Profile Applicability:
 Level 1

Description:
 Local interactive user dot files (such as .bashrc, .profile, .bash_profile, .bash_logout, and .inputrc) control user environment settings and shell behavior. Improper permissions on these files can allow unauthorized users to modify shell environments or execute malicious commands.

Rationale:
 Configuring strict access permissions on user dot files helps prevent unauthorized modifications that could compromise user sessions or escalate privileges.

Impact:
 Pros:

  • Protects against unauthorized changes to user shell environments.

  • Prevents privilege escalation through manipulated shell configurations.

 Cons:

  • Overly restrictive permissions may disrupt legitimate user customizations.

Default Value:
 By default, permissions vary but may be too permissive, allowing group or other users to read or write these files.

Pre-requisites:

  • Root or sudo privileges to audit and modify user home directory file permissions.

Remediation:

Test Plan:

Using Linux command line:

1. Identify all user home directories of local interactive users: 

awk -F: '$3 >= 1000 && $1 != "nobody" {print $6}' /etc/passwd


2. Check permissions of dot files for each user (run as that user, or substitute each home directory from step 1 for ~):

ls -ld ~/.bashrc ~/.profile ~/.bash_profile ~/.bash_logout ~/.inputrc

3. Verify files have permissions set to 600 or 644, owned by the user, and not writable by group or others.
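
The three test-plan steps above, combined into one read-only audit loop (an added example, not part of the original benchmark text). It assumes GNU stat; the function name audit_dotfiles and its optional passwd-file and minimum-UID arguments are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of dot file ownership and group/other write bits.
# Usage: audit_dotfiles [passwd_file] [min_uid]
# Prints one FAIL line per finding; returns 1 if anything was found, else 0.
audit_dotfiles() {
    passwd_file=${1:-/etc/passwd}
    min_uid=${2:-1000}          # assumption: interactive accounts start at UID 1000
    findings=$(
        # Same selection as step 1, but keep name and UID for the ownership check
        awk -F: -v min="$min_uid" \
            '$3 >= min && $1 != "nobody" {print $1 ":" $3 ":" $6}' "$passwd_file" |
        while IFS=: read -r user uid home; do
            for name in .bashrc .profile .bash_profile .bash_logout .inputrc; do
                f="$home/$name"
                [ -f "$f" ] || continue            # missing files are not findings
                owner=$(stat -L -c %u "$f")        # numeric owner (GNU stat)
                mode=$(stat -L -c %a "$f")         # octal mode, e.g. 644
                if [ "$owner" != "$uid" ]; then
                    echo "FAIL $f owned by uid $owner, expected $uid ($user)"
                fi
                # 022 masks the group-write and other-write bits
                if [ $(( 0$mode & 022 )) -ne 0 ]; then
                    echo "FAIL $f mode $mode is writable by group or other"
                fi
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root with no arguments to audit /etc/passwd; a non-zero exit status means at least one file needs the remediation steps below.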

Implementation Plan:

Using Linux command line:

1. For each user, set appropriate permissions on dot files:

chmod 644 ~/.bashrc ~/.profile ~/.bash_profile ~/.bash_logout ~/.inputrc
chown $USER:$USER ~/.bashrc ~/.profile ~/.bash_profile ~/.bash_logout ~/.inputrc


2. Ensure no group or other write permissions exist:

chmod go-w ~/.bashrc ~/.profile ~/.bash_profile ~/.bash_logout ~/.inputrc


3. Repeat for all local interactive users.

Backout Plan:

Using Linux command line:

  1. If needed, revert permissions to previous known state (if backed up).

  2. Inform users about permission changes to avoid disruption.

  3. Restore backups if permission changes cause issues.
