Ensure users' .netrc Files are not group or world accessible
An XCCDF Rule
Description
While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures every .netrc file or directory under the home directory related to an interactive user is not group or world accessible
Rationale
.netrc files may contain unencrypted passwords that may be used to attack other systems. Note: While the complete removal of .netrc files is recommended, if any are required on the system, secure permissions must be applied.
- ID
- xccdf_org.ssgproject.content_rule_accounts_users_netrc_file_permissions
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- CCE-89524-3
Remediation - Shell Script
for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
home_dir=$(getent passwd "$user" | cut -d: -f6)
find "${home_dir}/.netrc" -exec chmod 0600 {} \;
done