From 34effa65b4c90e8e2203a8fafabfe06eeece7d4a Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 30 Mar 2026 15:37:51 +0200 Subject: [PATCH] Ensure dot files permissions are 0740 or less. Update description of those rules to improve the remediation that only removes the undesired bits of the permissions, otherwise any offending file would be set to 0740, no matter which of the offending bits it had. This way it preserves the permissions the file previously had and removes the offending bits only. --- .../file_permission_user_init_files/rule.yml | 8 ++++---- .../file_permission_user_init_files_root/rule.yml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml index 46ddf596ed6e..aa4101b1bb1a 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml @@ -4,9 +4,9 @@ documentation_complete: true title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive' description: |- - Set the mode of the user initialization files to 0740 with the + Set the mode of the user initialization files to 0740 or less permissisive with the following command: -
$ sudo chmod 0740 /home/USER/.INIT_FILE
+
$ sudo chmod u-s,g-wxs,o= /home/USER/.INIT_FILE
rationale: |- Local initialization files are used to configure the user's shell environment @@ -41,10 +41,10 @@ ocil: |- There should be no output. fixtext: |- - Set the mode of the local initialization files to "0740" with the following command: + Set the mode of the local initialization files to "0740" or less permissive with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - $ sudo chmod 0740 /home/smithj/. + $ sudo chmod u-s,g-wxs,o= /home/smithj/.INIT_FILE srg_requirement: 'All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml index cd0fa53bd48d..b94d60723f83 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml @@ -4,10 +4,10 @@ title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive' description: |- Set the mode of the user initialization files, including the root user, - to 0740 with the following commands: + to 0740 or less permissisive with the following commands:
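Review bot: The rewritten description line in this hunk reads `0740 or less permissisive` — a typo for `permissive` — and the same misspelling appears in the first hunk of file_permission_user_init_files_root/rule.yml (`to 0740 or less permissisive with the following commands:`). These description lines are presumably what the rendered guide shows, so both should read `Set the mode of the user initialization files to 0740 or less permissive with the`. The symbolic mode `u-s,g-wxs,o=` drops setuid, group write/execute/setgid and every other-class bit, and on GNU chmod `o=` also clears the sticky bit, so the resulting mode cannot exceed 0740 while anything already stricter is kept; since that preservation is the whole reason for the change, a short sentence saying so in the description would help readers who otherwise expect a plain `chmod 0740`.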
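Review bot: The fixtext now instructs the operator to run `chmod u-s,g-wxs,o=`, but the diffstat lists only the two rule.yml files, so any bash/ansible remediation shipped with these rules is not touched by this patch; if it still applies a fixed `chmod 0740`, the manual fixtext and the automated fix would diverge and the automated path would keep loosening files that were already stricter, which is exactly what the commit message sets out to avoid. Please confirm the remediation content already uses the symbolic form or is updated in a follow-up, and say so in the commit message. The replacement of the truncated `/home/smithj/.` with `/home/smithj/.INIT_FILE` is a welcome fix; since `.INIT_FILE` is a placeholder, consider adding `Note: replace .INIT_FILE with the name of each local initialization file in the home directory.` after the existing note.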
-    $ sudo chmod 0740 /root/.INIT_FILE
-    $ sudo chmod 0740 /home/USER/.INIT_FILE
+    $ sudo chmod u-s,g-wxs,o= /root/.INIT_FILE
+    $ sudo chmod u-s,g-wxs,o= /home/USER/.INIT_FILE
     
rationale: |- @@ -34,10 +34,10 @@ ocil: |- There should be no output. fixtext: |- - Set the mode of the local initialization files to "0740" with the following command: + Set the mode of the local initialization files to "0740" or less permissive with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". - $ sudo chmod 0740 /home/smithj/. + $ sudo chmod u-s,g-wxs,o= /home/smithj/.INIT_FILE srg_requirement: 'All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.'
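Review bot: In the _root variant's fixtext the rewritten example covers only `/home/smithj/.INIT_FILE`, although this rule's title and description explicitly include the root user's initialization files, so an assessor following the fixtext alone would leave `/root/.*` unchecked. Suggest adding a second example line mirroring the description in the first hunk of this file: `$ sudo chmod u-s,g-wxs,o= /root/.INIT_FILE`. As in the non-root rule, it would also be worth stating that `.INIT_FILE` is a placeholder for each dot file found in the home directory.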