Check: GEN001550
HP-UX 11.31 STIG:
GEN001550
(in versions v1 r19 through v1 r13)
Title
All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. (Cat II impact)
Discussion
If a user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
Check Content
Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member: List the user accounts. # cat /etc/passwd | cut -f 1,1 -d ":" For each user account, get a list of GIDs for files in the user's home directory. # find ~<username> | xargs ls -ldn | tr '\011' ' ' | tr -s ' ' | awk '{print $4, $NF}' Obtain the list of GIDs associated with the user's account. # id <username> OR # id -G <username> OR # cat /etc/group | grep <username> Check the GID lists. If there are GIDs in the file list not present in the user list, this is a finding.
Fix Text
Change the group of a file not group-owned by a group of which the home directory's owner is a member. # chgrp [<username>'s primary group] [file with bad group ownership]
Additional Identifiers
Rule ID: SV-35145r1_rule
Vulnerability ID: V-22351
Group Title: GEN001550
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
Number | Title |
---|---|
AC-6 |
Least Privilege |