rhosts Files
- Servers – Ensure Root is the Only UID 0 Account
- Servers – Remove Legacy '+' Entries from Group
- Servers – Remove Legacy '+' Entries from Passwd
- Servers – Remove Legacy '+' Entries from Shadow
- Servers – Restrict Access to .netrc Files
- Servers – Secure System Accounts
- Servers – Ensure Users' Home Directory Permissions are 750 or More Restrictive
- Servers – Ensure Users Own Their Home Directories
- Servers – Verify Security Of Dot Files
- Servers – Verify Existence of passwd Groups
- Servers – Ensure No Duplicate UIDs Exist
- Servers – Ensure No Duplicate GIDs Exist
- Servers – Ensure No Duplicate User Names Exist
- Servers – Ensure No Duplicate Group Names Exist
- Servers – Ensure Shadow Group Has No Members
- Servers – Ensure Logging is Configured
- Servers – Ensure Journald Compression is Configured
- Servers – Ensure Journald Storage is Configured to Persistent Disk
- Servers – Ensure Permissions on All Logfiles are Configured
- Servers – Verify Time Synchronization with Chrony
- Servers – Ensure Chrony is Configured
- Servers – Ensure X Window System is Not Installed
- Servers – Ensure NFS and RPC Services are Disabled
- Servers – Ensure Rsync Service is Disabled
- Servers – Ensure TCP SYN Cookies is Enabled
- Servers – Ensure IPv6 Default Deny Firewall Policy
- Servers – Ensure IPv6 Loopback Traffic is Configured
- Servers – Ensure IPv6 Outbound and Established Connections are Configured
- Servers – Verify IPv6 Open Ports Rules
- Servers – Ensure Default Deny Firewall Policy is Configured
- Servers – Ensure Loopback Traffic is Configured
- Servers – Ensure Outbound and Established Connections are Configured
- Servers – Ensure Iptables is Installed
- Servers – Ensure Packet Redirect Sending is Disabled
- Servers – Ensure Source Routed Packets are Not Accepted
- Servers – Ensure ICMP Redirects are Not Accepted
- Servers – Ensure Secure ICMP Redirects are Disabled
- Servers – Ensure Suspicious Packets Logging is Enabled
- Servers – Ensure Broadcast ICMP Requests are Ignored
- Servers – Ensure Bogus ICMP Responses are Ignored
- Servers – Ensure Reverse Path Filtering is Enabled
- Servers – Ensure Absence of IPv6 Router Advertisements
- Servers – Ensure SSH SSHD Config Permissions Are Configured
- Servers – Ensure SSH Private Host Key Permissions
- Servers – Ensure SSH Public Host Key Permissions Are Configured
- Servers – Ensure SSH Protocol is Set to 2
- Servers – Ensure SSH LogLevel is Appropriate
- Servers – Ensure SSH X11 Forwarding is Disabled
- Servers – Ensure SSH MaxAuthTries is Set to 4 or Less
- Servers – Ensure SSH IgnoreRhosts is Enabled
- Servers – Ensure SSH HostbasedAuthentication is Disabled
- Servers – Disable SSH Root Login
- Servers – Ensure SSH PermitEmptyPasswords is Disabled
- Servers – Verify SSH Strong Ciphers Strength
- Servers – Verify SSH Strong MAC Algorithms
- Servers – Verify SSH Strong Key Exchange Algorithms
- Servers – Ensure SSH Idle Timeout Interval is Configured
- Servers – Ensure SSH Login Grace Time is Configured
- Servers – Configure SSH Warning Banner
- Servers – Enable SSH PAM Authentication
- Servers – Disable SSH AllowTcpForwarding
- Servers – Configure SSH MaxStartups
- Servers – Verify SSH MaxSessions Configuration
- Servers – Ensure Password Creation Requirements are Configured
- Servers – Ensure Password Reuse is Limited
- Servers – Ensure Password Hashing Algorithm is SHA-512
- Servers – Ensure Password Expiration Days is 365 or Less
- Servers – Ensure Minimum Days Between Password Changes is 7 or More
- Servers – Ensure Password Expiration Warning Days is 7 or More
- Servers – Ensure Inactive Password Lock is 30 Days or Less
- Servers – Ensure All Users Last Password Change Date is in the Past
- Servers – Ensure System Accounts Are Secured
- Servers – Ensure Default Group for Root Account is GID 0
- Servers – Verify Default User Umask
- Servers – Ensure Default User Shell Timeout is 900 Seconds or Less
- Servers – Ensure Root Login is Restricted to System Console
- Servers – Ensure Access to su Command is Restricted
Servers – Ensure Root PATH Integrity
Support > Fixing Checks > Server
06 March, 2026
This check ensures that the root user's PATH variable is configured securely. The
PATH environment variable determines the directories the system searches when executing
commands.
If insecure directories such as the current directory (.) or writable directories are included in the root user's PATH, an attacker could place a malicious program that may be executed unintentionally by the administrator. Maintaining a secure PATH helps prevent unauthorized privilege escalation.
Check Details
- Resource: Server
- Check: Ensure Root Path Integrity
- Risk: If the root PATH includes insecure or writable directories, an attacker may place malicious executables that could be run unintentionally by the root user, leading to full system compromise.
Remediation Steps
- Open a terminal session on the server with root or sudo privileges.
-
Check the current
PATHconfiguration for the root user.sudo -Hiu root env | grep '^PATH'
-
Verify that the PATH variable does not contain:
- Empty directory entries (
::) - A trailing colon (
:) - The current directory (
.) - Directories that are writable by group or others
- Empty directory entries (
-
Run the following script to identify insecure directories within the root PATH.
#!/bin/bash PATH="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)" echo "$PATH" | grep -q "::" && echo "Empty directory in PATH (::)" echo "$PATH" | grep -q ":$" && echo "Trailing : in PATH" for dir in $(echo "$PATH" | tr ":" " "); do if [ -d "$dir" ]; then ls -ldH "$dir" | awk ' substr($1,6,1) != "-" { print $9, "is group writable" } substr($1,9,1) != "-" { print $9, "is world writable" } $3 != "root" { print $9, "is not owned by root" } ' else echo "$dir is not a directory" fi done -
If any insecure directories are identified, update permissions or remove them from the root PATH
configuration files such as
/root/.bashrc,/root/.profile, or system-wide environment files. -
Ensure that all directories in the root PATH are:
- Owned by root
- Not writable by group or other users
- Valid directories required for system administration