Ensure dot files permissions are 0740 or less.

ggbecker · ggbecker · commit 34effa65b4c9 · 2026-03-31T12:25:46.000+02:00
Update description of those rules to improve the remediation that only
removes the undesired bits of the permissions, otherwise any offending
file would be set to 0740, no matter which of the offending bits it had.

This way it preserves the permissions the file previously had and
removes the offending bits only.
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -4,9 +4,9 @@ documentation_complete: true
 title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
 
 description: |-
-    Set the mode of the user initialization files to <tt>0740</tt> with the
+    Set the mode of the user initialization files to <tt>0740</tt> or less permissisive with the
     following command:
-    <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FILE</i></pre>
+    <pre>$ sudo chmod u-s,g-wxs,o= /home/<i>USER</i>/.<i>INIT_FILE</i></pre>
 
 rationale: |-
     Local initialization files are used to configure the user's shell environment
@@ -41,10 +41,10 @@ ocil: |-
     There should be no output.
 
 fixtext: |-
-    Set the mode of the local initialization files to "0740" with the following command:
+    Set the mode of the local initialization files to "0740" or less permissive with the following command:
 
     Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
 
-    $ sudo chmod 0740 /home/smithj/.
+    $ sudo chmod u-s,g-wxs,o= /home/smithj/.<i>INIT_FILE</i>
 
 srg_requirement: 'All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
@@ -4,10 +4,10 @@ title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
 
 description: |-
     Set the mode of the user initialization files, including the <tt>root</tt> user,
-    to <tt>0740</tt> with the following commands:
+    to <tt>0740</tt> or less permissisive with the following commands:
     <pre>
-    $ sudo chmod 0740 /root/.<i>INIT_FILE</i>
-    $ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FILE</i>
+    $ sudo chmod u-s,g-wxs,o= /root/.<i>INIT_FILE</i>
+    $ sudo chmod u-s,g-wxs,o= /home/<i>USER</i>/.<i>INIT_FILE</i>
     </pre>
 
 rationale: |-
@@ -34,10 +34,10 @@ ocil: |-
     There should be no output.
 
 fixtext: |-
-    Set the mode of the local initialization files to "0740" with the following command:
+    Set the mode of the local initialization files to "0740" or less permissive with the following command:
 
     Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
 
-    $ sudo chmod 0740 /home/smithj/.
+    $ sudo chmod u-s,g-wxs,o= /home/smithj/.<i>INIT_FILE</i>
 
 srg_requirement: 'All {{{ full_name }}} local initialization files must have mode 0740 or less permissive.'
