6.2.16 Ensure no users have .rhosts files

Information

While norhosts files are shipped by default, users can easily create them.

This action is only meaningful ifrhosts support is permitted in the file /etc/pam.conf Even though therhosts files are ineffective if support is disabled in /etc/pam.conf they may have been brought over from other systems and could contain information useful to an attacker for those other systems.

Solution

Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report userrhosts files and determine the action to be taken in accordance with site policy.

The following script will removerhosts files from interactive users' home directories

#!/bin/bash

awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(/usr)?/sbin/nologin(/)?$/ && $7!~/(/usr)?/bin/false(/)?$/) { print $6 }' /etc/passwd | while read -r dir; do
if [ -d "$dir" ]; then
file="$dir/.rhosts"
[ ! -h "$file" ] && [ -f "$file" ] && rm -r "$file"
fi
done

See Also

https://workbench.cisecurity.org/files/3796

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.4

Plugin: Unix

Control ID: 7fc59cbd8fee32c24b840f20e6563e49ca1aa1cc9ff185e6978d1861cc256fa4