{"description": "For each human user of the system, view the\npermissions of the user's home directory:\n<pre># ls -ld /home/<i>USER</i></pre>\nEnsure that the directory is not group-writable and that it\nis not world-readable. If necessary, repair the permissions:\n<pre># chmod g-w /home/<i>USER</i>\n# chmod o-rwx /home/<i>USER</i></pre>", "rationale": "User home directories contain many configuration files which\naffect the behavior of a user's account. No user should ever have\nwrite permission to another user's home directory. Group shared\ndirectories can be configured in sub-directories or elsewhere in the\nfilesystem if they are needed. Typically, user home directories\nshould not be world-readable, as it would disclose file names\nto other users. If a subset of users need read access\nto one another's home directories, this can be provided using\ngroups or ACLs.", "severity": "medium", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-6(a)", "AC-6(1)", "CM-6(a)"], "nist-csf": ["PR.AC-4", "PR.DS-5"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the user home directory is group-writable or world-readable", "ocil": "To ensure the user home directory is not group-writable or world-readable, run the following:\n<pre># ls -ld /home/<i>USER</i></pre>", "oval_external_content": null, "fixtext": "", 
"checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"functionality": "This action may involve modifying user home directories.\nNotify your user community, and solicit input if appropriate,\nbefore making this type of change."}, {"general": "This rule is deprecated in favor of the <code>file_permissions_home_directories</code> rule. Please consider replacing this rule in your files, as it is not expected to receive\nupdates as of version <code>0.1.62</code>."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure that User Home Directories are not Group-Writable or World-Readable", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml", "template": null}
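The rule above describes the check (`ls -ld /home/USER`) and the repair (`chmod g-w`, `chmod o-rwx`) one directory at a time. The script below is an added example, not part of the SCAP Security Guide rule or its OVAL/bash content, that applies the same check and remediation across every human account. It assumes a conventional definition of "human user" (UID at or above a configurable threshold, default 1000, with a login shell that is not `nologin` or `false`), takes the passwd file path as a parameter so it can be run against a constructed copy, and parses `ls -ld` rather than `stat` so it behaves the same on GNU and BSD userland. Note that the remediation removes all access for others (read, write and execute), so the check here flags any world access, not only world-read, to match what the fix enforces.

```shell
#!/bin/sh
# Added example: audit (and optionally repair) home directory permissions for
# all human users. Not part of the SSG rule content; the UID threshold and the
# nologin/false shell filter below are assumptions about what a "human user" is.

# check_home_dir DIR
# Prints one line per violation; returns 0 when DIR is neither group-writable
# nor accessible to others, 1 otherwise.
check_home_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # ls -ld prints e.g. "drwxr-x--- 2 alice alice 4096 ..."; keep the mode string.
    mode=$(ls -ld "$dir" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)      # group write bit
    other=$(printf '%s' "$mode" | cut -c8-10)     # other rwx bits
    rc=0
    if [ "$group_w" = "w" ]; then
        echo "$dir: group-writable ($mode)"
        rc=1
    fi
    if [ "$other" != "---" ]; then
        echo "$dir: accessible to others ($mode)"
        rc=1
    fi
    return $rc
}

# fix_home_dir DIR: the rule's remediation, exactly as described.
fix_home_dir() {
    chmod g-w "$1" && chmod o-rwx "$1"
}

# human_homes PASSWD_FILE MIN_UID
# Prints the home directory of every account with UID >= MIN_UID whose shell
# is not nologin or false (assumed definition of a human, interactive account).
human_homes() {
    awk -F: -v min="$2" '$3 >= min && $6 != "" && $7 !~ /(nologin|false)$/ { print $6 }' "$1"
}

# audit_homes PASSWD_FILE [MIN_UID] [yes|no]
# Checks every human home directory; with "yes" as third argument, repairs each
# violation after reporting it. Returns 1 if any violation was found, else 0.
audit_homes() {
    passwd=$1
    min_uid=${2:-1000}
    do_fix=${3:-no}
    found=0
    for h in $(human_homes "$passwd" "$min_uid"); do
        if [ ! -d "$h" ]; then
            echo "$h: home directory missing (outside this rule's scope, but worth knowing)"
            continue
        fi
        if ! check_home_dir "$h"; then
            found=1
            if [ "$do_fix" = yes ]; then
                fix_home_dir "$h"
            fi
        fi
    done
    return $found
}

# Typical use on a real system (run as root):
#   audit_homes /etc/passwd 1000        # report only
#   audit_homes /etc/passwd 1000 yes    # report and repair
```

Run it in report-only mode first; the rule's own warning about notifying users applies, since tightening a home directory can break shared-access arrangements that should instead be moved to a group directory or expressed with ACLs, as the rationale suggests.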