All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
An XCCDF Rule
Description
Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:

$ sudo chgrp USER_GROUP /home/USER/FILE_DIR

This rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user.
Warning
Due to an OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of folders or files in their respective home directories.
Rationale
If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
ID: xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership
Severity: Medium
References:
Updated:
Remediation - Ansible
- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - accounts_users_home_files_groupownership
Remediation - Shell Script
for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
  home_dir=$(getent passwd "$user" | cut -d: -f6)
  group=$(getent passwd "$user" | cut -d: -f4)
  # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
  # when the group is already defined as expected, therefore not impacting in possible integrity
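The following is an added example, not ComplianceAsCode's own content, that shows the three points this page makes in working code: the interactive-user selection used by the remediation's awk filter, why a check that only asks "is the group the primary group of some interactive user" misses the swap case named in the warning, and a remediation that changes group ownership only where it is wrong so compliant inodes keep their timestamps. The passwd records and file-to-gid map are constructed sample data, and the function names (strict_findings, loose_findings, audit_home, remediate_home) are assumptions made for this illustration.

```python
"""Audit and remediation helpers for the home-directory group-ownership rule.

Added example, not part of the SSG rule content. The helper names below
are assumptions chosen for this illustration.
"""
import os
from typing import Dict, Iterable, List, Optional, Tuple

PasswdRecord = Tuple[str, int, int, str]  # (name, uid, gid, home)

# Constructed /etc/passwd-style records; these are not real accounts.
PASSWD_SAMPLE: List[PasswdRecord] = [
    ("root", 0, 0, "/root"),
    ("alice", 1000, 1000, "/home/alice"),
    ("bob", 1001, 1001, "/home/bob"),
    ("nobody", 65534, 65534, "/"),
]

# Constructed stat results: path -> gid of the group owner.
# alice and bob have swapped the group ownership of one file each,
# which is exactly the situation the page's warning describes.
FILES_SAMPLE: Dict[str, int] = {
    "/home/alice/.bashrc": 1000,
    "/home/alice/notes.txt": 1001,
    "/home/bob/.profile": 1001,
    "/home/bob/report.txt": 1000,
}

UID_MIN = 1000        # same threshold as the remediation's awk filter
NOBODY_UID = 65534    # excluded just as the awk filter does


def interactive_users(records: Iterable[PasswdRecord]) -> List[PasswdRecord]:
    """Select local interactive users the way the shell remediation's awk filter does."""
    return [r for r in records if r[1] >= UID_MIN and r[1] != NOBODY_UID]


def _owner_of(path: str, users: List[PasswdRecord]) -> Optional[PasswdRecord]:
    """Return the interactive user whose home directory contains path, if any."""
    for user in users:
        home = user[3].rstrip("/") + "/"
        if path.startswith(home):
            return user
    return None


def strict_findings(records: Iterable[PasswdRecord], files: Dict[str, int]) -> List[str]:
    """Rule intent: a file under a user's home must carry that user's primary group."""
    users = interactive_users(records)
    bad = []
    for path, gid in files.items():
        owner = _owner_of(path, users)
        if owner is not None and gid != owner[2]:
            bad.append(path)
    return sorted(bad)


def loose_findings(records: Iterable[PasswdRecord], files: Dict[str, int]) -> List[str]:
    """Weaker reading: the group only has to be the primary group of *some*
    interactive user. Two users swapping group ownership pass this check,
    which is the false negative the warning on this page refers to."""
    users = interactive_users(records)
    allowed = {u[2] for u in users}
    return sorted(p for p, gid in files.items()
                  if _owner_of(p, users) is not None and gid not in allowed)


def audit_home(home: str, expected_gid: int) -> List[str]:
    """Walk a real home directory without following symlinks and return the
    entries (relative to home) whose group owner is not expected_gid."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(home):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_gid != expected_gid:
                bad.append(os.path.relpath(full, home))
    return sorted(bad)


def remediate_home(home: str, expected_gid: int, dry_run: bool = True) -> int:
    """chgrp only the entries that need it, so the inode ctime of already
    compliant entries is untouched (the point the remediation comment makes).
    Returns the number of entries changed (or that would be, in dry-run mode)."""
    changed = 0
    for rel in audit_home(home, expected_gid):
        if not dry_run:
            os.lchown(os.path.join(home, rel), -1, expected_gid)
        changed += 1
    return changed


if __name__ == "__main__":
    print("strict:", strict_findings(PASSWD_SAMPLE, FILES_SAMPLE))
    print("loose: ", loose_findings(PASSWD_SAMPLE, FILES_SAMPLE))
```

On the constructed data, strict_findings reports both swapped files while loose_findings reports nothing, which is the gap the warning describes. audit_home and remediate_home operate on a real directory and use lstat/lchown so symlinks are examined rather than followed, matching what a plain find without -L does.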