Ensure that User Home Directories are not Group-Writable or World-Readable
An XCCDF Rule
Description
For each human user of the system, view the permissions of the user's home directory:
# ls -ld /home/USEREnsure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:
# chmod g-w /home/USER # chmod o-rwx /home/USER
warning alert: Functionality Warning
This action may involve modifying user home directories.
Notify your user community, and solicit input if appropriate,
before making this type of change.
warning alert: Warning
This rule is deprecated in favor of the
file_permissions_home_directories
rule.Please consider replacing this rule in your files as it is not expected to receive
updates as of version 0.1.62
.Rationale
User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.
- ID
- xccdf_org.ssgproject.content_rule_file_permissions_home_dirs
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
# Only update the permissions when necessary. This will avoid changing the inode timestamp when
# the permission is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.
find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
Remediation - Ansible
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- CCE-83638-7