From f657a1b61509c591a9b1c031865b520bd2c8bbbe Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 15:23:05 +0100
Subject: [PATCH 1/8] Add rules for /etc/passwd- permissions and owner
---
.../rule.yml | 31 +++++++++++++++++
.../file_owner_backup_etc_passwd/rule.yml | 31 +++++++++++++++++
.../rule.yml | 33 +++++++++++++++++++
4 files changed, 95 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
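diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
new file mode 100644
index 0000000000..b4ece4eda7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup passwd File'
+
+description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}'
+
+rationale: |-
+    The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
+    it also contains information about the users that are configured on the system.
+    Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83323-6
+    cce@rhel8: 83324-4
+
+references:
+    cis@rhel7: 6.1.6
+    cis@rhel8: 6.1.6
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/passwd-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/passwd-", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/passwd-
+        filegid: '0'
+        missing_file_pass: 'true'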
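diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
new file mode 100644
index 0000000000..28ceaf57e2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup passwd File'
+
+description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}'
+
+rationale: |-
+    The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
+    it also contains information about the users that are configured on the system.
+    Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83325-1
+    cce@rhel8: 83326-9
+
+references:
+    cis@rhel7: 6.1.6
+    cis@rhel8: 6.1.6
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/passwd-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/passwd-", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/passwd-
+        fileuid: '0'
+        missing_file_pass: 'true'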
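diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
new file mode 100644
index 0000000000..3620e8d0d8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup passwd File'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
+
+rationale: |-
+    The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
+    it also contains information about the users that are configured on the system.
+    Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83331-9
+    cce@rhel8: 83332-7
+
+references:
+    cis@rhel7: 6.1.6
+    cis@rhel8: 6.1.6
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/passwd-
+        filemode: '0600'
+        missing_file_pass: 'true'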
From 5e641c50c9cb21cc664f2b6fe2ea820b96d3bde4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 15:44:25 +0100
Subject: [PATCH 2/8] Add rules for /etc/shadow- permissions and owner
---
.../rule.yml | 37 ++++++++++++++++++
.../file_owner_backup_etc_shadow/rule.yml | 31 +++++++++++++++
.../rule.yml | 39 +++++++++++++++++++
4 files changed, 107 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
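diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
new file mode 100644
index 0000000000..6f4744e6cc
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup shadow File'
+
+description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}'
+
+rationale: |-
+    The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
+    it also contains the list of local system accounts and password hashes.
+    Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83414-3
+    cce@rhel8: 83415-0
+
+references:
+    cis@rhel7: 6.1.7
+    cis@rhel8: 6.1.7
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/shadow-
+        filegid: '0'
+        filegid@debian8: '42'
+        filegid@debian9: '42'
+        filegid@debian10: '42'
+        filegid@ubuntu1404: '42'
+        filegid@ubuntu1604: '42'
+        filegid@ubuntu1804: '42'
+        missing_file_pass: 'true'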
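Review bot: The added `title:` line names this rule 'Verify User Who Owns Backup shadow File', but the rule checks the group owner (`describe_file_group_owner`, template `file_groupowner`), and the file_owner_backup_etc_shadow section that follows carries the mirror-image title 'Verify Group Who Owns Backup shadow File'. The two titles appear swapped; change this one to `title: 'Verify Group Who Owns Backup shadow File'` and the sibling's to `title: 'Verify User Who Owns Backup shadow File'`. The hunk header of patch 6/8 for this file still shows the 'Verify User' wording, so the later patches visible here do not seem to correct it.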
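diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
new file mode 100644
index 0000000000..2b5a17d6bf
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup shadow File'
+
+description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}'
+
+rationale: |-
+    The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
+    it also contains the list of local system accounts and password hashes.
+    Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83412-7
+    cce@rhel8: 83413-5
+
+references:
+    cis@rhel7: 6.1.7
+    cis@rhel8: 6.1.7
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/shadow-", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/shadow-
+        fileuid: '0'
+        missing_file_pass: 'true'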
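diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
new file mode 100644
index 0000000000..6090201c11
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup shadow File'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}}
+
+rationale: |-
+    The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
+    it also contains the list of local system accounts and password hashes.
+    Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83416-8
+    cce@rhel8: 83417-6
+
+references:
+    cis@rhel7: 6.1.7
+    cis@rhel8: 6.1.7
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/shadow-
+        filemode: '0000'
+        filemode@debian8: '0640'
+        filemode@debian9: '0640'
+        filemode@debian10: '0640'
+        filemode@ubuntu1404: '0640'
+        filemode@ubuntu1604: '0640'
+        filemode@ubuntu1804: '0640'
+        missing_file_pass: 'true'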
From 9f206c3dede1f1fe41288559f8b465dcfe252b9e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 16:07:26 +0100
Subject: [PATCH 3/8] Add rules for /etc/group- permissions and owner
---
.../file_groupowner_backup_etc_group/rule.yml | 31 +++++++++++++++++
.../file_owner_backup_etc_group/rule.yml | 31 +++++++++++++++++
.../rule.yml | 33 +++++++++++++++++++
4 files changed, 95 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
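diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
new file mode 100644
index 0000000000..6663d25ee6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup group File'
+
+description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}'
+
+rationale: |-
+    The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
+    it also contains information regarding groups that are configured on the system.
+    Protection of this file is important for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83474-7
+    cce@rhel8: 83475-4
+
+references:
+    cis@rhel7: 6.1.8
+    cis@rhel8: 6.1.8
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/group-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/group", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/group-
+        filegid: '0'
+        missing_file_pass: 'true'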
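Review bot: The added `ocil:` line references `/etc/group`, while every other field of this rule (`description`, `ocil_clause`, `filepath`) targets `/etc/group-`, so the manual check text will send an auditor to the live file instead of the backup this rule is about. Use `ocil: '{{{ ocil_file_group_owner(file="/etc/group-", group="root") }}}'` so the OCIL agrees with the automated check.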
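diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
new file mode 100644
index 0000000000..43f508a788
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup group File'
+
+description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}'
+
+rationale: |-
+    The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
+    it also contains information regarding groups that are configured on the system.
+    Protection of this file is important for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83472-1
+    cce@rhel8: 83473-9
+
+references:
+    cis@rhel7: 6.1.8
+    cis@rhel8: 6.1.8
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/group-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/group-", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/group-
+        fileuid: '0'
+        missing_file_pass: 'true'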
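diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
new file mode 100644
index 0000000000..d8e4ed220b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup group File'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/group-", perms="0644") }}}
+
+rationale: |-
+    The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
+    it also contains information regarding groups that are configured on the system.
+    Protection of this file is important for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83482-0
+    cce@rhel8: 83483-8
+
+references:
+    cis@rhel7: 6.1.8
+    cis@rhel8: 6.1.8
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/passwd", perms="-rw-r--r--") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/group-
+        filemode: '0644'
+        missing_file_pass: 'true'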
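Review bot: The added `ocil:` block passes `file="/etc/passwd"` to `ocil_file_permissions`, while the `description`, `ocil_clause` and `filepath` of this rule all refer to `/etc/group-`, so the manual check instructions would have an auditor verify an unrelated file. Change it to `{{{ ocil_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}`. This looks like a copy-and-paste leftover from the passwd rule in patch 1/8.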
From 8be59a951380245f9c163731d40a0fdbbddb2ccd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 16:18:25 +0100
Subject: [PATCH 4/8] Add rules for /etc/gshadow- permissions and owner
---
.../rule.yml | 36 ++++++++++++++++++
.../file_owner_backup_etc_gshadow/rule.yml | 30 +++++++++++++++
.../rule.yml | 38 +++++++++++++++++++
4 files changed, 104 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
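diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
new file mode 100644
index 0000000000..d27abdad03
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup gshadow File'
+
+description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+
+rationale: |-
+    The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
+    contains group password hashes. Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83534-8
+    cce@rhel8: 83535-5
+
+references:
+    cis@rhel7: 6.1.9
+    cis@rhel8: 6.1.9
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/gshadow-
+        filegid: '0'
+        filegid@debian8: '42'
+        filegid@debian9: '42'
+        filegid@debian10: '42'
+        filegid@ubuntu1404: '42'
+        filegid@ubuntu1604: '42'
+        filegid@ubuntu1804: '42'
+        missing_file_pass: 'true'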
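diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
new file mode 100644
index 0000000000..a840f6ef55
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup gshadow File'
+
+description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}'
+
+rationale: |-
+    The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
+    contains group password hashes. Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83532-2
+    cce@rhel8: 83533-0
+
+references:
+    cis@rhel7: 6.1.9
+    cis@rhel8: 6.1.9
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/gshadow-", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/gshadow-
+        fileuid: '0'
+        missing_file_pass: 'true'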
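diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
new file mode 100644
index 0000000000..29c9556298
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup gshadow File'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}}
+
+rationale: |-
+    The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
+    contains group password hashes. Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83572-8
+    cce@rhel8: 83573-6
+
+references:
+    cis@rhel7: 6.1.9
+    cis@rhel8: 6.1.9
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/gshadow-
+        filemode: '0000'
+        filemode@debian8: '0640'
+        filemode@debian9: '0640'
+        filemode@debian10: '0640'
+        filemode@ubuntu1404: '0640'
+        filemode@ubuntu1604: '0640'
+        filemode@ubuntu1804: '0640'
+        missing_file_pass: 'true'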
From 7957bfd07621000047e0784a717ffc0e3e0cf769 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 17:28:03 +0100
Subject: [PATCH 6/8] Fix language and inconsistencies in rationale
---
.../file_groupowner_backup_etc_group/rule.yml | 4 ++--
.../file_groupowner_backup_etc_gshadow/rule.yml | 4 ++--
.../file_groupowner_backup_etc_passwd/rule.yml | 4 ++--
.../file_groupowner_backup_etc_shadow/rule.yml | 4 ++--
.../file_owner_backup_etc_group/rule.yml | 4 ++--
.../file_owner_backup_etc_gshadow/rule.yml | 4 ++--
.../file_owner_backup_etc_passwd/rule.yml | 4 ++--
.../file_owner_backup_etc_shadow/rule.yml | 4 ++--
.../file_permissions_backup_etc_group/rule.yml | 4 ++--
.../file_permissions_backup_etc_gshadow/rule.yml | 4 ++--
.../file_permissions_backup_etc_passwd/rule.yml | 4 ++--
.../file_permissions_backup_etc_shadow/rule.yml | 4 ++--
12 files changed, 24 insertions(+), 24 deletions(-)
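diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
index 6663d25ee6..00bbfd8615 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup group File'
 description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}'
 
 rationale: |-
-    The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
-    it also contains information regarding groups that are configured on the system.
+    The <tt>/etc/group-</tt> file is a backup file of <tt>/etc/group</tt>, and as such,
+    it contains information regarding groups that are configured on the system.
     Protection of this file is important for system security.
 
 severity: medium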
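diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index d27abdad03..fcd4dfc0cb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup gshadow File'
 description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}'
 
 rationale: |-
-    The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
-    contains group password hashes. Protection of this file is critical for system security.
+    The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
+    it contains group password hashes. Protection of this file is critical for system security.
 
 severity: medium
 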
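diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
index b4ece4eda7..0855e37012 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup passwd File'
 description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}'
 
 rationale: |-
-    The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
-    it also contains information about the users that are configured on the system.
+    The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
+    it contains information about the users that are configured on the system.
     Protection of this file is critical for system security.
 
 severity: medium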
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
index 6f4744e6cc..bbcf2deb48 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup shadow File'
|
|
|
dac76a |
description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
|
|
|
dac76a |
- it also contains the list of local system accounts and password hashes.
|
|
|
dac76a |
+ The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
|
|
|
dac76a |
+ it contains the list of local system accounts and password hashes.
|
|
|
dac76a |
Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
|
|
|
dac76a |
index 43f508a788..1e2cf1ae1a 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
|
|
|
dac76a |
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup group File'
|
|
|
dac76a |
description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
|
|
|
dac76a |
- it also contains information regarding groups that are configured on the system.
|
|
|
dac76a |
+ The <tt>/etc/group-</tt> file is a backup file of <tt>/etc/group</tt>, and as such,
|
|
|
dac76a |
+ it contains information regarding groups that are configured on the system.
|
|
|
dac76a |
Protection of this file is important for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
index a840f6ef55..d90826e407 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup gshadow File'
|
|
|
dac76a |
description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
|
|
|
dac76a |
- contains group password hashes. Protection of this file is critical for system security.
|
|
|
dac76a |
+ The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
|
|
|
dac76a |
+ it contains group password hashes. Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
|
|
|
dac76a |
index 28ceaf57e2..180f474d96 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
|
|
|
dac76a |
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup passwd File'
|
|
|
dac76a |
description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
|
|
|
dac76a |
- it also contains information about the users that are configured on the system.
|
|
|
dac76a |
+ The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
|
|
|
dac76a |
+ it contains information about the users that are configured on the system.
|
|
|
dac76a |
Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
index 2b5a17d6bf..260810b94f 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup shadow File'
|
|
|
dac76a |
description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
|
|
|
dac76a |
- it also contains the list of local system accounts and password hashes.
|
|
|
dac76a |
+ The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
|
|
|
dac76a |
+ it contains the list of local system accounts and password hashes.
|
|
|
dac76a |
Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
|
|
|
dac76a |
index d8e4ed220b..68782db132 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
|
|
|
dac76a |
@@ -6,8 +6,8 @@ description: |-
|
|
|
dac76a |
{{{ describe_file_permissions(file="/etc/group-", perms="0644") }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
|
|
|
dac76a |
- it also contains information regarding groups that are configured on the system.
|
|
|
dac76a |
+ The <tt>/etc/group-</tt> file is a backup file of <tt>/etc/group</tt>, and as such,
|
|
|
dac76a |
+ it contains information regarding groups that are configured on the system.
|
|
|
dac76a |
Protection of this file is important for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
index 29c9556298..8dc2ca59dc 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
@@ -6,8 +6,8 @@ description: |-
|
|
|
dac76a |
{{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
|
|
|
dac76a |
- contains group password hashes. Protection of this file is critical for system security.
|
|
|
dac76a |
+ The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
|
|
|
dac76a |
+ it contains group password hashes. Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
|
|
|
dac76a |
index 3620e8d0d8..b2c524d879 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
|
|
|
dac76a |
@@ -6,8 +6,8 @@ description: |-
|
|
|
dac76a |
{{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
|
|
|
dac76a |
- it also contains information about the users that are configured on the system.
|
|
|
dac76a |
+ The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
|
|
|
dac76a |
+ it contains information about the users that are configured on the system.
|
|
|
dac76a |
Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
|
|
dac76a |
index 6090201c11..05a7bd867f 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -6,8 +6,8 @@ description: |-
|
|
|
dac76a |
{{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
- The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
|
|
|
dac76a |
- it also contains the list of local system accounts and password hashes.
|
|
|
dac76a |
+ The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
|
|
|
dac76a |
+ it contains the list of local system accounts and password hashes.
|
|
|
dac76a |
Protection of this file is critical for system security.
|
|
|
dac76a |
|
|
|
dac76a |
severity: medium
|
|
|
dac76a |
|
|
|
dac76a |
From 96e63d853d7e5ec42924a7ce5a06463dfc85b4b6 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Watson Sato <wsato@redhat.com>
|
|
|
dac76a |
Date: Tue, 24 Mar 2020 11:32:09 +0100
|
|
|
dac76a |
Subject: [PATCH 7/8] Describe different group owners of shadow files
|
|
|
dac76a |
|
|
|
dac76a |
The group owner of shadow files in Debian-based distros should
|
|
|
dac76a |
be the shadow group.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../file_groupowner_backup_etc_gshadow/rule.yml | 12 +++++++++---
|
|
|
dac76a |
.../file_groupowner_backup_etc_shadow/rule.yml | 12 +++++++++---
|
|
|
dac76a |
.../file_groupowner_etc_gshadow/rule.yml | 12 +++++++++---
|
|
|
dac76a |
.../file_groupowner_etc_shadow/rule.yml | 12 +++++++++---
|
|
|
dac76a |
4 files changed, 36 insertions(+), 12 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
index fcd4dfc0cb..6ad814ea96 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
@@ -2,7 +2,13 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify Group Who Owns Backup gshadow File'
|
|
|
dac76a |
|
|
|
dac76a |
-description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}'
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_group="shadow" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_group="root" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
|
|
|
dac76a |
@@ -18,9 +24,9 @@ references:
|
|
|
dac76a |
cis@rhel7: 6.1.9
|
|
|
dac76a |
cis@rhel8: 6.1.9
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
-ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}'
|
|
|
dac76a |
+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_groupowner
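Review bot: `target_group` is substituted only into the prose fields (description, ocil_clause, ocil); the `template:` block that produces the actual check starts on the last line of this hunk and its variables lie outside it, so if the template's group value is still the literal `root`, the scan would keep demanding root on Debian/Ubuntu while the text now says shadow. Please apply the same conditional to the template's group variable (e.g. `{{{ target_group }}}` in place of `root`), and the same applies to the hunks for file_groupowner_backup_etc_shadow, file_groupowner_etc_gshadow and file_groupowner_etc_shadow in this commit. The identical `{{% if "ubuntu" in product or "debian" in product %}}` block is now copied verbatim into four rule files; a shared macro or a per-product property would keep the product list in one place.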
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
index bbcf2deb48..51f6076c0a 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -2,7 +2,13 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify User Who Owns Backup shadow File'
|
|
|
dac76a |
|
|
|
dac76a |
-description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}'
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_group="shadow" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_group="root" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: '{{{ describe_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
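Review bot: The title carried as context in this hunk, `title: 'Verify User Who Owns Backup shadow File'`, sits in a file_groupowner rule, while the file_owner_backup_etc_shadow hunk earlier in this series carries 'Verify Group Who Owns Backup shadow File'; the two titles appear to be swapped. Since this commit already rewrites the description of this rule, it is a good place to change it to `title: 'Verify Group Who Owns Backup shadow File'` and give the owner rule the 'Verify User ...' wording.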
|
|
|
dac76a |
@@ -19,9 +25,9 @@ references:
|
|
|
dac76a |
cis@rhel7: 6.1.7
|
|
|
dac76a |
cis@rhel8: 6.1.7
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
-ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}'
|
|
|
dac76a |
+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_groupowner
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
|
|
|
dac76a |
index c2e12377ef..2720754282 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
|
|
|
dac76a |
@@ -2,7 +2,13 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify Group Who Owns gshadow File'
|
|
|
dac76a |
|
|
|
dac76a |
-description: '{{{ describe_file_group_owner(file="/etc/gshadow", group="root") }}}'
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_group="shadow" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_group="root" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: '{{{ describe_file_group_owner(file="/etc/gshadow", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file
|
|
|
dac76a |
@@ -29,9 +35,9 @@ references:
|
|
|
dac76a |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
dac76a |
cis-csc: 12,13,14,15,16,18,3,5
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group="root") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
-ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group="root") }}}'
|
|
|
dac76a |
+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_groupowner
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
|
|
|
dac76a |
index d8a9d04142..b86a219e40 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -2,7 +2,13 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify Group Who Owns shadow File'
|
|
|
dac76a |
|
|
|
dac76a |
-description: '{{{ describe_file_group_owner(file="/etc/shadow", group="root") }}}'
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_group="shadow" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_group="root" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: '{{{ describe_file_group_owner(file="/etc/shadow", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/shadow</tt> file stores password hashes. Protection of this file is
|
|
|
dac76a |
@@ -31,9 +37,9 @@ references:
|
|
|
dac76a |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
dac76a |
cis-csc: 12,13,14,15,16,18,3,5
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group="root") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
-ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group="root") }}}'
|
|
|
dac76a |
+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group=target_group) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_groupowner
|
|
|
dac76a |
|
|
|
dac76a |
From 3896f75e95d902c865b8738c4a3988daa5e3091b Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Watson Sato <wsato@redhat.com>
|
|
|
dac76a |
Date: Tue, 24 Mar 2020 12:11:58 +0100
|
|
|
dac76a |
Subject: [PATCH 8/8] Describe different permissions of shadow files
|
|
|
dac76a |
|
|
|
dac76a |
The permissions of shadow files in Debian-based distros are expected to
|
|
|
dac76a |
be different.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../file_permissions_backup_etc_gshadow/rule.yml | 16 ++++++++++++----
|
|
|
dac76a |
.../file_permissions_backup_etc_shadow/rule.yml | 14 +++++++++++---
|
|
|
dac76a |
.../file_permissions_etc_gshadow/rule.yml | 14 +++++++++++---
|
|
|
dac76a |
.../file_permissions_etc_shadow/rule.yml | 14 +++++++++++---
|
|
|
dac76a |
4 files changed, 45 insertions(+), 13 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
index 8dc2ca59dc..6e6857027f 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
|
|
dac76a |
@@ -2,8 +2,16 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify Permissions on Backup gshadow File'
|
|
|
dac76a |
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0640" %}}
|
|
|
dac76a |
+ {{% set target_perms="-rw-r-----" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0000" %}}
|
|
|
dac76a |
+ {{% set target_perms="----------" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}}
|
|
|
dac76a |
+ {{{ describe_file_permissions(file="/etc/gshadow-", perms=target_perms_octal) }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
|
|
|
dac76a |
@@ -19,10 +27,10 @@ references:
|
|
|
dac76a |
cis@rhel7: 6.1.9
|
|
|
dac76a |
cis@rhel8: 6.1.9
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
-ocil: |-
|
|
|
dac76a |
- {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}}
|
|
|
dac76a |
+ocil: -
|
|
|
dac76a |
+ {{{ ocil_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_permissions
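Review bot: `+ocil: -` in this hunk drops the literal-block indicator: the removed line was `ocil: |-`, and the three sibling files in this commit keep `ocil: |-` unchanged, so this line should remain `ocil: |-`; as written, the indented macro line that follows is no longer a block scalar and will either fail to parse or be read as a different YAML value. Only the `{{{ ocil_file_permissions(...) }}}` line needed to change, which is also why this file's diffstat is two lines larger than its siblings. Separately, `target_perms_octal` reaches the description only; the `template:` block ending this hunk has its permission value outside the hunk, so confirm it is switched to the same conditional, otherwise the check would keep enforcing 0000 on Debian/Ubuntu.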
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
|
|
dac76a |
index 05a7bd867f..bba9f3de6c 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -1,9 +1,17 @@
|
|
|
dac76a |
documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0640" %}}
|
|
|
dac76a |
+ {{% set target_perms="-rw-r-----" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0000" %}}
|
|
|
dac76a |
+ {{% set target_perms="----------" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
title: 'Verify Permissions on Backup shadow File'
|
|
|
dac76a |
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}}
|
|
|
dac76a |
+ {{{ describe_file_permissions(file="/etc/shadow-", perms=target_perms_octal) }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
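Review bot: The product conditional in this file is inserted between `documentation_complete:` and `title:`, whereas the other three files in this commit place it after `title:`; keeping the same position in all four makes the rule files easier to compare. On the values, `-rw-r-----` and `0640` are consistent with each other, but the octal/symbolic pair is maintained by hand in four files, so a single macro that derives the symbolic form from the octal would remove one class of mismatch.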
|
|
|
dac76a |
@@ -20,10 +28,10 @@ references:
|
|
|
dac76a |
cis@rhel7: 6.1.7
|
|
|
dac76a |
cis@rhel8: 6.1.7
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms=target_perms) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
ocil: |-
|
|
|
dac76a |
- {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}}
|
|
|
dac76a |
+ {{{ ocil_file_permissions(file="/etc/shadow-", perms=target_perms) }}}
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_permissions
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
|
|
|
dac76a |
index d1ed4475fb..7e226951ce 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
|
|
|
dac76a |
@@ -2,8 +2,16 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify Permissions on gshadow File'
|
|
|
dac76a |
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0640" %}}
|
|
|
dac76a |
+ {{% set target_perms="-rw-r-----" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0000" %}}
|
|
|
dac76a |
+ {{% set target_perms="----------" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- {{{ describe_file_permissions(file="/etc/gshadow", perms="0000") }}}
|
|
|
dac76a |
+ {{{ describe_file_permissions(file="/etc/gshadow", perms=target_perms_octal) }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file
|
|
|
dac76a |
@@ -31,10 +39,10 @@ references:
|
|
|
dac76a |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
dac76a |
cis-csc: 12,13,14,15,16,18,3,5
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms="----------") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms=target_perms) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
ocil: |-
|
|
|
dac76a |
- {{{ ocil_file_permissions(file="/etc/gshadow", perms="----------") }}}
|
|
|
dac76a |
+ {{{ ocil_file_permissions(file="/etc/gshadow", perms=target_perms) }}}
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_permissions
|
|
|
dac76a |
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
|
|
|
dac76a |
index 61f4fb6cce..e66583627d 100644
|
|
|
dac76a |
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
|
|
|
dac76a |
@@ -2,8 +2,16 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Verify Permissions on shadow File'
|
|
|
dac76a |
|
|
|
dac76a |
+{{% if "ubuntu" in product or "debian" in product %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0640" %}}
|
|
|
dac76a |
+ {{% set target_perms="-rw-r-----" %}}
|
|
|
dac76a |
+{{% else %}}
|
|
|
dac76a |
+ {{% set target_perms_octal="0000" %}}
|
|
|
dac76a |
+ {{% set target_perms="----------" %}}
|
|
|
dac76a |
+{{% endif %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
description: |-
|
|
|
dac76a |
- {{{ describe_file_permissions(file="/etc/shadow", perms="0000") }}}
|
|
|
dac76a |
+ {{{ describe_file_permissions(file="/etc/shadow", perms=target_perms_octal) }}}
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
The <tt>/etc/shadow</tt> file contains the list of local
|
|
|
dac76a |
@@ -36,10 +44,10 @@ references:
|
|
|
dac76a |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
dac76a |
cis-csc: 12,13,14,15,16,18,3,5
|
|
|
dac76a |
|
|
|
dac76a |
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms="----------") }}}'
|
|
|
dac76a |
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms=target_perms) }}}'
|
|
|
dac76a |
|
|
|
dac76a |
ocil: |-
|
|
|
dac76a |
- {{{ ocil_file_permissions(file="/etc/shadow", perms="----------") }}}
|
|
|
dac76a |
+ {{{ ocil_file_permissions(file="/etc/shadow", perms=target_perms) }}}
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: file_permissions
|