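#!/usr/bin/env bash
#
# Audit local interactive users' ~/.netrc files.
#
# ~/.netrc conventionally holds plaintext login credentials (ftp, curl and
# similar tools read it), so any mode that lets group/other access it, or
# that sets an execute bit, is reported.
#
# What the script does:
#   * builds a regex from every absolute path listed in /etc/shells and treats
#     the accounts in /etc/passwd whose login shell matches it as interactive;
#   * for each such account, if "$home/.netrc" is a regular file, reads its
#     mode with stat(1) (symlinks are followed, so a symlinked .netrc is
#     judged by its target's mode);
#   * prints a FAILED section for files with any bit of 0177 set, a WARNING
#     section for files that exist with an acceptable mode, or a single
#     PASSED line when no .netrc files were found.
#
# Results go to stdout.  A file that passes the -f test but cannot be stat'ed
# (e.g. removed in between) is reported on stderr and skipped instead of
# aborting the arithmetic.  Requires GNU sed/stat/awk.  Read-only: nothing is
# modified.  NOTE: only mode bits are checked; file ownership is not.
{
  failed=()   # findings whose mode has bits outside the allowed set
  warned=()   # files that exist but are already restrictive enough

  # Bits that must never be set on ~/.netrc: owner execute plus all of group
  # and other (0177).  The widest acceptable mode is therefore 0600.
  perm_mask='0177'
  maxperm="$(printf '%o' $((0777 & ~perm_mask)))"

  # Anchored alternation of every absolute path in /etc/shells, e.g.
  # ^(\/bin\/bash|\/bin\/sh)$ once awk -v has processed the escapes.
  valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' -))$"

  # Print one report section: blank line, "- <title>:", blank line, one
  # finding per line, blank line.  Findings are passed through %s so that
  # backslashes in user names or home paths are never interpreted (echo -e
  # would expand them).
  print_section() {
    local title="$1"
    shift
    printf '\n- %s:\n\n' "$title"
    printf '%s\n' "$@"
    printf '\n'
  }

  # "user home" pairs for every account whose shell is listed in /etc/shells.
  # Process substitution keeps the loop in this shell so the arrays survive.
  while read -r user home; do
    netrc="$home/.netrc"
    # -f follows symlinks, as does stat -L below: the target is what a tool
    # reading the file would actually open.
    [[ -f "$netrc" ]] || continue
    mode="$(stat -L -c '%#a' "$netrc" 2>/dev/null)" || mode=""
    if [[ -z "$mode" ]]; then
      printf 'WARNING: could not read mode of "%s" for user "%s"\n' "$netrc" "$user" >&2
      continue
    fi
    # %#a prints the mode with a leading 0, so bash parses it as octal here.
    if (( (mode & perm_mask) > 0 )); then
      failed+=(" - User \"$user\" file: \"$netrc\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)")
    else
      warned+=(" - User \"$user\" file: \"$netrc\" exists and has file mode: \"$mode\" (should be: \"$maxperm\" or more restrictive)")
    fi
  done < <(awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)

  if (( ${#failed[@]} > 0 )); then
    print_section FAILED "${failed[@]}"
    if (( ${#warned[@]} > 0 )); then
      print_section WARNING "${warned[@]}"
    fi
  elif (( ${#warned[@]} > 0 )); then
    print_section WARNING "${warned[@]}"
  else
    printf '\n-PASSED: - No local interactive users have ".netrc" files in their home directory\n\n'
  fi
}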
Verify:
Any lines under FAILED: remove the file unless it is deemed necessary in accordance with local site policy; if it is retained, change its permissions to 600 or more restrictive (e.g. `chmod 600 <home>/.netrc`).
Any lines under WARNING: the file's mode is already 600 or more restrictive; remove the file anyway unless it is deemed necessary, in accordance with local site policy.
Making global modifications to users' files without alerting the user community can cause unexpected outages and unhappy users. It is therefore recommended to establish a monitoring policy that reports user .netrc file permissions, and to decide the action to take in accordance with local site policy.
The following script removes .netrc files from interactive users' home directories. It is destructive: run it only after the files reported above have been reviewed against local site policy.