6.2.8 Ensure no users have .netrc files

Information

The .netrc file contains data for logging into a remote host for file transfers via FTP.

While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these.

Note: While the complete removal of .netrc files is recommended, if any are required on the system secure permissions must be applied.

Rationale:

The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems.

If a .netrc file is required, and follows local site policy, it should have permissions of 600 or more restrictive.

Solution

Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc file permissions and determine the action to be taken in accordance with local site policy.
The following script will remove .netrc files from interactive users' home directories

#!/bin/bash

awk -F: '($1!~/(halt|sync|shutdown)/ && $7!~/^(/usr)?/sbin/nologin(/)?$/ && $7!~/(/usr)?/bin/false(/)?$/) { print $6 }' /etc/passwd | while read -r dir; do
if [ -d '$dir' ]; then
file='$dir/.netrc'
[ ! -h '$file' ] && [ -f '$file' ] && rm -f '$file'
fi
done

See Also

https://workbench.cisecurity.org/files/3219

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Unix

Control ID: f093488f7e06e8ecd5d61caf36bf4cb67a42f4fee8e0d774bc20d24ee643873c