6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive

Audit

Run the following script and verify no verify interactive user home directories are mode 750 or more restrictive:

#!/usr/bin/env bash

{
 output=""
 perm_mask='0027'
 maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
 valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
 if [ -d "$home" ]; then
 mode=$( stat -L -c '%#a' "$home" )
 [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
 fi
 done
 if [ -n "$output" ]; then
 echo -e "\n- Failed:$output"
 else
 echo -e "\n- Passed:\n- All user home directories are mode: \"$maxperm\" or more restrictive"
 fi
 )
}

Remediation

Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.

The following script can be used to remove permissions is excess of 750 from interactive user home directories:

#!/usr/bin/env bash

{
 perm_mask='0027'
 maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
 valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
 mode=$( stat -L -c '%#a' "$home" )
 if [ $(( $mode & $perm_mask )) -gt 0 ]; then
 echo -e "- modifying User $user home directory: \"$home\"\nremoving excessive permissions from current mode of \"$mode\""
 chmod g-w,o-rwx "$home"
 fi
 done
 )
}