4.1.1.18 Ensure Home directory configuration file access is configured

Information

The user configuration files in each home directory, e.g. $HOME/.profile, must not be group or world writable.

Group or world-writable user configuration files may enable malicious users to steal or modify other users' data, or to gain elevated privileges.

Solution

Search and remediate any user configuration files which have group or world writable access:

# Enumerate every user's home directory (AIX 'lsuser' prints "user home=/path"),
# drop system locations, and strip group/other write permission from every
# regular dot-file found directly in that directory.
lsuser -a home ALL |cut -f2 -d= |egrep -v "^/$|/etc|/bin|/var|/usr|/usr/sys" |while read homedir;
do
    if [[ -d ${homedir} ]];
    then
        echo "Removing 'go-w' from all user configuration files in '${homedir}'"
        # Only hidden files (names beginning with a dot) count as configuration files.
        ls -a ${homedir} |egrep "^.[a-z]" |while read file;
        do
            if [[ -f "${homedir}/${file}" ]];
            then
                echo "Running 'chmod go-w' on '${homedir}/${file}'"
                chmod go-w "${homedir}/${file}"
            fi
        done
    else
        echo "ERROR - no home directory for '${homedir}'"
    fi
done

NOTE: Running this script applies the permission change automatically; it does not merely report non-compliant files.
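Because the remediation above changes permissions as it goes, an auditor usually wants a read-only pass first that lists which dot-files would be touched. The following POSIX sh snippet is an added example written for this page, not part of the benchmark's own script: it inspects one home directory, reports any dot-file whose group or other write bit is set (read from the mode string printed by 'ls -ld', which works on AIX as well as Linux), ignores non-hidden files the way the benchmark does, and changes nothing. The home directory path, the function names and the sample files it creates under a temporary directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Audit-only counterpart to the benchmark remediation (added example, not CIS/Tenable code).
# Lists user configuration files (dot-files) in a home directory that are group- or
# world-writable. It never runs chmod.

# find_writable_dotfiles DIR
# Prints "<mode> <path>" for each regular dot-file in DIR whose group or other
# write bit is set. Returns 1 (and prints an error) if DIR is not a directory.
find_writable_dotfiles() {
    homedir=$1
    if [ ! -d "$homedir" ]; then
        echo "ERROR - no home directory for '$homedir'" >&2
        return 1
    fi
    # Same scope as the benchmark: only hidden files directly in the home directory.
    for f in "$homedir"/.[!.]*; do
        [ -f "$f" ] || continue
        # First 10 characters of 'ls -ld' output, e.g. -rw-rw-r--
        mode=$(ls -ld "$f" | cut -c1-10)
        group_w=$(printf '%s' "$mode" | cut -c6)   # 6th char: group write bit
        other_w=$(printf '%s' "$mode" | cut -c9)   # 9th char: other write bit
        if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
    return 0
}

# count_writable_dotfiles DIR
# Number of non-compliant dot-files in DIR (0 means the control passes for that user).
count_writable_dotfiles() {
    find_writable_dotfiles "$1" 2>/dev/null | awk 'END { print NR }'
}

# --- Constructed demonstration data (a fake home directory) ---
demo_home=$(mktemp -d)
: > "$demo_home/.profile"; chmod 600 "$demo_home/.profile"   # compliant
: > "$demo_home/.kshrc";   chmod 664 "$demo_home/.kshrc"     # group writable
: > "$demo_home/.bashrc";  chmod 646 "$demo_home/.bashrc"    # world writable
: > "$demo_home/notes.txt"; chmod 666 "$demo_home/notes.txt" # not a dot-file: out of scope

echo "Non-compliant configuration files in '$demo_home':"
find_writable_dotfiles "$demo_home"
echo "Count: $(count_writable_dotfiles "$demo_home")"
```

In production the function would be fed by the same home-directory enumeration the benchmark uses (the 'lsuser -a home ALL' pipeline on AIX); a non-zero count for any user is the finding, and only after reviewing that list would you run the remediation. The temporary directory is left in place so the output can be inspected.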

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 6e416d54a7862e53a57b8ded3289bb738424b327dc505b2616b150bdd0e9463a