The root user's home directory must not be the root directory (/).

From HP-UX 11.31 Security Technical Implementation Guide

Part of GEN000900

Associated with IA controls: ECCD-2, ECCD-1

Associated with: CCI-000366

SV-34829r1_rule The root user's home directory must not be the root directory (/).

Vulnerability discussion

Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.

Check content

Determine if root is assigned a home directory other than / by listing its home directory. # cat /etc/passwd | grep "^root" | cut -f 6,6 -d ":" If the root user home directory is /, this is a finding.

Fix text

The root home directory should be something other than / (such as /roothome). # mkdir /rootdir # chown root /rootdir # chgrp root /rootdir # chmod 700 /rootdir # cp -r /.??* /rootdir/. Edit the passwd file and change the root home directory to /rootdir. The cp -r /.??* command copies all files and subdirectories of file names that begin with "." into the new root directory, which preserves the previous root environment. Ensure you are in the "/" directory when executing the "cp" command.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer