All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
Description
Change the mode of interactive users home directories to 0750
. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
Rationale
Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
# Only update the permissions when necessary. This will avoid changing the inode timestamp when
# the permission is already defined as expected, therefore not impacting in possible integrity
# check systems that also check inodes timestamps.
find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
done
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
tags:
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Test for existence home directories to avoid creating them.
ansible.builtin.stat:
path: '{{ item.value[4] }}'
register: path_exists
loop: '{{ local_users }}'
when:
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
tags:
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure interactive local users have proper permissions on their respective
home directories
ansible.builtin.file:
path: '{{ item.0.value[4] }}'
mode: u-s,g-w-s,o=-
follow: false
recurse: false
loop: '{{ local_users|zip(path_exists.results)|list }}'
when: item.1.stat is defined and item.1.stat.exists
tags:
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy