Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

An XCCDF Rule

Description

Set the mode of the user initialization files, including the root user, to 0740 with the following commands:

$ sudo chmod 0740 /root/.INIT_FILE
$ sudo chmod 0740 /home/USER/.INIT_FILE

Rationale

Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

ID: xccdf_org.ssgproject.content_rule_file_permission_user_init_files_root
Severity: Medium
References: CCI-000366

SRG-OS-000480-GPOS-00227

SV-230325r1017136_rule
Updated: 5 days ago

- name: XCCDF Value var_user_initialization_files_regex # promote to variable
  set_fact:
    var_user_initialization_files_regex: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_user_initialization_files_regex" use="legacy"/>
  tags:
    - always
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Gather
    User Info
  ansible.builtin.getent:
    database: passwd
  tags:
  - DISA-STIG-RHEL-08-010770
  - file_permission_user_init_files_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Find
    Init Files
  ansible.builtin.find:
    paths: '{{ item.value[4] }}'
    pattern: '{{ var_user_initialization_files_regex }}'
    hidden: true
    use_regex: true
  with_dict: '{{ ansible_facts.getent_passwd }}'
  when:
  - item.value[4] != "/sbin/nologin"
  - item.key not in ["nobody", "nfsnobody"]
  - item.value[1] | int >= 1000 or item.key == "root"
  register: found_init_files
  tags:
  - DISA-STIG-RHEL-08-010770
  - file_permission_user_init_files_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Fix
    Init Files Permissions
  ansible.builtin.file:
    path: '{{ item.1.path }}'
    mode: u-s,g-wxs,o=
  loop: '{{ q(''ansible.builtin.subelements'', found_init_files.results, ''files'',
    {''skip_missing'': True}) }}'
  tags:
  - DISA-STIG-RHEL-08-010770
  - file_permission_user_init_files_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy


var_user_initialization_files_regex='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_user_initialization_files_regex" use="legacy"/>'


readarray -t interactive_users < <(awk -F: '$3==0 || $3>=1000   {print $1}' /etc/passwd)
readarray -t interactive_users_home < <(awk -F: '$3==0 || $3>=1000   {print $6}' /etc/passwd)readarray -t interactive_users_shell < <(awk -F: '$3==0 || $3>=1000   {print $7}' /etc/passwd)

USERS_IGNORED_REGEX='nobody|nfsnobody'

for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
    if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
        [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then

        readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \
            -exec basename {} \; | grep -P "$var_user_initialization_files_regex")
        for file in "${init_files[@]}"; do
            chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file"
        done
    fi
done

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

Description

Rationale

Remediation - Ansible

Remediation - Shell Script