All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
An XCCDF Rule
Description
Set the mode on files and directories in the local interactive user home directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement.
Rationale
If a local interactive user's files have excessive permissions, unintended users may be able to access or modify them.
- ID
- xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
    - accounts_users_home_files_permissions
Remediation - Shell Script
# Interactive local accounts: UID >= 1000, excluding the "nobody" UID 65534.
for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
    # the permission is already defined as expected, therefore not impacting in possible integrity
    # check systems that also check inodes timestamps.
    # -perm /7027 matches any entry with setuid, setgid, sticky, group-write or any "other" bit set;
    # the chmod clears setuid, setgid, group-write and all "other" bits (the sticky bit is left as is).
    # Note that this loop does not apply the description's exemption for names starting with ".".
    find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
done
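An audit-only counterpart to the remediation above, added here as an example and not part of the SSG content: it reports, without modifying anything, every non-dotfile entry under an interactive user's home directory whose mode is more permissive than 0750, and takes the passwd file path as a parameter so it can be tested against a constructed copy. It assumes GNU find on Linux; the function names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the SSG content. Assumes GNU find on Linux.
# A mode is "more permissive than 0750" when any bit outside u=rwx,g=rx is set:
# setuid 4000, setgid 2000, sticky 1000, group-write 020, other rwx 007.
# Those bits sum to 7027, the same mask the remediation's -perm /7027 uses.

# Print every file or directory under one home directory that fails the rule.
# Entries whose name starts with "." are skipped together with their contents,
# matching the description's exemption. Nothing is modified.
audit_home_dir() {
    home_dir=$1
    [ -d "$home_dir" ] || return 0
    find "$home_dir" \
        \( -name '.*' ! -path "$home_dir" -prune \) -o \
        \( -perm /7027 -print \)
}

# Walk the home directory of every local interactive account, selected the
# same way as the remediation loop (UID >= 1000, excluding the nobody UID
# 65534). The passwd file path is a parameter so a constructed copy can be
# audited offline; it defaults to the live /etc/passwd.
audit_from_passwd() {
    passwd_file=${1:-/etc/passwd}
    awk -F':' '$3 >= 1000 && $3 != 65534 { print $6 }' "$passwd_file" |
        while IFS= read -r home_dir; do
            audit_home_dir "$home_dir"
        done
}

# Number of findings, so a compliance check can turn the audit into pass/fail.
count_findings() {
    audit_from_passwd "$1" | awk 'END { print NR }'
}

# Only touch the live system when explicitly asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_from_passwd "${2:-/etc/passwd}"
fi
```

A non-zero count from count_findings is the list of paths the remediation would have chmod'ed, which makes the audit useful for catching drift before an enforcement run.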