RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-281084 | SRG-OS-000080-GPOS-00048 | RHEL-10-400335 | SV-281084r1165607_rule | 2026-03-11 | 1 |
Description
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
ℹ️ Check
Verify RHEL 10 enforces that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.
Check that all files from "/usr/share/rootfiles/" are overridden correctly in RHEL 10:
```
$ sudo grep /usr/share/rootfiles/ /etc/tmpfiles.d/*.conf
C /root/.bash_logout 600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile 600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc 600 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc 600 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc 600 root root - /usr/share/rootfiles/.tcshrc
```
If any files are not configured to "600", or if no files are found by grep, this is a finding.
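The check above can be automated. The following is an added example, not part of the STIG text: `check_rootfiles` is a hypothetical helper that parses the tmpfiles.d fields instead of relying on a visual grep, and it also reports a missing entry for any of the five files. It assumes a mode written as "-" or with a prefix character should be reported for manual review.

```shell
#!/bin/sh
# Added example (not STIG text): audit tmpfiles.d "C" (copy) entries sourced
# from /usr/share/rootfiles/. Prints findings; returns 0 if compliant, else 1.
check_rootfiles() {
    dir=$1
    set --                                   # collect existing .conf files in "$@"
    for f in "$dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then
        echo "FINDING: no .conf files in $dir"
        return 1
    fi
    awk '
        BEGIN { bad = 0; n = split(".bash_logout .bash_profile .bashrc .cshrc .tcshrc", want, " ") }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        # Fields: type path mode user group age argument
        $1 ~ /^C/ && index($7, "/usr/share/rootfiles/") == 1 {
            seen[$2] = 1
            # Compliant: octal mode with no bits outside 0600 (600, 400, 200, 000).
            # Assumption: "-" or a prefixed mode is reported for manual review.
            if ($3 !~ /^0?[0246]00$/) {
                printf "FINDING: %s:%d: %s has mode %s\n", FILENAME, FNR, $2, $3
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(("/root/" want[i]) in seen)) {
                    printf "FINDING: no entry for /root/%s\n", want[i]
                    bad = 1
                }
            exit bad
        }
    ' "$@"
}

# Constructed sample: .bashrc is group/world readable and .tcshrc has no entry.
demo=$(mktemp -d)
cat > "$demo/rootfiles.conf" <<'EOF'
C /root/.bash_logout  600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile 600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc       644 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc        600 root root - /usr/share/rootfiles/.cshrc
EOF
check_rootfiles "$demo" || true
rm -rf "$demo"
```

On a live system the function would be called as `check_rootfiles /etc/tmpfiles.d`.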
✔️ Fix
Configure RHEL 10 to enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.
Ensure the following lines are in a ".conf" file under "/etc/tmpfiles.d/":
```
C /root/.bash_logout 600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile 600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc 600 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc 600 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc 600 root root - /usr/share/rootfiles/.tcshrc
```