S 4.23 Secure invocation of executable files

Initiation responsibility: IT Security Management, Administrators

Implementation responsibility: Administrator, IT users

It must be ensured that only approved versions of executable files and no modified versions that may have been introduced (especially Trojan Horses) are called up.

Therefore, the current directory (.) should not be included as a path in the PATH variable. Executable files should be contained only in the directories intended for the purpose. Only the owner may have write access to the directories contained in a PATH variable. This should be regularly checked. In Unix systems with an IFS variable, this should be set at the standard value ( space, tab and newline) and, in particular, must not be set at"/".

Additional controls:

• Are the PATH entries being regularly checked?
• Are executable files held in specific directories or scattered in the system?
• Are the users aware of these regulations and their underlying reasons?