Skip to content

All User Files and Directories In The Home Directory Must Have a Valid Owner

An XCCDF Rule

Description

Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive user's files and directories, use the following command:

$ sudo chown -R USER /home/USER
This rule ensures every file or directory under the home directory related to an interactive user is owned by an interactive user.

warning alert: Warning

Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the ownership of folders or files in their respective home directories.

Rationale

If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.

ID
xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership
Severity
Medium
References
Updated



Remediation - Ansible

- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - accounts_users_home_files_ownership

Remediation - Shell Script


for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
    home_dir=$(getent passwd $user | cut -d: -f6)
    # Only update the ownership when necessary. This will avoid changing the inode timestamp
    # when the owner is already defined as expected, therefore not impacting in possible integrity
    # check systems that also check inodes timestamps.