All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230322	RHEL-08-010740	SV-230322r743963_rule		Medium

Description
If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.

STIG	Date
Red Hat Enterprise Linux 8 Security Technical Implementation Guide	2021-06-14

Details

Check Text ( C-32991r743962_chk )
Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command: Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj Check the user's primary group with the following command: $ sudo grep $(grep smithj /etc/passwd \| awk -F: ‘{print $4}’) /etc/group admin:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.

Check Text ( C-32991r743962_chk )

Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command:

Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.

$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)

drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj

Check the user's primary group with the following command:

$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group

admin:x:250:smithj,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.

Fix Text (F-32966r567713_fix)
Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. $ sudo chgrp users /home/smithj