6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored)

Level 1 - Server
Level 1 - Workstation 

While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these.

.netrc files may contain unencrypted passwords that may be used to attack other systems.

Run the following script and verify no results are returned:

#!/bin/bash 
for dir in `cat /etc/passwd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
  for file in $dir/.netrc; do
    if [ ! -h "$file" -a -f "$file" ]; then
      fileperm=`ls -ld $file | cut -f1 -d" "` 
      if [ `echo $fileperm | cut -c5 ` != "-" ]; then
        echo "Group Read set on $file" 
      fi 
      if [ `echo $fileperm | cut -c6 ` != "-" ]; then
        echo "Group Write set on $file" 
      fi 
      if [ `echo $fileperm | cut -c7 ` != "-" ]; then 
        echo "Group Execute set on $file" 
      fi 
      if [ `echo $fileperm | cut -c8 ` != "-" ]; then 
        echo "Other Read set on $file" 
      fi 
      if [ `echo $fileperm | cut -c9 ` != "-" ]; then 
        echo "Other Write set on $file" 
      fi 
      if [ `echo $fileperm | cut -c10 ` != "-" ]; then 
        echo "Other Execute set on $file" 
      fi 
    fi 
  done 
done

Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc file permissions and determine the action to be taken in accordance with site policy.

While the complete removal of .netrc files is recommended if any are required on the system secure permissions must be applied.

  • centos7/6/2/13.txt
  • Last modified: 2017/05/04 20:05
  • by 127.0.0.1