Run the following script to ensure that:
- local interactive user home directories exist
- local interactive users own their home directories
- local interactive user home directories are mode 750 or more restrictive
#!/usr/bin/env bash{l_output=""l_output2=""l_heout2=""l_hoout2=""l_haout2=""l_valid_shells="^($(awk-F\/'$NF != "nologin" {print}'/etc/shells|sed-rn'/^\//{s,/,\\\\/,g;p}'|paste-s-d'|'-))$"unseta_uarr&&a_uarr=()# Clear and initialize arraywhileread-rl_epul_eph;do# Populate array with users and user home locationa_uarr+=("$l_epu$l_eph")done<<<"$(awk-vpat="$l_valid_shells"-F:'$(NF) ~ pat { print $1 " "$(NF-1) }'/etc/passwd)"l_asize="${#a_uarr[@]}"# Here if we want to look at number of users before proceeding["$l_asize "-gt"10000"]&&echo-e"\n ** INFO **\n - \"$l_asize\"Local interactive users found on the system\n - This may be a long running check\n"whileread-rl_userl_home;doif[-d"$l_home"];thenl_mask='0027'l_max="$(printf'%o'$((0777&~$l_mask)))"whileread-rl_ownl_mode;do["$l_user"!="$l_own"]&&l_hoout2="$l_hoout2\n - User: \"$l_user\" Home \"$l_home\" is owned by: \"$l_own\""if[$(($l_mode&$l_mask))-gt0];thenl_haout2="$l_haout2\n - User: \"$l_user\" Home \"$l_home\" is mode: \"$l_mode\" should be mode: \"$l_max\" or more restrictive"fidone<<<"$(stat-Lc'%U %#a'"$l_home")"elsel_heout2="$l_heout2\n - User: \"$l_user\" Home \"$l_home\" Doesn't exist"fidone<<<"$(printf'%s\n'"${a_uarr[@]}")"[-z"$l_heout2"]&&l_output="$l_output\n- home directories exist"||l_output2="$l_output2$l_heout2"[-z"$l_hoout2"]&&l_output="$l_output\n- own their home directory"||l_output2="$l_output2$l_hoout2"[-z"$l_haout2"]&&l_output="$l_output\n- home directories are mode:\"$l_max\" or more restrictive"||l_output2="$l_output2$l_haout2"[-n"$l_output"]&&l_output=" - All local interactive users:$l_output"if[-z"$l_output2"];then# If l_output2 is empty, we passecho-e"\n- Audit Result:\n ** PASS **\n - * Correctly configured * :\n$l_output"elseecho-e"\n- Audit Result:\n ** FAIL **\n - * Reasons for audit failure * :\n$l_output2"[-n"$l_output"]&&echo-e"\n- * Correctly configured * :\n$l_output"fi}
If a local interactive user's home directory is undefined and/or doesn't exist, follow local
site policy and perform one of the following:
- Lock the user account
- Remove the user from the system
- Create a directory for the user. If the home directory is undefined, edit /etc/passwd and set the user's home directory field (the sixth, second-to-last field) to the absolute path of that directory.
Run the following script to:
- Remove excessive permissions from local interactive users' home directories
- Update each home directory's owner
#!/usr/bin/env bash{l_output2=""l_valid_shells="^($(awk-F\/'$NF != "nologin" {print}'/etc/shells|sed-rn'/^\//{s,/,\\\\/,g;p}'|paste-s-d'|'-))$"unseta_uarr&&a_uarr=()# Clear and initialize arraywhileread-rl_epul_eph;do# Populate array with users and user home locationa_uarr+=("$l_epu$l_eph")done<<<"$(awk-vpat="$l_valid_shells"-F:'$(NF) ~ pat { print $1 " " $(NF-1) }'/etc/passwd)"l_asize="${#a_uarr[@]}"# Here if we want to look at number of users before proceeding["$l_asize "-gt"10000"]&&echo-e"\n ** INFO **\n - \"$l_asize\"Local interactive users found on the system\n - This may be a long running process\n"whileread-rl_userl_home;doif[-d"$l_home"];thenl_mask='0027'l_max="$(printf'%o'$((0777&~$l_mask)))"whileread-rl_ownl_mode;doif["$l_user"!="$l_own"];thenl_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\"is owned by: \"$l_own\"\n - changing ownership to: \"$l_user\"\n"chown"$l_user""$l_home"fiif[$(($l_mode&$l_mask))-gt0];thenl_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\"is mode: \"$l_mode\" should be mode: \"$l_max\" or more restrictive\n - removing excess permissions\n"chmodg-w,o-rwx"$l_home"fidone<<<"$(stat-Lc'%U %#a'"$l_home")"elsel_output2="$l_output2\n - User: \"$l_user\" Home \"$l_home\"Doesn't exist\n - Please create a home in accordance with local site policy"fidone<<<"$(printf'%s\n'"${a_uarr[@]}")"if[-z"$l_output2"];then# If l_output2 is empty, we passecho-e" - No modification needed to local interactive users home directories"elseecho-e"\n$l_output2"fi}