Description: The .rhosts file specifies an email address to forward the users mail to. Rationale: Use of this file is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may have been brought over from other systems and could contain information useful to an attacker for those other systems. Audit: Run the following script and verify no results are returned: #!/bin/bash grep -E -v ^(root|halt|sync|shutdown) /etc/passwd | awk -F: ($7 != ""$(which nologin)"" && $7 != "/bin/false") { print $1 " " $6 } | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else if [ ! -h "$dir/.d" -a -f "$dir/.rhosts" ]; then echo ".rhosts file $dir/.rhosts exists" fi fi done Remediation: Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .rhosts files and determine the action to be taken in accordance with site policy. Notes: On some distributions the /sbin/nologin should be replaced with /usr/sbin/nologin.

[yes/no]

Making global modifications to users files without alerting the user community can result in unexpected outages and unhappy users.Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy.