Skip to content

All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

An XCCDF Rule

Description

Set the mode on files and directories in the local interactive user home directory with the following command:

$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement.

Rationale

If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.

ID
xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
Severity
Medium
References
Updated



Remediation - Ansible

- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - DISA-STIG-OL07-00-020680

Remediation - Shell Script


for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
    # the permission is already defined as expected, therefore not impacting in possible integrity
    # check systems that also check inodes timestamps.
    find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;