Ensure User Bash History File Has Correct Permissions
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
Set the mode of the bash history file to 0600 with the
following command:
$ sudo chmod 0600 /home/USER/.bash_history
Rationale
Incorrect permissions may enable malicious users to recover
other users’ command history.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd)
readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd)
readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd)
USERS_IGNORED_REGEX='nobody|nfsnobody'
for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
[ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
chmod u-sx,go= "${interactive_users_home[$i]}/.bash_history"
fi
done
