6.2.9 Ensure no users have .forward files

Information

The .forward file specifies an email address to forward the user's mail to.

Rationale:

Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions.

Solution

Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy.
The following script will remove .forward files from interactive users' home directories

#!/bin/bash

awk -F: '($1!~/(root|halt|sync|shutdown)/ && $7!~/^(/usr)?/sbin/nologin(/)?$/ && $7!~/(/usr)?/bin/false(/)?$/) { print $6 }' /etc/passwd | while read -r dir; do
if [ -d '$dir' ]; then
file='$dir/.forward'
[ ! -h '$file' ] && [ -f '$file' ] && rm -r '$file'
fi
done

See Also

https://workbench.cisecurity.org/files/3219

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: e9f12254941c05cf78e0bf6914f9beca5e04f20ddaf8d86d5b3df753e984a19c