2.7 Remove Unused Symbolic Links

Information

This recommendation finds and removes symbolic links whose targets are missing. Symbolic Links that do not have a valid target are a risk to system integrity.

The recommendation is to scan frequently (weekly or daily) for symbolic links without a valid target object and remove them.

Rationale:

Do not assume that anyone responsible for maintaining system integrity is (actively) monitoring unknown software.

Symbolic links - pointing at nothing - are, by definition, unauthorized and/or belong on a blocklist.

Impact:

Symbolic Links, used properly, are a tremendous asset - enhancing system usability (ease of use). However, when pointing to nothing (i.e., whatever they pointed at has been removed but not replaced) system integrity is at the mercy of whatever process replaces that filesystem location later.

To reduce risk to system integrity any symbolic link that points at a non-existent file-system object is to be removed.

Note: most symbolic links that point at no longer existent objects exist due to incomplete software removal procedures. When an authorized application is (re-)installed it's installation process will (or should) re-create the symbolic link.

Solution

The following command will remove all symbolic links that lack a valid target object:

find -L / ( -fstype jfs -o -fstype jfs2 ) -type l | xargs rm

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), 800-53|CM-8(3), 800-53|CM-10, 800-53|CM-11, CSCv7|2.6

Plugin: Unix

Control ID: c090b513e11bf9184082b526ef37b2d2076b46f227f0e58a8a59d98b9d692fac