
V-281084

CAT II (Medium)

RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.

Rule ID

SV-281084r1165607_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000213

Discussion

Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

Check Content

Verify RHEL 10 enforces that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.

Check that all files from "/usr/share/rootfiles/" are overridden correctly in RHEL 10:
 
$ sudo grep /usr/share/rootfiles/ /etc/tmpfiles.d/*.conf
C /root/.bash_logout   600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile  600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc        600 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc         600 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc        600 root root - /usr/share/rootfiles/.tcshrc
 
If any files are not configured to "600", or if no files are found by grep, this is a finding.
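
The check above as a script, added here as an example and not part of the STIG text. The function name `check_rootfiles_tmpfiles` is chosen for this example; it accepts any mode that is "0600" or less permissive, per the rule title, and treats every other mode string (including "-") as a finding, which is an assumption of this example.

```shell
#!/bin/sh
# Added example: automate the V-281084 check over a tmpfiles.d directory.
# Prints one line per finding; returns 0 when compliant, 1 otherwise.
check_rootfiles_tmpfiles() {
    dir="${1:-/etc/tmpfiles.d}"
    # No .conf files means the grep in the check would find nothing: a finding.
    set -- "$dir"/*.conf
    [ -e "$1" ] || { echo "FINDING: no .conf files in $dir"; return 1; }
    awk '
        BEGIN {
            bad = 0
            # The five root initialization files listed in the check content.
            n = split(".bash_logout .bash_profile .bashrc .cshrc .tcshrc", want, " ")
        }
        # tmpfiles.d fields: type path mode user group age argument
        $1 ~ /^C/ && $7 ~ /^\/usr\/share\/rootfiles\// {
            seen[$2] = 1
            # 0600 or less permissive: no special bits, no owner execute,
            # nothing for group or other.
            if ($3 !~ /^0?[0246]00$/) {
                printf "FINDING: %s has mode %s (%s)\n", $2, $3, FILENAME
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                key = "/root/" want[i]
                if (!(key in seen)) {
                    printf "FINDING: no override for %s\n", key
                    bad = 1
                }
            }
            exit bad
        }
    ' "$@"
}
```

Run it as root with no argument to scan "/etc/tmpfiles.d", or pass another directory to test a staged configuration before deployment.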

Fix Text

Configure RHEL 10 to enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.

Ensure the following lines are in a ".conf" file under "/etc/tmpfiles.d/":
 
C /root/.bash_logout   600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile  600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc        600 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc         600 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc        600 root root - /usr/share/rootfiles/.tcshrc