STIGQter: STIG Summary: Oracle Linux 7 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.

DISA Rule

SV-221736r603799_rule

Vulnerability Number

V-221736

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

OL07-00-020700

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command:

Note: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users.

# chgrp users /home/smithj/.[^.]*

Check Contents

Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).

Check the home directory assignment for all non-privileged users on the system with the following command:

Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".

# awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd
smithj 1000 /home/smithj

# grep 1000 /etc/group
users:x:1000:smithj,jonesj,jacksons

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Check the group owner of all local interactive user's initialization files with the following command:

# ls -al /home/smithj/.[^.]* | more
-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something

If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.

Vulnerability Number

V-221736

Documentable

False

Rule Version

OL07-00-020700

Severity Override Guidance

Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).

Check the home directory assignment for all non-privileged users on the system with the following command:

Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".

# awk -F: '($4>=1000)&&($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd
smithj 1000 /home/smithj

# grep 1000 /etc/group
users:x:1000:smithj,jonesj,jacksons

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Check the group owner of all local interactive user's initialization files with the following command:

# ls -al /home/smithj/.[^.]* | more
-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something

If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.

Check Content Reference

M

Target Key

4089

Comments