
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

An XCCDF Rule

Description

Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:

$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
This rule ensures that every file or directory under an interactive user's home directory is group-owned by that user's primary group.

Warning

Due to an OVAL limitation, this rule can report a false negative in one specific situation: two interactive users swap the group ownership of files or directories in their respective home directories.

Rationale

If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
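The following checker is an added example and is not code from the SSG/ComplianceAsCode project or from the OVAL content behind this rule. It applies the rule's condition per home directory: each file under a user's home is compared against that specific user's primary GID, so the swap scenario from the warning above (user A's files group-owned by user B's group and vice versa) shows up as two findings rather than none. The passwd excerpt and the file inventory are constructed for the demonstration; the UID bounds (1000 and 65534) are the ones the rule's own shell remediation uses. `stat_home_tree` is an optional helper for running the same logic against a real home directory with `lstat`, so symlinks are not followed.

```python
"""Report files under interactive users' home directories that are not
group-owned by the home owner's primary group.

Added example for the XCCDF rule above; not project code.  The passwd
text and the file inventory are constructed sample data.
"""
import os
from typing import Dict, Iterable, List, NamedTuple, Tuple

UID_MIN = 1000        # first regular-user UID, as in the rule's shell remediation
NOBODY_UID = 65534    # the remediation script excludes this account too


class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str


def parse_passwd(text: str) -> List[Account]:
    """Return the interactive users (UID >= 1000, not nobody) from passwd-format text."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, ignore rather than crash
        uid, gid = int(fields[2]), int(fields[3])
        if uid >= UID_MIN and uid != NOBODY_UID:
            users.append(Account(fields[0], uid, gid, fields[5]))
    return users


def find_mismatches(users: Iterable[Account],
                    file_gids: Dict[str, int]) -> List[Tuple[str, str, int, int]]:
    """Return (user, path, actual_gid, expected_gid) for every path under a
    user's home whose group is not that user's primary group.
    file_gids maps an absolute path to its numeric GID."""
    findings = []
    for user in users:
        prefix = user.home.rstrip("/") + "/"
        for path, gid in sorted(file_gids.items()):
            if path.startswith(prefix) and gid != user.gid:
                findings.append((user.name, path, gid, user.gid))
    return findings


def stat_home_tree(home: str) -> Dict[str, int]:
    """Live helper: collect path -> GID for a real home directory using lstat,
    so symlinks pointing outside the home are not followed."""
    result = {}
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            path = os.path.join(root, name)
            result[path] = os.lstat(path).st_gid
    return result


# Constructed passwd excerpt: alice (primary GID 1000) and bob (primary GID 1001).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Constructed inventory reproducing the swap scenario from the warning:
# alice's .bashrc carries bob's group and bob's .bashrc carries alice's group.
SAMPLE_FILES = {
    "/home/alice/.bashrc": 1001,
    "/home/alice/notes.txt": 1000,
    "/home/bob/.bashrc": 1000,
    "/home/bob/work": 1001,
}


def demo() -> List[Tuple[str, str, int, int]]:
    """Run the check over the constructed sample data."""
    return find_mismatches(parse_passwd(SAMPLE_PASSWD), SAMPLE_FILES)


if __name__ == "__main__":
    for user, path, actual, expected in demo():
        print(f"{user}: {path} has gid {actual}, expected {expected}")
```

The checker only reports; it never calls `chgrp`, so it can be run on a schedule without touching inode change times, which matters when file-integrity monitoring is in place (the same reason the shell remediation below skips files whose group is already correct).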

ID
xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership
Severity
Medium
References
Updated
Remediation - Ansible

- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - accounts_users_home_files_groupownership

Remediation - Shell Script

for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
    home_dir=$(getent passwd "$user" | cut -d: -f6)
    group=$(getent passwd "$user" | cut -d: -f4)
    # Skip accounts whose home directory does not exist on this system.
    [ -d "$home_dir" ] || continue
    # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
    # when the group is already defined as expected, therefore not impacting in possible integrity
    # checks.
    find "$home_dir" ! -group "$group" -exec chgrp -f "$group" {} \;
done