|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: SecurID Appliance
RSA Version/Condition: 8.1.0, 8.1 SP1
Platform: SuSE Linux
Platform (Other): This is in reference to the RSA SecurID appliance directly.
|Issue||The customer's policy called for the vulnerability scan tool to use its own operating system account or service account in Linux, instead of the RSA Authentication Manager default OS account created during VM deployment. When the customer used the useradd command in Linux to create this service account, that account was then flagged with the "unix-dot-entries-in-root-path" vulnerability:|
login as: rsaadmin
rsaadmin@am8p:~> sudo su -
am8p:~ # useradd baduser
am8p:~ # su - baduser
su: warning: cannot change directory to /home/baduser: No such file or directory
baduser@am8p:/root> echo $PATH
|Cause||The useradd utility in the VM version of SuSE Linux 11 shipped with Authentication Manager 8.1 SP1 places the . <dot> relative path in the PATH of the new service account.|
|Resolution||Remove the . <dot> relative path from this user service account by editing the SuSE configuration file /etc/sysconfig/suseconfig and locating the parameter CWD_IN_USER_PATH.|
This parameter is evaluated by /etc/profile.d/profile.sh, so that the . <dot> will no longer be added to PATH when any OS user logs in, including users already created with useradd.
The rsaadmin operating system account created during VM deployment does not have this . <dot> relative path.
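The following POSIX sh script is an added example, not part of the RSA article: it audits a PATH value for the dot and empty entries the scanner flags, strips them, and reads the CWD_IN_USER_PATH value from a sysconfig file so an administrator can verify the fix on an appliance. It assumes the standard SuSE setting of CWD_IN_USER_PATH="no" is the value that stops profile.sh from appending "." (the article names the parameter but not the value); the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the RSA article. POSIX sh only.

# path_has_dot PATH_VALUE -> returns 0 if PATH contains "." or an empty
# entry. An empty entry (leading, trailing or doubled colon) is resolved
# by the shell as the current directory, so it is the same weakness.
path_has_dot() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# path_strip_dot PATH_VALUE -> prints PATH with "." and empty entries removed
path_strip_dot() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _e="${_rest%%:*}"          # next entry
        _rest="${_rest#*:}"        # drop it (and its colon) from the rest
        case "$_e" in
            .|"") ;;               # skip the dangerous entries
            *) _out="${_out:+$_out:}$_e" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# cwd_in_user_path FILE -> prints the configured CWD_IN_USER_PATH value
# (last assignment wins, quotes removed); empty output means unset.
cwd_in_user_path() {
    grep '^CWD_IN_USER_PATH=' "$1" | tail -n 1 | cut -d= -f2 | tr -d '"'
}

# write_sample_sysconfig FILE VALUE -> constructed sample file, assumption:
# the weak setting is "yes" (dot appended at login), the fix is "no".
write_sample_sysconfig() {
    printf '## Type: yesno\nCWD_IN_USER_PATH="%s"\n' "$2" > "$1"
}

# Report on the PATH of whoever runs this script.
if path_has_dot "$PATH"; then
    echo "WARNING: PATH contains a dot or empty entry"
    echo "Hardened PATH would be: $(path_strip_dot "$PATH")"
else
    echo "OK: no dot or empty entries in PATH"
fi
```

Run it as the service account (su - baduser) before and after setting the parameter; once CWD_IN_USER_PATH reads no and the user logs in again, the audit should report OK.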
|Workaround||Use the operating system account created during VM deployment (i.e., rsaadmin).|
This is not something that is explained or supported with the Authentication Manager software, as RSA assumes there will be just one operating system account, created at deployment, which does not have the . <dot> in its path.
|Notes||We did not see this behavior in the Dell Appliance Authentication Manager 8.1 SP1 SuSE Linux version of useradd.|
Note: using useradd to modify the Authentication Manager software is not supported, has not been tested and may have unintended results, as seen by the default behavior, which creates a vulnerability.