CCE-95460-2Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2021-03-05 (M)2023-07-04 |
Description:
While the system administrator can establish secure permissions for users home
directories, the users can easily override these.
Rationale:
Group or world-writable user home directories may enable malicious users to steal or
modify other users data or to gain another user's system privileges.
Audit:
Run the following script and verify no results are returned:
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which
nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user
dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
dirperm=$(ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6) != "-" ]; then
echo "Group Write permission set on the home directory ($dir) of user
$user"
fi
if [ $(echo $dirperm | cut -c8) != "-" ]; then
echo "Other Read permission set on the home directory ($dir) of user
$user"
fi
if [ $(echo $dirperm | cut -c9) != "-" ]; then
echo "Other Write permission set on the home directory ($dir) of user
$user"
fi
if [ $(echo $dirperm | cut -c10) != "-" ]; then
echo "Other Execute permission set on the home directory ($dir) of user
$user"
fi
fi
done
Remediation:
Making global modifications to user home directories without alerting the user community
can result in unexpected outages and unhappy users. Therefore, it is recommended that a
monitoring policy be established to report user file permissions and determine the action
to be taken in accordance with site policy.
Notes:
On some distributions the /sbin/nologin should be replaced with /usr/sbin/nologin
Parameter:
[yes/no]
Technical Mechanism:
Making global modifications to user home directories without alerting the user community
can result in unexpected outages and unhappy users. Therefore, it is recommended that a
monitoring policy be established to report user file permissions and determine the action
to be taken in accordance with site policy.
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.8 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84247 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72906 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72697 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73011 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72800 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72373 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68611 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72007 |