Local initialization files must be group-owned by the users primary group or root.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22361	GEN001870	SV-63343r1_rule	ECLP-1	Medium

Description
Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.

STIG	Date
Oracle Linux 5 Security Technical Implementation Guide	2015-03-26

Details

Check Text ( C-52055r1_chk )
Check user home directories for local initialization files group-owned by a group other than the user's primary group or root. Procedure: # FILES=" .login .cshrc .logout .profile .bash_profile .bashrc .bash_logout .env .dtprofile .dispatch .emacs .exrc"; # for PWLINE in `cut -d: -f4,6 /etc/passwd`; do HOMEDIR=$(echo ${PWLINE}\|cut -d: -f2);GROUP=$(echo ${PWLINE} \| cut -d: -f1);for INIFILE in $FILES;do stat -c %g/%G:%n ${HOMEDIR}/${INIFILE} 2>null\|egrep -v "${GROUP}";done;done If any file is not group-owned by root or the user's primary GID, this is a finding.

Check Text ( C-52055r1_chk )

Check user home directories for local initialization files group-owned by a group other than the user's primary group or root.

Procedure:
# FILES=" .login .cshrc .logout .profile .bash_profile .bashrc .bash_logout .env .dtprofile .dispatch .emacs .exrc";
# for PWLINE in `cut -d: -f4,6 /etc/passwd`; do HOMEDIR=$(echo ${PWLINE}|cut -d: -f2);GROUP=$(echo ${PWLINE} | cut -d: -f1);for INIFILE in $FILES;do stat -c %g/%G:%n ${HOMEDIR}/${INIFILE} 2>null|egrep -v "${GROUP}";done;done

If any file is not group-owned by root or the user's primary GID, this is a finding.

Fix Text (F-53941r2_fix)
Change the group-owner of the local initialization file to the user's primary group, or root. # chgrp Procedure: # FILES=".bashrc .bash_login .bash_logout .bash_profile .cshrc .kshrc .login .logout .profile .tcshrc .env .dtprofile .dispatch .emacs .exrc"; # for PWLINE in `cut -d: -f4,6 /etc/passwd`; do HOMEDIR=$(echo ${PWLINE}\|cut -d: -f2);GROUP=$(echo ${PWLINE} \| cut -d: -f1);for INIFILE in $FILES;do MATCH=$(stat -c %g/%G:%n ${HOMEDIR}/${INIFILE} 2>null\|egrep -c -v "${GROUP}");if [ $MATCH != 0 ] ; then chgrp ${GROUP} ${HOMEDIR}/${INIFILE};fi;done;done

Fix Text (F-53941r2_fix)

Change the group-owner of the local initialization file to the user's primary group, or root.
# chgrp

Procedure:
# FILES=".bashrc .bash_login .bash_logout .bash_profile .cshrc .kshrc .login .logout .profile .tcshrc .env .dtprofile .dispatch .emacs .exrc";
# for PWLINE in `cut -d: -f4,6 /etc/passwd`; do HOMEDIR=$(echo ${PWLINE}|cut -d: -f2);GROUP=$(echo ${PWLINE} | cut -d: -f1);for INIFILE in $FILES;do MATCH=$(stat -c %g/%G:%n ${HOMEDIR}/${INIFILE} 2>null|egrep -c -v "${GROUP}");if [ $MATCH != 0 ] ; then chgrp ${GROUP} ${HOMEDIR}/${INIFILE};fi;done;done