mediumfilesystemverified ✓rollback-safe
Ensure local interactive user dot files access is configured
home-dotfiles-permissions · RHEL ≥ 8 · 1 impl
Description
Local interactive user dot files must not be group or world writable.
Rationale
Overly permissive dot files could allow other users to modify login scripts, potentially enabling code execution in the context of another user.
Check → Remediate
Checkcommand
awk -F: '($3>=1000 && $7 !~ /nologin|false/) {print $6}' /etc/passwd | while read dir; do find "$dir" -maxdepth 1 -name '.*' -type f -perm /go+w 2>/dev/null; done | head -1 | grep -q . && exit 1 || exit 0- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /home
- find_name:
- .*
- find_type:
- f
- find_args:
- -maxdepth 2 -perm /go+w
- mode:
- go-w
Framework references
CIS
rhel9 7.2.9rhel10 7.2.9rhel8 7.2.9
NIST 800-53
AC-3
Live verification
rhel10:checkrhel8:checkrhel9:check
#home#dotfiles#permissions