6.2.11 Ensure local interactive user dot files access is configured

Information

While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these.

- .forward file specifies an email address to forward the user's mail to.
- .rhosts file provides the "remote authentication" database for the rcp, rlogin, and rsh commands and the rcmd() function. These files bypass the standard password-based user authentication mechanism: they list remote hosts and users that are considered trusted, i.e. are allowed to access the local system without supplying a password.
- .netrc file contains cleartext credentials for logging into a remote host or passing authentication to an API.
- .bash_history file keeps the user's command history (the last 500 commands by default), which can include secrets typed on the command line.

User configuration files with excessive or incorrect access may enable malicious users to steal or modify other users' data or to gain another user's system privileges.

Solution

Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy.

The following script will:

- remove excessive permissions on dot files within interactive users' home directories
- change ownership of dot files within interactive users' home directories to the user
- change group ownership of dot files within interactive users' home directories to the user's primary group
- list .forward and .rhosts files to be investigated and manually deleted

#!/usr/bin/env bash

{
   # Build a regex of valid login shells from /etc/shells (nologin excluded), e.g. ^(\/bin\/bash|\/bin\/sh)$
   l_valid_shells="^($( awk -F/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\/,g;p}' | paste -s -d '|' - ))$"
   unset a_uarr && a_uarr=() # Clear and initialize array
   while read -r l_epu l_eph; do # Populate array with users and user home location
      [[ -n "$l_epu" && -n "$l_eph" ]] && a_uarr+=("$l_epu $l_eph")
   done <<< "$(awk -v pat="$l_valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)"
   l_asize="${#a_uarr[@]}" # Here if we want to look at number of users before proceeding
   l_maxsize="1000" # Maximum number of local interactive users before warning (Default 1,000)
   [ "$l_asize" -gt "$l_maxsize" ] && echo -e "
      ** INFO **
      - \"$l_asize\" Local interactive users found on the system
      - This may be a long running check
      "
   file_access_fix()
   {
      l_facout2=""
      l_max="$( printf '%o' $(( 0777 & ~$l_mask)) )" # Most permissive mode allowed for this file class
      if [ $(( $l_mode & $l_mask )) -gt 0 ]; then # Any bit from the mask set means the file is too open
         echo -e " - File: \"$l_hdfile\" is mode: \"$l_mode\" and should be mode: \"$l_max\" or more restrictive
         - Changing to mode \"$l_max\""
         chmod "$l_chp" "$l_hdfile"
      fi
      if [[ ! "$l_owner" =~ ($l_user) ]]; then
         echo -e " - File: \"$l_hdfile\" owned by: \"$l_owner\" and should be owned by \"${l_user//|/ or }\"
         - Changing ownership to \"$l_user\""
         chown "$l_user" "$l_hdfile"
      fi
      if [[ ! "$l_gowner" =~ ($l_group) ]]; then
         echo -e " - File: \"$l_hdfile\" group owned by: \"$l_gowner\" and should be group owned by \"${l_group//|/ or }\"
         - Changing group ownership to \"$l_group\""
         chgrp "$l_group" "$l_hdfile"
      fi
   }
   while read -r l_user l_home; do
      if [ -d "$l_home" ]; then
         echo -e "
         - Checking user: \"$l_user\" home directory: \"$l_home\""
         l_group="$(id -gn "$l_user" | xargs)"
         l_group="${l_group// /|}"
         while IFS= read -r -d $'\0' l_hdfile; do # NUL-delimited, so odd file names are handled
            while read -r l_mode l_owner l_gowner; do
               case "$(basename "$l_hdfile")" in
                  .forward | .rhost | .rhosts ) # .rhosts is the name the r-commands actually read
                     echo -e " - File: \"$l_hdfile\" exists
                     - Please investigate and manually delete \"$l_hdfile\""
                     ;;
                  .netrc )
                     l_mask='0177' # Credentials: no group/other access, not executable
                     l_chp="u-x,go-rwx"
                     file_access_fix ;;
                  .bash_history )
                     l_mask='0177' # Command history: same treatment as .netrc
                     l_chp="u-x,go-rwx"
                     file_access_fix ;;
                  * )
                     l_mask='0133' # Other dot files: group/other may read but not write or execute
                     l_chp="u-x,go-wx"
                     file_access_fix ;;
               esac
            done <<< "$(stat -Lc '%#a %U %G' "$l_hdfile")"
         done < <(find "$l_home" -xdev -type f -name '.*' -print0)
      fi
   done <<< "$(printf '%s\n' "${a_uarr[@]}")"
   unset a_uarr # Remove array
}
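The Solution text recommends establishing a monitoring policy that reports dot-file permissions before anything is changed. The following audit-only script is an added example, not part of the CIS benchmark or of this plugin: it applies the same file classes and masks as the remediation script above but only prints findings and returns a status, so it can be run from a scheduler or a check-only job without side effects. The function names dotfile_max_mode, dotfile_findings and audit_home, and the --all flag, are assumed names for this example.

```bash
#!/usr/bin/env bash
# Audit-only companion to the remediation script: report dot-file findings for
# local interactive users without changing modes or ownership.
# Added example; function names are hypothetical, not from the benchmark.

# Most permissive acceptable mode for a dot file, as octal without a leading 0.
# .netrc and .bash_history hold secrets: 600. Everything else: 644.
dotfile_max_mode() {
   case "$(basename "$1")" in
      .netrc|.bash_history) printf '%o' $(( 0777 & ~0177 )) ;;   # 600
      *)                    printf '%o' $(( 0777 & ~0133 )) ;;   # 644
   esac
}

# dotfile_findings <file> <expected_owner> <expected_group>
# Prints one finding per line (MODE / OWNER / GROUP / INVESTIGATE).
# Returns 0 when the file is compliant, 1 when at least one finding was printed.
dotfile_findings() {
   local f="$1" user="$2" group="$3" mask="" rc=0
   set -- $(stat -Lc '%#a %U %G' "$f")      # e.g. "0644 alice alice"
   local mode="$1" owner="$2" gowner="$3"
   case "$(basename "$f")" in
      .forward|.rhosts|.rhost)
         # No permission is safe here: these files change how the account
         # authenticates or where its mail goes, so report for manual removal.
         echo "INVESTIGATE $f: exists, review and delete manually"
         rc=1 ;;
      .netrc|.bash_history) mask=0177 ;;
      *)                    mask=0133 ;;
   esac
   # Both values carry a leading 0, so the shell treats them as octal.
   if [ -n "$mask" ] && [ $(( mode & mask )) -ne 0 ]; then
      echo "MODE $f: is $mode, should be $(dotfile_max_mode "$f") or more restrictive"
      rc=1
   fi
   if [ "$owner" != "$user" ]; then
      echo "OWNER $f: owned by $owner, expected $user"
      rc=1
   fi
   if [ "$gowner" != "$group" ]; then
      echo "GROUP $f: group $gowner, expected $group"
      rc=1
   fi
   return "$rc"
}

# audit_home <user> <home> [primary_group]
# Walks every regular dot file under the home directory on the same filesystem
# and prints findings; always returns 0 so callers can count output lines.
audit_home() {
   local user="$1" home="$2" group="${3:-$(id -gn "$user")}" f
   [ -d "$home" ] || { echo "SKIP $user: home directory $home does not exist"; return 0; }
   find "$home" -xdev -type f -name '.*' -print | while IFS= read -r f; do
      dotfile_findings "$f" "$user" "$group" || true
   done
}

# With --all, audit every local interactive user, selected the same way as
# the remediation script (login shell listed in /etc/shells, not nologin).
if [ "${1:-}" = "--all" ]; then
   valid_shells="^($(awk -F/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\/,g;p}' | paste -s -d '|' -))$"
   awk -v pat="$valid_shells" -F: '$NF ~ pat { print $1 " " $(NF-1) }' /etc/passwd |
   while read -r u h; do audit_home "$u" "$h"; done
fi
```

Run it as root with --all and feed the output to whatever reporting the site policy calls for; an empty report means every dot file already satisfies the masks the remediation script would enforce.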

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f75cffebf43dfedae098228514f0d2f2d853f44ddd5c63ea91919628ac81435c