Information
All user home directories must have a suitable owner UID.
Manipulating home directories may enable malicious users to steal or modify data, or to gain other user's system privileges. The UID (or owner) of the HOME directory needs to be either the account or a special account defined for this purpose.
When the account is the owner - the security policy must specify that (some) accounts may have DAC authorization to modify HOME directory contents. Security policy may also specify a special UID used to own HOME directories to prevent accounts from modifying the layout and/or content of the HOME directory.
The assumption of this recommendation is that security policy has not specified either. The recommendation is to lock accounts when the HOME directory is not owned by the user or by
root
.
Solution
For all local accounts with UID >= 200:
#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest;
do
uid=$(echo ${ids} | cut -f2 -d =)
if [[ ${uid} -ge 200 ]]; then
home=$(echo ${homes} | cut -f2 -d =)
locked=$(echo ${locks} | cut -f2 -d =)
if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
continue
elif [[ ! -d ${home} ]]; then
/usr/bin/printf "%-32s does not exist; Run appropriate CIS remediation
" ${home} ${name}
continue
else
/usr/bin/perl -e '
$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
if ($huid != $uid && $huid != 0) {
printf("Locked Account: %s does not own %s.
", ${user},${hd});
exit(1); # triggers command after OR (||)
}' ${name} ${home} ${uid} ||
/usr/bin/chuser -R files account_locked=true $name
fi
fi
done
Impact:
*
Locally
administered accounts with HOME directories owned by a random userid will be locked.
Valid users can open a ticket to get the UID of their HOME directory corrected.
The risk of a malicious user modifying an accounts HOME directory is reduced.