Ensure User Bash History File Has Correct Permissions

Description

Set the mode of the bash history file to 0600 with the following command:

$ sudo chmod 0600 /home/USER/.bash_history

Rationale

Incorrect permissions may enable malicious users to recover other users’ command history.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Collect interactive accounts (UID >= 1000) together with their home
# directories and login shells; the three arrays line up index by index.
readarray -t interactive_users < <(awk -F: '$3>=1000   {print $1}' /etc/passwd)
readarray -t interactive_users_home < <(awk -F: '$3>=1000   {print $6}' /etc/passwd)
readarray -t interactive_users_shell < <(awk -F: '$3>=1000   {print $7}' /etc/passwd)

# Accounts to skip; anchored so that only these exact names match.
USERS_IGNORED_REGEX='^(nobody|nfsnobody)$'

for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
    if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
        [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then

        history_file="${interactive_users_home[$i]}/.bash_history"
        # Only adjust files that exist; an account that has never logged in has none.
        if [ -f "$history_file" ]; then
            # Keep owner read/write, drop owner setuid/execute, clear group and other (0600).
            chmod u-sx,go= "$history_file"
        fi
    fi
done

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure User Bash History File Has Correct Permissions - Gather User Info
  ansible.builtin.getent:
    database: passwd
  tags:
  - file_permission_user_bash_history
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure User Bash History File Has Correct Permissions - Check Bash History Files Existence
  ansible.builtin.stat:
    path: '{{ item.value[4] }}/.bash_history'
  register: bash_history_files
  with_dict: '{{ ansible_facts.getent_passwd }}'
  when:
  # getent_passwd values are [password, uid, gid, gecos, home, shell]:
  # index 5 is the login shell, index 4 the home directory used above.
  - item.value[5] != "/sbin/nologin"
  - item.key not in ["nobody", "nfsnobody"]
  - item.value[1] | int >= 1000
  tags:
  - file_permission_user_bash_history
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure User Bash History File Has Correct Permissions - Fix Bash History Files Permissions
  ansible.builtin.file:
    path: '{{ item.stat.path }}'
    mode: u-sx,go=
  with_items: '{{ bash_history_files.results }}'
  when:
  - item.stat is defined
  - item.stat.exists
  tags:
  - file_permission_user_bash_history
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
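An added audit script, not part of this rule's own content, that reports rather than fixes non-compliant history files, using the same account selection as the remediations above (UID >= 1000, login shell not /sbin/nologin, nobody/nfsnobody ignored). It assumes GNU coreutils stat and accepts an optional passwd-format file path in place of /etc/passwd.

```shell
#!/bin/bash
# Added audit helper (not SSG content). Reports interactive users' .bash_history
# files whose mode grants more than owner read/write, i.e. anything beyond 0600.
# Assumes GNU coreutils stat (-c '%a'); the input is a passwd-format file.

# Print "user:home" for interactive accounts, mirroring the remediation filter:
# UID >= 1000, login shell not /sbin/nologin, name not nobody/nfsnobody.
list_interactive_homes() {
    awk -F: '$3 >= 1000 && $7 != "/sbin/nologin" && $1 !~ /^(nobody|nfsnobody)$/ {
                 print $1 ":" $6 }' "${1:-/etc/passwd}"
}

# Octal mode of a file as printed by GNU stat (e.g. 600, or 4600 with setuid);
# empty when the file is missing.
history_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Succeed only when the mode is 0600 or stricter: owner limited to read/write,
# no group/other bits, and no setuid/setgid/sticky bits (a fourth octal digit).
history_mode_ok() {
    case "$(history_mode "$1")" in
        0|[0246]00) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one finding per non-compliant history file; exit 0 only if none.
# Missing history files are skipped, like the Ansible stat/exists check.
audit_bash_history() {
    local findings
    findings=$(list_interactive_homes "${1:-/etc/passwd}" | while IFS=: read -r user home; do
        file="$home/.bash_history"
        [ -e "$file" ] || continue
        history_mode_ok "$file" ||
            printf '%s: %s has mode %s (octal), expected 600\n' \
                "$user" "$file" "$(history_mode "$file")"
    done)
    [ -z "$findings" ] || printf '%s\n' "$findings"
    [ -z "$findings" ]
}
```

Run `audit_bash_history` (or `audit_bash_history /path/to/passwd`) from a shell that has sourced the file; a non-zero exit means at least one history file needs the remediation above.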