← Rules Catalog
mediumfilesystemverified rollback-safe

Ensure local interactive user dot files access is configured

home-dotfiles-permissions · RHEL ≥ 8 · 1 impl

Description

Local interactive user dot files must not be group or world writable.

Rationale

Overly permissive dot files could allow other users to modify login scripts, potentially enabling code execution in the context of another user.

Check → Remediate

Checkcommand
awk -F: '($3>=1000 && $7 !~ /nologin|false/) {print $6}' /etc/passwd | while read dir; do find "$dir" -maxdepth 1 -name '.*' -type f -perm /go+w 2>/dev/null; done | head -1 | grep -q . && exit 1 || exit 0
expected_exit:
0
Remediatefile_permissions
find_paths:
/home
find_name:
.*
find_type:
f
find_args:
-maxdepth 2 -perm /go+w
mode:
go-w

Framework references

CIS

rhel9 7.2.9rhel10 7.2.9rhel8 7.2.9

NIST 800-53

AC-3

Live verification

rhel10:checkrhel8:checkrhel9:check
#home#dotfiles#permissions