Ensure users' .netrc Files are not group or world accessible

Docs > Datadog Security > OOTB Rules > Ensure users' .netrc Files are not group or world accessible

Classification:

compliance

Framework:

Control:

Description

While the system administrator can establish secure permissions for users’ .netrc files, the users can easily override these.

This rule ensures every .netrc file or directory under the home directory related to an interactive user is not group or world accessible

Rationale

.netrc files may contain unencrypted passwords that may be used to attack other systems. Note: While the complete removal of .netrc files is recommended, if any are required on the system, secure permissions must be applied.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
 home\_dir=$(getent passwd "$user" | cut -d: -f6)
 find "${home\_dir}/.netrc" -exec chmod 0600 {} \;
done

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Get all local users from /etc/passwd
 ansible.builtin.getent:
 database: passwd
 split: ':'
 tags:
 - CCE-87369-5
 - accounts\_users\_netrc\_file\_permissions
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy

- name: Create local\_users variable from the getent output
 ansible.builtin.set\_fact:
 local\_users: '{{ ansible\_facts.getent\_passwd|dict2items }}'
 tags:
 - CCE-87369-5
 - accounts\_users\_netrc\_file\_permissions
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy

- name: Test for existence of .netrc file in home directories to avoid creating them,
 but only fixing permissions
 ansible.builtin.stat:
 path: '{{ item.value[4] }}/.netrc'
 register: path\_exists
 loop: '{{ local\_users }}'
 when:
 - item.value[1]|int >= 1000
 - item.value[1]|int != 65534
 tags:
 - CCE-87369-5
 - accounts\_users\_netrc\_file\_permissions
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy

- name: Ensure group and world cannot access respective .netrc files
 ansible.builtin.file:
 path: '{{ item.item.value[4] }}/.netrc'
 mode: '0600'
 state: file
 loop: '{{ path\_exists.results }}'
 when: item.stat is defined and item.stat.exists
 tags:
 - CCE-87369-5
 - accounts\_users\_netrc\_file\_permissions
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy