Profile Applicability:
Level 1

Description:
 Local interactive user home directories contain user files and configuration data. Incorrect permissions on these directories can allow unauthorized users to access or modify sensitive files, leading to potential privilege escalation or data compromise.

Rationale:
 Configuring secure permissions on user home directories ensures that only the respective user (and authorized administrators) can access their files, protecting user privacy and system security.

Impact:
 Pros:

  • Prevents unauthorized access to user data.

  • Mitigates privilege escalation risks through home directory manipulation.

Cons:

  • Overly restrictive permissions may interfere with legitimate sharing or collaborative workflows.

Default Value:
 By default, home directory permissions may vary and could be overly permissive.

Pre-requisites:

  • Root or sudo privileges to audit and modify directory permissions.

Remediation:

Test Plan:

Using Linux command line:

  1. Identify home directories of local interactive users:

     awk -F: '$3 >= 1000 && $1 != "nobody" {print $6}' /etc/passwd


  2. Check permissions and ownership of each home directory:

     ls -ld /home/username

    for each user.

  3. Verify directories are owned by the user and permissions are typically 750 or stricter.

Implementation Plan:

Using Linux command line:

  1. Set ownership of home directories to the respective user: 

    chown username:username /home/username


  2. Set permissions to restrict access: 

    chmod 750 /home/username


  3. Repeat for all local interactive users.

Backout Plan:

Using Linux command line:

  1. Revert permissions and ownership to previous state if necessary.

  2. Communicate changes to users to avoid disruptions.

References: