Rules Related To 'coreutils'

Component overview

Relevant packages:

Relevant groups:

None

Changelog:

No changes recorded.

Relevant rules:

Rule details

User Initialization Files Must Be Group-Owned By The Primary Group

accounts_user_dot_group_ownership

Description

Change the group owner of interactive users' files to the group found in /etc/passwd for the user. To change the group owner of a local interactive user home directory, use the following command:

$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE

This rule ensures every initialization file related to an interactive user is group-owned by an interactive user.

Rationale

Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

User Initialization Files Must Not Run World-Writable Programs

accounts_user_dot_no_world_writable_programs

Description

Set the mode on files being executed by the user initialization files with the following command:

$ sudo chmod o-w FILE

Rationale

If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.

User Initialization Files Must Be Owned By the Primary User

accounts_user_dot_user_ownership

Description

Set the owner of the user initialization files for interactive users to the primary owner with the following command:

$ sudo chown USER /home/USER/.*

This rule ensures every initialization file related to an interactive user is owned by an interactive user.

Rationale

Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

accounts_users_home_files_groupownership

Description

Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:

$ sudo chgrp USER_GROUP /home/USER/FILE_DIR

This rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user.

Rationale

If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.

All User Files and Directories In The Home Directory Must Have a Valid Owner

accounts_users_home_files_ownership

Description

Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive user's files and directories, use the following command:

$ sudo chown -R USER /home/USER

This rule ensures every file or directory under the home directory related to an interactive user is owned by an interactive user.

Rationale

If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.

All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

accounts_users_home_files_permissions

Description

Set the mode on files and directories in the local interactive user home directory with the following command:

$ sudo chmod 0750 /home/USER/FILE_DIR

Files that begin with a "." are excluded from this requirement.

Rationale

If a local interactive user's files have excessive permissions, unintended users may be able to access or modify them.
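
An added example, not part of the guide or of the project's own checks: a read-only shell function that audits one home directory against the ownership, group-ownership, mode and world-writable-program rules above before any chown, chgrp or chmod is applied. The name audit_home, the output labels, the path tokenizer and the UID threshold in the usage comment are assumptions made for this illustration.

```shell
#!/bin/sh
# Read-only audit of one home directory against the rules on this page.
# Usage: audit_home HOME_DIR OWNER_UID PRIMARY_GID
# Prints one "FINDING<TAB>path" line per violation and changes nothing.
# Assumes GNU find (-printf, -perm /MODE) and GNU coreutils stat (-c).
audit_home() {
    home=$1; uid=$2; gid=$3

    # Ownership rules: every entry, dotfiles included, belongs to the account.
    find "$home" -xdev -mindepth 1 ! -user "$uid" -printf 'owner\t%p\n'

    # Group rules, compared with the primary GID only. Assumption: this is
    # stricter than "a group the user is a member of" for non-dot files.
    find "$home" -xdev -mindepth 1 ! -group "$gid" -printf 'group\t%p\n'

    # Mode rule: flag any bit outside 0750 (group write, or any "other" bit).
    # Names starting with "." are exempt; symlinks always show 0777, so skip.
    find "$home" -xdev -mindepth 1 ! -name '.*' ! -type l -perm /027 \
        -printf 'mode\t%p\n'

    # World-writable program rule (heuristic): take absolute paths from the
    # non-comment lines of top-level dotfiles, then test each target's mode.
    find "$home" -maxdepth 1 -type f -name '.*' -exec cat {} + 2>/dev/null |
        grep -av '^[[:space:]]*#' | grep -aoE '/[A-Za-z0-9_.+/-]+' | sort -u |
        while IFS= read -r prog; do
            [ -f "$prog" ] || continue
            # -L follows symlinks so the real file's mode is inspected.
            case $(stat -L -c '%a' -- "$prog") in
                *[2367]) printf 'world-writable-program\t%s\n' "$prog" ;;
            esac
        done
    return 0
}

# Example run over every interactive account; assumption: UID >= 1000 marks
# an interactive user, which the page does not define.
# getent passwd | awk -F: '$3 >= 1000 && $3 != 65534 {print $6, $3, $4}' |
#     while read -r h u g; do [ -d "$h" ] && audit_home "$h" "$u" "$g"; done
```

Because the function walks the tree with find rather than a shell glob, it never touches the home directory's parent, and each finding names the path to pass to the matching remediation command.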