Title

All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. (Cat II impact)

Discussion

If a user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.

Check Content

Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member: List the user accounts. # cat /etc/passwd | cut -f 1,1 -d ":" For each user account, get a list of GIDs for files in the user's home directory. # find ~<username> | xargs ls -ldn | tr '\011' ' ' | tr -s ' ' | awk '{print $4, $NF}' Obtain the list of GIDs associated with the user's account. # id <username> OR # id -G <username> OR # cat /etc/group | grep <username> Check the GID lists. If there are GIDs in the file list not present in the user list, this is a finding.

Fix Text

Change the group of a file not group-owned by a group of which the home directory's owner is a member. # chgrp [<username>'s primary group] [file with bad group ownership]

Additional Identifiers

Rule ID: SV-35145r1_rule

Vulnerability ID: V-22351

Group Title: GEN001550

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.