All User Files and Directories In The Home Directory Must Have a Valid Owner
An XCCDF Rule
Description
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive user's files and directories, use the following command:
$ sudo chown -R USER /home/USERThis rule ensures every file or directory under the home directory related to an interactive user is owned by an interactive user.
warning alert: Warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the ownership of
folders or files in their respective home directories.
Rationale
If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.
- ID
- xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- accounts_users_home_files_ownership
Remediation - Shell Script
for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
home_dir=$(getent passwd $user | cut -d: -f6)
# Only update the ownership when necessary. This will avoid changing the inode timestamp
# when the owner is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.