Restrict the modification of environment variables to authorized users and processes by enforcing strict permissions and policies. This ensures the integrity of environment variables, preventing adversaries from abusing or altering them for malicious purposes. This mitigation can be implemented through the following measures:
- Restrict Write Access: Restrict write access to shell and service environment files (.bashrc, .bash_profile, .zshrc, systemd service files). Set permissions on /etc/environment or /etc/profile on Linux systems to only allow root or administrators to modify the file.
- Secure Access Controls:
- Restrict Process Scope:
- Audit Environment Variable Changes: Use auditd on Linux to monitor changes to files like /etc/environment or application-specific environment files.

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1562.003 | Impair Defenses: Impair Command History Logging | Prevent users from changing the
Enterprise | T1070.003 | Indicator Removal: Clear Command History | Making the environment variables associated with command history read only may ensure that the history is preserved.[1]
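The "Restrict Write Access" and "Audit Environment Variable Changes" measures above, as an added example that is not part of the original page: a POSIX shell script that verifies an environment file is owned by the expected account and carries no group or world write bit, and prints the matching auditd watch rules. The audit key name `env_files` and the use of GNU `stat -c` (Linux) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a Linux host with GNU stat.

# Linux environment files named on the page; extend as needed for the host.
ENV_FILES="/etc/environment /etc/profile"

# env_file_writable_by_others FILE
# Returns 0 if FILE has a group- or world-write bit set, 1 otherwise.
env_file_writable_by_others() {
    mode=$(stat -c '%a' "$1") || return 1
    mode=$(printf '%04d' "$mode")              # normalise to four octal digits
    grp=$(printf '%s' "$mode" | cut -c3)       # group permission digit
    oth=$(printf '%s' "$mode" | cut -c4)       # other permission digit
    case "$grp$oth" in
        *[2367]*) return 0 ;;                  # digits 2,3,6,7 carry the write bit
        *)        return 1 ;;
    esac
}

# check_env_file FILE [OWNER]
# Prints a verdict; returns 0 when FILE is owned by OWNER (default root) and is
# not writable by group or others, 1 otherwise. A missing file is reported, not failed.
check_env_file() {
    f="$1"; want="${2:-root}"
    [ -e "$f" ] || { echo "MISSING $f"; return 0; }
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "$want" ]; then
        echo "BAD $f: owned by $owner, expected $want"; return 1
    fi
    if env_file_writable_by_others "$f"; then
        echo "BAD $f: writable by group or others (mode $(stat -c '%a' "$f"))"; return 1
    fi
    echo "OK $f"; return 0
}

# audit_rules FILE...
# Prints one auditd watch rule per FILE (auditctl -w syntax): write and
# attribute changes are logged under the assumed key "env_files".
audit_rules() {
    for f in "$@"; do
        printf -- '-w %s -p wa -k env_files\n' "$f"
    done
}

# Check the page's Linux files and print the rules to load into auditd.
rc=0
for f in $ENV_FILES; do check_env_file "$f" root || rc=1; done
audit_rules $ENV_FILES
```

Load the printed rules with `auditctl` or place them in the rules directory so `ausearch -k env_files` surfaces every modification of those files.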