4.1.2.2 Ensure Home directories access is configured

Information

All user home directories must have a suitable owner UID.

Manipulating home directories may enable malicious users to steal or modify data, or to gain other user's system privileges. The UID (or owner) of the HOME directory needs to be either the account or a special account defined for this purpose.

When the account is the owner - the security policy must specify that (some) accounts may have DAC authorization to modify HOME directory contents. Security policy may also specify a special UID used to own HOME directories to prevent accounts from modifying the layout and/or content of the HOME directory.

The assumption of this recommendation is that security policy has not specified either. The recommendation is to lock accounts when the HOME directory is not owned by the user or by

root

.

Solution

For all local accounts with UID >= 200:

#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest;
do
uid=$(echo ${ids} | cut -f2 -d =)
if [[ ${uid} -ge 200 ]]; then
home=$(echo ${homes} | cut -f2 -d =)
locked=$(echo ${locks} | cut -f2 -d =)
if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
continue
elif [[ ! -d ${home} ]]; then
/usr/bin/printf "%-32s does not exist; Run appropriate CIS remediation
" ${home} ${name}
continue
else
/usr/bin/perl -e '
$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
if ($huid != $uid && $huid != 0) {
printf("Locked Account: %s does not own %s.
", ${user},${hd});
exit(1); # triggers command after OR (||)
}' ${name} ${home} ${uid} ||
/usr/bin/chuser -R files account_locked=true $name
fi
fi
done

Impact:

*

Locally

administered accounts with HOME directories owned by a random userid will be locked.

Valid users can open a ticket to get the UID of their HOME directory corrected.

The risk of a malicious user modifying an accounts HOME directory is reduced.

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: e6b6edb9dd7871087231c109a5f99d01b9d6c33fcff6f02538862bd944ed12ce